20161021 js cybersecurity service proposal

Proposal to provide cybersecurity services Accra & Abidjan

Upload: carl-bradley-pate

Post on 20-Jan-2017


Proposal to provide cybersecurity services

Accra & Abidjan

Content

Background

Your requirements

Our Promise

About Afrik Santa Cruz

Our differentiating factors

Our key clients

Team experiences

Quality assured

Clear and continuous communication

Our team and affiliates

Contact details

Annexure I – Our methodology

Annexure II – Why you need cybersecurity

Annexure III – Service Catalogue

Afrik Santa Cruz is an indigenous engineering service company with affiliates in Africa, the Americas and Asia. It offers a wide range of services in the petroleum, housing and IT sectors.

It is managed by highly experienced professionals focused on tailored engineering solutions for optimum customer satisfaction.

About us

Highly practical and advanced hybrid delivery model.

Strong delivery capability to take on any complex project as far as it is cybersecurity related.

We prefer holding hands to shaking hands.

Cybersecurity solution is our main focus.

Theory of change

We are a true local company but with our global reach, we offer a very high level of practical experience, know-how, contacts, and confidentiality.

Reasonably priced fees commensurate with high quality delivery.

Professional delivery as would be expected of a large multinational.

Value proposition

Our goal is to change the engineering landscape in the Sub-Region by bringing well-thought-out, innovative and expert-driven solutions to our clients.

ASC aims to be an emerging market leader in engineering services. This is evident in its strategic alliances with top firms like Alphabet Energy International, WaterFX, Tectonas Softsolutions etc.

Mission

Background… know us better…

Your requirements

You require a firm with not only demonstrable skills and experience in your sector, but also the ability to deliver seamless information security system and business support services that match your development plans;

You also want a solution provider that operates on a professional and personal level, resulting in solutions tailored to your needs. While we operate in an environment that demands honed technical ability and a degree of formality, arising from the professional standards we observe, we regard ourselves as a flexible and responsive team that has client relationships at its heart; and

You need a cybersecurity solution relevant for tomorrow's environment.

You want experts who know their trade/specialty and are sincere about projects that do not fall within the bounds of their capabilities.

Our Promise

Our professionalism is demonstrated in our:

Commitment; our management and staff are absolutely committed to client satisfaction. We are dedicated to the provision of unique, quality and distinguished client services. We do this by channeling our best resources to meet clients’ needs.

Understanding; our approach to services is driven largely by our ability to obtain a clear understanding of our clients’ specific needs. Our philosophy is to provide only services beneficial to our clients.

Support; our unique strength lies in drawing on a pool of specialists worldwide to supplement skills unavailable at specific locations to ensure total client satisfaction.

Efficiency; we provide services by riding on efficiency in a co-operative environment.

About Afrik Santa Cruz Ltd (ASC)

ASC is a Ghanaian company that provides expert services by localizing international engineering solutions…

It is a well-documented fact that, to make life easier, humans are altering the usual ways of communicating at all scales and at an unprecedented rate. For this reason, everyone is a major stakeholder in cyberspace.

Enterprises rely on IT infrastructure to expand operations and enhance productivity. The increasing reliance on IT systems brings about many challenges, from sophisticated IT support system requirements to increasing IT spending. To tackle these problems ASC adopts an innovative and no-nonsense engineering-centered approach to solving problems.

An IT security issue can be defined as a data breach or loss, or reduced information system workflow, that can adversely affect the achievement of an organisation’s objectives. IT security issues can be both internally and externally generated. Unlike in times past, security issues these days are fueled by economic reasons. When greed overtakes need, it spells trouble. These can stem from corrupt employees to shady investors seeking ways to exploit information systems for their advantage.

About Afrik Santa Cruz (cont…)

Increased dependence on IT will only enhance the risks of doing business. In today’s world, IT security risks are not few. The reason companies so often fail to systematically manage these risks is rooted in the way they define and manage them.

