Empanelled Information Security Auditing Organisations

Download as docx, pdf, or txt
Download as docx, pdf, or txt
You are on page 1of 309
At a glance
Powered by AI
The document lists various organizations that have been empanelled by CERT-In as information security auditing organizations. It provides contact details like address, website URL, phone numbers, and points of contact for each organization.

Organizations like AAA Technologies Pvt Ltd, AUDITime Information Systems (I) Ltd, AKS Information Technology Services Pvt Ltd, Aujas Networks Pvt Ltd and others are listed on pages 1-2 as CERT-In empanelled information security auditing organizations.

For each organization, details like address, website URL, phone numbers, fax numbers, contact person name, mobile number and email are provided.

EMPANELLED INFORMATION SECURITY AUDITING ORGANISATIONS by CERT-In

The List of IT Security Auditing Orgnisations, as given below, is up-to-date valid list of CERT-In
Empanelled Information Security Auditing Orgnisations. This list is updated by us as soon as there is
any change in it.

1. AAA Technologies Pvt Ltd

278-280, F-Wing, Solaris-1,


Saki Vihar Road, Opp. L&T Gate No. 6,
Powai, Andheri (East),
Mumbai – 400072.
Website URL : http://www.aaatechnologies.co.in
Ph : 022-28573815
Fax: 022-40152501
Contact Person : Mr. Anjay Agarwal, Chairman & Managing Director
Mobile : +91 09322265876, 9821087283
E-mail : [email protected]

2. AUDITime Information Systems (I) Ltd.

A-504, Kailash Esplanade,


L B S Marg, Ghatkopar (West),
Mumbai – 400086
Ph: 022 40508210
Fax: 022 40508230
Contact Person :Mr. Madhav Bhadra, Director
Mobile : +91 9320253902
E-mail: [email protected]

3. AKS Information Technology Services Pvt Ltd

E-52, Sector-3,
Noida – 201301.
Website URL : http://www.aksitservices.co.in
Ph: 0120-4545911, 0120-2542253
Fax : 0120-4243669
Contact Person : Mr. Ashish Kumar Saxena, Managing Director
Mobile : +91 7290058951
E-mail : [email protected]

4. Aujas Networks Pvt Ltd

#595, 4th floor, 15th Cross, 24th Main, 1st Phase,


JP nagar,
Bangalore, Karnataka- 560078.
Website URL : http://www.aujas.com/
Ph : 080-26087878
Fax: 080-26087816
Contact Person : Mr. Jaykishan Nirmal, Vice President
Mobile : +91 9980238005
E-mail : [email protected]
5. AGC Networks

2nd Floor, Equinox Business Park,


Tower 1, (Peninsula Techno Park),
Off Bandra Kurla Complex, LBS Marg,
Kurla (West), Mumbai – 400070, INDIA
Ph : +91 2266617490 Ext. 490
Fax: +91 22 6704 5888
Contact person : Mr. Pravin Shinde (VP-Service Delivery)
Mobile: +91 9930132092
E-mail: [email protected]

6. ANB Solutions Pvt. Ltd

901,Kamla Executive Park, Off Andheri-Kurla Road,


J. B. Nagar, Andheri East, Mumbai 400 059
Ph :+91 (22) 4221 5300
Fax:+91 (22) 4221 5303
Contact Person :Preeti Raut
E-mail :[email protected]

7. ALLIED BOSTON CONSULTANTS INDIA PVT. LTD.

2205, Express Trade Towers 2,


Sector 132, Noida - 201301, INDIA
Ph : +91-120-4113528 / 4113529
Contact Person : Mr. T. GANGULY
E-mail : [email protected]

8. AQM Technologies PvtLtd.


A 401, Raheja Plaza, LBS Rd, Nityanand Nagar,
Ghatkopar West, Mumbai, Maharashtra 400086.
Phone number :022 4050 8200
Contact Person: Sanjay PARIKH
E-mail:[email protected]
Contact No :+91-8291858027
Contact Person:Madhav Bhadra
E-mail:[email protected]
Contact No :+91-9320253902

9. BDO India LLP

The Ruby, Level 9,, 29, Senapati Bapat Marg,


Dadar West, Dadar, Mumbai, Maharashtra 400028
Ph :022 3332 1600 , +91 9819024009
Fax:24393700
Contact Person : Ashish Gangrade
E-mail : [email protected]
10. Briskinfosec Technology and Consulting Pvt. Ltd.

No.21,2nd Floor, Krishnamachari Rd, Tirumurthy Nagar,


Nungambakkam, Chennai, Tamil Nadu 600034
Ph: +91 860 863 4123 044 4352 4537
Contact Person: Mr.Arulselvar Thomas, Director
Email: [email protected]

11. BHARAT ELECTRONICS LIMITED

Office of the GM/Software,


BEL Software Technology Centre
Bharat Electronics Limited
Jalahalli, Bengaluru - 560013, Karnataka
Ph :080-22197197, or 080-28383120
Fax:080-28380100
Contact Person : Mrs. Anna Peter, Sr.DGM (Software), BSTC
E-mail : [email protected]
Mobile : +91 9844296344
Ph :080-22195563

12. CMS IT Services Pvt. Ltd.

No. 236, Venkatadri IT Park,


Konappana Agrahara, Electronic City Phase-1,
Bangalore, Karnataka – 560100
Ph : +91-80-30430300/400
Fax: +91-80-30430488
Mob: +91-7259621296
Contact Person : Ms. Amulya Shetty
E-mail : [email protected]

13. Cyber Q Consulting Pvt Ltd.

622 DLF Tower A,Jasola


New Delhi-110044
Website URL: http://www.cyberqindia.com
Ph : 011-41077560
Fax : 011-41077561
Contact Person : Mr. Debopriyo Kar, Head-Information Security
Mobile: +91 9810033205 / 9968846947
E-mail : [email protected]

14. Control Case International Pvt Ltd

203, Town Center-1, Andheri-Kurla Road,


Saki Naka, Andheri(E)
Mumbai-400059
Ph: 91-22-66471800
Fax: 91-22-66471810
Contact Person :Mr. Satyashil Rane
Mobile : +91 919769812324
E-mail : [email protected]
15. Centre for Development of Advance Computing (C-DAC),

Plot No. 6 & 7, Hardware Park,


Sy No. 1/1, Srisailam Highway,
Pahadi Shareef Via Keshavagiri (Post)
Hyderabad - 500005
Ph: 040-23737124
Fax: 040-23738131
Mobile :9248920122
Contact Person: Shri Ch.A.S. Murthy, Principal Technical Officer
Email: [email protected]

16. Cyber Security Works Pvt. Ltd.

Shri M.Ram Swaroop , President


No.3, III – Floor, E- Block,
599, Anna Salai,
Chennai – 600 006
Email:[email protected]
Mobile:9790702222

17. Cigital Asia Pvt Ltd

Prestige Blue Chip TechPark,


3rd block 4th floor, No.9 Hosur Road,
Bangalore – 560 029
Contact Person: Mr. Amarnadh Kolli (Director Operations).
Mobile : +91 99001 92727
E-mail : [email protected]
[email protected]

18. CyberRoot Risk Advisory Pvt. Ltd.

023, 5th Floor, Tower A, Emaar Digital Greens,


Sector 61, Gurugram - 122102, Haryana
Contact Person: Mr. Chiranshu Ahuja
Email: [email protected]
Phone : +91 124 4960229/30/31

19. Code Decode Labs Pvt. Ltd.

A - 02, ‘Cassiopeia Classic’,


Opp. Pancard Clubs Baner,
Pune - 411045, (MAH) India.
Contact Person: Mr. Sachin Singhai,
Email: [email protected]
Website: www.codedecodelabs.com
Mobile: +91 9545852578 / +91 7887801188
Tel:(020) 20251477
20. Crossbow Labs LLP

Head Office: #146, Level-5, Gopal Towers,


Ramaiah St, ISRO Colony, Domlur, Bengaluru,
Karnataka 560008

Registered address: 143/A/12, E-ward,


15 Shivneri Behind Mahavir Garden,
Assembly Road, Kolhapur
Maharashtra - 416001
Ph: +91-7259385006
Contact Person: Rosan Thomas, Sr. Consultant
E-mail :[email protected]

21. CyRAAC Services Private Limited

Postal address:73/3, 2nd Floor, Brigade Corner,


S.Kariyappa Road, Yediyur, Jayanagar,
Bangalore, Karnataka, India, 560082
Ph : +919886210050
Contact Person : Murari Shanker
E-mail :[email protected]

22. Deccan Infotech Pvt. Ltd.

Shree Dilip H Ayyar , Director


13 J, Jakkasandra Block.
7th Cross ,
Koramangala ,
Bangalore - 560 034
Email:[email protected]
Mobile:096864-55399
Tel: 080 - 2553 0819
Fax:080 - 2553 0947

