DATA & NETWORK SECURITY

P & P INVESTIGAZIONI S.r.l. is an agency duly authorised by the Home Office through the issue of the prefect's licence pursuant to art. 134 of the Consolidated Act of Public Safety Laws, in Italian "Testo Unico Legge Pubblica Sicurezza" (R.D. 18th of June 1931 n. 773), for investigation, information and research activities on behalf of natural and legal persons throughout the country and abroad.

The Data & Network Security Department of P & P INVESTIGAZIONI S.r.l. is committed to fighting cyber crime and to providing its assistance not only in support of the activities of the police forces but also in aid of companies.

Attention towards Cyber Security is growing rapidly, since it is nowadays impossible to protect a company's activities without the support of information systems, by now an essential instrument within the production processes of companies.

For this reason it is necessary to identify professionals who protect against the cyber attacks that could seriously endanger your most important asset: your know-how.

Through the Data & Network Security Department of P & P INVESTIGAZIONI S.r.l. it is possible to measure the degree of vulnerability of your systems and to identify, after an accurate diagnostic analysis, the interventions suited to securing your IT assets in line with the applicable regulations.

DATA & NETWORK SECURITY SERVICES

VAPT - PENETRATION TEST

Security assessment service for a system or a network, through the simulation of an attack by a threat agent

WAPT - WEB APPLICATION PENETRATION TEST

Scanning and monitoring of all sections of the web application, with special attention to those protected by username and password

VAM - VULNERABILITY ASSESSMENT AND MITIGATION

Non-invasive activities to evaluate the effectiveness and the degree of strength of your company's security systems, identifying vulnerabilities

OTHER CYBER SECURITY SERVICES

Various testing and debugging services for computer vulnerabilities in your system, such as IT Risk Management, Threat Detection & Analysis, ...

STANDARDS AND METHODOLOGIES

In the provision of its services, the Digital Security Department of P & P INVESTIGAZIONI S.r.l. adheres to the main reference standards on the market:

ISO/IEC 27001

It is the only auditable and certifiable international standard that defines the requirements for an ISMS (Information Security Management System), designed to guarantee the selection of appropriate and proportionate safeguards.

In order to protect the security of your company it is necessary to put in place several cyclical processes, which can be summarised as follows:

  • first and foremost, the objectives to be achieved and the strategy to follow are identified, paying particular attention to the risk assessment;
  • afterwards, the risks and the correct operation of the ISMS are analysed;
  • then the suitability of the adopted solutions is evaluated and the ISMS is reviewed a second time;
  • lastly, the countermeasures and preventive actions are applied.

Finally, we point out that for the mechanism just described to remain valid it must be repeated over time; only in this way is it possible to guarantee a degree of stability and reliability to the safeguards of your IT infrastructure.

OSSTMM

The OSSTMM (Open Source Security Testing Methodology Manual, pronounced "awstem") is a certification supplied by ISECOM (Institute for Security and Open Methodologies), an international community for research and collaboration on security, founded in January 2001. It is a peer-reviewed methodological approach, used in the field of IT security, which provides for the execution of security tests and analyses on infrastructures and IT assets, with results expressed as verified facts; these facts supply information that can improve operational security in measurable terms.

The use of the OSSTMM standard, with due regard to the legislation, makes it possible to obtain reliable and repeatable results, to understand which countermeasures should be adopted and how exposed the analysed system is to possible attacks, and therefore how the highest possible level of security can be achieved.

OWASP

The OWASP Testing Guide is a framework for testing the security of applications and network infrastructure, developed by OWASP (Open Web Application Security Project), a not-for-profit foundation that focuses its activities on producing resources, articles and materials on the many problems directly connected with application security.

OWASP has drawn up a list of the security threats considered most critical:

  • SQL Injection
  • Broken Authentication and Session Management
  • Cross Site Scripting
  • Insecure Direct Object Reference
  • Security Misconfiguration
  • Sensitive Data Exposure
  • Missing Function Level Access Control
  • Cross Site Request Forgery
  • Using Components with Known Vulnerabilities
  • Unvalidated Redirects and Forwards

MAGERIT

The MAGERIT methodology (in English, Methodology of Analysis and Risk Management of Information Systems), developed by the Spanish Government since 1997 and today adopted globally, pursues the following aims:

  • ascertain the existence of the risks to which the information infrastructures are exposed;
  • offer a systematic method to analyse such risks;
  • identify the measures needed to keep the risks under control, using a standard cost-benefit criterion.

