Methodology and Standard

Area of Intervention

The intervention requested will focus on the technology structure used by the Client, namely:

  • the computer system
  • internal and external infrastructure
  • networks
  • hardware/software devices
  • web applications used by the Client

Methodology

The INSIDE Cyber Security Division has a group of experts specialised in the field, with a series of internationally accredited certifications.

Specifically, it carries out its professional activity in strict compliance with the following regulatory references:

  • ISO/IEC 19011:2003 - Guidelines for quality and/or environmental management
  • ISO/IEC 20000-1:2005 - Service management - Part 1: Specification
  • ISO/IEC 27002:2005 - Code of practice for information security management
  • ISO/IEC 27004:2009 - Information security management - Measurement
  • ISO/IEC 27005:2008 - Information security risk management
  • BS25999-2:2007 - Business continuity management - Specification
  • COBIT v4.1 - Control Objectives for Information and related Technologies
  • OSSTMM v3 - Open Source Security Testing Methodology Manual
  • OWASP Testing Guide v3 - Open Web application Security Project Testing Guide
  • CC v3.1 - Common Criteria
  • CEM v3.1 - Common Methodology for Information Technology Security Evaluation
  • ITIL v3 - Information Technology Infrastructure Library
  • PCI-DSS v2.0 - Payment Card Industry Data Security Standard
  • Basel II - International Convergence of Capital Measurement and Capital Standards
  • SOX of 2002 - Public Company Accounting Reform and Investor Protection Act
  • D. Lgs. 231/2001 - Rules on the administrative liability of legal persons, companies and associations, including those without legal personality
  • D. Lgs. 196/2003 - Personal Data Protection Code
  • D. Lgs. 262/2005 - Protection of savings and regulation of the financial markets
  • D. Lgs. 81/2008 - Protection of health and safety in the workplace

Methodological References

OSSTMM

The OSSTMM (Open Source Security Testing Methodology Manual) is a certification provided by ISECOM (the Institute for Security and Open Methodologies), an international community for research and collaboration on security, established in January 2001.

It is a peer-reviewed methodological approach used in the field of computer security systems and is based on performing security tests and analysis on infrastructure and IT assets to arrive at verified facts; these facts provide useful information in measurable terms for the improvement of operational security.

The use of the OSSTMM standard, in compliance with relevant regulations, allows the achievement of consistent and repeatable results, providing an understanding of the countermeasures to be implemented, the extent to which the system is exposed to possible attacks, and therefore how to achieve maximum security.

OWASP

The OWASP Testing Guide is a framework for testing the security of applications and network infrastructure developed by OWASP (The Open Web Application Security Project), a non-profit foundation whose activities are centred on the production of resources, articles and material related to information security issues.

OWASP has compiled a classification of the security threats considered most critical:

  • SQL Injection
  • Broken Authentication and Session Management
  • Cross Site Scripting
  • Insecure Direct Object Reference
  • Security Misconfiguration
  • Sensitive Data Exposure
  • Missing Function Level Access Control
  • Cross Site Request Forgery
  • Using Components with Known Vulnerabilities
  • Unvalidated Redirects and Forwards