
The current practice we are following:

ITGC (IT General Controls) --- IAM, which covers:

1. Access security
2. Change management
3. Disaster recovery

There is something we can add into these ITGC controls:

A.S --- Disabling unneeded system features and ports
Protecting audit logs
Physical security

We're going to start the Security Services (ITSS).

How to start ITSS?
Types of ITSS?
What to include in ITSS?

So, the first question: how to start the ITSS?

Starting the security services isn't a big thing, but delivering them with proper
resources matters.

What are the Security Services?

1. ISO27001 Audit
2. Cyber & Infrastructure Security Audits ---- intruding in the client's DB
3. Governance, Risk and Compliance (GRC) Audit
4. Vulnerability Assessment and Penetration Test (VAPT) ---- intruding in the client's DB
5. Process and Policy Review Services
5.1 Review the company's IT policies and procedures
5.2 Evaluate the company's IT budget and systems planning documentation
5.3 Review the data center's disaster recovery plan (till now we are doing off-site
storing of backup data / safe storage)
6. Network Audits ------- intruding in the client's DB
7. Data Center Audits
7.1 Physically reviewing their sites by visiting them and checking their security
management.

And the major question: what to include in ITSS?

We are starting a service, so let's start with the one we can make a profit out of,
considering the major issues around Info Sec.

ANY IDEAS?

Let's pitch it for ISO27001. Wait, you may ask: why not the others?

Perfect, I will tell you why this one.

ISO27001 doesn't intrude in the client's DB,

whereas in the rest of the services we need to get approvals before getting into the
complete structure of their security system, which the client may not be interested
in doing. Plus, the rest of the security services need tools of higher cost.

Don't worry, we are just beginning this process; we will go ahead and intrude in the
client's DB after successful ISO audits.

OK, so we're now performing the ISO audits. Great!!

Now the big question!!

How do we get a client?

There are two methods to get a client to sign over a security service, and
generally what the client requires is:

1. Either the company should have the official certificate from the British Council
to perform audits, plus all the frameworks and the countermeasures should be
satisfied by the ISO policy (Frameworks 22).

OR

2. The company should have certified ISO auditors to perform the audit, which is
cost saving and an early start to our services.

ALWAYS REMEMBER: the client will never compromise on security issues; he will definitely
pitch for the verified auditors.

So let's start with ISO audits and then get into the infrastructure security.
