Security Assurance Services
IT Audit & System Audits
Our Information Technology (IT) and Information Systems (IS) controls services help our clients reduce risk in the application, infrastructure and data layers of their IT function. Information security is a key area of focus in the current landscape of mobile technology, social media and cloud computing. Our core capabilities include:
- Documentation of IT/IS Process Narratives and procedures
- Evaluation and Preparation of infrastructure and Information Systems (IS) flowcharts
- Evaluation and Preparation of Process & logical security flow charts
- Designing IT General Controls (ITGC)
- Implementing ITGCs
- Rationalization of IT controls
- ITGC controls testing
- Review and monitoring of ITGCs
- SSAE16 (Process and Controls design, documentation & testing support)
- Evaluation of Physical & Logical Access Controls
- Confidentiality and Information Security reviews
- Incident Management Reviews
- Business Continuity Plan (BCP) / Disaster Recovery Plan (DRP) reviews
IT Infrastructure security review
We assist organisations in optimising IT controls and securing information assets across the environment.
Assessments are performed to validate whether the underlying IT infrastructure supports an adequate control structure. Custom audit plans and programs are generated for operating systems, databases and platforms. Our services and capabilities include:
- IT Infrastructure controls review
- Security and configuration reviews for Operating system (OS) and Database (DB) servers (custom work programs)
- IT General controls review (ITGC)
- Network infrastructure reviews (e.g. routers, switches)
- Operating System – Linux, AIX, UNIX, Windows (All versions)
- Database – Oracle, SQL (All versions)
Application Penetration Testing
Your enterprise runs on applications: ERPs, web applications, cloud apps, web services and more, all of which are essential to your organization. However, these applications are under attack more than ever. Statistics show that over 60% of applications are highly vulnerable to multiple security flaws. Attackers use these flaws to compromise your application and its sensitive data, including user information, customer information, financial information and so on.
Traecit’s Application Security Penetration Testing is an application security testing practice created by Traecit. Our team delivers comprehensive, end-to-end security testing for your enterprise applications. We test your applications in the same way that skilled hackers and attackers would. Our simulations and tests are designed to identify as many security weaknesses in your applications as possible. After our testing, we provide detailed guidance on ways to comprehensively remedy these weaknesses. Our application security testing practice has been vital to leading companies all over the world.
Cloud Security Assessment
The cloud has become an essential aspect of any company’s IT environment today. However, securing a cloud environment, be it IaaS (Infrastructure as a Service), PaaS (Platform as a Service) or SaaS (Software as a Service), is critical for an organization venturing into these technology paradigms. Organizations have private, public or hybrid cloud deployments where security is a key concern.
Traecit’s Cloud Security Test analyses the security of the organization’s cloud system from three different viewpoints. First, we perform a security assessment of the cloud system from an external, Internet-facing perspective, using infrastructure and application penetration testing methodologies. Second, because of the shared nature of the cloud environment, we assess system security from the perspective of a neighbouring, compromised or malicious host; this assessment includes network-based attacks and exploitation of shared resources in an attempt to gain access to the target system. Finally, Traecit assesses the security protection enforced on the node itself to prevent it from being compromised. This includes a node hardening assessment, a review of virtualisation security, an analysis of how the node is remotely administered and a review of the external and internal network infrastructure security related to the node.
Security Code Review
Code is the ultimate leveler! Your applications might be extremely secure or have more holes than a piece of Swiss cheese, depending on your application’s code. More than half of application security issues arise from insecure code. However, companies have great difficulty identifying vulnerabilities in code. Yes, there are several automated source code review tools and products, but they tend to miss several issues that we do not.
Traecit’s Security Code Review is our hybrid code review practice. We use a combination of manual and automated security code review techniques. There is a reason a Fortune 100 bank and a payment card brand trust us with their entire application security code review practice.
SecDevOps and Custom Security Automation
Traecit’s SecDevOps and Custom Security Automation Framework (C2SAF) aims to decrease mean time to product deployment with reduced operational resources, while including relevant custom product security controls. C2SAF enables engineering teams to implement a customized, automated and threat-modeled penetration testing model for every release of the product lifecycle.
Our Review – Train – Study model has enabled engineering and DevOps teams to take C2SAF from initial implementation to a fully operational and measurable working framework within weeks.
Security Consulting Services
ERP advisory Services
Our services help organisations achieve the full benefits of enterprise resource planning (ERP) software as a business enabler, rather than a mere deployment of an IT tool. Our services include the following:
- ERP business process controls review
- ERP role redesign and segregation of duties (SOD) analysis
- ERP access controls review
- ERP effectiveness and data quality assessment
- ERP Application Controls design, documentation and testing
- Data Migration and completeness Audits
- Pre-implementation reviews
- Post-implementation reviews
Specialization – Oracle, PeopleSoft, SAP
PCI DSS Advisory and Implementation
PCI compliance is challenging. Any entity handling cardholder data, or even supporting other entities handling cardholder data, needs to be compliant with PCI DSS (Payment Card Industry Data Security Standard). Your organization may need to be PCI compliant and/or certified. Where do you start? The compliance is complex and extremely comprehensive. This looks daunting!