ASC has strong alliances with companies in the US and India to meet IT infrastructure problems. Together with its affiliate partners, ASC has a team of more than 130 dedicated and highly trained systems engineers who work on kernel-level modules, mini-filter drivers, file system drivers and network drivers to deliver easy-to-use and highly secure systems.

We are staffed with qualified professionals viz. BSc, CA, ACCA, CS, CISCO, CISSP, CISA, CRISC, and MSc etc.

About Afrik Santa Cruz (cont…)

Products & Services

Our product portfolio encompasses the following broad services:

• Secure Remote Management
• Data Leak Protection
• Forensic and Security
• Patch Management
• Vulnerability assessment
• IT Infrastructure Management
• Desktop Monitoring
• Asset Management
• Change Management
• Green Management
• Firewall
• IPS
• Anti-Virus
• Content Filtering
• Surveillance System Management

Under the above broad services, we proffer more than 25 specific cyber security related services. These explicit solutions are tailored to suit clients’ environments. Our comprehensive service catalogue, which spells out service deliverables, is available upon request (refer to appendix II for the abridged version).

Our Differentiating Factors

• Value for Money
• Strengths in relation to Business Model and Objectives – Track Record of Ethical Practice
• Unique combination of international, senior, hands-on industry experience, across all areas of requirement
• Building enduring relationships with all our clients as a trusted business partner
• Strengths in relation to requirements – Track Record in geographical, Professional and Business areas
• Adding value to clients and protecting their business is paramount
• Strength in relation to Implementation Plan – Track Record in geographical, Professional areas

Our highly analytical team will help:
• Protect applications implemented on your IT systems
• Protect your data or system’s ability to function
• Enable safe collection and usage of data
• Safeguard technology assets in use

Some of our Clients

Our Experiences

Quality Assurance

Quality control and quality management is of paramount importance

Our team is sufficiently resourced through our rigorous ethical values to develop and deliver quality services to our clients. Criminal background checks are conducted on employees by the Criminal Investigation Department of Ghana Police Service.

Personnel adhere to standards of Integrity, Independence, Confidentiality and Objectivity. Our professionals are required to attend business specific continuing education courses, internal and external industry trainings.

Our operating policies are based upon and are fully compliant with International Standards. In addition, there is a Quality Review Programme which ensures that our review process is in compliance with documented policies and procedures. Quality performance reviews are an integral component of our system of quality control.

[Figure: Continuous Improvement. Labels: Quality culture, Analysis & Planning, Delivery, Measure Results, HRM, Processes, Order]

Clear Continuous Communication

We are well aware of your confidentiality requirements, hence we are committed to maintaining a strict code of confidentiality. Our firm policy requires that affairs of clients be kept confidential at all times.

At ASC, open and honest communication is a Core Value. Our experience leaves us in no doubt that a successful relationship is based on trust and candid, proactive communication.

Regular and open two-way communication is fundamental to all aspects of our services. As an initial priority, we will agree with you the Communication Plan for all our key meetings. This will help ensure there are formal and informal opportunities for all key stakeholders to be kept informed on issues of importance.

Our Team Credentials

Bradley Pate
International Director – Afrik Santa Cruz
• Accomplished Petroleum Engineer and a businessman.
• More than 33 years Project Management and Petroleum Engineering
• More than 25 international experience in every continent except Australia and Asia.
• Led Projects with budget exceeding US$700 million

John Selorm
Principal – Afrik Santa Cruz
• Accomplished Chartered Accountant.
• Strong IT background and worked with top accounting firms in the world on client systems.
• Worked with clients in a wide variety of industries including trading, retail and consumer goods, NGO, manufacturing and banking and finance.
• Major clients include banks, investment companies, manufacturing organizations etc.

Our Team Credentials

Charles Kane
Chief Information Officer – Afrik Santa Cruz
• Highly experienced IT professional
• Over 13 years in IT resource management experience
• Managed Information System’s projects on oil fields in Ghana, Cote D’Ivoire, Sierra Leone etc.
• Harvard college trained with diverse IT skills and professional qualification including: CISA, Red hat os/mail, web, satellite operation and installation, Cisco CCNA etc.

