Enterprise Vulnerability Analysis - 2012, 2014, 2016 & 2018
Covering over 15,000 active assets, both outside and inside the 10 companies belonging to the group, this recurring biennial project mapped the real situation, in parallel with a snapshot of IT/Security maturity across three main domains: processes, people and technology.
2012 - 1 TOE (Target of Evaluation): Infrastructure assets only
2014 - 5 TOEs: Infrastructure, SAP (using Onapsis X1), Databases (SQL and Oracle, in depth), Connectivity (routers, switches and firewalls assessed against CIS benchmarks) and Web Application instances (partial pen-testing).
2016 - 3 TOEs: Penetration Test (against a critical application), Internet Branding (reputation, news and critical tags) and Phishing Scam simulation (targeting everyone from the CIO to interns).
2018 - Tentatively: IGA/IdM/credentials review for the 5 most critical systems: SAP, AD, Unix, DBs and telecom devices (web services, sockets and APIs in the second wave).
This project, endorsed by the Holding, advised and designed by the internal iSecTeam and executed impartially and externally by a Big4 firm (selected by RFP), outlines how organizational Governance, Risk and regulatory Compliance needs inside ITO/BPO will be addressed through a "Plan-Do-Check-Act" approach to a Vulnerability and Continual Service Improvement Management Program.
This approach reduces complexity and the initial scope, allowing faster corrections and partial deliveries.