23. Digital Age Strategies Pvt. Ltd.

Shri Dinesh S Shastri , Director


No. 28 , Om Arcade "3"rd Floor,
Thimmappa Reddy Layout,
Hilimuavu Gate,
Bannerghatta Road ,
Banglore-560076
Email: [email protected], [email protected]
Mobile: 9448088666 , 9448055711

24. Deloitte Touche Tohmatsu India Limited Liability Partnership*

Address: 12, Annie Besant Road,


Opposite Shiv Sagar Estate,
Worli, Mumbai - 400018
Contact Person: Srivatsan Parthasarathy
Designation: Partner (National Leader – Cyber Risk Services)
Mobile No.: +91-9871722243
Email ID: [email protected]
25. Ernst & Young LLP

Tidel Park, 6th floor (601), A block, 4, Rajiv Gandhi Salai,


Taramani Chennai- 600113, Tamil Nadu
Website URL: www.ey.com/india
Ph : +91 124 6121380
Contact Person: Mr. Vidur Gupta, Director – Advisory Services
Mobile : +91-9650711300
E-mail : [email protected]

26. Esec Forte Technologies Pvt Ltd

Corporate Office (Mailing Address): Level 2, Enkay Centre, Vanijya Kunj,


Udyog Vihar, Phase - V, Gurgaon -122016 (Opp. Cyber Hub)
Tel: +91 124 4264666, +91 9871699555
Contact Person: Mr. Kunal Bajaj, Chief Business Officer
Mobile : +91- 9871699555
E-mail : [email protected]

27. e.com Infotech I Ltd

Level 3 Neo Vikram, New Link Road,


Andheri West Mumbai 400058
Ph :9004031956
Contact Person : Ashwin Chaudhary CEO
E-mail : [email protected]

28. Finest Minds Infotech Pvt Ltd

#90, 2nd floor, 17th cross, 14th Main,


HSR Layout, Bangalore-560102
Ph :9886546262
Fax:
Contact Person : Akshat Kumar Jain
E-mail :[email protected]

29. Grant Thornton India LLP

L 41, Connaught Circus, Outer Circle,


New Delhi. PIN - 110 001
Ph : 0124-4628000 (Ext. 277)
Fax: +91 124 462 8001
Contact Person : Mr. Akshay Garkel, Partner Advisory
Mobile:+91 9820208515
E-mail : [email protected]

30. HCL Comnet Ltd

A-104, Sector 58, Noida - 201301


Ph: 0120-4362800
Fax: 0120-2539799
Contact person : Mr. Sreekumar KU, AVP
Mobile : +91 9650263646
E-mail : [email protected]
31. Haribhakti & Company LLP, Chartered Accountants

701, Leela Business Park, Andheri Kurla Road,


Andheri (E), Maharashtra India 400059
Contact Person:Rhucha Vartak,Director, Risk and Advisory Services
Email:[email protected]
Phone: 9821472740, 022 - 66729686

32. HKIT Security Solutions

#36, 1st floor, Corner Stone Building,


Jeevanahalli main road, Sanjeevappa Layout,
Bangalore-33
Ph : 9845568869 / 9980906440
Contact Person : Dr. Harsha
E-mail : [email protected]

33. isec Services Pvt. Ltd

607-608 Reliable Business Center, Near Heera Panna Mall,


Anand nagar, Oshiwara, Jogeshwari (West) - 400102
Contact Person: Mr. Naman Chaturvedi, Information Security Analyst
Mobile: 9167188483
Email: [email protected]

34. Indusface Pvt. Ltd

A-2/3, 3rd Floor, Status Plaza,


Opp. Relish Resort, Atladara Old Padra Road,
Vadodara - 390020, Gujarat, India
Contact Person: Harsh Malkan
Mobile No.: +91 265 6133000
Email ID: [email protected]

35. Imperium Solutions

B4 Laxmi Niwas, Opp Gokhale Hall (Bedekar School), BPD Road, Naupada, Thane (W)
400602, Maharashtra, India
Ph : +91-9870484240 / +91-9324210232
Fax: Not available
Contact Person : Ms Tasneam V / Mr Murtuza Laheri
E-mail : [email protected] / [email protected]

36. IBM India Pvt. Ltd

EMBASSY LINKS, EMBASSY CYPRESS PT , IBM D Block


INDIRANAGAR-KORAMANGALA, INTERMEDIATE RING RD
BANGALORE, KA 560071, INDIA
Fax:Fax: +91-80-4068 4225
Contact Person : Aloke Kumar Dani
Ph :+91-9740688488
E-mail :[email protected]
Contact Person : Mreetyunjaya Daas
Ph :+91-9902484206
E-mail :[email protected]
37. Kochar Consultants Private Limited

302, Swapnabhoomi A Wing,


S.K. Bole Road, Nr Portuguese Church,
Dadar (W), Mumbai 400028.
Telefax: 24229490 / 24379537 / 24378212
Contact Person : Pranay Kochar - Director
Mobile: 9819846198 / 9869402694
E-mail : [email protected]

38. KPMG

8th floor, Tower B, DLF Cyber City,Phase-II, Gurgaon- 122002


Website URL: www.kpmg.com
Ph : 0124-3074134
Fax: 0124-2549101
Contact Person: Mr. Atul Gupta, Director
Mobile : +91 09810081050
E-mail : [email protected]

39. LTI (A Larsen & Toubro Group Company)

L&T House, Ballard Estate, Mumbai 400 001, India


Ph : 022 61687724/ 022 67767478
Fax: 022 28581130
Contact Person : Abhishek Kapoor- Head - Security Presales Lead
Pradeep Mahangare - Project Manager
E-mail : [email protected]
[email protected]
Mobile: +91 9819598227 , +91 9004855121

40. Lucideus Tech Private Limited

NSIC Campus,
Software Technology Park Extn,
Okhla Phase III,
New Delhi - 110020
Contact person:Mr. Srivathsan Sridharan, Vice President- Sales
Mobile: 9599057764
Email: sri.s@ lucideustech.com

41. Locuz Enterprise Solutions Ltd

401, Krishe Sapphire, Main Road,


Madhapur, Hyderabad – 500081.
Phone: +91-40-45004600
Fax: +91-40-45004601.
Contact person: Mr. M Srikanth, Vice President
Mobile:- +91 9246599600
Email:[email protected]

42. Mahindra Special Services Group

212, 2nd Floor, Rectangle One, Commercial Complex D4,


Saket, New Delhi-110017
Ph: 022-24984213
Fax: 022-24916869
Contact person :Mr. Dinesh K Pillai, Chief Executive Officer
Mobile : +91 9769693764
E-mail : [email protected]
43. Madhya Pradesh Agency for Promotion of Information Technology
(A Regt. Society of Department of Science & Technology,
Government of Madhya Pradesh)

State IT Center, 47-A Arera Hills,


Bhopal 462021 (M.P.)
Contact person : Mr. Vinay Pandey
Mobile:+91-0755-2518710
Email: security . audit @ mapit . gov . in Website:
http://www.mapit.gov.in

44. Maverick Quality Advisory Services Private Limited

123 RADHEY SHYAM PARK P.O SAHIBABAD


Ghaziabad, U.P, INDIA – 201005
Ph :9871991928
Contact Person : Ashok Vardhan,Director
E-mail :[email protected]

45. Mirox Cyber Security & Technology Pvt Ltd

4th Floor, Nila , Technopark Trivandrum 695581


Kerala India
Ph :+91-471-4016888
Fax:+91-471-4000545
Contact Person : Rajesh Babu
E-mail : [email protected]

46. Netmagic IT Services Pvt. Ltd

Lighthall 'C' Wing, Hiranandani Business Park,


Saki Vihar Road, Chandivali, Andheri (East)
Mumbai 400 072
Website URL: www.netmagicsolutions.com Ph : 022-40099099
Fax: 022-40099101
Contact Person: Mr. Yadavendra Awasthi, Chief Information Security Officer
Mobile: +91 09987172584
E-mail : [email protected]

47. Network Intelligence India Pvt Ltd

204-Ecospace IT park, Off old Nagardas road,


Near Andheri Sub-way, Andheri East, Mumbai- 400069
Website URL: www.niiconsulting.com/
Ph : 1800 2700 374 (Toll Free)
Fax: 022-40052628
Contact Person: Mr. K K Mookhey, Director
Mobile: 1800 2700 374 (Toll Free)
E-mail : [email protected]
48. Net-Square Solutions Pvt. Ltd.

