In the last 10 years, organizations have seen cybersecurity threat levels increase over 1000% and have suffered productivity and outright monetary losses of more than $100 billion. As the threat level continues to escalate, ISO 27001 has become the de facto standard to help all businesses keep safe. Avani offers you the tools and resources to successfully implement and maintain compliance with the ISO 27001 standard.
ISO 27001:2013 Audit Advisory & Implementation Services
ISO 27001 certification enables businesses to demonstrate that they have established an Information Security Management System (ISMS) that complies with internationally recognized standards. Avani's ISO 27001 compliance teams utilize our established methodology and proprietary product to evaluate our customers' existing security framework and to identify and implement all of the controls necessary to eliminate and/or mitigate vulnerabilities. Our engagement model includes a technical team that works alongside a customer engagement team to ensure customer requirements are understood and satisfied. The technical team implements Avani's Assess>Remediate>Monitor methodology to help our customers to identify, track, and report on compliance actions, with minimal effort. Our methodology integrates well with other ISO standards to facilitate compliance for multiple certifications.
| Assess |  |
Remediate |  |
Monitor |
|---|
| Compliance Gap Assessment Against ISO 27001 Controls |
ISMS Framework Development/Enhancement | Implementation Reviews |
| Scope of ISMS | Policy and Procedure Documentation |
ISMS Internal Audit |
| Resource Requirements | Risk Mitigation | Pre-audit Assessment |
| Risk Assessment | Incident Management | Certification Audit Support |
| Road Map for Implementation and Certification | BCP/DR Plan and Testing | Ongoing Support for Maintenance of the ISO 27001 Standards |
- Avani's proprietary product brings all ISMS stakeholders, including organizations, consulting and advisory agencies, and auditors to a single unified platform to perform all required assessment, remediation, and monitoring tasks
- Easily assess, document, and track security controls collaboratively to support ISO 27001 certification and maintenance
- Executive dashboards enable stakeholders to track compliance status against the ISO 27001 standard requirements as well as progress with respect to internal and external compliance milestones via reminders
- Supports continuous improvement by providing recommendations to address any compliance gaps or deviations from the ISO 27001 standard
- Manage workflows and checklists to close compliance gaps
- Supports data collection and document management to demonstrate compliance for audit purposes
In this phase we provide recommendations to close the gaps identified in ISMS framework and provide guidance for improving the ISMS.
We provide support in maintaining your ISMS via regular reviews and internal audits. We also support you during annual external surveillance audits and recertification audits.
| Business Issue | How ISO/IEC 27001 helps | Benefit to your organization |
|---|---|---|
Reputation |
|
|
Engagement |
|
|
Compliance |
|
|
Risk Management |
|
|
As traditional IT and communications networks continue to converge and new technologies and methodologies come online (e.g., SaaS, cloud data storage, IoT), businesses face an increasing challenge to understand their infrastructure and its vulnerability to unauthorized access. Avani can help you with this challenge. We conduct Vulnerability Assessments to document your network and communications infrastucture and to quantify, classify, and address the security vulnerabilities of this infrastructure. Avani's vulnerability assessment will help you to understand your security vulnerabilities so you can protect against their potential exploitation and the associated threats to your business' critical data and your reputation with your employees, partners, and customers.
| Assess | |
Remediate | |
Monitor |
|---|
| Scope and Information Gathering | Identify and Classify Vulnerabilities | Monitor vulnerabilities |
| Interview system admins | Investigation of vulnerabilities | Monitor Risks |
| Review Policies and Procedures | Implement Remediation | |
| Vulnerability Scanning |
During this phase, Avani works with stakeholders to plan and perform the vulnerability assessment. Planning activities include information gathering, defining the scope of activities, defining roles and responsibilities, interviewing system administrators, and reviewing policies and procedure relevant to the systems being assessed. Performance activities include conducting scanning activities using the appropriate tools and documenting the observed vulnerabilities.
