greenmethod

IT Service Management

A Multinational IT Company With Branches In UAE, Egypt, USA, Canada & Qatar

For the company, certification to ISO/IEC 20000 plays a central role: the certificate makes its competitive edge clearly identifiable to customers. In ISO 20000, quality and cost are central concerns:

“At IT Service Management, accreditation to ISO 20000 brings about improving IT processes, documenting and then avoiding nonconformities, preventing double work and optimally observing agreements with customers. This enables an increase in efficiency and an improvement in quality.”

Green Method Approach

Green Method sees ISO 20000 as a tool for integrating ITIL-conformant processes into an ISO-based management system.

While ITIL is a collection of best practices, the ISO 20000 standard summarizes, in a focused manner, the key requirements placed on a professional IT service management system. By concentrating on the key requirements for each individual process, important influencing factors such as company size, service offering and customer structure can be properly taken into account when designing the service management system.

Green Method followed a phased approach: the processes were piloted in one country and then rolled out across the organization in all of its countries.

Application Secure Code Review

A Leading Corporate Bank In The UAE

With worldwide cybercrime losses creating havoc in the financial industry, financial institutions are focusing considerable attention on the security of their outward-facing web applications, the majority of which contain critical security vulnerabilities.

The bank relies heavily on a number of third-party commercial software and outsourcing providers to drive its core banking systems. Application vulnerabilities and security breaches are steadily on the rise: according to Gartner, 75% of new attacks target the application layer, and software vulnerabilities have reached an all-time high. Against this backdrop, the bank was justifiably concerned about security issues arising from these third-party providers and decided to take a proactive approach to software assurance.

Green Method Application Source Code Review Services use the testing methodology of Veracode, a world leader in SaaS application security testing. Veracode provided its patented binary analysis of the application code. Veracode Security Review, a subscription-based application security testing solution, underpins the bank's secure procurement practices and enables it to manage both its own and its customers' risk profile.

Green Method Approach

To initiate the project, the bank quickly identified 15 applications from different product vendors to be verified. Because Veracode's analysis works on the compiled executables (binary code) rather than on source, each external supplier was able to upload its application to Veracode's on-demand code assurance platform without exposing its intellectual property in the form of source code. For the bank this removed the usual obstacle to third-party code review: vendors' reluctance to hand over source.

Veracode performed its fully automated analysis and assigned each application a security rating in the form of a letter grade from A (best) to F (worst), establishing the security level of the supplier's applications. Veracode's ratings draw on published industry standards: the Common Weakness Enumeration (CWE), the Common Vulnerability Scoring System (CVSS) and guidance from the National Institute of Standards and Technology (NIST).

These three standards provide context for, respectively, the vulnerability type, its score and the business criticality of each application. In addition to the high-level security ratings, Veracode delivered detailed remediation roadmaps to the software vendors, outlining a path to software assurance. Each roadmap is a prioritized list of software vulnerabilities, ranked by level of severity and ease of remediation. Based on this roadmap, the pilot vendor fixed the flaws found in the initial analysis within two weeks of receiving the initial report, re-submitted the applications for another scan, and received a score well within the bank's range of code acceptance.

The key benefit for the bank and its vendors is that Veracode's rating system provides a common and consistent benchmark for determining security risk levels and thresholds and for tracking progress over time. The bank set a pre-defined minimum rating that every third-party application must achieve to meet its software acceptance criteria.
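As an added illustration of the acceptance gate described above (example code written for this page, not Veracode's scoring algorithm and not Green Method's or the bank's tooling), the following Python models the workflow end to end: findings classified by CWE and scored with CVSS, a letter grade from A to F per application, a remediation roadmap ranked by severity and ease of fixing, re-submission after the vendor fixes the top items, and a minimum-grade threshold that depends on the application's business criticality. The scan findings, the per-finding effort estimate, the penalty weights and the criticality-to-grade mapping are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One static-analysis finding: weakness type (CWE), CVSS base score,
    estimated fix effort in engineer-days (an assumed field) and location."""
    cwe: int
    cvss: float
    effort: int
    location: str


# Constructed sample results for two vendor applications (not real scans).
SAMPLE_SCANS = {
    "payments-gateway-1.4": [
        Finding(89, 9.8, 2, "db/query.c"),        # CWE-89 SQL injection
        Finding(327, 7.4, 5, "crypto/legacy.c"),  # CWE-327 broken crypto algorithm
        Finding(79, 6.1, 1, "web/render.js"),     # CWE-79 cross-site scripting
        Finding(200, 4.3, 1, "api/debug.c"),      # CWE-200 information exposure
    ],
    "reporting-portal-2.0": [
        Finding(79, 5.4, 1, "ui/table.js"),
        Finding(200, 3.7, 1, "export/csv.c"),
    ],
}

# Assumed business criticality per application, and the minimum grade the
# bank requires at each criticality level (hypothetical mapping).
CRITICALITY = {"payments-gateway-1.4": "high", "reporting-portal-2.0": "medium"}
MINIMUM_GRADE = {"high": "A", "medium": "B", "low": "C"}


def severity(cvss: float) -> str:
    """CVSS v3 qualitative severity rating for a base score."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    if cvss > 0.0:
        return "low"
    return "none"


# Hypothetical penalty per finding by severity; not Veracode's scheme.
PENALTY = {"critical": 40, "high": 20, "medium": 8, "low": 2, "none": 0}


def score(findings) -> int:
    """0-100 score: start at 100 and deduct a severity penalty per finding."""
    return max(0, 100 - sum(PENALTY[severity(f.cvss)] for f in findings))


def grade(points: int) -> str:
    """Letter grade from A (best) to F (worst)."""
    for letter, floor in (("A", 90), ("B", 80), ("C", 70), ("D", 60)):
        if points >= floor:
            return letter
    return "F"


def remediation_roadmap(findings):
    """Prioritised fix list: highest CVSS first, cheapest fix first on ties."""
    return sorted(findings, key=lambda f: (-f.cvss, f.effort))


def after_fixing(findings, count: int):
    """Simulate the vendor fixing the first `count` roadmap items and resubmitting."""
    return remediation_roadmap(findings)[count:]


def accept(app: str, findings) -> dict:
    """Apply the acceptance criterion for the application's criticality.
    Letter grades are ordinal, so plain string comparison works ("A" < "B")."""
    g = grade(score(findings))
    required = MINIMUM_GRADE[CRITICALITY[app]]
    return {"app": app, "grade": g, "required": required, "accepted": g <= required}


if __name__ == "__main__":
    for app, findings in SAMPLE_SCANS.items():
        print(accept(app, findings))
        for f in remediation_roadmap(findings):
            print(f"  fix CWE-{f.cwe} in {f.location} (CVSS {f.cvss}, ~{f.effort} days)")
```

Running the block rejects the payments gateway (grade F against a required A) and accepts the reporting portal (grade A against a required B); fixing the top two roadmap items lifts the gateway only to B, so it is still rejected, and it passes only after the third item is fixed. This is the point of tying the threshold to criticality: the same residual findings are acceptable in a low-impact application and not in a payment-processing one.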

PCI DSS Compliance

The Largest Credit Card Acquiring Company In The Middle East and Africa

In the second half of 2010, the company faced a decision: engage a consulting company to provide the necessary gap assessment and remediation work, or retain its international Qualified Security Assessor (QSA) as auditor and carry out the remediation internally to become compliant with PCI DSS. The challenge was to assemble all the internal capabilities needed to be ready for the strict timelines set by Visa and MasterCard for an audit by the end of the year.

The remediation could have included restructuring its existing but inadequate information security framework to meet its changing information management needs. Continued reliance on internal capabilities, together with dependence on a large UK-based QSA, was causing many delays and substantially increasing the cost of compliance.

Green Method Quick Win Approach

Green Method formed a project team of experts, including QSAs, information security process experts, network security experts and application security experts, managed by a proven and qualified project management professional.

The Project Was Divided Into The Following Phases:

  • Discovery
  • Scope Optimization
  • Gap Assessment – Conducted by QSA & Sr. Info Sec Consultant
  • Remediation
    Process & policies review and alignment with Group Info Sec policies
    Clear network diagram with relevance to the optimized PCI DSS scope
    Network Vulnerability Assessment & Penetration Testing
    Application Penetration Testing
    Defining compensating controls
    Management presentations for technology implementation
    Supervision of technology implementation
    QSA re-assessment of the remediation – offline
  • Validation
    ASV (Approved Scanning Vendor) scan
    Handholding the organization to guide the QSA through the evidence
    QSA audit & ROC (Report on Compliance) preparation
    Management presentation