What you need is a structured program and approach to PCI. This program must, in manageable capsules, take your organization towards PCI compliance. This involves ensuring that your processes, technology and people are aligned to the goal (PCI compliance) and achieve the necessary PCI security requirements.
This program must be simple, realistic and fit the organization’s culture and internal processes.
Traecit makes this simple for your organization. We take on your organization’s PCI compliance process as a complete project. We create your Enterprise PCI Program and take you through the structured process that aligns technology, process and people to meet and exceed the challenging PCI security requirements. Rest assured, your organization is in good hands. Traecit knows its PCI. Our team has managed PCI compliance programs for some of the most challenging business environments.
ISO 27001 Advisory and Implementation
ISO 27001 is an important security compliance requirement for many companies. It has become an increasingly important business requirement that gives your organization greater respect and visibility with your clients, competitors and industry. Be it manufacturing or BPO, ISO 27001 is an essential business requirement.
ISO 27001 has tremendous benefits for the organization. It fosters a culture of security and promotes management impetus for information security. It also streamlines several processes around IT management, human resources and information security. However, most companies need guidance on ISO 27001 compliance and certification. They need a structured program that is clear, consistent and measurable.
ISO Compliance from Traecit is a program that has been implemented at several leading organizations all over the world. It has delivered successful ISO 27001 compliance and sustenance for large manufacturing companies and banks as well as niche IT services and digital marketing companies. In fact, Traecit’s ISO Compliance has delivered comprehensive results in complex environments where some of the biggest names in compliance, audit and assurance have failed. As part of its ISOaaS offering, Traecit provides end-to-end consulting and implementation expertise to get your company successfully compliant with ISO 27001.
ISHC – Information Security Health Check
Most of us go to a diagnostic center at least once a year to get our health checked (hopefully). Any negative variation in our parameters causes us to worry, if not to panic. Imagine if you never had your health checked and were suddenly hit by a massive negative event. This is scary. Extremely scary.
What about your organization’s security health? Do you check it? How well? If your answer to these questions is in doubt, then you might be in for a shock. Most organizations do not have consistent and regular ways to assess the health of their security practices. They do not get their security health diagnosed. Hence, they are always prone to a security disaster.
Traecit’s Information Security Health Check (iSHC) can be thought of as a “diagnostic test” for your organization’s security. We perform a multitude of tests to check your organization’s health.
Parameters include physical security, network security, application security, human resource security, processes, procedures and so on. Once we are done, we give you a detailed diagnostic report with metrics and examples. Additionally, we create detailed recommendations for your organization and an implementation plan. Should you choose, we can also help you implement this plan and improve your organization’s security parameters overall.
Vendor Risk Assessment
Vendor risk management (VRM) is a management system for identifying and reducing potential business uncertainties and legal liabilities arising from the hiring of third-party vendors for information technology (IT) products and services or data exchange services.
When an enterprise outsources business processes to an external vendor, sensitive data may be stored, processed or transmitted in both company and vendor environments. Compliance and regulatory frameworks such as the Sarbanes-Oxley Act (SOX), the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA) mandate that risk management policies extend to third-party vendors, outsourcers, contractors and consultants.
Security Policy Framework Engineering
Information security is a matter of securing people, processes and technology from a wide array of threats and attacks. Merely implementing security controls isn’t enough. Developing policies, procedures, guidelines and standards is the only way that an organization can stay secure, day in and day out. In addition, security documents (policies, procedures, guidelines and standards) are required to demonstrate adherence to various industry best practices, compliance requirements and regulations. However, these documents cannot merely be copied from boilerplate templates or standardized from organization to organization. They are an important set of documents that must be engineered like any other management system in the organization. This is where Traecit can help.
Traecit helps the organization engineer security documentation based on the organisation’s security practices, risks and industry best practices. We design a comprehensive set of security documents that accurately represent the organisation’s risk profile, its applicability to industry best practices and compliance guidelines, and the specific set of information security practices that the organization has adopted.
Software Asset Management (SAM)
The inability to report software allocation in compliance with vendor licence terms is becoming a serious challenge for organisations. In many instances, organisations have been made liable for damages on account of improper implementation of licence agreements, inadequate policies and procedures, undefined cross-departmental processes, lack of software monitoring tools and the absence of overall software licence ownership and accountability.
Software vendors are increasingly seeking to verify the deployment figures provided by their clients. However, organisations are still unaware of how unmanaged software assets can result in significant unplanned costs (or unrealised savings). To address these challenges, organisations need a strong programme (the set-up and alignment of organisation, processes and infrastructure) to effectively manage, control and protect software assets throughout all stages of the software lifecycle. The successful implementation of such a programme can bring the necessary visibility and lower costs by empowering senior management with adequate data points, licence compliance and audit readiness.
Traecit’s approach typically includes three components:
a) Compliance assessment,
b) Design of an efficient SAM organisation,
c) Realising Savings (achieving quick wins).
We can help you establish better transparency on your software deployment situation.
To reduce software costs and facilitate compliance with licence agreements, we can help develop and introduce mechanisms for efficient SAM, customised for your organisation and aligned with industry standards.