Analysis of the state of cybersecurity
We will examine how your company is really doing in terms of cybersecurity.
Prevention must constitute an integral part of defending and protecting against cyber attacks. We will determine how resilient your IT is and propose and plan your next security steps.
What this analysis will bring you
Information about the current grant programme
Presently, the grant title DIGITAL ENTERPRISE – VIRTUAL ENTERPRISE – CALL I is open. Applications are accepted from 3 July 2023 until 2 November 2023, 10:00 a.m. The amount of the subsidy is up to 40%, depending on the type of enterprise.
Do you want to use our cybersecurity services for subsidies? If so, please contact us. We will find out what subsidies are currently available for you.
Services included in the analysis
- Basic analysis
  The basic analysis of the state of cybersecurity includes:
  - Determining the actual state of information and cyber security from the ISMS perspective.
  - Examination of the quality of processes, security tools, and documentation.
- GAP analysis
  Analysis of the current state of cybersecurity.
- Risk analysis
  Identification and quantification of assets, threats, and vulnerabilities, and determination of the resulting risk level.
- Vulnerability scanning
  External scanning for known vulnerabilities of assets that are accessible from the internet.
- Penetration testing
  External security testing of the perimeter, Wi-Fi, web applications, and portals. Comprehensive simulation of an attack on network components by an external attacker.
- Advanced validation of cybersecurity
  Advanced analysis of network traffic with a focus on malware:
  - Identification of threats and attacks using artificial intelligence and machine learning tools.
  - Detection of known, unknown, and targeted attacks.
  - Verification of compliance with security principles and policies.
  - Evaluation of network and application performance.
  - Network visualisation.
  - Forensic analysis.
- Simulated attacks
  - Simulation of a DDoS attack.
  - Simulation of a fraud campaign.
- Shared CISO
  The service of a dedicated, outsourced information security manager who strategically manages and optimises cybersecurity practices.
- DORA
  Cybersecurity in the financial sector.
We hold the necessary certificates and security is our top priority
- NBÚ certificate
  We hold a valid certificate from the National Security Authority for access to classified information.
- Physical security
  Physical security at BT3 level according to the National Security Authority methodology.
- Proven technologies
  We use and offer only proven technologies to ensure cybersecurity.
- Active support
  We provide active support 24 hours a day.
- ANSI/TIA-942
  The technology is operated from an ANSI/TIA-942 certified DC TOWER data centre.
- Common Criteria Certification for Information Technology (IT) Security (ISO/IEC 15408)
  Certification at CC EAL 4+ level.
- ISO 9001
  Quality management systems.
- ISO 14001
  Environmental management systems.
- ISO 19011
  Standard for the certification of internal auditors.
- ISO/IEC 20000-1
  Information technology – Service management system requirements.
- ISO/IEC 27001
  Information security management systems.
- ISO/IEC 27017
  Information technology – Security techniques – A set of guidelines for cloud environment security and for minimising the potential risk of security incidents.
- ISO/IEC 27018
  Information technology – Security techniques – A set of procedures for the protection of Personally Identifiable Information (PII) in public clouds acting as PII processors.
- SOC 2 Type 1 and Type 2
  SOC 2 Type 1 and Type 2 certifications, issued in accordance with American Institute of Certified Public Accountants (AICPA) standards and requirements, cover information management and security in organisations.
- ISO 50001
  Energy management systems.
- PCI DSS
  Compliance with the requirements of PCI DSS for data centre operators.
- NBÚ
  Certificate for access to classified information up to the classification level ‘CONFIDENTIAL’.
- GDPR compliance
  The infrastructure is fully compliant with GDPR requirements.
More detailed information
- Basic cybersecurity analysis
  A basic service used to determine the actual state of information and cybersecurity from an ISMS perspective, in order to assess the quality of processes, security tools, and management documentation.
  The service is based on the criteria of the CIS v8 methodology. It is provided in the form of a short interview, based on the completion of a simple questionnaire covering each of the areas concerned.