During this phase, Avani provides recommendations for resolving the vulnerabilities identified during the assessment phase and works with the customer stakeholders to implement the appropriate mitigation measures. Avani addresses vulnerabilities based on a risk matrix analysis which assesses each identified vulnerability based on the level of risk, the impact of exploitation, and the cost of various remediation options. Avani then works with customer stakeholders to prioritize risks for mitigation and to select the specific mitigation strategies to be employed. Mitigation strategies may include removing unneeded services or systems, patching/updating software, upgrading systems, and custom solutions.
In order to ensure ongoing protection against existing as well as emerging vulnerabilities, the final phase of Avani's vulnerability assessment includes the deployment of tools and processes to ensure ongoing monitoring of critical infrastructure. This enables businesses to move from a security posture based on single-point-in-time vulnerability "sampling" to one of continuous monitoring that reduces the overall risk faced by the business.
- Identify known security exposures before potential attackers can exploit them
- Identify and address new security exposures quickly and efficiently
- Identify network security concerns from both the internal and external perspective
- Identify and map key network/infrastructure assets on an enterprise wide basis
- Protect company assets, including reputation, from damage or loss
Penetration testing (also known as ethical hacking) mimics the tools and techniques of malicious hackers to attempt to exploit vulnerabilities in critical software systems. The goal of penetration testing is to obtain control of systems and to gain access to sensitive data without being detected. Penetration testing is often conducted in conjunction with vulnerability testing to determine if the potential exposures identified during vulnerability testing are actually exploitable to compromise your systems. Avani's iSaaS team has the experience and expertise to conduct penetration testing to effectively identify and exploit vulnerabilities in a controlled fashion that keeps your sensitive data safe and avoids disruptions to your ongoing operations. In order to ensure protection against insider threats as well as external threats, Avani's penetration testing methodology includes testing from inside the network as well as outside the network. After the results of the penetration testing are documented, Avani iSaaS team works with you to close the identified vulnerabilities to keep your data and your systems safe.
| Assess | |
Remediate | |
Monitor |
|---|
| Identify Scope of Testing | Identify and Classify Vulnerabilities | Monitor vulnerabilities |
| Interview system admins | Investigation of vulnerabilities | Monitor Risks |
| Review of Potential Vulnerabilities (Most Effective When Paired with Vulnerability Testing) | Provide Remediation | Perform Regular Penetration Testing |
Each penetration test begins with information gathering. During the assessment phase, Avani works with the customer to define the scope of the required testing, including number of networks, IP address ranges within each network, subnets, and individual nodes as well as critical systems and data. After the scope has been defined, Avani uses both vulnerability scanning tools and manual analysis to identify security flaws. Once the team is able to obtain unauthorized access, they use various escalation techniques to determine the total potential impact of the vulnerability. To ensure asset safety and system stability, Avani provides customer stakeholders with status updates during each phase of testing. At the conclusion of testing, the Avani team provides the customer with a detailed report identifying the vulnerabilities that were exploited, ranked by severity (based on likelihood of exploitation and potential impact), along with recommendations for addressing the vulnerabilities.
The Avani team works with the customer to implement the recommendations reported during the assessment phase to close the identified vulnerabilities, based on customer defined business priorities and cost/benefit analysis.
Once the remediation phase has been closed, the Avani team makes sure that the identified vulnerabilities have been closed and are no longer a threat. The Avani team also prepares a plan to monitor ongoing risks, including recommendations for a regular schedule of penetration testing to minimize risks and ensure ongoing protection of critical networks, systems, and data.
