SECURITY SERVICES
Continuous Delivery
Architecture
DBAccess has a proven model for security services, ensuring safe operations and minimizing the likelihood of vulnerabilities for our customer applications and operational environments.
Our methodology for security services is a result of the experience we have in the following standards:
- ISO 27001-2
- SOC-2 Types 1 and 2
- ISO 15408
- NIST Recommendations
- FIPS Recommendations
- CIS Recommendations
SECURITY GOVERNANCE LIFECYCLE
The major stones for our security services is mainly focused to the following tracks:
Risks Analysis
At any time, this service can help to identify what are the risks, understanding the operational context and threat landscape, based in the following practices:
- Red-team meetings with technical & management teams.
- Risk profile analysis, including top priorities provided by the customer
- The risk statement is established considering the likelihood and impact to the business.
- The risk priority takes into account:
- Likelihood of threat
- Likelihood of success
- Scale of impact
- Severity/priority per risk and ordered list of risk (worst to least)
Gap Analysis
We review the current state of security posture against risks, international industry requirements and recommendations, performing the following:
- Evaluate architecture. (from the security point of view)
- Evaluate mapping between security controls and risks.
- Review access control scheme.
- Review hardening and updating policies.
- Review user management policies.
- Review change control policies.
- Compile security architecture and control information
- Compile policy and operations information
- Deploy light-weight software agents (visibility into platform)
- Check for vulnerabilities, weak points, anomalies in operations
- Comparison to best practices
Platform Hardening
Based on the results of the Gap Analysis we recommend remediation actions after discuss the results with the customer, so we can implement improvements such as:
- Improve controls for high impact risks: reconfigure, activate functionality, add controls, test effectiveness., by doing this kind of actions:
- S. configurations that increase system security.
- Minimalist service posture and reconfigurations.
- Secure configuration for communication protocol parameters.
- Improvements in user management.
- Feasible modifications in architectural security.
- Improve operation and control policies.
- Advise on hardening actions and priorities.
- Review resulting state of hardening measures.
- Service report describing:
- Recommendations carried out, organized by impact.
- Recommendations pending.
- Technical procedures implemented.
- Review hardening results against risks.
- Short to medium term recommendations and security projects.