IT Consulting
Statement of Work
Initial evaluation of the client’s statement-of-work, contrasting the requirements in this document against a preliminary evaluation carried out by Dominio.
The result will be a calibrated statement-of-work and a work agreement between the client and Dominio.
Digital Maturity
Initial diagnosis of the client’s digital maturity level with regards to the project and risk assessment (capacity, know-how, information flows, resistance to change, cybersecurity, etc.).
The result will be a technology maturity report and a risk assessment report to guide the project’s implementation.
Baseline
Definition of the initial baseline of the process (or system, or business unit) the project is about, emphasizing instances that are potential points of economic value or dependencies of potential economic value points.
An economic value point is an instance of a process where an opportunity for automation to achieve greater productivity, greater efficiency, or to reduce a risk exists.
The definition will use both “hard” (quantitative) metrics and “soft” (qualitative) metrics to obtain a comprehensive picture of the initial state.
Having described its initial state in detail, we will have a clear idea of the speed of progress and the quality of results as the project moves forward. This information will serve as input for the reflection and feedback meetings (workshops) to be held at critical moments (milestones) of the project.
Processes
Evaluation of the processes to find points of economic value to build the list of processes to be automated.
Formulate Strategic Plan
Formulate, together with the client, the strategic plan to implement enhancements or automation to the processes.
This plan should include critical moments (milestones) in which formal pauses will occur to evaluate the progress of the project and to make any necessary adjustments.
These critical moments are determined on:
- The natural stages of the project from a technical implementation perspective – technical progress.
- The additional productivity, increased efficiency, or risk reduction that occurs at potential economic value points as the digital transformation project progresses – value progress.
The result is a strategic process automation plan focused on generating economic value and executed with technical rigor.
Implementation of Strategic Plan
Advisory on the implementation of the strategic process automation plan, including the use of proven methodologies (best practices), transfer of know-how, review and feedback points, and quality assurance.
As a result, risks in the project implementation are reduced due to a higher level of management quality.
Optimization
Project Portfolio Optimization: Help to optimize technology projects efficiently, ensuring that resources are used in a way that delivers higher returns on investment given the available capabilities and business priorities.
The deliverable is a prioritized project schedule.
Management
IT Project Management: Project Manager outsourcing service. Management of IT projects from planning to final delivery.
Deliverable: Projects completed on time, within budget, and achieving their planned objectives.
Contract Reviews
Review of IT Service Contracts: Evaluate whether contracts contain all the necessary elements and whether they take into account the complexities required to acquire IT products and services.
Deliverable: Improved contracts.
Assessment
Advising on the adoption of cloud services, facilitating the transition from traditional infrastructures to more flexible and scalable environments.
- Cloud Adoption Strategy
- Workload Analysis
- Architecture
- Cost Optimization
- Security
Based on the doctrine of the Center for Internet Security (CIS), Dominio offers 14 out of the 18 cybersecurity controls that make up this doctrine.
1.1: Establish and Maintain Detailed Enterprise Asset Inventory
Asset type: Devices
Security function: Identify
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM-type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently.
1.2: Address Unauthorized Assets
Asset type: Devices
Security function: Respond
Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network or quarantine the asset.
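The two safeguards above amount to a recurring reconciliation: compare what the inventory says against what is actually seen on the network, then act on the differences. The following Python script is an added example (not Dominio's or CIS's code) of that check. The inventory rows and the observed devices are constructed, and the 182-day review interval is an assumption standing in for "bi-annually"; in practice the observations would come from DHCP leases, a switch MAC table or an NAC system.

```python
"""Reconcile the enterprise asset inventory (CIS Safeguard 1.1) with the
devices actually seen on the network and report what Safeguard 1.2 has to
act on. Added example; every inventory row and observation is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

REVIEW_INTERVAL = timedelta(days=182)   # assumption for "bi-annually, or more frequently"


@dataclass
class Asset:
    """One inventory record with the fields Safeguard 1.1 asks for."""
    mac: str
    hostname: str
    owner: str
    department: str
    approved: bool                      # approved to connect to the network
    last_reviewed: date
    ip: Optional[str] = None            # static network address, if any


@dataclass
class Observation:
    """A device seen on the network, e.g. from DHCP leases or a switch MAC table."""
    mac: str
    ip: str
    seen_on: date


def normalize_mac(mac: str) -> str:
    """Different sources write MACs differently; compare them in one form."""
    return mac.lower().replace("-", ":")


def reconcile(inventory: List[Asset], observed: List[Observation], today: date) -> Dict[str, List[str]]:
    by_mac = {normalize_mac(a.mac): a for a in inventory}
    findings: Dict[str, List[str]] = {
        "unauthorized": [],    # seen on the network, not in the inventory (1.2)
        "unapproved": [],      # inventoried but not approved to connect (1.2)
        "ip_mismatch": [],     # static address on record differs from what was seen
        "review_overdue": [],  # record older than the review interval (1.1)
    }
    for obs in observed:
        asset = by_mac.get(normalize_mac(obs.mac))
        if asset is None:
            findings["unauthorized"].append(normalize_mac(obs.mac))
        elif not asset.approved:
            findings["unapproved"].append(asset.hostname)
        elif asset.ip is not None and asset.ip != obs.ip:
            findings["ip_mismatch"].append(asset.hostname)
    for asset in inventory:
        if today - asset.last_reviewed > REVIEW_INTERVAL:
            findings["review_overdue"].append(asset.hostname)
    return findings


# Constructed sample data (not from any real network).
INVENTORY = [
    Asset("AA:BB:CC:00:00:01", "fs01", "j.perez", "Finance", True, date(2024, 3, 1), ip="10.0.1.10"),
    Asset("AA:BB:CC:00:00:02", "lt-hr-07", "m.lopez", "HR", True, date(2024, 9, 15)),
    Asset("AA:BB:CC:00:00:03", "cam-lobby", "facilities", "Facilities", False, date(2024, 9, 15)),
]
OBSERVED = [
    Observation("aa-bb-cc-00-00-01", "10.0.1.11", date(2024, 10, 1)),   # static IP changed
    Observation("aa:bb:cc:00:00:02", "10.0.2.55", date(2024, 10, 1)),
    Observation("aa:bb:cc:00:00:03", "10.0.3.7", date(2024, 10, 1)),    # not approved
    Observation("de:ad:be:ef:00:09", "10.0.2.99", date(2024, 10, 1)),   # unknown device
]


def audit_sample() -> Dict[str, List[str]]:
    """Run the reconciliation over the constructed data as of 2024-10-01."""
    return reconcile(INVENTORY, OBSERVED, today=date(2024, 10, 1))


if __name__ == "__main__":
    for category, items in audit_sample().items():
        print(f"{category}: {items}")
```

The "unauthorized" and "unapproved" lists are the weekly input to the Safeguard 1.2 process (remove, deny remote connection, or quarantine); "review_overdue" tracks the 1.1 review cadence itself, which is easy to forget once the inventory exists.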
2.1: Establish and Maintain a Software Inventory
Asset type: Software
Security function: Identify
Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently.
2.2: Ensure Authorized Software is Currently Supported
Asset type: Software
Security function: Identify
Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise’s mission, document an exception detailing mitigating controls and residual risk acceptance. Designate any unsupported software without exception documentation as unauthorized. Review the software list to verify software support at least monthly, or more frequently.
2.3: Address Unauthorized Software
Asset type: Software
Security function: Respond
Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.
Today, information has moved beyond company facilities, which requires thorough control not only at the encryption level between origin and destination, but also to verify that the destination is correct and to assess whether it poses any risk to sensitive company information.
Although the data is considered essential for daily business operations, it remains sensitive and carries a high risk of loss.
Through specialized consulting, the company can determine the access points and sensitive areas. Remember, attackers aim to find and extract sensitive information, and without a system that monitors outbound information, this risk is ever-present.
It is necessary to have an inventory of external accesses, remote workers, suppliers, and operators who have access, to ensure they meet the requirements and systems that protect the company's information, as well as maintaining a record of their access.
The company must identify the data it considers sensitive and determine the protection levels required. Additionally, the company must determine what assets are crucial.
The set of procedures and software tools established must align with the client's standards. The consulting service involves collaborating with different company departments to determine access levels and identify sensitive information areas.
Safeguard 3.1: Establish and Maintain a Data Management Process
Asset Type: Data
Security Function: Govern
Establish and maintain a documented data management process. This process should address data sensitivity, data ownership, data handling, retention limits, and disposal requirements based on the company’s sensitivity and retention standards. Review and update the documentation annually or when significant changes occur that may affect this security measure.
Safeguard 3.2: Establish and Maintain a Data Inventory
Asset Type: Data
Security Function: Identify
Establish and maintain an inventory of data based on the company’s data management process. At a minimum, inventory sensitive data. Review and update the inventory annually, with a priority on sensitive data.
Safeguard 3.3: Configure Access Control Lists for Data
Asset Type: Data
Security Function: Protect
Configure access control lists for data based on user need-to-know. Apply access control lists (permissions) to local and remote file systems, databases, and applications.
Safeguard 3.4: Enforce Data Retention
Asset Type: Data
Security Function: Protect
Retain data according to the company’s documented data management process. Data retention should include both minimum and maximum retention periods.
Safeguard 3.5: Securely Dispose of Data
Asset Type: Data
Security Function: Protect
Dispose of data securely as described in the company’s documented data management process. Ensure that the disposal process and method are appropriate for the data's sensitivity.
Safeguard 3.6: Encrypt Data on End-User Devices
Asset Type: Data
Security Function: Protect
Encrypt data on end-user devices that contain sensitive data. Examples of implementations include Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.
Control and inventory of configurations have become critical due to the number of agents and attacks that can affect various devices with network access, including personal phones that access the company network but have no configuration controls.
Therefore, it is essential to have systems and procedures in place to manage inventory configurations properly and ensure the necessary controls are in place.
Any device connected to our network, or any network point, that is not recorded in the inventory is considered a risk. Even unused network points should be powered off, as they could serve as a means of access for unauthorized devices.
The consulting service creates a set of guides and helps determine which software tools allow the deployment of controls. It is necessary to have an up-to-date manual outlining how updates should proceed, so that outdated systems do not leave room for attacks.
Additionally, companies should take preventive actions for developments that, when not updated by providers, leave security gaps. This evaluation becomes crucial, so the role of consultants is to identify all improvements, updates, and risks the company is exposed to.
Safeguard 4.1: Establish and Maintain a Secure Configuration Process
Asset Type: Documentation
Security Function: Govern
Establish and maintain a documented secure configuration process for the company's assets (end-user devices, including portable and mobile devices, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update the documentation annually or when significant changes occur that may affect this security measure.
Safeguard 4.2: Establish and Maintain a Secure Configuration Process for Network Infrastructure
Asset Type: Documentation
Security Function: Govern
Establish and maintain a documented secure configuration process for network devices. Review and update the documentation annually or when significant changes occur that may affect this security measure.
Safeguard 4.3: Configure Automatic Session Lock for Company Assets
Asset Type: Devices
Security Function: Protect
Configure automatic session lock for company assets after a defined period of inactivity. For general-purpose operating systems, the period should not exceed 15 minutes. For end-user mobile devices, the period should not exceed 2 minutes.
Safeguard 4.4: Implement and Manage a Firewall on Servers
Asset Type: Devices
Security Function: Protect
Implement and manage a firewall on servers, where compatible. Examples of implementations include a virtual firewall, operating system firewall, or third-party firewall agents.
Safeguard 4.5: Implement and Manage a Firewall on End-User Devices
Asset Type: Devices
Security Function: Protect
Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default deny rule that blocks all traffic except those services and ports explicitly allowed.
Safeguard 4.6: Securely Manage Company Assets and Software
Asset Type: Devices
Security Function: Protect
Securely manage company assets and software. Examples of implementations include configuration management through Infrastructure as Code (IaC) controlled by versions and accessing administrative interfaces via secure network protocols like Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols like Telnet or HTTP, unless operationally essential.
Safeguard 4.7: Manage Default Accounts on Company Assets and Software
Asset Type: Users
Security Function: Protect
Manage default accounts on company assets and software, such as root, administrator, and other vendor-preconfigured accounts. Implementations may include disabling or rendering default accounts unusable.
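Safeguards 4.3 through 4.7 are concrete enough to be checked automatically against the configuration state of each asset. The Python script below is an added example (not Dominio's or CIS's code) of such a compliance check run over a constructed configuration export: it applies the 15-minute/2-minute session lock limits of 4.3, the firewall requirements of 4.4 and 4.5, the management-protocol rule of 4.6 and the default-account rule of 4.7. The record layout (the `kind`, `firewall` and `default_accounts` fields) is an assumption; a real deployment would populate it from the configuration management tooling in use.

```python
"""Check host configuration records against CIS Safeguards 4.3 to 4.7.
Added example; the configuration records are constructed and their layout
is an assumption, not any particular tool's export format."""
from typing import Dict, List

# 4.3: session lock must not exceed 15 minutes on general-purpose OSes, 2 minutes on mobile.
MAX_LOCK_SECONDS = {"workstation": 15 * 60, "server": 15 * 60, "mobile": 2 * 60}
# 4.6: management protocols that are not acceptable without an operational exception.
INSECURE_MGMT = {"telnet", "http"}


def check_host(cfg: dict) -> List[str]:
    """Return one finding per failed safeguard; an empty list means compliant."""
    findings: List[str] = []
    kind = cfg["kind"]

    # 4.3 automatic session lock
    limit = MAX_LOCK_SECONDS[kind]
    lock = cfg.get("session_lock_seconds")
    if lock is None or lock > limit:
        findings.append(f"4.3 session lock missing or above {limit} s")

    # 4.4 (servers) and 4.5 (end-user devices): firewall present; end-user devices default-deny
    fw = cfg.get("firewall", {})
    if not fw.get("enabled"):
        findings.append("4.4 firewall not enabled" if kind == "server" else "4.5 host firewall not enabled")
    elif kind != "server" and fw.get("default_inbound") != "deny":
        findings.append("4.5 host firewall default inbound policy is not deny")

    # 4.6 secure management protocols only, unless an exception is recorded
    enabled = {p.lower() for p in cfg.get("management_protocols", [])}
    insecure = sorted(enabled & INSECURE_MGMT)
    if insecure and not cfg.get("insecure_mgmt_exception"):
        findings.append("4.6 insecure management protocol enabled: " + ", ".join(insecure))

    # 4.7 vendor/default accounts must be disabled (or otherwise made unusable)
    for account, state in cfg.get("default_accounts", {}).items():
        if state != "disabled":
            findings.append(f"4.7 default account '{account}' is {state}")
    return findings


def audit_hosts(hosts: List[dict]) -> Dict[str, List[str]]:
    """Map each host name to the safeguard numbers it fails."""
    return {h["name"]: [f.split()[0] for f in check_host(h)] for h in hosts}


# Constructed sample export (three assets, no real systems).
HOSTS = [
    {"name": "ws-fin-03", "kind": "workstation", "session_lock_seconds": 600,
     "firewall": {"enabled": True, "default_inbound": "deny"},
     "management_protocols": ["ssh"],
     "default_accounts": {"Administrator": "disabled", "Guest": "disabled"}},
    {"name": "sales-phone-12", "kind": "mobile", "session_lock_seconds": 300,
     "firewall": {"enabled": True, "default_inbound": "deny"},
     "management_protocols": [], "default_accounts": {}},
    {"name": "srv-app-01", "kind": "server", "session_lock_seconds": 900,
     "firewall": {"enabled": False},
     "management_protocols": ["HTTPS", "telnet"],
     "default_accounts": {"admin": "enabled"}},
]


if __name__ == "__main__":
    for host in HOSTS:
        print(host["name"], check_host(host) or "compliant")
```

Because each finding carries the safeguard number, the output can be filed directly against the documented configuration process of 4.1/4.2 and re-run after every change to show what was fixed.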
The implementation of a comprehensive Identity and Access Management (IAM) program is necessary.
It is easier for an external or internal threat to gain unauthorized access to a company’s assets or data by using valid user credentials than by "hacking" the environment. There are many ways to gain covert access to user accounts, including: weak passwords, accounts still active after an employee leaves the company, inactive or persistent test accounts, shared accounts that haven’t been changed in months or years, service accounts embedded in applications for scripts, a user using the same password as an online account that was compromised in a public password dump, social engineering to obtain a user’s password, or using malware to capture passwords or tokens in memory or through the network.
Periodic validation protocols and systems should be developed by multidisciplinary teams that not only enable technological management but also instill awareness within the user layer. These protocols should be supported by tools that gather the information needed for proper management.
Procedures and Tools
For proper control, a series of procedures have been developed that must be implemented to audit and control potential security gaps. These procedures should be supported by system tools that provide automated control points:
- Account Inventory
- Use of unique passwords
- Disable inactive accounts
- Restrict administrative access
- Inventory of services and accesses (including Wi-Fi and printing)
- Centralize user management
Safeguard 5.1: Establish and Maintain an Account Inventory
Asset Type: Users
Security Function: Identify
Establish and maintain an inventory of all accounts managed by the company. The inventory should include, at a minimum, user accounts, administrator accounts, and service accounts. The inventory must include at least the name of the person, the username, start and end dates, and the department. Validate that all active accounts are authorized on a recurring basis, at least quarterly or more frequently.
Safeguard 5.2: Use Unique Passwords
Asset Type: Users
Security Function: Protect
Use unique passwords for all company assets. Best practice implementations include, at a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA.
Safeguard 5.3: Disable Inactive Accounts
Asset Type: Users
Security Function: Protect
Delete or disable any inactive accounts after 45 days of inactivity, where possible.
Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts
Asset Type: Users
Security Function: Protect
Restrict administrator privileges to dedicated administrator accounts on company assets. Perform general computing activities, such as internet browsing, email, and use of productivity suites, from the user’s main account, which does not have administrator privileges.
6.1: Establish an Access Granting Process
Asset type: Documentation
Security function: Govern
Establish and follow a documented process, preferably automated, for granting access to enterprise assets upon new hire or role change of a user.
6.2: Establish an Access Revoking Process
Asset type: Documentation
Security function: Govern
Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user.
Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.
6.3: Require MFA for Externally Exposed Applications
Asset type: Users
Security function: Protect
Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.
6.4: Require MFA for Remote Network Access
Asset type: Users
Security function: Protect
Require MFA for Remote Network Access.
6.5: Require MFA for Administrative Access
Asset type: Users
Security function: Protect
Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a service provider.
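Safeguards 5.1 to 5.4 and 6.2/6.5 above all reduce to questions that can be asked of the account inventory on a schedule: is every record complete, is any enabled account inactive for more than 45 days or past its end date, does password length match the MFA status, and do general-use accounts carry administrator rights. The Python script below is an added example (not Dominio's or CIS's code) of that recurring audit over a constructed inventory extract. The record fields and the sample accounts are assumptions; in practice the extract would be pulled from the directory service or IAM platform.

```python
"""Audit an account inventory against CIS Safeguards 5.1-5.4, 6.2 and 6.5.
Added example; the inventory records are constructed and the field layout
is an assumption rather than any directory's export format."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

INACTIVITY_LIMIT = timedelta(days=45)        # 5.3
MIN_PW_WITH_MFA, MIN_PW_WITHOUT_MFA = 8, 14  # 5.2


@dataclass
class Account:
    username: str
    person: str            # owner (5.1 requires a name per account)
    department: str
    kind: str              # "user", "admin" or "service"
    start: date
    end: Optional[date] = None
    last_login: Optional[date] = None
    enabled: bool = True
    mfa: bool = False
    password_length: int = 0
    privileged: bool = False   # holds administrator rights


def audit_account(a: Account, today: date) -> List[str]:
    findings: List[str] = []
    if not a.person or not a.department:
        findings.append("5.1 inventory record incomplete")
    minimum = MIN_PW_WITH_MFA if a.mfa else MIN_PW_WITHOUT_MFA
    if a.password_length < minimum:
        findings.append(f"5.2 password shorter than {minimum} characters")
    # An account that never logged in counts as inactive from its start date.
    last_activity = a.last_login or a.start
    if a.enabled and today - last_activity > INACTIVITY_LIMIT:
        findings.append("5.3 inactive for more than 45 days, still enabled")
    if a.kind == "user" and a.privileged:
        findings.append("5.4 general-use account holds administrator privileges")
    # 6.2: disable rather than delete, so the audit trail survives.
    if a.end is not None and a.end <= today and a.enabled:
        findings.append("6.2 end date passed, access not revoked")
    if a.kind == "admin" and not a.mfa:
        findings.append("6.5 administrative account without MFA")
    return findings


def audit_accounts(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Map each username to the safeguard numbers it fails."""
    return {a.username: [f.split()[0] for f in audit_account(a, today)] for a in accounts}


# Constructed sample inventory extract (no real people or systems).
ACCOUNTS = [
    Account("jperez", "J. Perez", "Finance", "user", date(2023, 2, 1),
            last_login=date(2024, 9, 30), mfa=True, password_length=12),
    Account("mlopez-adm", "M. Lopez", "IT", "admin", date(2022, 5, 10),
            last_login=date(2024, 9, 29), mfa=False, password_length=16, privileged=True),
    Account("contractor7", "R. Gomez", "", "user", date(2024, 1, 15), end=date(2024, 8, 31),
            last_login=date(2024, 8, 30), mfa=True, password_length=10),
    Account("svc-backup", "backup system", "IT", "service", date(2021, 3, 1),
            last_login=date(2024, 9, 30), mfa=False, password_length=10),
    Account("tmp-test", "QA team", "QA", "user", date(2024, 3, 1),
            last_login=date(2024, 4, 2), mfa=False, password_length=20, privileged=True),
]
AS_OF = date(2024, 10, 1)


def audit_sample() -> Dict[str, List[str]]:
    return audit_accounts(ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for user, codes in audit_sample().items():
        print(user, codes or "ok")
```

Run quarterly (the 5.1 cadence) or, better, from a scheduled job, the output is the list the account-management process must close: disable the 5.3 and 6.2 hits, move privileges off the 5.4 account into a dedicated administrator account, and enforce MFA on the 6.5 account.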
7.1: Establish and Maintain a Vulnerability Management Process
Asset type: Documentation
Security function: Govern
Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
7.2: Establish and Maintain a Remediation Process
Asset type: Documentation
Security function: Govern
Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
7.3: Perform Automated Operating System Patch Management
Asset type: Software
Security function: Protect
Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
7.4: Perform Automated Application Patch Management
Asset type: Software
Security function: Protect
Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
8.1: Establish and Maintain an Audit Log Management Process
Asset type: Documentation
Security function: Govern
Establish and maintain a documented audit log management process that defines the enterprise’s logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
8.2: Collect Audit Logs
Asset type: Data
Security function: Detect
Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets.
8.3: Ensure Adequate Audit Log Storage
Asset type: Data
Security function: Protect
Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management process.
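Safeguards 8.2 and 8.3 are easy to state and easy to drift away from: a host that stops forwarding logs, or a log store that cannot hold the retention period the process requires, silently voids the control. The Python script below is an added example (not Dominio's or CIS's code) of a check that catches both, using a constructed list of log sources. The 90-day retention period and the 24-hour silence threshold are assumptions standing in for whatever the enterprise's audit log management process specifies.

```python
"""Verify audit log coverage (CIS 8.2) and storage sufficiency (CIS 8.3).
Added example; the log sources, asset list and thresholds are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

RETENTION_DAYS = 90                   # assumption: the process requires 90 days of logs
SILENCE_LIMIT = timedelta(hours=24)   # assumption: a source quiet for longer is a gap


@dataclass
class LogSource:
    asset: str
    last_event: datetime   # most recent event received at the log destination
    daily_bytes: int       # average volume this source sends per day


def logging_gaps(inventory: List[str], sources: List[LogSource], now: datetime) -> List[Tuple[str, str]]:
    """Assets from the inventory that are not logging, with the reason (8.2)."""
    by_asset = {s.asset: s for s in sources}
    gaps: List[Tuple[str, str]] = []
    for asset in inventory:
        src = by_asset.get(asset)
        if src is None:
            gaps.append((asset, "no log source configured"))
        elif now - src.last_event > SILENCE_LIMIT:
            hours = int((now - src.last_event).total_seconds() // 3600)
            gaps.append((asset, f"silent for {hours} h"))
    return gaps


def required_storage(sources: List[LogSource]) -> int:
    """Bytes needed to hold every source for the full retention period (8.3)."""
    return sum(s.daily_bytes for s in sources) * RETENTION_DAYS


def storage_sufficient(sources: List[LogSource], capacity_bytes: int) -> bool:
    return required_storage(sources) <= capacity_bytes


# Constructed sample: four inventoried assets, three of them forwarding logs.
NOW = datetime(2024, 10, 1, 12, 0)
INVENTORY = ["fs01", "ws-fin-03", "srv-app-01", "fw-edge"]
SOURCES = [
    LogSource("fs01", NOW - timedelta(minutes=10), 2_000_000_000),
    LogSource("ws-fin-03", NOW - timedelta(hours=2), 200_000_000),
    LogSource("srv-app-01", datetime(2024, 9, 28, 12, 0), 5_000_000_000),  # stopped 3 days ago
]
CAPACITY_BYTES = 1_000_000_000_000   # 1 TB at the log destination


def report() -> Tuple[List[Tuple[str, str]], bool]:
    return logging_gaps(INVENTORY, SOURCES, NOW), storage_sufficient(SOURCES, CAPACITY_BYTES)


if __name__ == "__main__":
    gaps, ok = report()
    for asset, reason in gaps:
        print(f"8.2 gap: {asset}: {reason}")
    print("8.3 storage", "sufficient" if ok else "INSUFFICIENT",
          f"(need {required_storage(SOURCES) / 1e9:.0f} GB of {CAPACITY_BYTES / 1e9:.0f} GB)")
```

Feeding the asset list from the Control 1 inventory rather than from the log platform itself is the point: the platform only knows about sources that were once configured, so an asset that was never onboarded is invisible to it.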
9.1: Ensure Use of Only Fully Supported Browsers and Email Clients
Asset type: Software
Security function: Protect
Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.
9.2: Use DNS Filtering Services
Asset type: Devices
Security function: Protect
Use DNS filtering services on all end-user devices, including remote and on-premises assets, to block access to known malicious domains.
10.1: Deploy and Maintain Anti-Malware Software
Asset type: Devices
Security function: Detect
Deploy and maintain anti-malware software on all enterprise assets.
10.2: Configure Automatic Anti-Malware Signature Updates
Asset type: Devices
Security function: Protect
Configure automatic updates for anti-malware signature files on all enterprise assets.
10.3: Disable Autorun and Autoplay for Removable Media
Asset type: Devices
Security function: Protect
Disable autorun and autoplay auto-execute functionality for removable media.
11.1: Establish and Maintain a Data Recovery Process
Asset type: Documentation
Security function: Govern
Establish and maintain a documented data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
11.2: Perform Automated Backups
Asset type: Data
Security function: Recover
Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data.
11.3: Protect Recovery Data
Asset type: Data
Security function: Protect
Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements.
11.4: Establish and Maintain an Isolated Instance of Recovery Data
Asset type: Data
Security function: Recover
Establish and maintain an isolated instance of recovery data. Example implementations include version controlling backup destinations through offline, cloud, or off-site systems or services.
12.1: Ensure Network Infrastructure is Up to Date
Asset type: Network
Security function: Protect
Ensure network infrastructure is kept up to date. Example implementations include running the latest stable release of software and/or using a currently supported network-as-a-service (NaaS) offering. Review software versions monthly, or more frequently, to verify software support.
13.1: Centralize Security Event Alerting
Asset type: Network
Security function: Detect
Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log analytics platform configured with security-relevant correlation alerts also satisfies this Safeguard.
13.2: Deploy a Host-Based Intrusion Detection Solution
Asset type: Devices
Security function: Detect
Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
13.3: Deploy a Network Intrusion Detection Solution
Asset type: Network
Security function: Detect
Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or an equivalent cloud service provider (CSP) service.
13.4: Perform Traffic Filtering Between Network Segments
Asset type: Network
Security function: Protect
Perform traffic filtering between network segments, where appropriate.
13.5: Manage Access Control for Remote Assets
Asset type: Devices
Security function: Protect
Manage access control for assets remotely connecting to enterprise resources. Determine the amount of access to enterprise resources based on: up-to-date anti-malware software installed, configuration compliance with the enterprise’s secure configuration process, and ensuring the operating system and applications are up-to-date.
13.6: Collect Network Traffic Flow Logs
Asset type: Network
Security function: Detect
Collect network traffic flow logs and/or network traffic to review and alert upon from network devices.
15.1: Establish and Maintain an Inventory of Service Providers
Asset type: Users
Security function: Identify
Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard.
- Diagnosis of the IT State of Affairs: Infrastructure, networks, communications, security, organization, alignment with business. Analysis, diagnosis, recommendations, and action plan.
- Network Design and Implementation: Planning and assistance in the implementation of robust and secure data networks, suitable for the expansion and growth of mid-sized companies.
- Optimization of Existing Infrastructure: Review and optimization of current technological systems and equipment to improve performance, reduce operational costs, and increase scalability.
- Server Virtualization and Consolidation: Assistance in reducing the complexity of infrastructures by implementing virtual servers that optimize resource usage.
Proper Distribution and Capacity
In today’s world, it is essential to have a proper distribution of technological resources within data centers. This not only involves redundancy levels but also the capacity to accept new services or to expand their reach to support growing demands.
Given our experience constantly evaluating emerging technologies, Dominio Consultores can offer consulting that provides our clients with a broad range of vendor-agnostic solutions. This allows us to not only meet your current needs but also to be prepared for your future growth.
A correct design and proper implementation require an accurate translation of business requirements into technology. This goes beyond just hardware and software schematics — it also considers the business’ cost-effectiveness.
Every system needs a level of contingency to ensure its operation on all fronts. Nowadays, it is critical to consider not only traditional issues such as power outages or equipment failures, but also the challenges posed by cyberattacks and other emerging risks.
Analysis and Support Processes for Change Management
Dominio offers a service aimed at supporting organizational change processes.
In a change management process, everything that is necessary for the transition to the new condition is prepared, organizational support for the change is gained, and the change process is rolled out in time and as planned.
A key aspect of the service is the analysis of the impacts the new condition will have on all entities and teams within the company.
As part of the process, Dominio adopts a change management methodology to guide the technological implementation in companies.
We follow these stages:
- Change Awareness: Business need
- Change Strategy: Concept, plan design
- Implementation: Dissemination, communication, training
- Measurement: Feedback, reinforcement
Supervising and Controlling the Implementation of a Project
Dominio offers a consulting service that supervises and controls the proper progress of an IT and communications technology implementation project.
Value Proposition:
- Ensuring the successful implementation of an IT project on time and within budget.
- Proper adoption of the tool by the various business areas, so as to achieve a shared vision aligned with company objectives.
- Supporting the IT department and acting as a liaison in project management.
The service includes the validation of: the quality of the IT project execution, compliance with the scope (statement-of-work), platform acceptance criteria, and identification of any deviations that may impact users. All of these are reviewed in executive QA sessions.