Perry Greene
Principal Consultant – Santa Cruz Energy
• Highly accomplished IT security professional with experience across various industries in USA.
• More than 11 years information security and compliance experience
• Strong in vendor audits on ISO27001 and 27002 control and other compliance frameworks like COSO, COBIT, NIST, ISO etc.
• Professional trainings include: six sigma, Cisco CCNA, CISSP, CISA, VMWare, Qualys, Archer, Qradar, CRISC, MCP, Arcserv, SAP, PCI, HIPAA, SOX etc.

Our Team Credentials

Shruti Pundalik
Chief Consultant – Santa Cruz Energy
• Accomplished IT security professional with experience in India and USA across various industries.
• Designed and implemented effective and efficient projects similar to Uber booking systems
• Conducted architecture and interface design on the admission system for University of Baltimore, Maryland and other projects such as Bitcoin.
• Professional trainings include: Matlab, Keil Uvision, Verilog, Khazama, CodeVisionAVR, C++, C, PL/SQL, Eagle 5.6, Multisim etc.

Mana Churi
Chief Consultant – Santa Cruz Energy
• Highly experienced IT security specialist with experience in India and USA across many industries.
• Worked with Dell on security system projects including managing and mentoring different teams.
• Worked as an engineer at CISC Source responsible for remote on-site engineers etc.
• Professional skills include: Kerberos, SSL, IPSec, IDS, IPS, Firewalls, Application Proxy, Wireless Security, Cisco CCNA, CCNP Routing & Switching, DHCP, DNS, C++, C, Python etc.

Partners Credentials

Joachim Nessere
Chief Consultant – Afrik Santa Cruz
• Highly skilled IT security trainer and consultant.
• Served as the IT security training consultant for GIMPA, IPMC, Zentech Ghana etc.
• Designed and implemented advanced server infrastructure across different systems
• Professional accreditations include: Novell Certified Linux Administrator, Net IQ Identity, security etc. expert, MSPRP member, IAMCT Member etc.

Rajesh Tripathy
CEO/COO – Tectonas Softsolution
• Accomplished IT security engineer and a businessman.
• Established and run IT security company in India for the past 17 years
• Executed large IT security infrastructure solutions across Asia, Africa and the United States.
• Developed IT security software across key industries in India, Asia etc.

Contacts

Afrik Santa Cruz

2nd Floor Chataeu Dieu,

Adenta, Estate

Accra, Ghana

Phone: +233 208 703 [email protected]

Santa Cruz Energy

124 Dickens Dr

Coppell, Texas 75019-2104

United States

Phone: +128 170 019 [email protected]

Afrik Santa Cruz Abidjan, Cote d’Ivoire

Phone: +255 045 728 [email protected]

[email protected]

www.afriksantacruz.com

THANKS

ANNEXURE I – OUR METHODOLOGY

Our Methodology

Our methodology is comprehensive and systematic, and focuses on meeting clients’ organisational objectives. We fully recognise the need to provide assurance on your system stability.

The key benefits of our approach are:
o Comprehensive & systematic;
o Focus on areas considered as potentially & most likely to lead to breach in data or system malfunction;
o Our procedures are based on project planning techniques, including the use of automated processes and document templates, and the agreement of objectives, timetables, responsibilities and careful resource planning;
o The focus of our reports is to generate constructive and value added advice; and
o Identifies performance improvement and cost reduction opportunities

Understanding Your Business

Risk Assessment

Planning

Field Work

Critical Issues

Reporting/Implementation

Our Methodology (Cont..)

UNDERSTANDING THE BUSINESS

Our top-down risk-based approach ensures that the focus is on the issues that are of greatest importance to you and that we are in the most appropriate position to respond to them. Our system audit starts with a detailed understanding of your industry and business.

Our approach is based on a top-down examination of the key drivers and system workflow of your business. The output is a balanced picture of how the company interacts with customers and external industry forces. We consider the implications of this analysis and use it to identify significant risks.