1,Sanjibaug, Nr. Parimal Crossing


Paldi, Ahmedabad-380007 , India
http://www.net-square.com
Contact Person :
1. Ms. Prerna Nikam
Mobile : +91 79778 90081
E-mail : prerna@net-squa re.com , [email protected]
2. Mr. Haresh Vanju
Mobile : +91 99309 50045
E-mail : [email protected]

49. Netrika Consulting Pvt Ltd.

Postal address: Plot no.-2, Industrial Estate,


Udyog Vihar, Phase – IV, Gurugram – 122015, Haryana, India.
Ph : +91 124 2883000
Contact Person : Mr. Sanjay Kaushik, Managing Director
E-mail : [email protected] ; [email protected]

50. NSEIT Ltd.

NSEIT Ltd, Trade Globe, Ground Floor,


Andheri-Kurla Road, Andheri (E), Mumbai - 400 059
Ph :Tel No. : +91 22 2827 7600 / 4254 7600
Fax:+91 22 2826 8855
Contact Person : Khushboo Sharma, Project Manager – Cyber Security
E-mail : [email protected]

51. Paladion Networks

Shilpa Vidya 49, 1st Main, 3rd Phase, JP Nagar, Bangalore- 560078
Website URL: www.paladion.net
Ph : 080-42543444
Fax: 080- 41208929
Contact Person: Mr. Amit Tewari, Sales Manager
Mobile: +91 09910301180
E-mail : [email protected]

52. PricewaterhouseCoopers Pvt Ltd

Building 8, 7th & 8th floor, Tower- C,


DLF Cyber city, Gurgaon- 122002
Website URL: www.pwc.com/in/en
Ph : 0124-4620000
Fax: 0124-4620620
Contact Person: Mr. Rahul Aggarwal,Director
Mobile : +91 09811299662
E-mail : [email protected]
53. Payatu Technologies Pvt. Ltd.

Shree Murtuja Bharmal , Director


502,Tej House,
5 MG Road,Camp,
Pune-411001
Email: [email protected]
Mobile:- 9850998411

54. Panacea InfoSec Pvt Ltd.

226, Pocket A2, Pocket B, Sector 17 Dwarka,


Dwarka, Delhi, 110075
Mobile Number:
1- +91-9650028323 (Prefered) - Apurva
2- +91-9810944187 (Alternative) - Ajay
3- +91-7007246077 (Alternative) - Chandani
Landline Number: +91 11 49403170 (Office)
Contact Person :
1- Apurva Krishna Malviya
2- Ajay Kaushik
3- Chandani Gupta
E-mail :
1- [email protected]
2- [email protected]
3- [email protected]

55. Protiviti India Member Private Limited

15th Floor, Tower A, Building No 5, DLF Phase III,


DLF Cyber City, Gurgaon-122002, Haryana, India
Ph: +91 9821229027
Contact Person: Nikhil Donde (Managing Director)
E-mail: [email protected]

56. Pyramid Cyber Security & Forensic Pvt. Ltd.

FB-05, NSIC Software Technology Park Extension,


Okhla Industrial Estate, New Delhi-110020, India
Ph : +91-11-41078091, +91-9650894671
Fax: +91-11-26322980
Contact Person: Sunil Bhalla, Manager - Operations
E-mail : [email protected], [email protected]

57. ProgIST Solutions LLP

102, B3 Wing, Rosa Gardenia,


Kasarvadavli, Ghodbunder Road, Behind HyperCity,
Thane – West, 400615
Ph :9004947776
Contact Person :Mr. Bhavin Bhansali
E-mail : [email protected], [email protected]
Mobile : +91 9004947776
58. Qadit Systems & Solutions (P) Ltd.

1st Floor, Balammal Buildings, 33 Burkit Road,


T. Nagar, Chennai 600017
Ph: 4442791150
Fax: 4442791149
Contact Person : Mr. V Vijayakumar, Director
Mobile: 9444019232
Email : [email protected]

59. Qseap InfoTech Pvt Ltd

Office No. 101, Building No. 06, Sector No. 03,


Millennium Business Park, Kopar Kharine, Navi Mumbai, Maharashtra 400710.
Contact Person: Mr. Praveen Singh,Chief Technical Officer
Email: [email protected]
Mobile: 91-9923804245

60. RSM Astute Consulting Pvt. Ltd.

3rd Floor, A Wing, Technopolis Knowledge Park,


Mahakali Caves Road, Andheri (East), Mumbai – 400093
Tel: 91-22- 6108 5555
Fax: 91-22-61085556
Contact Person :Mr. Iqbal Zafar, Associate Director
Mobile: 9867443769
Website : www.rsmindia.in
E-mail :[email protected] , [email protected]

61. Recon Business Advisory Pvt. Ltd.

Shree Capt. Satya Yadav , CEO & MD


F-8, 3rd Floor,
Kalkaji Main Road, New Delhi - 110019.
Contact Person: Ankush Batra (Director)
Email: [email protected] / [email protected]
Mob: 9205019013
Web: www.reconglobal.in

62. Robert Bosch Engineering and Business Solutions Private Limited

Electronic City Phase 1, Bangalore - 560100


Contact Person: Rency Abrahan, Sr. Program Manager- Cyber Security Center
Email - [email protected]
Telephone - +91(80)679-91235

63. Sumeru Software Solutions Pvt Ltd

1st Floor, SAMVIT”,.


Near Art of Living International Center
Next to Udayapura Bus Stop,
Behind Sri Anjeneya Temple / Anganawadi School,
21st KM Kanakapura Main Raod,
Udayapura, Bangalore – 560082
Website URL: http:// www.sumerusolutions.com
Mobile:+91 9739255055
E-mail : [email protected]
64. Sysman Computers Pvt Ltd

312, Sundram, Rani Laxmi Chowk,


Sion Circle, Mumbai- 400022
Website URL: www.sysman.in
Ph : 022-24073814
Contact Person: Dr. Rakesh M Goyal, Managing Director
Mobile: 91-99672-48000 / 99672-47000
E-mail : [email protected] �ससमै न@�ससमै न.भारत

65. SISA Information Security Pvt Ltd

SISA House, No. 3029B, Sri Sai Darshan Marg


13th Main Road,HAL II Stage, Indiranagar,
Bangalore - 560008,India
Ph: 91-80-4910 4100
Fax: 91-80-4910 4125
Contact Person : Mr. Abhijeet Singh
Mobile : 91-99000 62038
E-mail : [email protected]

66. STQC Directorate

Electronics Niketan, 6 CGO Complex,


Lodhi Road, New Delhi- 110003
Website URL: www.stqc.gov.in
Ph : 011 24301361
Contact Person: Mr. Gautam Prasad, Scientist 'B',
E-mail : [email protected]

67. Suma Soft Pvt. Ltd.

Shri Milind Dharmadhikari , Practice Head - IT Risk & Security Management Services
2nd Floor, SumaCenter,
Opposite Himali Society,
Erandwane,
Near Mangeshkar Hospital ,
Pune, Maharashtra 411004
Email: [email protected]
Mobile: 9870006480 , 9822600489

68. Security Brigade InfoSec Pvt. Ltd.

Shri Yash Kadakia , Chief Technology Officer


165 A to Z Industrial Estate,
Ganpatrao kadam marg,
Lower Parel(W), Mumbai,
Maharashtra 400013
Email: [email protected] , [email protected]
Mobile: 9833375290
69. Sify Technologies Limited

II Floor, Tidel Park, No 4 Canal Bank Road,


Taramani, Chennai - 600113
Contact Person:Mr Palaniraja muthukumarasamy, Associate General Manager
Mobile: 9677083666
Email: [email protected]

70. Sandrock eSecurities Pvt Ltd

E-46, Rani Garden Extension,


Shastri Nagar, Delhi - 110031
Contact Person: Rachna Agarwal, Head – Business Operations
Mobile: 9560211616
Email: [email protected]

71. SecurEyes Techno Services Pvt. Ltd.

#3S, 3rd Floor, Swamy Towers,


Chinapanahalli, Marathahalli,
Outer Ring Road,
Bangalore - 560037
Ph : +91- 9449035102,080-69999107
Contact Person : Ms. Uma P,Head, Business Operations
E-mail :[email protected]

72. SecureLayer7 Technologies Private Limited

104, Suratwala mark plazzo, Hinjewadi - wakad road,


Hinjewadi, Pune - 411057, Maharashtra, India
Ph : +91-9762001337
Contact Person : Sandeep Kamble
E-mail : [email protected]

73. Sonata Software limited

1/4, APS trust Building, NR Colony,


Bull Temple Rd, Bangalore 560019.
Ph :91-80-6778 1999
Fax:08026610972
Contact Person : Balaji Veeraragavan K
E-mail :[email protected]

74. Torrid Networks Pvt. Ltd.

Torrid Networks Private Limited C-


171, 2nd Floor, Sector-63
Noida-201301 Uttar Pradesh
Ph: +91-120-4270305, +91-120-4216622
Fax: 012-04235064
Contact Person :Mr. Salil Kapoor
Mobile : + 91 92 666 666 91
E-mail : [email protected]
75. TAC InfoSec Private Limited

