NCC can perform in-depth security assessments of a company’s infrastructure. During the assessment, external as well as internal threats are identified and prioritised. The client will be supplied with mitigation controls that can be implemented to address issues that were discovered.
The results of the assessments done by NCC can also be used for governance and compliance proof when so required by 3rd parties.
The structure and scope of the assessment proposed by NCC is based on current best practice trends in the industry. The security assessment scope is customized to fit with the business needs and the security risk and compliance strategy of the client.
In general security assessments performed by NCC will follow the following framework:
• Phase 1: Planning – Initial negotiation and strategizing for the simulated attacks.
• Phase 2: Discovery – Reconnaissance and identification of target vulnerabilities.
• Phase 3: Informal Internal Reporting – Reflection and analysis on findings, leading to repair work. This phase will include meetings with the IT department.
• Phase 4: Mitigation – Strategize Short and Long Term Vulnerability Mitigation. Mitigation controls to be implemented by the internal IT team.
• Phase 5: Repeat Phase 1,2,3 to test implemented mitigation controls.
• Phase 6: Formal Report and feedback to management.
1. Phase 1: Planning
Formal meeting scheduled between the internal or external assessment team to establish clear, explicit roles and responsibilities for the tests.
The client needs to formally agree and negotiate the scope for the following:
• Network Test Rules.
• Objectives – Which networks, parts thereof, or related systems are being assessed?
• Limits – Are any systems or practices considered “off-limits” for the assessment team?
• Complexity – How deep and advanced of an attack should the team simulate?
• Defence goals – What cybersecurity objectives should inform the test, and how?
2. Phase 2: Discovery
During this state NCC engineers will perform tests (Scan of objects as identified and agreed upon in Phase 1) remotely and on premises. The client will be informed on when the planned intended test will take place. Note that no tests will take place without the formal agreement of the client explicitly allowing NCC to run the tests on the scheduled date and time.
• Objective – Develop a strategy for the network assessment and initiate the vulnerabilities investigation.
• Limits – Devices that are undiscoverable due to be turned off during the assessment.
• Complexity – The aim at this stage is to identify the critical vulnerabilities in the infrastructure. This is a combination of verifying previously identified vulnerabilities (if exist) and monitoring for, detecting, and documenting any new ones.
• Defence goals – the discovery phase may lead to further strategizing, depending on the findings. The Client should account for “known unknowns” when planning.
3. Phase 4: Mitigation
The results of the security assessment tests are checked and verified by senior NCC engineers and management. The results are also discussed with the client. NCC will recommend an implementation strategy and priorities for the implementation of mitigation controls where needed. These recommendations will include short and long term mitigation controls.
4. Repeat Phase 1,2,3
The client will inform NCC when they are ready for a retest after the implementation of the proposed mitigation controls. NCC will repeat phases 1,2 & 3 to retest identified objects and implemented mitigation controls.
5. Phase 6: Formal Report and feedback to management
The results of the security assessment tests are checked and verified by senior NCC engineers and management.
The report will also contain detail on the following:
• Detailed explanation of the implications of the identified vulnerabilities, business impact and potential risks.
• Detailed steps of immediate mitigation controls where applicable.
• Strategic Short and Long Term vulnerability mitigation controls.
This might include implementing or acquiring new cybersecurity systems, or reviewing existing implementations to identify targeted mitigations.
• With respect to compliance objectives, the assessment report might necessitate immediate preventive measures to avoid a costly breach or infraction.
• Assess client’s related IT security policies if it exists and advice accordingly.
6. Executive Summary on Bank specific users
NCC is categorized as an independent provider for IT security assessments.
Detail information and report on the bank specific users will be supplied as proof that your company is compliant as stipulated by Supplier Control Obligations (SCO) for Information & Cyber Security between yourself and the banks.
7. Overall assessment of risk