- GAP analysis
  This is an analysis of the current state of cybersecurity. The investigation consists of analysing internal documents (guidelines), tools, and processes, and of analysing and processing data from questionnaires and guided online interviews with the company’s employees and IT specialists.
  The GAP analysis is performed on the basis of the CIS v8 standards as well as the ISO 27001 and NIST standards and the requirements of ZoKB or NIS 2.0, GDPR, and TISAX. The product is a final report that presents a view from four perspectives, whose descriptions represent the main objectives of the analysis.
- Risk analysis
  This is an analysis of the security of information assets against the current state of cybersecurity. The investigation consists of analysing internal documents (guidelines), tools, and processes, and of analysing and processing data from questionnaires and guided online interviews with the company’s employees and IT specialists.
  The product is a comprehensive risk analysis report, including a BIA (Business Impact Analysis) and a mapping of the degree of compliance with ISO/IEC 27001 requirements, taking into account ISO/IEC 27002 and 27005, in the form of an SoA (Statement of Applicability), i.e., an analysis of the applicability of the requirements in the entity’s environment or in the environment of its supply chain.
- Vulnerability scanning
  The CRA Vulnerability Scanning service comprises external scanning for known vulnerabilities, i.e., scanning of subscriber assets that are accessible from the internet.
  The scanning scenarios for this service include the choice of assets, scan types, scanning intervals, and other information relevant to their execution. The scope of the scanning is defined upfront, during the preparation of the scanning scenarios. The list of known vulnerabilities tested for is updated regularly. We use our proprietary tool – Nessus – to scan for vulnerabilities.
- Penetration testing
  - Perimeter
    An external perimeter security test involving a comprehensive simulation of an attack on network components by an external attacker. The goal is to determine how easily the tested network infrastructure can be identified as a target, and what information obtainable from the outside could subsequently be exploited to gain unauthorised access.
  - Wi-Fi
    An internal security test of Wi-Fi technologies involving a comprehensive simulation of an attack on them by an external attacker. The goal is to determine how easily the tested network infrastructure can be identified as a target, and what information obtainable from the outside could subsequently be exploited to gain unauthorised access.
  - Web applications and portals
    An external or internal security test of a web application involving a comprehensive simulation of an attack by an external or internal attacker. The goal is to determine how easily the tested network infrastructure can be identified as a target, and what information obtainable from the outside could subsequently be exploited to gain unauthorised access.
- Advanced traffic analysis with a focus on malware
This analysis uses artificial intelligence and machine learning to identify cyber threats and attacks that other technologies cannot detect. The goal of the analysis is to verify the state of an organisation’s IT infrastructure through network traffic auditing and to recommend measures for improving security.
This includes detection of unknown and targeted attacks and threats, detection of known attacks and threats, verification of compliance with security principles and policies, network and application performance testing, network visualisation, and forensic analysis.
- NIS2
  - A European directive aimed at improving the security of networks and information systems in the EU.
  - It applies to critical infrastructure providers (e.g., energy, transport, or financial services), providers of digital services (e.g., cloud services or e-commerce platforms), and to government administration and local authorities that manage data pertaining to citizens.
  - It obliges companies to identify and assess the risks involved in their communication systems, data networks, and information systems. They must implement appropriate risk mitigation measures.
  - It obliges companies to ensure that their networks and information systems are able to quickly respond to and recover from an attack or another cyber threat.
  - It requires companies to report any cyber incidents that could compromise the functionality of their networks or information systems. They must be able to document and evaluate each incident.
  - It requires EU member states to set up a national entity (such as the NÚKIB) to monitor companies and organisations and work with them on risk minimisation.
  - It requires EU member states to actively monitor the implementation of and compliance with the NIS2 Directive.
  - It introduces obligations for entities related to incident management, including reporting, implementation of incident management tools, and business continuity management.
  - It requires entities to conduct security audits and to continuously monitor the status of their information systems and communication technologies.
  - It sets out obligations regarding information security and defines penalties for non-compliance (CZK 10,000,000 or 2% of a company’s total worldwide annual turnover).