Our IT System Security offer:
Our company, @CTIS-Ingénierie, has developed genuine know-how and many references in IT system security, relying on a recognised methodology and patented tools (MARI@), and on a normative reference frame covering both the ISO and ITIL security standards.

Our experts, including Pierre SAGNIERES, head of Consulting and IT Security at @CTIS-Ingénierie, also take part in round-table conferences and write articles on the topic, in addition to their consulting and audit missions:

Our missions around IT system security are as follows:

Definition of the IT system security policy:

A security policy is a set of strategic elements, directives, procedures, management rules, and organisational and technical rules, formalised in an applicable document, whose objective is to protect the organisation's IT system(s).

Building a security policy is a long-term project aimed at implementing security that is adapted to actual usage, economically viable and compliant with legislation.

Above all, the company has to assess internal and external risks, as well as the typology of its IT system, and the security must respect the specificity of each type of communication. First of all, it is necessary to answer these three questions:
  1. What must I protect first? What are my information assets?
  2. Which risks do I run (external, internal)?
  3. Which factors may worsen those risks?
Complete security audits of IT systems:
  1. Exploration of the system, in order to collect information about it: machines, operating systems, IP addresses, low-level software, application software, versions, parameter settings, ... using network scanners such as Look@Lan and system utilities.
  2. Vulnerability tests: targeting of IT system components and description of the vulnerabilities: security holes, parameter settings allowing possible entry points, ... using vulnerability scanners such as Nessus, ATK, Tenable, ...
  3. Virus analysis of workstations and media: analysis using several antivirus products on the customer's computers, master images, on-line services, ...
  4. Intrusion tests: use of the identified vulnerabilities to obtain private information that could be used to carry out threats (non-destructive by default, destructive only on explicit request).
  5. Drafting of a report: vulnerability results, antivirus results, intrusion results, classification of the vulnerabilities according to their consequences for the organisation, proposed technical and organisational solutions, action plan, cost analysis, assistance, ...
Studies related to the security of the company and its IT system:
  1. Security policy and user security charter
  2. Risk / potentiality studies (risk analysis in the MEHARI sense)
  3. System vulnerability studies
  4. Strategic Security Plan (PSS)
  5. Operational Security Plan (POS)
  6. Company Operational Plan (POE)
  7. ...
Definition of action plans and of business continuity in case of disaster

Control of and assistance with conformity to the ISO security standards (ISO 27001, ...): our consultants assist companies in implementing the ISO 17799 (best practices) and BS 7799-2 (recently replaced by ISO 27001) reference frames.

Methodological expertise in applying the ITIL (IT Infrastructure Library) and CMM (Capability Maturity Model Integration) standards: ITIL contains a "Security Management" process describing in particular the best practices for IT system security.

Finally, to be effective in this type of service, we rely on:

A methodological approach, using the concepts of an adapted and recognised method such as CLUSIF's MEHARI, fitted to our customers' context: basic concepts, analytical and global approaches, ...

A normative reference frame, as proposed by the ISO standards, for security management (ISO 13335) but also for the good practices of the various subsystems that make up security (ISO 17799, MEDEF good practices, all the security services described in ITIL, ...):
- Structural: security policy, organisation, assets, ...
- Static: security related to staff, physical security, logical security, ...
- Dynamic: development, maintenance, business continuity, ...

A tool for quantifying and reporting the levels of security, vulnerabilities and risks, in order to have precise measurements and indicators (the MARI@ tool patented by @CTIS-Ingénierie),

Sound experience in project management, based on the COPR@ method (COntrol of PRoject @CTIS-Ingénierie), to manage the implementation of "white box" and "black box" intrusion tests on production networks.

@CTIS-Ingénierie aims to be pragmatic and uses the following security reference frame:

ITIL = Information Technology Infrastructure Library.

The IT system (internal or external) of a company can be assessed against the new international reference frame dedicated to the management of IT service departments, named ITIL.

Globally, ITIL describes all the services that an IT services department can provide, in the form of good practices gathered into processes.
MARI@ = Method of Analysis of the IT RIsks of @CTIS-Ingénierie.

It is a specific audit methodology that estimates the level of security (the risks) of the company under study through questionnaires on precise fields, and produces indicators on various topics concerning the company's security.

The level of security is evaluated according to 27 standardized indicators, divided into 6 broad topics.

Each indicator is scored from 0 to 4, level 3 being the level to reach to ensure security considered correct for the company studied.

Following this analysis, a more detailed risk analysis is carried out in order to identify more precisely the risks (threats and vulnerabilities) that weigh on the company.

A graphic representation of the scored indicators enables fast exploitation of the results and the identification of the Major Risks (MR) to be dealt with first and of the Simple Risks (SR) with less impact.
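As an added illustration (not @CTIS-Ingénierie's MARI@ tool, whose questionnaires and rules are not on this page), the following Python models the scale described above: 27 indicators in 6 topics, each scored 0 to 4, with level 3 as the target. The topic and indicator names, the sample scores and the rule that splits MR from SR by the size of the shortfall are assumptions of this example.

```python
from typing import Dict, List, Tuple

TARGET_LEVEL = 3          # level to reach for security "considered correct"
MAX_LEVEL = 4             # indicators are scored 0..4
EXPECTED_TOPICS = 6
EXPECTED_INDICATORS = 27

Scores = Dict[str, Dict[str, int]]   # topic -> indicator -> level

def validate(scores: Scores) -> None:
    """Reject a questionnaire that does not match the 6-topic / 27-indicator layout or the 0..4 scale."""
    topics = len(scores)
    indicators = sum(len(v) for v in scores.values())
    if topics != EXPECTED_TOPICS or indicators != EXPECTED_INDICATORS:
        raise ValueError(f"expected {EXPECTED_TOPICS} topics / {EXPECTED_INDICATORS} "
                         f"indicators, got {topics}/{indicators}")
    for topic, inds in scores.items():
        for name, level in inds.items():
            if not isinstance(level, int) or not 0 <= level <= MAX_LEVEL:
                raise ValueError(f"{topic}/{name}: level {level!r} outside 0..{MAX_LEVEL}")

def is_valid(scores: Scores) -> bool:
    try:
        validate(scores)
        return True
    except ValueError:
        return False

def topic_levels(scores: Scores) -> Dict[str, float]:
    """Average level per topic: the data a per-topic chart of the results would plot."""
    return {t: round(sum(v.values()) / len(v), 2) for t, v in scores.items()}

def prioritised_gaps(scores: Scores, major_gap: int = 2) -> List[Tuple[str, str, int, str]]:
    """Indicators below target, largest shortfall first.
    Assumed rule: a shortfall of >= major_gap levels is a Major Risk (MR), otherwise a Simple Risk (SR)."""
    rows = []
    for topic, inds in scores.items():
        for name, level in inds.items():
            gap = TARGET_LEVEL - level
            if gap > 0:
                rows.append((topic, name, gap, "MR" if gap >= major_gap else "SR"))
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))

# Constructed sample: 6 topics holding 5+5+5+4+4+4 = 27 indicators, all at level 3
# except three weak ones (the indicator names are placeholders, not MARI@'s).
SAMPLE: Scores = {f"T{t}": {f"T{t}.I{i}": 3 for i in range(1, n + 1)}
                  for t, n in zip(range(1, 7), (5, 5, 5, 4, 4, 4))}
SAMPLE["T2"]["T2.I3"] = 1   # constructed: e.g. untested continuity plan
SAMPLE["T5"]["T5.I1"] = 0   # constructed: e.g. no physical access control
SAMPLE["T6"]["T6.I2"] = 2   # constructed: e.g. patching present but late

if __name__ == "__main__":
    validate(SAMPLE)
    print(topic_levels(SAMPLE))
    for row in prioritised_gaps(SAMPLE):
        print(row)
```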
MEHARI = Harmonized MEthod of Analysis of RIsks.


Developed by the CLUSIF METHODS committee, this method, through a rigorous analysis and a quantitative evaluation of the risk factors adapted to each situation, makes it possible to reconcile the company's strategic objectives and new operating modes with a security policy that keeps risks at an agreed level.


CLUSIF : Club of the Security of French IT Systems
30, rue Pierre Sémard - 75009 Paris
Copyright @CTIS-Ingenierie - TSB - 04/2006