General Questions

1. What is a Tier3 Cyber Security Assessment?
Tier3 Information Security Assessments provide a comprehensive evaluation of an organization's existing security policies, procedures, controls and mechanisms against best practices and industry standards such as ISO/IEC 27002 and NIST SP 800-53. Assessments are performed by subject-matter experts (SMEs) who identify risks and outline specific, actionable steps to improve the organization's security posture.
2. What is Third-Party Risk Management?
Any time your company does business with another company, you take on risk. Whether it is a medical provider supporting healthcare for your employees, a human resources firm handling administrative functions, or the wholesalers you buy products from to run your business, sensitive data about your organization sits with each of them. Protecting that information remains your responsibility, and the cost of doing little or nothing is a potential catastrophe that far outweighs the effort of managing the risk.
3. What is Information Security Engineering?
Our engineers understand the networking technologies involved (routers, switches, firewalls, intrusion detection systems (IDS), servers, workstations, authentication, encryption and endpoint protection) and how they are used to deliver business value. This operational perspective allows us to design a network flexible enough to meet your needs while keeping the system secure and stable.
4. What is Regulatory Compliance and why do I need it?
Our certified IT auditors help federal and state government agencies and financial and banking institutions perform compliance assessments, and help address cyber security issues so that all systems comply with the applicable federal and state regulations.

ISO 27001 / ISO 22301 / BS 25999-2

1. What is ISO 27001?
ISO 27001 is an international standard issued by the International Organization for Standardization (ISO) that specifies the requirements for an information security management system (ISMS). The edition this FAQ refers to is ISO/IEC 27001:2013; the standard has since been revised as ISO/IEC 27001:2022. It was developed from the British standard BS 7799-2, was first published as ISO/IEC 27001:2005, and has become the leading international standard for information security management.
2. What is achieved by implementing ISO 27001?
Implementing ISO 27001 reduces risks to the confidentiality, integrity and availability of an organization's information. It also helps the organization conform with legislation on the protection of confidential information, the protection of information systems, personal data protection and similar requirements, which are already in place in most countries. Finally, implementing the standard should reduce business costs through fewer incidents, and it can support marketing because of the credibility that certification brings.
3. What is the difference between ISO 27001 and ISO 27002?
ISO 27002 (full name: ISO/IEC 27002:2013) provides guidelines for implementing the controls listed in Annex A of ISO 27001. ISO 27001:2013 lists 114 controls that can be used to reduce security risks, and ISO 27002 provides details on how to implement them (the 2022 revisions of both standards restructure this list into 93 controls). Organizations can be certified against ISO 27001, but not against ISO 27002, which is a guidance document rather than a requirements standard. ISO 27002 was previously known as ISO/IEC 17799 and emerged from the British standard BS 7799-1.
4. How long does it take to implement ISO 27001/ISO 22301?
This depends on a large number of factors, but as a rule of thumb smaller organizations may need 3 to 6 months, organizations with up to 500 people 8 to 12 months, and larger organizations 12 months or more.
5. Are IT security and information security the same thing?
No. IT security is one part of information security. IT security covers, for example, backup procedures or the use of a firewall, whereas information security also covers the definition of security roles and responsibilities, operating procedures, training and awareness, legal relations with employees and suppliers, physical security, and so on. As a rough rule of thumb, IT security accounts for about half of information security.
6. How much does it cost to implement ISO 27001?
It is almost impossible to estimate the cost before completing the risk assessment and the Statement of Applicability. Most of the expense is usually not hardware or software but developing procedures and putting them into operation, raising employee awareness, training, certification, and so on. Costs also depend on the size of the company, but note that not all security controls have to be implemented immediately: the implementation of some of them can be postponed and scheduled through the risk treatment plan.

Network Security Audit

1. What is network discovery?
Network discovery consists of the processes the Qualys scanning engine performs to identify each device that resides on your network. The result is a map of all devices found, which can be viewed in graphical or text format. In particular, the network map depicts:
- Network topology
- Access points to the network
- Machine names
- IP addresses
- Operating systems
- Discovered services, such as HTTP, SMTP, Telnet, etc.
The network map can be downloaded in multiple formats, including PDF, ZIP (HTML), XML, MHT and CSV. Tier3 also provides a tool for importing a network map from XML into Microsoft Visio.
2. What is an Inference-Based Scanning Engine?
Tier3 conducts audits using an inference-based scanning engine, an adaptive process that runs only the tests applicable to the host being scanned. Based on the host profile discovered for each device (for example operating system and version, open ports and running services), the engine selects and runs only the checks relevant to that target.
3. How does Tier3 find vulnerabilities and characterize network systems?
Tier3 uses an inference-based scan engine to find vulnerabilities. Each scan begins with a pre-scan module that fingerprints the host by sending a series of specially crafted packets and interpreting the responses. Tier3 is able to identify the host operating system, running services and open ports with an accuracy exceeding 99%. Once this information has been captured, the inference-based scan engine selects only the appropriate vulnerability checks, runs them, and interprets the results. This two-stage approach (pre-scan followed by inference-based scanning) accelerates the scan, minimizes the traffic load on your network and the number of probes sent to your systems, and improves overall accuracy. Note that fingerprinting is itself an inference from probe responses: a host whose responses are blocked or rewritten (by a firewall, a load balancer or a hardened TCP/IP stack) can be mis-profiled and have applicable checks skipped, so for critical assets the profile should be confirmed with authenticated scanning or a manual review.
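As an added illustration of the two stages described above (example code written for this page, not Tier3's or Qualys's engine): a small Python module that fingerprints probe responses into a host profile and then selects only the checks whose applicability rule matches that profile. The banners, hosts and check catalogue are constructed for the demonstration, and the check identifiers are hypothetical labels for generic, well-known exposures, not entries from any real vulnerability database.

```python
"""Inference-based check selection, illustrated.

Added example for this page, not Tier3 or Qualys code. All banners, hosts
and check identifiers below are constructed for the demonstration; a real
pre-scan would obtain the banners from network probes (bytes, not str).
"""
import re
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Fallback when a probe returns no banner: infer the service from the port.
PORT_HINTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https", 445: "smb"}


@dataclass
class Service:
    port: int
    name: str                       # inferred service: "ssh", "http", "telnet", ...
    banner: str = ""                # raw probe response (constructed here)
    product: str = ""               # e.g. "OpenSSH", "Apache"
    version: Tuple[int, ...] = ()   # parsed version, comparable as a tuple
    proto: str = ""                 # SSH protocol string from the banner, e.g. "2.0"


@dataclass
class HostProfile:
    ip: str
    os_guess: str                   # what OS fingerprinting concluded
    services: List[Service] = field(default_factory=list)


@dataclass
class Check:
    check_id: str                   # hypothetical label, not a real signature ID
    title: str
    applies: Callable[[HostProfile], bool]   # the inference rule


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.4.41' -> (2, 4, 41); tuples compare numerically, strings do not."""
    return tuple(int(p) for p in text.split(".")) if text else ()


def fingerprint(port: int, banner: str) -> Service:
    """Pre-scan step: infer service, product and version from one probe response."""
    m = re.match(r"SSH-(\d+\.\d+)-([A-Za-z]+)[_/-]?(\d+(?:\.\d+)*)?", banner)
    if m:  # e.g. "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7"
        proto, product, ver = m.groups()
        return Service(port, "ssh", banner, product, parse_version(ver or ""), proto)
    if banner.startswith("HTTP/"):  # response to a HEAD / probe
        m = re.search(r"^Server:\s*([A-Za-z][\w-]*)(?:/(\d+(?:\.\d+)*))?", banner, re.M | re.I)
        product, ver = (m.group(1), m.group(2)) if m else ("", None)
        return Service(port, "http", banner, product, parse_version(ver or ""))
    if banner.startswith("\xff"):   # Telnet option negotiation starts with IAC (0xff)
        return Service(port, "telnet", banner)
    return Service(port, PORT_HINTS.get(port, "unknown"), banner)


def has(host: HostProfile, **attrs) -> bool:
    """True if some service on the host matches every given attribute."""
    return any(all(getattr(s, k) == v for k, v in attrs.items()) for s in host.services)


# The "knowledge base": each check carries the rule that says when it applies.
CHECKS = [
    Check("telnet-cleartext", "Telnet exposed; credentials cross the network in cleartext",
          lambda h: has(h, name="telnet")),
    Check("ssh-v1-compat", "SSH banner advertises protocol 1 compatibility (SSH-1.x)",
          lambda h: any(s.name == "ssh" and s.proto.startswith("1.") for s in h.services)),
    Check("http-version-disclosure", "HTTP Server header discloses the product version",
          lambda h: any(s.name == "http" and s.version for s in h.services)),
    Check("smb-windows-checks", "SMB reachable on a Windows host; run SMB-specific checks",
          lambda h: h.os_guess.lower().startswith("windows") and has(h, name="smb")),
]


def select_checks(host: HostProfile) -> Tuple[List[str], List[str]]:
    """Inference step: partition the catalogue into checks to run and checks to skip."""
    run = [c.check_id for c in CHECKS if c.applies(host)]
    skipped = [c.check_id for c in CHECKS if not c.applies(host)]
    return run, skipped


def build_demo_hosts() -> List[HostProfile]:
    """Two constructed hosts with constructed probe responses."""
    linux = HostProfile("192.0.2.10", "Linux 4.x", [
        fingerprint(22, "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7"),
        fingerprint(80, "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n\r\n"),
        fingerprint(23, "\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23"),
    ])
    windows = HostProfile("192.0.2.20", "Windows Server 2012", [
        fingerprint(445, ""),                       # no banner: inferred from the port
        fingerprint(22, "SSH-1.99-OpenSSH_3.9p1"),  # 1.99 = accepts SSH-1 clients too
    ])
    return [linux, windows]


if __name__ == "__main__":
    for host in build_demo_hosts():
        run, skipped = select_checks(host)
        print(f"{host.ip} ({host.os_guess}): run {run}; skipped {skipped}")
```

The point of the structure is that each signature carries its own applicability rule, so the engine never sends a Windows SMB probe to a Linux printer or an SSH-1 test to a server that only advertises SSH-2.0; the skipped list is as useful as the run list when reviewing whether a mis-fingerprinted host caused a relevant check to be dropped.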
4. What types of devices does Tier3 analyze during a scan?
Tier3 assesses the security risk of all networked IP devices, including routers, switches, hubs, firewalls, servers (all common operating systems), workstations and desktop computers, printers, and wireless access devices.
5. How many different types of vulnerabilities do you detect?
Tier3 scans for more than 20,000 vulnerabilities across hundreds of applications and operating systems, maintained in what Tier3 describes as the industry's most comprehensive Vulnerability KnowledgeBase. New vulnerability signatures are added to the KnowledgeBase every day, and these signature updates are made available to all users automatically. To maintain accuracy, a complete regression test of the Vulnerability KnowledgeBase is performed each time it is updated.
6. What happens after Tier3 detects a vulnerability? Do you provide information to help me correct the problem?
For each vulnerability detected, Tier3 reports detailed information, including:
- Host information: IP address, hostname and fully qualified domain name (where available), operating system, and asset group(s).
- Vulnerability information: severity, a description of the threat the vulnerability poses, a recommendation for correcting the problem (including links to vendor sites), and, where available, the result that shows how Tier3 verified the vulnerability.
These fields can be customized for every signature in the Tier3 Vulnerability KnowledgeBase, and reports can be customized so that users view and/or print only the vulnerability assessment data that interests them.
Didn't find the answer you were looking for?

Contact our experts