E190, 4th Floor, Quark City, Industrial Area


Phase-8B, Mohali-160055
Ph :9876200821, 9988850821
Contact Person : Trishneet Arora,Founder and CEO
E-mail :[email protected]

76. TATA Communications Ltd

C-21 and C-36, G Block,


Bandra Kurla Complex
Mumbai 400098
Ph :91-9845289021
Contact Person : Avinash Prasad – VP Managed Security Services
E-mail :[email protected]

77. TÜV SÜD South Asia Private Limited

Shiv Ashish, 2nd Floor,


Andheri - Kurla Road, Behind Lathia Rubber Factory,
Saki Naka. Andheri (East),Mumbai - 400 072, Maharashtra, India.
Ph :+91 (22) 4903 5555
Fax:+91 (22) 4903 5599
Contact Person : Mr. Aman Malhotra
E-mail :[email protected]
Mob: +91 7391061005

78. TCG Digital Solutions Private Limited

Bengal Intelligent Parks, Omega Building, 16th Floor


Block EP & GP, Sector V, Salt Lake Electronics Complex,
Kolkata – 700 091
Contact Person: Mr. Joydeep Bhattacharya, Chief Operating Officer
Email: [email protected]
Website: www.tcg-digital.com
Mobile: +91 9830184530

79. Tech Mahindra Ltd.

Sharda Centre, Off Karve Road


Pune - 411004 (Maharashtra) India
Ph : +91 20 66018100
Contact Person : Rajiv Singh
E-mail :[email protected]

80. Talakunchi Networks Pvt. Ltd.

505, Topiwala Center, Off S.V. Road,


Goregaon West Mumbai 400104
Ph : +91-9920099782
Contact Person : Vishal Shah
E-mail : [email protected]
81. Trusted Info Systems Private Ltd.

B-4, GF, Kailash Apartment,


(Near Kailash Colony Metro station, Opp Metro Pillar 71)
Lala Lajpat Rai Marg, New Delhi - 110048
Ph: 91-011-29248058
Contact Person : Vijender Kaushik
Mobile :+91-9810259365
E-mail : [email protected]

82. Varutra Consulting Private Ltd.

Corporate Office :A-302 & A-303, Oxy Primo, Gate No. 599, Bakori Phata,
Pune-Nagar Highway,Opp. Jain College, Wagholi, Pune-412207, Maharashtra, India.
Ph: 2040222891
Fax: 2040222891
Contact Person : Shrushti Sarode
Email : [email protected]
Mobile: 840 8891 911

83. ValueMentor Consulting LLP

'Chandanam' Infopark Thrissur


Koratty,
Kerala- 680308
Ph No: 4872970700
Contact Person : Mr. Binoy Koonammavu, CEO & Principal Consultant
Email : [email protected]
Mobile :91 974 5767 949

84. Vista Infosec Pvt. Ltd.

VISTA InfoSec, 001, North Wing, 2nd Floor, Neoshine House,


Opp. Monginis Factory, Link Road, Andheri (West), Mumbai,
Maharashtra, India.
Contact person :Mr. Narendra S Sahoo, Director
Mobile : +91 9820223497
E-mail : [email protected]

85. Wipro Ltd

Wipro Infotech,
480-481, Udyog Vihar, Phase-III,
Gurgaon, Haryana
Ph No: 0124-3084000
Fax : 0124-3084269
Contact Person : Mr. Prabir Kumar Chaudhuri
Mobile : +91 9818600990
Fax: 0124-3084269
E-mail : prabir.chaudhuri @wipro.com
86. Wings2i IT Solutions Pvt. Ltd.

Postal address: No 80, 3rd Floor, BOSS SQUARE, 1st Cross, 2nd Main, BTM 2nd Stage,
Bangalore, Karnataka, INDIA 560076
Ph : +91 80 50271700/01
Contact Person : Reena Ramachandran, Director
E-mail :[email protected]

87. Xiarch Solutions Pvt Ltd

352, 2nd Floor Tarun Enclave,


Pitampura, New Delhi-110034
Ph: 011-45510033
Fax:011-66173033
Contact Person:Utsav Mittal, Principal Consultant
Email: [email protected] / [email protected]
Mobile :9810874431

88. Xysec Labs Private Limited

Salarpuria Magnificia, WeWork,


78 Old Madras Road, 13th Floor KR Puram,
Bengaluru Karnataka 560016
Ph : +91-9739320700,
Landline - 080-370-125-38
Contact Person: Harshit Agarwal
E-mail: [email protected]

89. Yoganandh & Ram LLP

G-1, SHREE VISHNU APARTMENTS,


#12, 12TH CROSS STREET,
DHANDEESWARAM NAGAR,
VELACHERY, CHENNAI – 600 042
Contact Person: T Manoj Kumar Jain,Partner; R. Chandrasekhar,Head-IS Audit
Email: [email protected]
[email protected]
[email protected]
Mobile: 9940156515

90. Zulon Consulting

2/203,Vahatuk Nagar, Amboli, Andheri(W) Mumbai- 400058.


Ph: 9987244769
Contact Person: Mr. Clarence Alvares, Account Manager
E-mail: [email protected]
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

AAA Technologies Pvt Ltd

1. Name & location of the empanelled Information Security Auditing Organization :

AAA Technologies Private Limited, Mumbai, Delhi, Bangalore, Lucknow

2. Carrying out Information Security Audits since : 2000

3. Capability to audit , category wise (add more if required)

 Network security audit (Y/N) : Yes


 Web-application security audit (Y/N) : Yes
 Wireless security audit (Y/N) : Yes
 Compliance audits (ISO 27001, PCI, etc.) (Y/N) : Yes

4. Information Security Audits carried out in last 12 Months :

Govt. : 160+
PSU : 75+
Private : 20+
Total Nos. of Information Security Audits done : 255+

5. Number of audits in last 12 months , category-wise (Organization can add categories


based on project handled by them)

Network security audit : 75+


Web-application security audit : 200+
Wireless security audit : 25+
Compliance audits (ISO 27001, PCI, etc.) : 25+

6. Technical manpower deployed for information security audits :

CISSPs : 4+
BS7799 / ISO27001 LAs : 25+
CISAs : 12+
DISAs / ISAs : 5+
Any other information security qualification : 30+
Total Nos. of Technical Personnel : 60+

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Duration with Experience in Qualifications related


No. Employee <organization> Information Security to Information
security
1) Anjay Agarwal 16 22 ISMS LA, CISA, ISA,
CEH, ECSA, LPT,
COBIT Certified
Assessor
2) Venugopal M. 15 14 ISMS LA, ISA
Dhoot
3) Ruchi Agarwal 12 12 ISMS LA

4) Venugopal 10 20 CISSP, ISMS LA,


Iyengar CISM, CISA
5) D.K.Agarwal 13 14 CISA
6) Vidhan Srivastav 12 12 CISSP, ISMS LA

7) Sudhir Lad 5 15 CISA

8) Supriya Moni 5 7 ISMS LA

9) Rajesh Sharma 5 8 ISMS LA, CEH

10) Ravi Naidu 6 9 ISMS LA, CEH

11) Harpreet Singh 3 3 CEH


Dhanjal
12) Bharati Pawar 3 3 CEH

13) Rahul Verma 3 4 ISMS LA

14) Raja Yadav 1 3 ISMA LA, CEH

15) Shailendra Rawat 1 3 ISMA LA, CEH

16) Atul Raj 1 3 ISMS LA, CEH

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

Information Security Audit including SAP Audit for a Municipal Corporation for above Rs. 1
Crore

Consultancy for Implementing ISO 27001 for 17 Data Centers across India including
Vulnerability Assessment and Penetration Testing for Rs. 54.57 Lakhs

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

Commercial
i. Acunetix
ii. Core Impact
iii. Nessus Pro
iv. Nipper
v. Burp Suite

Freeware

i. Nmap
ii. DOMTOOLS - DNS-interrogation tools
iii. Nikto - This tool scans for web-application vulnerabilities
iv. Firewalk - Traceroute-like ACL & network inspection/mapping
v. Hping – TCP ping utilitiy
vi. Dsniff - Passively monitor a network for interesting data (passwords, e-mail, files,
etc.). facilitate the interception of network traffic normally unavailable to an attacker
vii. HTTrack - Website Copier
viii. Tools from FoundStone - Variety of free security-tools
ix. SQL Tools - MS SQL related tools
x. John - John The Ripper, Password-cracking utility
xi. Paros - Web proxy for web application testing
xii. Wikto - Web server vulnerability assessment tool
xiii. Back Track
xiv. Meta Sploit
xv. Ethereal - GUI for packet sniffing. Can analyse tcpdump-compatible logs
xvi. NetCat - Swiss Army-knife, very useful
xvii. Hping2 - TCP/IP packet analyzer/assembler, packet forgery, useful for ACL inspection
xviii. Brutus – password cracking for web applications, telnet, etc.
xix. WebSleuth - web-app auditing tool
xx. HTTPrint – detect web server and version
xxi. OpenVas
xxii. W3af
xxiii. Owasp Mantra
xxiv. Wire Shark
xxv. Ettercap
xxvi. Social Engineering Tool Kit
xxvii. Exploit database
xxviii. Aircrack-Ng
xxix. Hydra
xxx. Directory Buster
xxxi. SQL Map
xxxii. SSL Strip
xxxiii. Hamster
xxxiv. Grimwepa
xxxv. CAIN & Able
xxxvi. Rips
xxxvii. Iron Wasp
xxxviii. Fiddler
xxxix. Tamper Data

Proprietary

i. AAA - Used for Finger Printing and identifying open ports, services and
misconfiguration
ii. Own developed scripts for Operating System and Database Audit

10. Outsourcing of Project to External Information Security Auditors / Experts : No

( If yes, kindly provide oversight arrangement (MoU, contract etc.))

