Vigorous Security provides the following services (and we are also open to hearing from you about services you need that are not listed below – contact us!):
Information Security Management
vCISO service – vCISO means Virtual CISO: an information security manager who is not an employee of the organization but is nevertheless in charge of maintaining, improving and promoting the organization’s information security. Depending on the characteristics of the organization (such as size, location, layout, maturity level of the IT and information security, budget and so on), the vCISO performs the activities described on this page and more, either personally or with the assistance of the IT staff and the organization’s information security team.
Assistance to veteran vendors, startups and venture capitalists in the development and improvement of products and services
Aspects of information security in products and services – A review of the product or service from an information security perspective, covering the existence and quality of authentication mechanisms, permissions and audit logs; the existence and quality of encryption and hashing of information “at rest” (e.g. files, databases) and “in transit” (networking); and compliance with standards required by law, regulations, suppliers and customers.
“Reality check” for products and services – Assessing the practical need for the product or service; a market examination and comparison with competing products and services; and a practical examination of the product from the end customer’s point of view, with suggestions for change and improvement.
Existing status check, mapping and auditing
Risk Survey – A comprehensive examination of the organization’s IT risks, either across the whole organization or in one particular system, so that the organization knows the number and severity of its risks. The organization receives a detailed risk report that also offers practical solutions, including the cost estimates, resources and schedules needed to reduce the risks and close the gaps.
Mapping the organization’s passive exposure level – Checking the access points into the organization from the Internet and the services exposed to the world, with the aim of reducing their number as far as possible and testing their defenses, so as to reduce the risk as far as possible.
Mapping the organization’s active exposure level – Checking the organization’s own access points to the Internet and its direct connections to other external entities, with the aim of reducing their number as far as possible and testing their defenses, so as to reduce the risk as far as possible.
Penetration Testing – Practical technical attempts to break into the organization’s computing systems (obviously without causing any damage), using the tools and techniques of real attackers, to gain a practical understanding of how vulnerable the organization is.
Audit – An organization that wants to ensure its continued existence must periodically verify, from an external professional perspective, that its IT systems, as a whole or in part, maintain adequate information security in the face of the relevant risks, and a defined process is required for that purpose.
The audit of the organization’s information security systems is carried out through various forms of questioning (questionnaires, face-to-face interviews, etc.), a practical review of the systems (in read-only mode, so there is no risk of damaging them) and, in some cases, robustness tests that simulate real but safe attacks (see the “Penetration Testing” section above).
We carry out these control activities for our clients’ audit departments and sometimes at the special request of senior management who want a professional and independent external review.
Maintenance and improvement
Maintaining existing information security systems – In the first phase we study the organization and its business and IT needs (with emphasis on information security); in the following phase we meet with the organization to decide which systems, products and services it wishes to maintain and on what schedule.
Improving an existing information security system – Ideally this activity begins after a risk survey as described above, but organizations do not always wish to conduct a risk survey, which is a relatively extensive activity, and prefer instead to focus on improving specific areas.
In the first phase we study the organization and its business and IT needs (with emphasis on information security) and examine the gaps between the current status and what the relevant systems require; in the second phase we write a recommendations document detailing work plans, procurement, budget and schedule; and finally, once the plans are approved, we move on to the implementation phase.
Preparing and responding to emergencies
Unfortunately, 100% protection cannot be guaranteed, in the physical world or in the digital world, so we must prepare in advance for a hostile attack that will succeed to one degree or another.
We will help you prepare the organization for various attack scenarios in advance by examining and improving the survivability of the information and the systems, and preferably also by conducting attack exercises against the organization, to build and test its readiness.
In case of an attack against the organization, God forbid, we will personally accompany you throughout the event until its end, with the goal of reducing the extent and severity of the damage.
After the event, we will prepare a report on the incident for you, along with recommendations for improvement and prevention measures.
Policies, procedures, compliance with regulatory requirements and preparation for certification
Writing a corporate information security policy – Good corporate governance requires a document that forms the basis on which all information security activities in the organization are performed: the organization’s “information security policy”. We will write it for you, tailored to your organization.
Writing procedures – Procedures are the organizational method of ensuring uniformity in the activities of people and systems in day-to-day work and their conformance to the organization’s information security policy. We will write the procedures you need, tailored to your organization.
Certification to standards and compliance with regulation – Standards are the common way to show the world that your organization meets uniform information security requirements. Sometimes they are a necessary requirement for the organization’s business (such as PCI for an organization that accepts credit card payments, or state or professional regulatory requirements); in other cases the organization wishes to ensure that it is operating properly and according to accepted standards (such as ISO standards).
We will advise you on which certifications are required and/or desirable for you, what they mean and what is required to achieve them, and we will guide you through the process of obtaining the certification and the ongoing process required to keep it valid over time.
Establishing an information security infrastructure – Establishing a new IT system? A new office or branch? The smartest approach is to integrate information security right from the start, together with the IT, to ensure integrated protection from the very beginning.
After an initial questioning session to help us understand the goals of your organization, the composition of its people and systems, the necessary connections with the outside world, and more, we will present the components that we believe will give you the best information security protection, and help you carry out their installation and configuration.
Introducing a new system or service – During the life of an organization, new systems and services are required, and each needs its own security treatment. We will help you make the change securely, from procurement and deployment through handover to ongoing operations.
Intelligence and Knowledge
Open source intelligence (OSINT) – Information is the most valuable asset of our era; information is the basis of knowledge, and knowledge, as is well known, is power.
Your ability to be informed and aware of new risks in the world and of their potential defenses will give you a significant advantage in building effective protection for your organization, based on realistic priorities that take into account current and real risks.
– We will help you to understand the trends in the world of information security in general and especially those related to your business field and the systems you use
– We will update you regularly about Information Security news and trends
– We will perform market surveys of technologies, products and services – including comparisons
– We will prepare in-depth reports based on specific topics you are interested in