We use industry specific business models to gain information on:
• industry background including major players, regulatory changes and trends,
• risks and drivers,
• geographic issues,
• descriptions of business processes,
• benchmarks and best practice and
• system risks.

Our Methodology (Cont..)

RISK ASSESSMENT

In order to run your business, you develop processes in IT systems to manage the factors that drive performance and help meet your objectives. We focus on those processes and systems to help yield meaningful results. This phase of our work enables us to obtain information on the processes supporting the achievement of the company’s goals.

STRATEGY AND PLANNING

Based on the understanding of a client’s business we devise a strategy. We then develop detailed programs to improve and guard your systems.

FIELD WORK

The work flows from strategic planning and risk assessment. The key element is to review and test the high level controls embedded in your processes, as significant weaknesses in your key processes could cost, both in terms of data loss and reputational damage.

REPORTING AND IMPLEMENTATION

We identify and discuss all critical issues with management. We then determine whether the Company’s system stability meets our expectations. We provide a report and any other deliverables to management.

Our Methodology (Cont..)

Our focused IT audit methodologies and tools also help to evaluate and test whether the Company’s information systems are configured for data integrity, are secure and are effectively managing the business needs. Our highly skilled business and IT personnel help identify aspects of IT that pose the highest risk to the Company.

We then conduct a systematic, detailed review of those areas in which we:
o identify appropriate IT control objectives that map to key business processes;
o identify relevant IT policies and procedures and/or industry IT standards; and
o evaluate the design of controls and test whether they are in place and operating effectively.

Our Methodology (Cont..)

METHODOLOGIES

• Continuity management
• System capabilities & availability
• Backup and recovery
• Data storage

• Network penetration testing
• Information security assessment
• Enterprise security architecture & integration
• Ongoing monitoring

• Process documentation
• Control risk analysis
• Control & design implementation

• Project risk assessment
• Quality assurance
• Project management methodology
• Programme management processes

Our Methodology (Cont..)

INTELLIGENT USE OF TECHNOLOGY

Technology is only one component of an integrated approach that combines methodology, knowledge and technology into our tailored service to you. We deliver our system audit services using fully automated audit software. This software is designed specifically to integrate knowledge management into the audit process. Technology can never be a substitute for face-to-face communications and we continue to rely on meetings with management to identify, resolve and communicate issues.

Technology

Knowledge

Methodology

ANNEXURE II – WHY YOU NEED CYBERSECURITY

Why you need cybersecurity

In today’s global, digital world, data rules. Many of our daily activities involve data paths. Safeguarding intellectual property, financial information, and your company’s reputation is a crucial part of business strategy.

Cybercrime has become a big business. Cybercrime is costing the global economy up to $450 billion annually and it is expected to exceed 1 trillion by 2020 (Report by Hamilton Place Strategies).

The report also warns that “if you’re in business today, it’s nearly a guarantee you’ll be hacked at some point over the next couple of years”, which makes these findings all the more significant.

The TRUTH IS, YOUR DATA HAS PROBABLY BEEN BREACHED WITHOUT YOUR KNOWLEDGE…you will only be confronted with the consequences in the future.

IT security is about defense in depth. Providing such security involves physical security as well as a well-designed network, control over the users and processes on the host itself, and regular maintenance.

Why you need cybersecurity (Cont..)

Some cyber threats your organisation may be exposed to without cybersecurity include:

Categories of Threat: Examples

• Deliberate software attacks: Viruses, worms, macros, denial-of-service
• Technical software failures or errors: Bugs, code problems, unknown loopholes
• Technological obsolescence: Antiquated or outdated technologies
• Deliberate acts of information extortion: Blackmail of information disclosure
• Deliberate acts of espionage or trespass: Unauthorised access or data collection
• Compromises of intellectual property: Piracy, copyright infringement
• Acts of human error or failure: Accidents, employee mistakes
• Forces of nature: Fire, flood, earthquake, lightning
• Deliberate acts of sabotage: Destruction of system or information
• Deliberate acts of theft: Illegal confiscation of equipment or information

Why you need cybersecurity (Cont..)

