Cyber Security Testing

Position: Cyber Security Testing Resources/ProfessionalNo. of openings: 4Contract: 1 yearLocation: Can work anywhere in IndiaExperience Required: 7-10+ years & 10- 15yrs

Key skills mandatory/required:

Candidates are required with keywords/tools/frameworks like

Stride /

Dreed

/ Threat testing / cyber security from each section of the requirements table.

Please indicate your Yes and relevant years of working experience required in the Response & Comment field.CategorySub- CategoryRequirementResponseCommentsCybersecurity RiskThreat modellingList all identified threats based on STRIDE/DREAD methodology

Risk analysisPerform threat to risk analysis and list all respective risks associated with the IS, its operational model, deployment and intended use cases

Malicious Insider / Insider ThreatDescribe the considerations made to protect from malicious insider either within the company, a 3rd party supplier or managed service provider

Privileged Accounts Compromise / Abuse of Privileged AccessDescribe the considerations made to protect from unauthorized access by privileged users and special protections detect/prevent/response/

Malware and Ransomware ResilienceDescribe the considerations made to protect from malware and ransomware

Data Leakage ProtectionDescribe the considerations made to protect from data leakage

Applicable ICS ControlsList all applicable controls from SC ICS standards and map the selected controls to the respective risks i.e. threats -- risks -- controls

Vulnerability ManagementDescribe the considerations made to ease vulnerability management

Access control

Describe the IAM, RBAC/ABAC/DAC/etc, and MFA solutions in this design

Describe the automated mechanism to manage the service accounts including temporary and / or emergency accounts used to operate the system

Describe how the access management controls implemented by the system in accordance with the ICS standards and which mandatory access management controls arent, especially in cases where a self-built application or 3rd party service is used

Describe privileged account access, types used by the system, service provider and their access to the respective IS components and underline data

Describe if and how Separation of Duties and least privileged access are enforced

Describe if and how the system manages remote access

Describe how the respective controls prevent unauthorized access

Identification and Authentication

Describe the use of MFA solutions in this design for privileged and non-privileged users

Describe the use of SSO solutions in this design for privileged and non-privileged users

Describe the systems protection against replay attack (replay resistance)

Describe the use of cryptographic Authentication

Describe the use of federated credential management (if used)

Describe if and how the service uses / consumes cross-organization identities of users

Describe how Device/Component Identification & Authentication e.g. in microservice / SOA based architecture if preformed

Audit and AccountabilitySecurity Event LoggingDescribe the key events in the architecture that must be logged for security incident response

Describe the protection of the security logs against malicious / accidental modifications/deletions/

Audit LogsDescribe the creation and protection or Audit logs and audit log information, session audits, including audit-log retention compliance with applicable regulations)

Security Event MonitoringDescribe the key security events in the architecture that must be monitored

Describe the protection of the security logs against malicious / accidental modifications/deletions/

Describe how the IS monitor and control communications to interfaces of the system external and at key internal managed interfaces within the system, Managed interfaces include gateways, routers, firewalls, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture

Non-repudiationDescribe what measures are taken to prevent repudiation for the IS

Describe what measures are taken to ensure chain of custody for the IS

Penetration TestingDescribe the scope and frequency of penetration tests regime and its compliance with regulatory and ICS requirements

Configuration Management

Describe the system baseline configuration as well as if there is a configuration change control in place, its scope and capabilities\

Describe cryptography management of the system

Describe how unauthorized software execution is prevented on the IS and authorized software is explicitly allowed/enabled

Describe how system components inventory is maintained and updated by the service owner / supplier

Describe if the system allows only signed components to be installed / executed

Software Updates And PatchesDescribe how the system supports the deployment of security updates and patches, as well as the process of software patching, possible risks in case of failure and mitigation / recovery associated plans

Secrets ManagementDescribe how secrets in this design are protected

Non-Personal & Personally Identifiable Information (PII) Processing

Describe the data tagging, tracking and enforcement of the IS for PII

Describe how the system manages Consent and Specific/Special Categories of Personally Identifiable Information

Describe how the system protects Personally Identifiable Information throughout the data lifecycle and complies with regulatory requirements e.g. GDPR

Describe all data controllers and processors involved in the processing of PII data, their responsibilities, obligations, and scope consider GDPR, as well as other regulations in the scope of your assessment

Describe the data lifecycle, where and which data is stored, processed, communicated in the IS and between the IS and external IS systems

System and Communications Protection

Describe how the IS separates users and systems functionality

Describe how the IS isolates security functions

Describe how the IS Prevent unauthorized and unintended information transfer via shared system Resources e.g. cloud environment, shared memory, cache, etc.

Describe how the IS protects against denial of service and how the system ensures the availability of its resources

Describe what types of networks and boundary isolation have been employed

Describe what controls are in place to prevent data exfiltration e.g. DLP/RMI

Describe what controls are in place to prevent/restrict incoming communication, protect against unauthorized physical connections, fail secure and provide host protection

Transmission Confidentiality and IntegrityDescribe which cryptographic mechanisms are in place and where to prevent unauthorized disclosure of information; detect changes to information during transmission

Describe the cryptographic key management i.e. how the IS establishes and manage cryptographic keys when cryptography is employed within the system

Describe how the system protects against spoofing and impersonation attacks as well as DNS related attacks

System and Information IntegritySoftware, Firmware, and Information IntegrityDescribe how the system protects the SW/FW and information integrity

Third Party Risk Assessment

If/when using a 3rd party vendor/SP e.g. IaaS/PaaS/SaaS/SP provide the TRSM assessment and SCM assessment of the respective tools/services/vendors used in the solution

Provide a detailed accounting of all security assurances provided by the supplier to prove it (i) maintains good cyber-security hygiene, (ii) obligation to comply with existing and future regulations (iii) obligations to grant access to the regulators with undue delay in case such access is warranted, (iv) agreement to subject to external audits conducted by an agreed 3rd party, (v) contractual agreement which provide sufficient assurances as defined by the organization risk appetite as well as regulatory requirements secure the company systems and or consumed services against (vi) contractual obligation to notify the company when a vulnerability / misconfiguration and / or malicious activity have been identified by the supplier with undue delay even if those dont have direct impact on the consumed services, (vii) contractual obligation to notify the company if its systems or services have been / or will be accessed by a nation exercise its rights under local legislation e.g. Germany / US using CloudAct to gain access to company data stored in AWS Frankfort data centres

---