*Information as provided by < AAA Technologies Private Limited> on <24/11/2016>

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

AUDITime Information Systems (India) Limited

1. Name & location of the empanelled Information Security Auditing Organization :

AUDITime Information Systems (India) Limited


Registered Address:
A-504, Kailash Esplanade,
LBS Marg, Ghatkopar (W)
Mumbai 400 086
Tel: 022 40508210
Fax: 022 40508230

Communication & Correspondence Address:


A-101, Kailash Industrial Complex,
Park Site, New Hiranandani Road
Vikhroli (West), Mumbai 400079)
Tel.: (022) 40508200
Fax: (022) 40508230

2. Carrying out Information Security Audits since : 12 Years

3. Capability to audit , category wise (add more if required)

 Network Security Audit : Yes


 Web Application Security Audit : Yes
 Wireless Security Audit : Yes
 Compliance Audits (ISO27001, PCI, etc.) : Yes
 IT Policy Drafting : Yes
 IT Risk Assessment : Yes

4. Information Security Audits carried out in last 12 Months :

Govt. : 6
PSU : 2
Private : 33
Total Nos. of Information Security Audits done : 41

5. Number of audits in last 12 months , category-wise

Network Security Audit 6

Web-Application Security Audit 3

Compliance Audits - ISO 27001 1

Compliance Audits - SOX IT General 1


Control Testing
Regulatory Compliance Audits - Exchange 22
Members Annual Compliance System
Audit, etc.
Regulatory Compliance Audits - CVC 1
Guidelines Compliance Audit
Application Audit 2

Billing Audit 1

IT Consultancy Projects - Consultancy for 1


CBS, Data Migration and Load Testing
Pre & Post Migration Audit of Core 1
Banking Solution
Payment Gateway Audit 1

Third Party Security Audit 1

Wireless Security Audit Nil

Total 41

6. Technical manpower deployed for information security audits : Refer Annexure I

Total Nos. of Technical Personnel: 18 Nos.

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations Refer Annexure II

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) Along with project value. Refer Annexure_III & Purchase order copies attached.

S. No. Client Name Scope Title PO Value


1 Federal Bank IS Audit of Branches Rs.33,25,000/
2 Infocepts  ISO 27001 & SAS 70 controls Rs.6,00,000/
Technologies Pvt. Preparation
Ltd.  Training one batch of ISMS Internal
Audit
3 Hindustan  ISO 27001 Implementation Rs.64,00,000/-
Petroleum  Quarterly vulnerability Assessment &
Corporation Penetration Testing
Limited. (IBM)  Security Operation Centre Management
 ISMS and Information Security
Awareness Training
4 Bayer Business IBM Rational Appscan & Consultancy Rs.17,38,810/-
Services Services of Intranet Web Application
Vulnerability Assessment
5 Vijaya Bank IS Audit of Core Banking Solution Rs.7,90,000/-
6 Andhra Bank IS Audit of Critical Areas in CBS Rs.3,00,000/-
7 Andhra Bank IS Audit of Smart Card Project for Rs.4,50,000/-
Government Benefit Distribution
8 The Oriental Comprehensive Audit of CBS Application Rs.99,27,000/-
Insurance Co. Ltd. and Data Migration Audit

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):


Refer Annexure IV

10. Outsourcing of Project to External Information Security Auditors / Experts : No

(If yes, kindly provide oversight arrangement (MoU, contract etc.))

Information as provided by AUDITime Information Systems India Limited on 22nd May


2013

Back
ANNEXURE – I

S. No. Employee Name Designation Certification

1. Mr. Paresh Desai Managing Director CA, CISA, CISM, CGEIT


2. Mr. Madhav Bhadra Director CA, CISA, CISM
3. Mr. Chetan Director CA, CISA, CISM, CRISC
Maheshwari
4. Mr. Deepesh Chitroda Asst. Vice CEH, CHFI, ECSA, CCISO, CCSECA, IBM
President
5. Ms. Dhruti Patel Asst. Vice CISA
President
6. Mr. Narendra Singh Asst. Vice CISA, LA27001
Badwal President
7. Mr. Ritesh Kotecha Asst. Vice CA, CISA
President
8. Mr. Deval Kapadia Asst. Vice CISA
President
9. Ms. Jayabharthi M. Sr. Manager CISA, CISM, CISSP, LA27001,CEH
10. Mr. Hiren Shah Sr. Manager LA27001
11. Mr. Shomiron Sr. Manager CISA, CISSP, LA27001, CEH
Dasgupta
12. Mr. Balamurugan Sr. Manager CISA, CISM, CISSP, LA27001, CEH
13. Mr. Deepak Yadav Manager CISA,CS-MARS,CSM, CEISB, CCSA, CCNA
14. Ms. Swati Dhamale Audit Executive GNIT
15. Mr. Adish Karkare Audit Executive CISA, LA27001, CEH, SWAT, RHCE, JNCIA-SEC,
CCSA
16. Mr. Nikhil Parashar Audit Executive CEH
17. Mr. Satyasandeep Audit Executive JNCIA-SEC, CCNA, MCSA
18. Mr. Laxmi Narayan Audit Executive CEH,CCNA

Back
ANNEXURE – II

Details of technical manpower deployed for information security audits in Government and
Critical sector organizations

S. No Name of Duration Experien Qualifications related to Information


Employee with ce in security
<organiza Informati
tion> on
Security
1 Deepesh Chitroda +7.5 Years Yes. + 13  Certified Ethical Hacker (CEH)
years  Computer Hacking Forensic Investigator
(CHFI)
 Eccouncil Certified Security Analyst (ECSA)
 Certified Chief Information Security Officer
(CCISO)
 Cambridge Certified Security Associate
(CCSECA)
 IBM Technical Professional
 Jetking Certified Hardware & Networking
Professional
2 Jaya Bharathi M. +5 years Yes. + 24  MCA
years  Post Graduate Diploma in Computer
Applications (PGDCA)
 ISO 27001 implementer and lead auditor
 CEH
 CISA
 CISM
 CISSP
3 Hiren L Shah +6 years Yes. + 9  ISO27001 Implementer
years
4 Deepak Yadav +2.5 years Yes.  MCA
 CISA
 ITIL V3 Foundation Certification
 CCSA
 CCNA
 CEISB
 CSM
 CS-MARS
5 N Lakshmi +1.5 years Yes.  CCNA
Narayana  CEH
 Post Graduate Diploma in
 Networking & Telecommunications
 Bachelor of Technology in
 Electronics & Communications
6 Swati Prakash +1.5 years Yes. +3.5  GNIIT
Dhamale years
7 S. Satyasandeep +1.5 years Yes.  B.Tech
 CCNA
 JNCIA
 MCSA
8 Adish Karkera +1 years Yes. +7  B.E.,
years  CISA
 LA 27001 Implementer
 Certified Ethical Hacker
 Star Web Application Security
 Red Had Certified Engineer
 Juniper Networks Certified Internet Specialist
 Check Point Certified Security Administrator
9 Nikhil Parasher +0.5 years Yes. +2.5  B. Tech - IT
years

Back
ANNEXURE - III

Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) Along with project value.

Sr. Client Name Project Title Particulars of Projects


No.