Some attack replication vectors your organisation may be exposed to without cybersecurity include:

Vector: Description

• Web browsing: If an infected system has write access to any web page, it makes all web content files (.html, .asp, .cgi, etc.) infectious, so that users who browse to those pages become infected.
• Simple Network Management Protocol: An attacking program gains control of a device due to the widely known and common passwords employed in early versions of the protocol.
• Virus: Infection of common executable files through virus code.
• Mass mail: If an infected email runs through an address book, the infected machine infects many users. Subsequently, mail-reading programs also automatically run the program and infect other systems.
• Unprotected shares: Using vulnerabilities in file systems and the way organisations configure them, the infected machine copies the viral component to all locations it can reach.
• IP scan and attack: The infected system scans a random or local range of IP addresses and targets any of several vulnerabilities known to hackers from previous exploits such as Code Red, Back Orifice, or PoizonBox.

ANNEXURE III – OUR SERVICE CATALOGUE

Service Description: Incident Tracking and Audit
When to be Proposed to Customer/Client: Customer has had a major cyber-security incident where they may have had data loss, data corruption or systems not being available to the users/customers/partners
Activity: Investigate incident and provide Survey Reports for affected users and systems

Service Description: Cyber Security Audit
When to be Proposed to Customer/Client: Customer wants to implement Cyber Security Policy as per their defined Policies in the organization.
Activity: Survey of:
• End Points (PCs)
• Servers
• Network Equipment
• BYOD Patterns
• Shadow IT
• User Behaviour

Service catalogue

Service Description: Cyber Security Policy Rollout
When to be Proposed to Customer/Client: Customer wants to implement Cyber Security Policy as per their defined Policies in the organization.
Activity:
• IT Systems Survey
• End User Training
• Delivery of Audit Systems

Service Description: Cyber Security Policy Creation
When to be Proposed to Customer/Client: Customer has no Cyber Security Policy and wants to start new.
Activity:
• Detailed Survey of IT Systems
• Identify IT & User Control Points
• Identify Compliance Check Points

Service Description: Forensic Audit
When to be Proposed to Customer/Client: Customer has no idea of their current Cyber Security Posture or if they are compromised or not compromised.
Activity:
• Log Analysis
• ID Presence of internal/external malicious agents
• Forensic analysis to assess if IT systems are compromised or IT system availability analysis

Service catalogue (Cont…)

Service Description: Cyber Defence Integration
When to be Proposed to Customer/Client: Customer has many cyber defense systems like anti-virus, firewalls etc., and these systems are not working in an integrated manner.
Activity:
• Integrate disparate systems to single Dashboard
• Identify Cyber Security Choke Points.

Service Description: Firewall Induction.
When to be Proposed to Customer/Client: Client does not have a firewall and wants to implement a firewall.
Activity:
• Identify make and model of Firewall that best suits the Client's needs. Acquire, install and commission the firewall.

Service Description: Firewall Review and Configuration
When to be Proposed to Customer/Client: Client has an existing firewall and has performance and security issues.
Activity:
• Capacity/Performance of the firewall.
• Check whether the firewall addresses the security + performance needs of the client.
• Upgrade, change and recommission the firewall.

Service catalogue (Cont…)

Service Description: Intrusion Prevention System (IPS) Induction.
When to be Proposed to Customer/Client: Client does not have an IPS and wants to implement an IPS.
Activity:
• Identify make and model of IPS that best suits the Client's needs. Acquire, install and commission the IPS.

Service Description: IPS Review and Configuration.
When to be Proposed to Customer/Client: Client has an existing IPS and has performance and security issues.
Activity:
• Assess the capacity and performance of the IPS, and check whether the same IPS addresses the security + performance needs of the client. If yes, identify changes to IPS configuration. Upgrade, make the changes and recommission the IPS.

