4ET Cybersecurity
07/31/2023
Understanding the different types of common cyber attacks that can occur across the OSI layers is essential for implementing robust security measures. It is crucial to adopt a multi-layered security approach that includes prevention, detection, and response mechanisms running in parallel.
12/06/2020
Third-Party Risk Management (TPRM). Third-Party Risk Management includes all the processes of evaluating suppliers, partners, and vendors to ensure they meet certain requirements. What is TPRM? TPRM is an assessment of the risk introduced by a firm's third-party relationships along the whole supply chain. It involves identifyi...
11/30/2020
What is DNS Hijacking and how to avoid it. DNS hijacking manipulates the DNS transaction so that users are unaware of which servers they are actually using during an internet session. It is a malicious exploit where a user is redirected to the wrong server(s) with the help of a rogue DNS server. DNS Hijacking, also named DNS redirection, is a type of att...
09/19/2020
Frameworks > IT Security
We provide security assessments based on the following acceptable frameworks and standards:
* ISO/IEC 27000
This international standard provides a series of best practices to help organizations improve their information security.
- ISO/IEC 27001 is a key element of the series. It explains the best practices in information security and is the only element in the series that organizations can be audited and certified against.
- ISO/IEC 27002 is a supplementary standard that discusses the information security controls organizations might choose to implement.
- ISO/IEC 27017 and ISO/IEC 27018 are supplementary standards explaining how organizations should protect sensitive information in the Cloud. ISO 27017 is a code of practice, providing extra information about how to apply security controls to information stored in the Cloud. ISO 27018 works in essentially the same way but with extra consideration for personal data.
- ISO 27701 is another supplementary standard covering what organizations need to do when implementing a PIMS (Privacy Information Management System).
* NIST Special Publication 800-53
Although the NIST Special Publication 800 series is not specifically an information security framework, other frameworks have evolved from the NIST SP 800-53 model. Even though it is specific to U.S. government agencies, the NIST framework could be applied in any other industry and should not be overlooked by companies looking to build an information security program.
* The NIST Cybersecurity Framework
The NIST Cybersecurity Framework for Improving Critical Infrastructure is yet another framework option from NIST. It differs from the other NIST frameworks in that it focuses on risk analysis and risk management. The security controls included in this framework are organized around the defined phases of risk management: identify, protect, detect, respond and recover. These phases require the involvement of management, which is key to the success of any information security program. This structured process allows the NIST Cybersecurity Framework to be useful to a wider set of organizations with varying types of security requirements.
* CIS Controls (formerly the SANS Top 20)
The CIS Controls sit at the opposite end of the spectrum from the NIST Cybersecurity Framework. This framework is a long list of technical controls and best-practice configurations that can be applied to any environment. It does not address risk analysis or risk management as the NIST Cybersecurity Framework does; it is solely focused on hardening technical infrastructure to reduce risk and increase resiliency.
09/14/2020
Frameworks > Risk Assessments
We provide risk assessments based on the following accepted frameworks.
NIST Special Publication 800-30 rev1 Guide for Conducting Risk Assessments
This NIST publication provides guidance for carrying out risk assessments and describes the interrelationships between the various components of the organizational risk management process. This publication also provides guidance regarding the ongoing monitoring of risk within the organization.
ISO/IEC 27005
This international standard provides guidance for assessing and evaluating risk as part of an overall risk management process and is aligned with other related standards for risk assessment, management, and mitigation. ISO/IEC 27005 is a key element in the development of the Information Security Management System (ISMS) defined in ISO/IEC 27001.
Address
Edmonton, AB
Opening Hours
| Monday | 9am - 5pm |
| Tuesday | 9am - 5pm |
| Wednesday | 9am - 5pm |
| Thursday | 9am - 5pm |
| Friday | 9am - 5pm |