1. Federal Bank Branch IS Audit IS Audit of Branches


 Finacle and related applications such as ATM and
other payment systems, interfaces to CBS etc.
 Internet Banking
 Mobile / Tele Banking
 HR software (peoplesoft)
 Email
 Treasury - LaserTX
 We covered all the key applications under IS
Audit
 Finacle and related applications such as ATM and
other payment systems, interfaces to CBS etc.
 Internet Banking
 Mobile / Tele Banking
 HR software (peoplesoft)
 Email
 Treasury - LaserTX

Scope includes
1. IS Audit of Application Controls - Evaluating the
adequacy and effectiveness of controls in a
particular application
2. IT Environment Review - Evaluation of controls
addressing the general risks associated with the
operation of information technology viz. change
control, disaster recovery, physical upkeep of the
surroundings such as cleanliness, physical access to
the computers, fire-fighting readiness, etc.;
3. IT Technical Review - Evaluation of the network
architecture and the vulnerability of the IS
environment to the risks such as unethical hacking,
etc.
a) Information System Security Policy
(ISSP)
b) Implementation of ISSP
c) Physical Access Controls
d) Operating System Controls
e) Database controls
f) Network Management
g) IS Audit Guidelines
Sr. Client Name Project Title Particulars of Projects
No.

2. Infocepts  ISO 27001 & I. PREPARATION FOR ISO 27001 ISMS


Technologies SAS 70 controls 1. Ascertaining structure of organization and scope of
Pvt. Ltd. Preparation Information Security (IS)
 Training one requirement
batch of ISMS 2. Establishing the extent of compliance with the
Internal Audit mandatory requirements of ISO/IEC 27001
3. Using 133 controls listed in ISO/IEC 27002 (the Code
of Practice) as a framework, Identifying preliminary
GAPs in Information Security controls in place within the
organization
4. ISMS Over Training and IS Security Awareness
Training
5. Assessing Policy / Procedures / Technical IS
improvements that would be necessary to achieve
compliance with the ISO/IEC 27001 standard
6. Report on findings of GAP Analysis and make
recommendations for remedial action / strategy to
achieve compliance requirements of ISO/IEC 27001
7. Assistance in Stage I & II Audit
II. SECURITY AWARENESS TRAINING FOR 300
EMPLOYEES
1. Information Security and its Concepts
2.Company’s IT Security Policies
3.Countermeasures against IT Risks and Threats

III. PERIODIC AUDIT – 6 AUDITS


Covering Core Three IT Domains:

 IT Management Controls
 Certification, Accreditation and Security Assessment
 Planning
 Risk Assessment
 System and Services Acquisition
 IT Operations Controls
 Awareness and Training
 Configuration Management
 Contingency Planning
 Incident Response
 Maintenance
 Media Protection
 Physical and Environmental Protection
 Personnel Security
 System and Information Integrity
Sr. Client Name Project Title Particulars of Projects
No.
 IT Technical Controls
 Access Controls
 Audit and Accountability
 Identification and Authentication
 System and Communications Protection

IV. SAS 70 TYPE II AUDIT PREPARATION


Analysis of existing control structure
Gap identification. Documentation and training on SAS
70 controls
Internal audit of SAS 70 requirements
Support during SAS 70 Type 2 Audit
3. Hindustan  ISO 27001 Security assessment of HPCL’s web site jobs.hpcl.co.in
Petroleum Implementation as per the following vulnerabilities indicated by open
Corporation  Quarterly web application security project (OWASP).
Limited vulnerability a. Cross site scripting (XSS).
Assessment & b. Broken authentication and session
Penetration management.
Testing c. Insecure direct object references.
 Security
d. Cross site request forgery.
Operation Centre
Management e. Security misconfiguration.
 ISMS and f. Failure to restrict URL access
Information g. Invalidated redirects and forwards.
Security h. Injection flaws.
Awareness i. Insufficient transport layer protection.
Training
2. Gap analysis report of the application as compared to
the Application Security best practices suggested by
OWASP.
3. Provide specific remediation / mitigation
recommendations to the gaps identified. The
recommendations would suggest implementable
solutions, which would mitigate the application security
risk. Remediation Recommendations will be
implemented by HPCL.
4. After implementing mitigation recommendation by
HPCL, Vendor will again do the security assessment and
provide the required compliance certificate to HPCL.
5. During the remediation phase Vendor will provide
support for implementing remediation measures
suggested
6.Information related to HPCL website will be provided
by HPCL
4. Bayer IBM Rational To provide Internal Vulnerability Assessment Service for
Business Internal / Intranet Web Based Applications
Services
5. Vijaya Bank IS Audit of Core 1. Introduction
Banking Solution Core Banking Application Suite

As on 31-12-2011 there are 1417 service outlets


including branches, extension counters and offices on
the Core Banking Platform using the ‘Finacle’ solution of
M/s. Infosys Technologies Limited (and 669 networked
ATM’s). The following application packages have been
covered under the Core Banking Solutions Project.
i. Core Banking Solution
ii. Trade Finance solution
iii. Internet Banking solution
iv. Government Business Module
v. New products and services such as
Sr. Client Name Project Title Particulars of Projects
No.
Electronic Bill Payments, Pilgrimage
services, Electronic Ticketing, Collection
/ Payment services, Utility Bill Payment
etc as part of the Internet Banking
Services.
vi. Availability of interfaces of the following
modules with the Core Banking
Solutions:-
a. Anti-money laundering solution
b. Credit appraisal solution –RLOS
& CLAPS
c. Customer Relationship
Management Solution
d. Internally developed and
outsourced /procured third
party systems
e. ATM Interfaces
f. Mobile Banking – SMS / WAP
g. Tele Banking Solution

1.2. Products and Services

The Bank has a rich portfolio of Deposits, Loans,


Remittances, Bills, Foreign Exchange Business and other
fee based products. An illustrative list is given below.
i. Demand deposits (Domestic as well as foreign
currency)
 Current Deposits
 Savings Bank Deposits
 Flexi deposits
 Capital Gains Deposits
 NRO/NRE Deposits

ii. Time deposits


 Fixed deposits
 Simple interest
 Cumulative interest
 Units Based Deposits
 FCNR/NRE/NRO
 Capital Gains
 Recurring deposits (Domestic)
 Fixed installment
 Variable installment
 Daily Deposits

iii. Working Capital Finance


 Cash credit accounts against stocks and book
debts (CCH)
 Cash credit against Immovable Properties and
Govt. Securities (CCM)
 Packing Credit/Export Finance
 Post Shipment Credit
 iv. Term Lending (Domestic as well as foreign
currency)

 Short term
 Medium Term
 Long Term
 Consortium/Syndicated Loans
v. Trade Finance – non-fund based
 Letter of credit
 Bank Guarantee
 Deferred Payment
Sr. Client Name Project Title Particulars of Projects
No.
vi. Bills Business
 Collection of bills and cheques - Inward and
outward
 Purchase/Discounting of sales/drawee bills (clean
and documentary) / Cheques
 Bills Related Advances
 Retail Loans

 Vehicle loans – Simple Interest, Compound


Interest & EMI Based facilities.
 Housing loans – Simple Interest, Compound
Interest, & EMI Based facilities.
 Consumer loans - EMI Based facilities.
 Education loans–Simple Interest, Compound
Interest & EMI Based facilities.
 Personal loans - EMI Based facilities.
 Schematic Lending Activities
 Product based loans like V-Equip, V-Cash, V-Rent
– EMI Based etc.
 Commercial Loans to
Trade/Industry/Service/Profession

viii. Industrial/Corporate Loans


ix Remittances
 Demand Draft – Issue/payment
 Banker’s Cheque/Pay Orders – Issue/Payment
 Fund Transfer – NEFT/RTGS
 Inter-branch Transactions –
originating/responding

x. Government Business
 Pension payments (State / Central / Railways)
 Direct Tax collection
 RBI Relief Bonds
 Indirect Tax - Excise

xii. Miscellaneous Services


 Locker Services
 Merchant Banking Services
 Dividend/Interest/Refund Warrants
 Agency Arrangement with other Banks

1.3. Modules in core banking


 Savings Products
 Current Products
 Overdraft Products
 Cash Credit Products
 Term Deposits Products
 Term Loans Products
 Inland Bills Products
 Foreign Bills Products
 Trade Finance Activities
 Forward Contracts
 Remittance Products
 Packing Credit Products
 Service Branch Functions
 Government Business Products
 Various Office Accounts Functions
2. AUDIT OBJECTIVE
The Bank is presently using the ‘Finacle’ (Version
7.0.13) Core Banking Solution of M/s. Infosys
Sr. Client Name Project Title Particulars of Projects
No.
Technologies which was earlier audited by one of the IS
Auditors, during the year 2007-2008. The Bank
proposes to migrate to Version 7.0.25 of Finacle Core
banking Solution. The Bank wishes to appoint a
competent Service Provider (SP) for conducting
Information Systems (IS) Audit of the Core Banking
application, as per the scope defined elsewhere, before
moving this version to the production systems. IS audit
shall, inter-alia, include the following activities:-

a) Confidentiality, integrity and availability of the


applications
b) Perform required functionality test of the
application to test the end-to-end
functionality and its usage
c) The security / controls are efficient and effective
in the Core Banking application.
d) To get independent assurance over effectiveness
of controls exercised by out-sourced Service
providers for technology services
e) IT operations are carried out in a controlled
environment
3. SCOPE OF IS AUDIT PROJECT:
The Bank expressly stipulates that the SP’s selection
under this RFP is on the understanding that this RFP
contains only the principal provisions for the entire
assignment and that delivery of the deliverables and the
services in connection therewith are only a part of the
assignment. The SP shall be required to undertake to
perform all such tasks, render requisite services and
make available such resources as may be required for
the successful completion of the entire assignment as
per the fulfillments / deliverables required in the RFP.
The SP’s involvement is expected to be spread across a
period of, at least, 60 days from the date of
commencing the audit.