OTHER REFERENCES

The Data & Network Security Department of P & P INVESTIGAZIONI S.r.l. carries out its professional activity in strict compliance with the following regulatory frames of reference:

  • ISO/IEC 19011:2003 – Guidelines for quality and/or environmental management
  • ISO/IEC 20000-1:2005 – Service management – Part 1: Specification
  • ISO/IEC 27002:2005 – Code of practice for information security management
  • ISO/IEC 27004:2009 – Information security management – Measurement
  • ISO/IEC 27005:2008 – Information security risk management
  • BS25999-2:2007 – Business continuity management – Specification
  • COBIT v4.1 – Control Objectives for Information and related Technologies
  • OSSTMM v3 – Open Source Security Testing Methodology Manual
  • OWASP Testing Guide v3 – Open Web application Security Project Testing Guide
  • CC v3.1 – Common Criteria
  • CEM v3.1 – Common Methodology for Information Technology Security Evaluation
  • ITIL v3 – Information Technology Infrastructure Library
  • PCI-DSS v2.0 – Payment Card Industry Data Security Standard
  • Basilea2 – International Convergence of Capital Measurement and Capital Standards
  • SOX of 2002 – Public Company Accounting Reform and Investor Protection Act
  • D. Lgs. 231/2001 – Discipline of the administrative responsibility of legal persons, companies and associations even without legal personality
  • D. Lgs. 196/2003 – Code on the protection of personal data
  • D. Lgs. 262/2005 – Protection of savings and discipline of the financial markets
  • D. Lgs. 81/2008 – Health and Safety at Work Protection

Training and Professionals

TRAINING COURSES

The Data & Network Security Department of P & P INVESTIGAZIONI S.r.l. guarantees the training of experts specialised in the security field, through the organisation of courses on the subject.

Specifically, Offensive courses will be organised, describing the techniques used to compromise and/or damage operating systems, and Defence courses, based instead on the processes for safeguarding them.

At the end of each course, structured in theory and practice, the participants will have to pass a number of tests, after which they will receive the related Certificate of Participation.

PROFESSIONALS

The Data & Network Security Department of P & P INVESTIGAZIONI S.r.l. has at its disposal highly specialised experts, holding several awards and certifications in the field of security assessment, attesting both their technical professionalism and their ethical standing:

  • CISSP (Certified Information System Security Professional)
  • CISA (Certified Information Security Auditor)
  • CISM (Certified Information Security Manager)
  • OPSA (OSSTMM Professional Security Analyst)
  • OPST (OSSTMM Professional Security Tester)
  • OWSE (OSSTMM Wireless Security Expert)
  • GCFA (GIAC Certified Forensics Analyst)
  • ITV3F (ITIL Foundation v3)
  • ISFS (Information Security based on ISO/IEC 27002)
  • ISO/IEC 27001:2005 Lead Auditor (various schemas)
  • PCI-QSA (Payment Card Industry Qualified Security Assessor)
  • PCI-ASV (Payment Card Industry approved Scanning Vendor)

SENIOR SECURITY ADVISOR

This figure has at least 5 years of technical and organisational experience in the security industry, and therefore has the necessary requirements to identify the work activities and plan the strategies that the Customer needs.

He has precise knowledge of the security services and of the procedures that can be adopted to resolve each individual security problem; thanks to these competences and to his constant updating, he is able to take an active part in training and research activities.

SECURITY ADVISOR

This figure has 5 years of technical and organisational experience in the security field, and therefore has the necessary requirements to identify the work activities and plan the strategies that the Customer requires.

SECURITY EXPERT

With 2 years of technical and organisational experience in the security field, the Security Expert offers consultancy and assistance on the subject, in support of the work of the Security Advisor. He is regularly involved in updating and research activities.