Information Security Management

Today there is no company whose infrastructure is not based on TIC systems.

The growing need for companies to guarantee the security of the information they handle is a challenge when it comes to guaranteeing the integrity, confidentiality and availability of such data.

Inprosec uses the ISO 27001 standard as a reference for carrying out the audit of the information assets of its clients. The results of the audit allow to know the existing risks and define action plans to correct them.

Fully aware and involved with its area of expertise, Information Security Management, Inprosec is certified in ISO 27001: 2016.

Through a Director Plan, our team carries out the comprehensive advice, maintenance and improvement of the Security Management of a company on an ongoing basis during the provision of the service.

During this period, the existing security levels are maintained, improvable aspects of the company are identified and the lines of action (actions, projects and / or services) that can increase the security level of the company are defined. In addition, Inprosec takes into consideration the solution implementing costs, always offering the company the option which best meet its needs at minimum costs.

The duration of these services is around a year, during which Inprosec takes an active role in defining priorities, goals and objectives and achieving them.

The Business Continuity Plan of a company consists of several contingency plans (IT, human resources, physical facilities, …). Inprosec offers the development of a complete Continuity Plan or focus on those contingency plans that the company considers a top priority to ensure the continuity of its business processes facing any type of incident.

As an initial step of this type of project, it is always necessary to carry out the BIA, which comes from the acronym Business Impact Analysis, and allows the company to identify the main dependencies of its business processes. Taking these results as a reference, the technical, human and organizational actions which are necessary to guarantee the continuity of the business and operations of a company will be defined.

Did you know that between 80-90% of companies without a continuity plan do not outlast a disaster?

The definition of a regulatory framework includes the elaboration of the company policies, regulation and procedures and any other document that is used as a frame of reference within the company. It also establishing the security measures applicable to the company’s information system, establishing ways of process the information and delimiting user´s rights obligations regarding the use of corporate technology. The main purpose of the company policy framework is to manage the risks that the organization faces up, allowing to take the accurate measures to mitigate the risks.

The company framework of Information Security is usually based on the international standard ISO 27001 and its good practices defined in ISO 27002.

Both, in the Spanish and international legislation, there are different laws such as LOPD, ENS, PCI-DSS, GDPR, which represent good practices or, in some cases, depending on the type of company we are, their compliance is mandatory.

Our consultants and collaborators are specialized in each of these regulations, which ensures our helping to clients in its compliance, through a high standard adaptation process.

The constant evolution of the regulations that apply to new technologies means a challenge for companies which need to ensure its constant adaptation to them. Inprosec can assist your company to achieve the fulfilment of the legal requirements.

The penetration test is an auditing method which is carried out in order to check your systems resistance level to intruders (“hacking”).

It can be:

• • • Black box: The client gives no information at all about the system which is going to be audited.
    • White box: The client provides us with source codes, administrator accesses and all the information available.

Web applications are increasingly present and have greater complexity and importance within companies.

This implies a growing threat, since a web platform uses a multitude of technologies that are not free of risks.

Through OWASP methodologies, a platform analysis is carried out, checking technical vulnerabilities, such as  SQL code injection, Public Exploits, systems management, information discovery, Cross Site Scripting (XSS), etc., as well as the identification of vulnerabilities based on an inappropriate functional design.

There seems to be a widespread agreement on the fact that the weakest link in a security chain is the human component. However, the vast majority of companies do not actively work on this issue.

Whether you want to test the reliability of your employees, the effectiveness of the training given, or just want to have a real sample of the impact that would cause a crypto-locker virus on your system, the best way to find it out is to perform a Social Engineering attack or a Phishing test.

This service, which can be customize to client specifications, provides a lot of information about the current situation, and train users directly so as not to fall into these increasingly common traps.

Smartphones, tablets, APPs … As time goes by, there are more mobile components which are used on a daily basis.

Usually, this kind of mobile devices are not given the attention they require in terms of security. Inprosec analyzes both, the target applications and the web services they attack.

The configurations of business devices, policies or MDM can also be reviewed.

Wireless networks are as comfortable as dangerous, since they extend the capability of a local attack up to kilometers away.

This, and the greater specialization of the hacking tools, have increased the difficulty in finding secure setups for WiFi networks, so as business security is increasingly threatened due to those vulnerabilities.

Inprosec can perform penetration test to Wifi networks, where the weaknesses existing in the standard WiFi algorithms are searched, and, also attempts to penetrate or weaken the wireless system of the company are made.