Service catalogue (Cont…)

Service Description: Patch Management Induction.
When to be Proposed to Customer/Client: Client does not have a Patch Management and wants to implement a Patch Management.
Activity:
• Identify make and model of Patch Management that best suits the Client's needs. Acquire, install and commission the Patch Management.

Service Description: Patch Management Review and Configuration.
When to be Proposed to Customer/Client: Client has an existing Patch Management and has performance and security issues.
Activity:
• Assess the capacity and performance of the Patch Management, and check whether the same Patch Management addresses the security + performance needs of the client. If yes, identify changes to Patch Management configuration. Upgrade, make the changes and recommission the Patch Management.

Service Description: Proxy Induction.
When to be Proposed to Customer/Client: Client does not have a Proxy and wants to implement a Proxy.
Activity:
• Identify make and model of Proxy that best suits the Client's needs. Acquire, install and commission the Proxy.

Service catalogue (Cont…)

Service Description: Proxy Review and Configuration
When to be Proposed to Customer/Client: Client has an existing Proxy and has performance and security issues.
Activity:
• Assess the capacity and performance of the Proxy, and check whether the same Proxy addresses the security + performance needs of the client. If yes, identify changes to Proxy configuration. Upgrade, make the changes and recommission the Proxy.

Service Description: Single Sign-on (SSO) Induction.
When to be Proposed to Customer/Client: Client does not have an SSO and wants to implement an SSO.
Activity:
• Identify make and model of SSO that best suits the Client's needs. Acquire, install and commission the SSO.

Service Description: SSO Review and Configuration.
When to be Proposed to Customer/Client: Client has an existing SSO and has performance and security issues.
Activity:
• Assess the capacity and performance of the SSO, and check whether the same SSO addresses the security + performance needs of the client. If yes, identify changes to SSO configuration. Upgrade, make the changes and recommission the SSO.

Service catalogue (Cont…)

Service Description: Anti-Virus Induction.
When to be Proposed to Customer/Client: Client does not have an Anti-Virus and wants to implement an Anti-Virus.
Activity:
• Identify make and model of Anti-Virus that best suits the Client's needs. Acquire, install and commission the Anti-Virus.

Service Description: Anti-Virus Review and Configuration
When to be Proposed to Customer/Client: Client has an existing Anti-Virus and has performance and security issues.
Activity:
• Assess the capacity and performance of the Anti-Virus, and check whether the same Anti-Virus addresses the security + performance needs of the client. If yes, identify changes to Anti-Virus configuration. Upgrade, make the changes and recommission the Anti-Virus.

Service Description: Data Loss Prevention (DLP) Induction.
When to be Proposed to Customer/Client: Client does not have a DLP and wants to implement a DLP.
Activity:
• Identify make and model of DLP that best suits the Client's needs. Acquire, install and commission the DLP.

Service catalogue (Cont…)

Service Description: Data Loss Prevention (DLP) Review and Configuration
When to be Proposed to Customer/Client: Client has an existing DLP and has performance and security issues.
Activity:
• Assess the capacity and performance of the DLP, and check whether the same DLP addresses the security + performance needs of the client. If yes, identify changes to DLP configuration. Upgrade, make the changes and recommission the DLP.

Service Description: Threat Intelligence System.
When to be Proposed to Customer/Client: Client has existing Security Policy and Audit Framework and wants pro-active Cyber Security Threat Information.
Activity:
• Security Posture Study of the Organization and Business Vertical.
• Complete capability assessment of Key Cyber Security Team.

Service Description: Ransomware Mitigation
When to be Proposed to Customer/Client: Client perceives that they can be targeted or other peer organizations of the client have been targeted using Ransomware.
Activity:
• IT Systems Survey
• User IT usage profile
• User Critical Data/Process Survey

Service catalogue (Cont…)

Service Description: Vulnerability Assessment and Penetration Testing
When to be Proposed to Customer/Client: Client wants to have a regular Vulnerability Assessment and Penetration Testing done of their IT infrastructure.
Activity:
• IT Systems Survey.
• Network Survey

Service catalogue (Cont…)

Thanks