The security of public-facing web assets remains the primary concern of web asset owners, managers, and developers. Avani's iSaaS team can address your concern about the security of your websites, web applications, and web services through our comprehensive web application security testing methodology. Avani utilizes standard and proprietary tools and techniques to help you identify actual and potential vulnerabilities through a process that includes the review of your web assets for inadvertent misconfiguration, weak authentication protocols, insufficient error handling, sensitive data leakage, etc. The Avani team documents the identified vulnerabilities, ranks them based upon their severity (probability of exploitation and potential impact), and provides a series of recommendations for addressing them. We then work with your stakeholders to remediate the vulnerabilities and to establish a plan to monitor your web assets on an ongoing basis to minimize overall risk to your business.
| Assess | |
Remediate | |
Monitor |
|---|
| Establish Security Perimeter | Create Test Plan | Monitor Vulnerabilities |
| Assess User Profiles | Build Test Scenarios | Monitor Risks |
| Code Review | Provide Remediation |
During the assessment phase, Avani's team reviews the code base, business case, user profiles, and functionality of your web applications. This provides the team with a detailed understanding of the application that helps us to develop a comprehensive test plan that goes beyond standard use cases and enables the team to approach your application as a malicious hacker would. After this initial analysis, the Avani team establishes a security perimeter for all Internet-facing applications hosted or managed by your organization.
- Injection attack
- Broken Authentication and Session Management
- Security Misconfiguration
- Using Components with Known Vulnerabilities
- Cross-Site Request Forgery (CSRF)
- Cross-Site Scripting (XSS)
- Sensitive Data Exposure
- Missing Function Level Access Control
- Unvalidated Redirects and Forwards
- Insecure Direct Object References
To build secure web applications, a holistic approach to application security is required and security must be applied at all three layers
After the security perimeter is established, the Avani team evaluates the security risks facing your perimeter and prepares a test plan designed to address these risks. Some of the risks Avani's team addresses include:
- Injection Attacks
- Broken Authentication and Session Management
- Security Misconfiguration
- Using Components with Known Vulnerabilities
- Cross-Site Request Forgery (CSRF)
- Cross-Site Scripting (XSS)
- Sensitive Data Exposure
- Missing Function Level Access Controls
- Unvalidated Redirects and Forwards
- Insecure Direct Object References
The test plan includes domain and platform based test cases and identifies the tools to be used for testing. Testing will address threats related to user privileges, critical transactions and sensitive data. The test plan may include both white box and black box testing, as required to evaluate potential threats.
White box testing (also called static testing) addresses applications in a non-runtime environment to detect flaws in the software's inputs and outputs that cannot be identified through dynamic web scanning alone. White box testing is most effective at locating the root causes of security vulnerabilities in source code.
Black box testing (also called dynamic testing) helps to identify security issues in applications as they run in the production environment. Black box testing is most effective at identifying vulnerabilities in the application's run-time environment that may be exploited by malicious hackers.
Once the Avani team has executed the test plan, they prepare a report that documents the current security stand of the systems tested and provides recommendations for remediating any identified issues.
Once the remediation phase has been closed, the Avani team prepares a plan to monitor ongoing risks and provides recommendations to proactively address these risks, including secure coding best practices. Frequent web application security testing will help your business to reduce risks, limit vulnerabilities, maintain secure web applications, and meet the requirements of PCI and other regulatory standards.
Secure Your Network, Host, and Application
| Development Phase | Software Security Activity | Savings Associated with Software Security |
|---|---|---|
Requirements |
Security requirements are added just like any other software requirement. | Issues are identified early, and development time and costs can be estimated more accurately. |
Design |
A security expert reviews the design for security issues and recommends mitigations. | Developers receive guidance on how to implement the design securely, decreasing development time. Features that turn out to be too complex and costly to implement correctly are identified and possibly eliminated early, reducing surprises later in the process. |
Construction / Implementation |
Developers use standardized components and libraries. Code is reviewed for security issues. | The use of standardized components decreases development time. Code reviews identify defects early, and mitigations can be applied as code is written. |
Verification |
A runtime test of the product includes specific security tests, possibly penetration testing. | Time to test the application is reduced if many of the issues have already been identified and fixed during development. |
Maintenance |
Modifications to the software are again reviewed for their security impact and use standardized components. | The use of standardized components makes it easier and faster for developers to maintain a project they did not participated in originally. |
Certified ISO 27001:2013 | ISO 9001:2015 Company