Service Provider has to cover the following aspects


while auditing the CBS application:-

A. Functionality perspective:

o Service provider shall take into account Final Audit


Report of the earlier auditor for current version,
who have conducted earlier IS audit, as one of
the inputs.
o Study the implemented functionality of the Core
Banking Application as per the scope of this
audit tender.
o Perform Application Functionality & Controls
Review
o Development of suitable testing methodology /
testing strategy document
o Conduct various tests to verify existence and
effectiveness of the controls for all
functionalities, schemes and products supported
by the applications under review
o Perform a test of controls and functionality setup
in the Finacle core banking application.
o Identify ineffectiveness of the intended controls in
the software and analyze the cause for its
ineffectiveness
Sr. Client Name Project Title Particulars of Projects
No.
o Controls over automated processing /updations of
records, review or check of critical calculations
such as interest rates, etc., review of the
functioning of automated scheduled tasks,
output reports design, reports distribution, etc.
o Audit-ability both at client side and server side
including sufficiency and accuracy of event
logging, SQL prompt command usage, Database
level logging etc.
o Extent of parameterization.
o Internal control built in at application software
level, database level, server and client side
o Backup/Fallback/Restoration procedures and
contingency planning.
o Suggestion on segregation of roles and
responsibilities with respect to application
software to improve internal controls.
o Adequacy, Accuracy, Data Integrity of the MIS
Reports and Audit Reports
o Manageability with respect to ease of
configuration, transaction roll backs, time taken
for end of day, day begin operations and
recovery procedures
o Special focused audit is to be made on following
items:-
o Hard coded & Virtual user-id and password
o Interfaces with CBS software of many other
applications / services both in house and third
party systems / solutions – security,
confidentiality, integrity , accuracy and non-
repudiation of the data between systems
o Recovery and restart procedures
o Review of customizations done to the software
and the SDLC policy followed for such
customizations.
o Proposed change management procedure during
conversion, migration of data, version control,
application replication, etc.
o Suggest any application specific Audit tools or
programs
o Adequacy of Audit trails and Logs
o Adherence to Legal and Statutory Requirements.

B. Controls perspective

As part of the scope, following controls have to be


thoroughly analyzed
a. Input Controls
b. Output Controls
c. Processing Controls
d. Interface controls
e. Authorization controls
f. Data integrity
g. Database controls
h. Volume Test
i. Server Controls – Application, Web,
Database, Firewall, etc.
j. Backup/ Fall Back/Restoration Procedures
Sr. Client Name Project Title Particulars of Projects
No.
k. Authentication mechanism
l. Security checks/controls
m. Access controls & Logical Access Controls
n. Operating system controls
o. Management controls
p. Change Management
i. Incident Management
ii. Logs management
q. Aspects related to Segregation of Duties
r. Adequacy of audit trails
s. Adherence to legal, statutory requirements
Performance controls
Controls on Parameter Setup /Verification/Testing, etc.,
Regression Testing
Prevalence of proper version controls
C. Security Controls perspective:-
Application Security Controls Review inter-alia, cover
following:-
a) Review the application security setup supported by
the Finacle core banking solution to ensure :
b) Access level controls are appropriately built into the
application
i. Only authorized users should be able to edit, input or
update data in the application.
i. Access on a ‘need-to-know’ and ‘need to-do basis’
i. Appropriate user maintenance and password policies
being followed
b. Benchmark the application security parameters and
setup to the Bank’s Security Policy and leading practices
c. Identify gaps in the application security parameter
setup in line with the bank’s security policies and leading
practices
d. Provide a report highlighting gaps in application
security controls with options for improving application
security.
e. Provide a report highlighting the gaps in the
application security setting with respect to the security
policy defined by the Bank
Review:
After first audit there may be some modifications
required as per suggestions. Once these are
implemented over a period of two months, auditor has
to review the system again and give review audit report.
General:
No module or segment should be left out on the plea
that it is not specifically mentioned under the scope.
However, the Bank reserves its right to change the
scope of the RFP considering the size and variety of the
requirements and the changing business conditions
4. Deliverables:
 Audit Plan and procedure for each of the CBS
application packages as per the scope.
 Interim report covering all the points as mentioned
under the Scope of Work including specific observations
on the previous IS Audit Report. All observations will be
thoroughly discussed with the process owners before the
finalization of the report
 Final Audit reports with sign off by the Bank and the
Service Provider IS Auditor. (To be submitted within 6
working days of completion of audit and the report
should be submitted in soft copy as word document and
pdf format document besides a signed hardcopy). This
should also include report on the regression test. The
Final report shall , inter-alia, contain:-
Sr. Client Name Project Title Particulars of Projects
No.
o Present status of the pending observations of the
previous audit.
o List of bugs found and key functionalities not
supported, as per the current audit assignment,
segregating them as ‘Critical’, ‘Medium’ and ‘Minor’.
o List of enhancements required & feasibility analysis of
these requirements in the CBS.
o Suggestions for improvement in the performance of
the software audited.
o Report highlighting gaps in input, processing and
output controls with recommendations to remedy the
gaps.
o Screen Dumps of testing and testing reports
o Security Process Audit Report and recommendations
against best practices
 Report on Risk Analysis and Risk Mitigation
Methodologies
 Review Audit Report – covering the latest status at the
time of review, of all the observations made in the Final
Audit Report.

6. Andhra Bank IS Audit of Critical Sl. Audit Points


Areas in CBS No
1 Proper maintenance of Visitor Register at the
DIT Main Entrance
2 The Data Center is installed with Surveillance
System to monitor
the movement of the Personnel and activities in
and out of the data center.
The continuity of the recording is ensured at
periodic intervals.
3 Maintenance of Access Permissions and Register
for entry into
Data Center.
4 Access to Internet, Limited access vs Unlimited
access etc.,
5 Whether users with administrative privileges are
forced to
change password at periodical interval .
6 Whether user management standard operating
procedure are
in place and the same are being followed
7 Maintenance of Users List (Active Directotry),
disabling
redundant users, periodical review of Users etc.,
8 Periodical review of activities of privileged users.
9 Adequacy of procedures followed at the time of
providing
access to Data Center and other sensitive areas.
10 IT Asset Management - Maintenance and Review
of IT Assets database.
11 Maintenance of documents and records with
respect to Hardware.
12 Comprehensive Insurance covering for critical IT
Assets
13 UPS for backup supply of electricity including
batteries.
14 Whether Air-conditioning, ventilation and
humidity control was
found adequate and the same is monitored and
reviewed on a regular intervals.
15 Installation of Smoke Detector / Heat rise / hot
spots detectors.
16 Whether the installation of Hub / Switches in the
Data Center are
Sr. Client Name Project Title Particulars of Projects
No.
adequately secured
17 Maintenance of Backup Media, Safe Keeping,
Proper Indexing
and Storage,
18 Logs and Audit Trails in Finacle
19 Whether VAPT is conducted periodically on
various surrounding
applications
20 Service Level defined for Helpdesk Management
as well as for Call
Center Management was reviewed and where
details pertaining
to average time of resolution, abandon calls,
first call resolution, cycle time rate, etc. was
recorded.
21 Carrying electronic devices in to the Data
Centre.
22 Whether patches issued by OEM are analysed
and same is applied
after satisfactory test are conducted before
entering into production.
23 Assets Management, Configuration Management,
Problem Management and Change Management
using HP OVSC
24 Whether DR drills are conducted periodically
25 Whether the change management processes are
in place and
the same are being followed
26 Whether proper approvals are in place for
emergency / show-stopper
changes
27 System event logs of the application server logs
monitoring using
log logic;
28 Use of IBM ISS Internet Scanner for the
vulnerabilities
29 Vulnerability scanning
30 Working of CSA (HIDS) in the servers
31 Maintenance and periodical updation of network
design, security
controls etc.,
32 Application of patches in accordance with the
defined change
management process
33 Verification of loading of latest Service Packs on
Critical Servers.
34 Existence of default OS Accounts

35 Whether audit trail policy is enabled with


Success and Failure for Account Logon Event,
Directory Services Access and System Events.,
Account Management, Object Access and Policy
Change.
36 Whether the shared folders are permitted with
Everyone - Full Control,Access to the shared
folders should be granted only to the authorized
users and necessary procedures for sharing of
folders on the network are properly documented.
37 Whether USB Drive, Floppy Drive and CD-ROM
are disabled on Admin Nodes.
38 Loading of unauthorised applications on the
systems.
Sr. Client Name Project Title Particulars of Projects
No.
39 Loading of Antivirus Software, periodical
updating of versions, sample checking etc.,
40 Enabling IPSec is which is used for data
transmission through remotely.
41 Whether the Backupof router as wellas firewall
(Core Switch) configuration is taken on a weekly
basisand the same in not stored at offsite
location,
42 Whether all Access Control Entries (ACEs)
should be configured to log..
43 Periodical review of Access Lists configured in
the Firewall
44 Internet Banking - Segregation of duty between
Information Security (IS) team and
Implementation team
45 Appointment of network and database
administrator and clear allocation of roles and
responsibilities.
46 Web application errors justification for any
critical information
being exposed to external world.

