www.mojou.co.uk/ Putting the Mojo into business through Technology

MoJoU presentation




Stage 1: Discovery

Discovery Write up

360 degree support

Stakeholder understanding

Desktop, Device, and Server Management
• How many devices are in use and what software versions are present?
• Are standard builds in use?
• Is there Endpoint Protection in use?
• How are security and vendor patches tracked and implemented?
• What kind of device encryption is in place?
• Is 'BYOD' allowed, and how is it managed?
• What kind of virtualisation technologies are in use?

Identity & Access Management
• How are users and devices authenticated to the network?
• Is there a single directory service or are there multiple directory services in use, and what products and version levels are used?
• How are controls between general users and administrative access divided?
• How are external customers, partners and clients given access?

Security & Networking
• What kind of firewalls, proxy servers, routers and other security and networking access devices are in use, and what versions are they currently at?
• How is network access controlled? This includes looking at VLANs, VPNs (traditional and SSL), wireless access and multi-factor authentication.
• Is the network monitored for critical issues? IDS, IPS, SNMP, log monitoring etc.
• What monitoring and control is in place for internet access and bandwidth, and what content filtering (email, web, IM, FTP, etc.) is used?
• Is an internal PKI in use, and how is it used, protected and monitored?

Data Protection and Recovery
• The methods for data protection, such as backups and recovery, will be analysed.

IT and Security Process (this part of the review is optional and depends on the organisation type)
• Which regulations and control frameworks is the organisation subject to, such as Sarbanes-Oxley (SOX), Basel II, PCI DSS and the ISO 27000 series (27001, 27002)?
• Provisioning and change management systems.
• Incident response.

Enterprise Content Management (this can be customised to each environment)
• How is data controlled?
• What kind of monitoring of data access is in place?

Stage 2: Write up

Post Discovery Written Review
A full written report of findings will be produced. This report includes, but is not limited to:

Overview
For each area, classifying the protection and suitability of systems as:
• Needs urgent review/updating.
• Needs short term review.
• Meets or exceeds requirements.

People and Processes
• Analysis of security education procedures for system users.
• Evaluation of the user as an Information Security stakeholder.
• How are company resources provisioned to users?
• How is change management dealt with?
• Organisational security policy, procedures and guidelines.
• System configuration baselines and guidelines.
• Incident detection processes.
• Security incident response procedures.

Recommendations
This looks at the environment as a whole. In a similar way to the overview, it includes a prioritised list of recommendations for the organisation to ensure that it stays on top of security and infrastructure.

Common recommendations may include:
• Consolidation and upgrading of firewalls. This often cuts costs and adds protection.
• Use of additional features in existing products.
• Changes to the processes and controls in place.
• Desktop and server upgrades.

Stage 3: Stakeholder Review & Planning
• In a similar way to the discovery phase, meetings will be held with key business stakeholders and team leaders. From this work a vendor-neutral plan to implement the agreed upgrades and changes will be put in place.
• This work will vary from internal changes, assisting with and managing the changes, to recommending specific external vendors. We can also project manage these changes on your behalf.
• MoJoU strongly recommends an independent third-party Architecture & Infrastructure review to enable you to fully understand, audit and document your security posture.
• Our trained consultants will work with you to agree the methodology best suited to producing meaningful results.

MoJoU
• Vulnerability Assessment of your desktops, servers and infrastructure
• Penetration Testing of all your internal and external web applications
• Architecture & Infrastructure Review with recommendation and remediation
• Source Code Review
• PCI DSS
• Forensic Analysis
• Business Continuity, Brand Protection
• Continuous IT Security Improvement Programmes
• Education & Training / Learning & Development
• Social Engineering

MoJoU
• IT Security Review of Policies & Procedures, Planning, Risk Assessment and Mitigation
• SIEM 2 – Event & Log Management
• GDPR Review and Implementation
• ISMS / Governance, Risk & Compliance
• Incident Response & Incident Management, Proactive Threat Protection
• Privileged User Management, Traceability, Access Control
• Privileged Identity Management & Password Protection
• Advanced Threat Protection, Application Whitelisting, Endpoint Protection

PCI DSS Overview
• The PCI Data Security Standard applies to all entities that store, process or transmit credit or debit card data: they must be compliant with PCI DSS.
• Sensitive authentication data (CAV2/CVV2/CVC2/CID) must not be stored after authorisation, whether encrypted or not.
• Cardholder data such as the Primary Account Number (PAN) may only be stored if it is rendered unreadable wherever it is kept (for example by strong encryption, truncation or tokenisation), with a full audit trail of access to it.
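The storage rules above can be enforced mechanically at the point where captured card details are about to be written down. The following is an added example in Python, not MoJoU's code or part of the original slides: an intake gate that rejects any record still carrying sensitive authentication data, checks the PAN is well-formed, and keeps only a masked display form plus a keyed hash of the PAN (one of the "render unreadable" methods PCI DSS permits; it is used here instead of reversible encryption so that the example needs no key management). The field names, the in-memory HMAC key and the sample records are assumptions constructed for the example; the PANs are the publicly documented test numbers.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass

# Sensitive authentication data (SAD): must never be kept after authorisation,
# encrypted or not. Field names are assumed for this example.
SAD_FIELDS = {"cvv2", "cvc2", "cav2", "cid", "track1", "track2", "pin", "pin_block"}

# Key for the keyed hash of the PAN. Assumed to come from an HSM/KMS in a real
# deployment; generated at import time here so the example runs offline.
PAN_HMAC_KEY = secrets.token_bytes(32)


def luhn_valid(pan: str) -> bool:
    """Luhn check digit, used to reject mistyped PANs before anything is stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalise_pan(raw: str) -> str:
    """Strip spaces/dashes and require 13-19 digits with a valid Luhn digit."""
    pan = re.sub(r"[\s-]", "", raw)
    if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return pan


def mask_pan(pan: str) -> str:
    """Display form for agent screens: all but the last four digits replaced,
    grouped in fours (PCI DSS allows at most first six / last four on display)."""
    masked = "*" * (len(pan) - 4) + pan[-4:]
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))


def pan_reference(pan: str) -> str:
    """Keyed hash (HMAC-SHA256) of the PAN so a card can be matched again
    without storing the PAN. An unkeyed hash would be brute-forceable: the
    PAN space is small and the Luhn digit shrinks it further."""
    return hmac.new(PAN_HMAC_KEY, pan.encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class StoredCard:
    pan_ref: str     # keyed hash, not the PAN
    masked_pan: str  # what an agent is allowed to see
    expiry: str      # expiry date is cardholder data but not SAD


def sanitise_for_storage(record: dict) -> StoredCard:
    """Gate a captured record before it reaches persistent storage.
    Raises on SAD rather than silently dropping it, so the upstream capture
    has to be fixed instead of quietly writing SAD to a log somewhere."""
    present = SAD_FIELDS & {k.lower() for k in record}
    if present:
        raise ValueError(
            f"refusing to store sensitive authentication data: {sorted(present)}")
    pan = normalise_pan(record["pan"])
    return StoredCard(pan_reference(pan), mask_pan(pan), record.get("expiry", ""))


def process_batch(records):
    """Run records through the gate; returns (stored cards, rejection reasons)."""
    stored, rejected = [], []
    for rec in records:
        try:
            stored.append(sanitise_for_storage(rec))
        except ValueError as exc:
            rejected.append(str(exc))
    return stored, rejected


# Constructed sample intake: a clean record, one still carrying CVV2 and one
# with a mistyped PAN.
SAMPLE_RECORDS = [
    {"pan": "4111 1111 1111 1111", "expiry": "12/27"},
    {"pan": "5555 5555 5555 4444", "expiry": "03/28", "cvv2": "123"},
    {"pan": "4111 1111 1111 1112", "expiry": "01/29"},
]

if __name__ == "__main__":
    stored, rejected = process_batch(SAMPLE_RECORDS)
    for card in stored:
        print("stored  ", card)
    for reason in rejected:
        print("rejected", reason)
```

Run as a script, the first record is stored as a masked PAN and a keyed hash, the second is refused because a CVV2 is present, and the third is refused because its PAN fails the Luhn check. The audit trail the slide mentions is the one piece this gate does not provide: log every call to the stored representation separately, in whatever logging system the environment already has.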

PCI DSS Overview: approaches to taking card details over the phone

End-to-End Media Encryption
• Complies with security standards and regulations, but does not cover CVV2 capture and storage.

Pause and Resume (manual or automated)
Manual:
• Reliant on agent intervention.
• Open to abuse.
Automated:
• Can be difficult to scope and implement.
• FCA compliance implications: a broken call.
• Agents are exposed to sensitive information.
• Information is stored at agent desktop level.


"For every happy member of sales staff I have, I am likely to sell twice as much; they love the brand and our ethos that values them."

Director, AO.com

[Diagram: Customer and Agent; the agent's screen shows only the masked card number **** **** 1307]


GDPR – General Data Protection Regulation
• A regulation rather than a directive: it applies directly in every member state without national implementing legislation.
• It applies to anyone who stores or processes personal data, so the first question is what counts as personal data and what does not.
• Personal data includes indirect identifiers: pieces of information that allow a profile of an individual to be built, such as an IP address or other online identifiers (device IDs/UDIDs).
• Service providers (processors) have direct obligations of their own, not only the data controller.
• You have to keep records of how you protect data and of the processing you carry out. This record-keeping is mandatory for organisations with 250 or more employees, and for smaller ones whose processing is not occasional, is likely to put individuals at risk, or involves special-category data.
• You can no longer charge individuals for access to their own data, other than a reasonable fee for manifestly unfounded or excessive requests.
• Data breach: the regulator must be notified within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals.
• Where the breach is likely to result in a high risk to them, the affected individuals must also be notified without undue delay.


Email: [email protected]

Phone: 01932 508844

Address: White House, 17 Plover Close, Fareham, PO14 3PX