OIC Solutions' key services offered to clients are:
If you are a startup dreaming about winning multi-national Blue Chip clients as customers, be aware that Blue Chip clients have extensive due diligence processes to satisfy before accepting you as a supplier of services to them. You will need either one or two of our services depending on your business model.
If your business model involves holding or storing any level of corporate information regardless of its data classification (public, private or confidential) and your main product is a web application, you will need both comprehensive IT Security Policies and a comprehensive Web Application Security Assessment Report. If you cannot email these documents to your clients when they ask, you are not going to win their business.
If your business model involves holding or storing any level of corporate information regardless of its data classification (public, private or confidential) but your product is not a Web Application, you will only need comprehensive IT Security Policies in place to start to satisfy Blue Chip level due diligence standards.
Information about IT Security Policies is available here.
If your business model involves obtaining any kind of Licence, such as an FCA Trading licence or a licence to supply services to the public, you will require at a minimum comprehensive IT Security Policies as part of the application process.
Information about IT Security Policies is available here.
Technical Security Testing
This service is designed for web applications that are built using common open source software such as WordPress, Prestashop, Joomla or Magento. These sites could also have additional bespoke development.
Web Application Security Analysis includes a written report that caters both to technical vulnerability issues and plain English business context implications. This can be followed by an online video discussion about the testing process, results and security advice.
The testing ratio is 40% manual and 60% automated.
At this level we are only searching for the “low hanging fruit”.
Specific information about costs, time scales and specific tests of Option 1 testing are available here.
Web Application Security Testing includes a written report that caters both to technical vulnerability issues and plain English business context implications. This can be followed by an online video discussion about the testing process, results and security advice.
With Option 2 we offer two testing framework choices.
Option 2.1 is the “classic” OWASP Top 10 and SANS Top 25 testing framework, comprised of 144 individual tests. Option 2.2 is the “cutting edge” Level 1 Application Security Verification Standard (ASVS) V4.0 testing framework, comprised of 133 individual tests.
The ASVS V4.0 represents the “cutting edge” of testing frameworks. V1.0 was released in 2008 and V4.0 was released in March 2019. Its suitability for the assessment of your web application is not guaranteed, and the “classic” testing framework may in fact be a better choice.
Both testing frameworks employ a cyclical methodology of Testing – Remediation – Retesting. If weaknesses or vulnerabilities exist, they should be identified using either of these frameworks.
If during testing we identify a serious issue we will inform you immediately and not sit on the findings until we publish the report.
The testing ratio is 75% manual and 25% automated.
You can read more specific information about the option 2 testing process on our Web Application Security Testing page.
It is a recommended best practice to commission an Option 1 or Option 2 Security Assessment on an annual basis, regardless of whether you have made any deliberate changes.
Even though you may not have implemented changes in the previous 12 months, new vulnerabilities and exploits will have been discovered and will be in the wild. Additionally, a Security Assessment should be performed on demand after any large scale infrastructure change, release or implementation of new software, or post cloud migration.
You have to bear in mind that any testing is a point-in-time snapshot. Things change: new vulnerabilities are discovered, new exploits are developed, new components are added and may be misconfigured, so regular testing is required and justified.
We can assess the security of publicly accessible IP Addresses.
This could include email servers (mx, smtp), Virtual Private Servers (VPS), login pages to Control Panels, Intranets, Portals, Outlook Web Access (OWA), Remote Desktop Portals (RDP), Virtual Private Networks (VPN) as well as Routers & Databases.
We can check their security and identify any vulnerabilities before malicious hackers do.
We never disclose testing results to third parties.
Cyber Security Consultancy Services could include advice on strengthening your security posture or undertaking a Risk Assessment which aims to help you identify your true assets and the associated risks to them.
We can create bespoke comprehensive IT Security policies that you may need in order to satisfy prospective new clients' due diligence, GDPR compliance or FCA Licencing requirements.
Some companies are aware of the UK Government Cyber Security Essentials Scheme and would like to become accredited but don’t know where to start. OIC Solutions can guide and support you through the process. For more information see our page here.
Other services provided include cloud based infrastructure review and Best Practice advice for Microsoft Azure or Amazon Web Services. If you are considering moving some or all infrastructure to the Cloud, we can offer you advice on the Security Best Practices.
Post Hack / Security Incident Investigation, and process reviews for Compliance purposes with onsite training of staff, in order to satisfy Compliance concerns raised by organisations such as the FCA.
Crash course Cyber Self Defence Courses for staff. These educate without overwhelming staff, and provide them with real world Cyber Streetwise skills, crib sheets and web site pages for your Intranet that users can turn to in the first instance for guidance if something happens or suspicions are raised.
Any other Cyber Security issue, be it technical or non-technical that you have and need considered advice about.