
IT Governance Helps Combat Cyberthreats With New Penetration Testing Service

Press Releases - 17th February 2010

Ely, England, 17 February, 2010 – IT Governance (ITG), the one-stop shop for compliance expertise, is broadening its range of services for companies that take information security seriously.

Cybercriminals target Internet Protocol (IP) addresses, web applications, firewalls, network devices, hardware and software. All Internet-facing networks and resources are subject to automated, malicious probing and, once a vulnerability is detected, its exploitation is usually automated as well. No organisation is immune. A security breach of this nature, and the resulting theft of data (personal or commercially confidential) or other business interruption, exposes an organisation to commercial and compliance penalties that can be significant.

The new IT Governance ‘penetration testing’ service examines and tests the technical security measures an organisation has in place to protect its networks and applications.

Effective penetration testing, often known as ‘pen testing’, simulates a malicious attack, using a carefully planned combination of methods and tools to mimic the range of possible attacks. Instead of completing the attack, however, ITG pentesters document each vulnerability found and recommend steps to reduce the risk. The resulting findings form the basis of a remediation programme.

Alan Calder, Chief Executive of IT Governance, says: “In a world where attacks on networks and applications are growing in number at an exponential rate, effective pen testing is the only way of establishing true security. The penalties incurred by organisations failing to defend against such attacks are becoming ever steeper.

“Client demand drove us to launch our ITG Security Testing service. More and more of our ISO27001 consultancy customers have recognised the need for security testing to be part of their initial security plan, as well as their longer term security maintenance. They want a pen testing service that can be integrated into the range of consultancy services they are already using, and also one which is delivered by a reputable and ISO27001-certificated company, such as IT Governance.

“Compliance requirements also increasingly recognise that penetration testing should form part of ongoing security activity in all organisations. Department for Work and Pensions (DWP) contracts, for instance, look for suppliers to achieve ISO27001 certification, as well as to carry out an initial penetration test, and then to maintain an acceptable level of technical information security. We are not just looking to provide short-term analysis and remediation, therefore. We want to support organisations in the long term with a comprehensive suite of security services, ensuring their information assets continue to be protected from today’s evolving information security threats.”

The pen testing portfolio of services offered by ITG Security Testing includes:

  • external testing, to assess the effectiveness of Internet-facing security controls;
  • internal testing, to assess the effectiveness of system-level security controls, including assessing compliance with ISO27001 technical security requirements;
  • website security testing, to assess the vulnerability of websites – in areas including e-commerce – to attacks, disruption and poisoning; and
  • annual scanning contracts, to regularly review the current strength of an organisation’s IT technical security controls in the light of the latest threats and vulnerabilities; a vital process given how rapidly these factors change and develop.

ITG Security Testing only deploys trained, certificated and experienced security testers, who are screened through extensive background checks and regular ongoing internal checks. These processes ensure all testing is carried out by ethical and client-focused experts.

Calder continues: “Initially, we will talk to companies and organisations by telephone to establish a basic understanding of their current security standards, as well as the overall business and security objectives. We’ll then issue a full security testing proposal, customised on a company-by-company basis. Ultimately, we want to produce results on which a business can build and move forward.

“Our security testing service is delivered in line with the best practice Open Source Security Testing Methodology Manual (OSSTMM) for performing security tests and metrics.”

The OSSTMM methodology has been developed and published by the Institute for Security and Open Methodologies (ISECOM). Its objective is to produce accurate reports and metrics by ensuring that security testing is carried out through a structured, effective and technically appropriate process.

Full details of the IT Governance penetration testing service, including an extensive ‘frequently asked questions’ document, can be found at: