An investment/asset management company headquartered in NY brought INSC in to perform two separate rounds of assessments for their company. They have 3 offices spanning the US, Europe, and Asia with approximately 1,000 employees.
Upon engagement with the end client, INSC completed third-party security assessments to satisfy the customer. This customer required a full assessment of all information security practices prior to engaging in a relationship with the client. In the following engagement, the client brought INSC in to run a risk assessment and code review.
In the initial engagement, a customer required the client to evaluate their information security risks. The customer was subject to strict information security standards and regulations, and they required any business partners to meet their standards before continuing a business relationship.
In the second engagement, following the acquisition of a smaller company, the client discovered problems with their systems. When integrating the two companies’ information systems together, the client found harmful code in the acquired company’s environment. The client halted the integration process to prevent infection of their own systems and brought INSC in to fully assess the acquired company.
What we did
For the first engagement, INSC conducted technical testing looking at the client’s network from the outside in. Penetration tests were run to find out how easily (and how deeply) their network could be accessed from the outside by unauthorized individuals, and vulnerability scans were used to find the technical areas where the client was leaving themselves exposed.
In the second engagement, INSC performed a risk assessment of the smaller acquired company to provide the client with a full understanding of their information security practices. As part of this assessment, INSC provided a code review to look for, and remove, any further harmful code before it entered the client’s systems.
- Risk Assessment
- Vulnerability Assessment
- Penetration Testing
During the penetration testing and vulnerability scanning, INSC noted high-, medium-, and low-risk findings along with suggested ways to reduce these risks. Some risks found within the client’s environment included:
- Outdated software or hardware versions
- Weak login credentials
- Website vulnerability to manipulation
- Ability by unauthorized individuals to view non-public content
- Insufficient user access control
Through the risk assessment in the second engagement, the client learned that the acquired company lacked many of the controls and processes that information security standards call for. Additionally, the code review revealed further harmful code in their environment. The assessment allowed the client to adjust their agreement with the acquired company and fix the problems in their systems before integrating them into the larger environment.
The Road Ahead
INSC’s report to the client in the initial engagement allowed them to fix the existing risks within their environment and satisfy the requirements of their customer, allowing them to enter a lucrative business relationship. Moving forward from that engagement, the client maintained a risk management process to continually identify and fix any risks that emerged, allowing them to proactively discover the risks in their acquired company. Following the second engagement, the client was able to work with their acquired company to remove the noted risks and integrate their systems into their environment and risk management process.