Interest and Charges Verification


47 Verification of charges on a random sample
basis
Charges on cheque book issue
Cheque return charges
Account closure with in 12 months
Account closure after 12 months
Stop Payment charges
Inward / outward clearing reject charges
Charges for violating Minimum Balances for
Metro and Rural Branches
Cash Remittance Charges
DD cancellation charges
Duplicate statement charges
ABB Charges
Cash handling charges
Speed clearing Charges
48 Term Deposits - verification on a random sample
basis
Interest Application
Charges Application
49 Advances - verification on random sample basis
Monthy and Quarterly interest calculation on
advances
Appraising Charges for gold loans
Processing charges for housing loans, mortgage
loans, kisan sampatti loans etc.
Upfront fee for Term Loans
Upfront fee for Agriculture Term Loan
Administrative charges for consumer loans
50 Trade Finance - verification on random sample
basis
Interest on Inaland bills for various tenors
Export bills against undrawn balance
Sr. Client Name Project Title Particulars of Projects
No.
Interest on overdue bills etc
Collection charges for Local cheque collection,
Out station cheques collection
Collection of bills with or without LC for sight
and Usance
Commitment charges for Inland LC
Amendment charges for LC amount wise, period
wise
7. Andhra Bank IS Audit of Smart SCOPE
Card Project for Security & Control Audit of:
Government 1) Equipments used of capturing of Bio-metric
Benefit details, capturing of Personal data of customer and also
Distribution the process of linking them,
2) Equipments capable of reading & writing the data
to smart cards duly capturing the data on Samrat card &
validating with the central server data.
3) Mobile equipments for capturing the finger prints
of customers, data from smart cards, encapsulating
them, communicating with the central data (or)
validating with off-line data on smartcard, authenticating
& recording the transaction etc.
4) Mobile communication with data encryption/
decryptions as per standards etc.
5) Servers, access control, software’s controls
security t\etc. at the Data Centre of the service
provides.
6) Network, Network equipments, interface between
the mobile equipments and servers at the data centre of
the service provide.
7) Accounting, reconciliation, data verifications &
integrity checks.
8) Communication with the Bank’ DC and interface
etc., at the Bank DC.
Operational control Audit like.
1. Software controls & Interfaces Controls.
2. Reconciliation Process.
3. Data Synchronization, Integrity Check etc at DC of
the Bank/Service Provider

8. The Oriental Comprehensive Functional Test Audit


Insurance Co. Audit of CBS
Ltd. Application and A comprehensive functional test of applications to
Data Migration ensure that all the functionality implemented are
Audit functioning accurately as per the current business
requirements of OICL.

Interact and collect all necessary inputs, clarification and


confirmations regarding business
requirements/processes from respective user
departments of OICL.

The bidder is expected to perform the following


minimum set of activities related to testing for all the
modules, applications, delivery channels, products,
processes:

• Development of suitable testing methodology with


supporting processes and templates and develop test
data.
• Develop testing strategy document
• Development of test calendars
• Development of business test case scenarios with
related test cases, and test data to execute
• Conduct individual application testing for the core
Sr. Client Name Project Title Particulars of Projects
No.
insurance solution, modules, products, processes,
interfaces
• Daily, weekly status reporting.
• Train the OICL’s team in test script development and
testing methodology.
• Correctness of data being presented in the reports
• Point out gaps, errors, bugs.
• Explain the bugs, errors and gaps to OICL and System
Integrator.
• Provide Application Audit reports
• Submit all documents on methodology, strategy, test
cases, test documentation, customization requests,
solution etc. to OICL.
• Testing will have to be in conformity of Requirements
of OICL, OICL’s existing product and processes

Application Security and Governance

The Bidder is required validate whether the application is


functioning as per standard security and governance
procedures with following minimum activities :
• Authorization, authentication and access control review
• Review of privileges assigned to users/ user groups/
DBAs
• Control procedures on various database operations
• Vulnerability and Penetration Testing
• Application controls review – covering various inputs,
processing and output controls
Available across INLIAS application
• Controls for application usage – covering segregation
of responsibility
• Controls for master data updation
• Availability of appropriate audit logs
• Batch processing procedures and controls
• Availability of required reports
• Availability of alerts etc. for relevant business cases
such as high value underwriting

Compliance Test

One round of defect correction testing after the


corrections or implementation of recommendations is
done by the system integrator (3i-Infotech).

The compliance test will be executed either on


implementation of corrections by system integrator or
after 90 days of submission of final report whichever is
earlier.

Automated Tool to be used

The auditor will use Quick Test Pro (QTP) for the
purpose of auditing the application
Data Migration Audit
Scope of work

The scope for data migration validation would cover the


following:

To tabulate from INLIAS the number and amount of


claims migrated to INLIAS (line of
business wise) for each office. This would include the
number and Outstanding amount for
each class of business, office-wise, available in INLIAS.
This figure ( number and amount)
Sr. Client Name Project Title Particulars of Projects
No.
would be required for each deptt. as under:
a. Fire
b. Engineering
c. Marine Cargo
d. Marine Hull
e. Motor
f. RID
g. Aviation
h. Workmen Compensation
i. Miscellaneous
To confirm from INLIAS the total number and amount of
unexpired policies migrated to
INLIAS (line of business wise) for each office. This would
be for each class of business,
Office-wise, available in INLIAS. This figure ( number
and amount) would be required for
each deptt. as under:
a. Fire
b. Engineering
c. Marine Cargo
d. Marine Hull
e. Motor
f. RID
g. Aviation
h. Workmen Compensation
i. Miscellaneous
To confirm from INLIAS that relevant Masters had been
migrated to INLIAS like :
a. Agent Master
b. Development Officer Master
c. Employee Master
d. Office Master, etc.

Back
ANNEXURE- IV

Details of the Audit Tools


Freeware
S. No. Tool Name Description
1. Achilles A tool designed for testing the security of Web Applications.
2. Brutus A Windows GUI brute-force tool for FTP, Telnet, POP3, SMB,
HTTP, etc.
3. CrypTool A Cyptanlaysis Utility
4. cURL Curl is a tool for transferring files with URL syntax,
supporting FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET,
DICT, FILE and LDAP
5. Exploits Publicly available and home made exploit code for the
different vulnerabilities around
6. Fscan A command-line port scanner, supporting TCP and UDP
7. Elza A family of tools for arbitrary HTTP communication with
picky web sites for the purpose of penetration testing and
information gathering
8. Fragrouter Utility that allows to fragment packets in funny ways
9. HPing A command-line oriented TCP/IP packet assembler/analyzer.
It supports TCP, UDP, ICMP and RAW-IP protocols, has a
traceroute mode, the ability to send files between a covered
channel, and many other features.
10. ISNprober Check an IP address for load-balancing.
11. ICMPush A tool that sends ICMP packets fully customized from
command line
12. John The Ripper A password cracker
13. L0phtcrack NTLM/Lanman password auditing and recovery application
14. Tenable Nessus A free, powerful, up-to-date and easy to use remote security
scanner. This tool could be used when scanning a large
range of IP addresses, or to verify the results of manual
work.
15. Netcat The swiss army knife of network tools. A simple utility which
reads and writes data across network connections, using
TCP or UDP protocol
16. NMAP The best known port scanner around
17. p0f Passive OS Fingerprinting: A tool that listens on the network
and tries to identify the OS versions from the information in
the packets.
18. Pwdump Tools that grab the hashes out of the SAM database, to use
with a brute-forcer like L0phtcrack or John
19. SamSpade and Graphical tool that allows to perform different network
Dnsstuff queries: ping, nslookup, whois, IP block whois, dig,
traceroute, finger, SMTP VRFY, web browser keep-alive, DNS
zone transfer, SMTP relay check,etc.
S. No. Tool Name Description
20. ScanDNS Script that scans a range of IP addresses to find DNS names
21. Sing Send ICMP Nasty Garbage. A little tool that sends ICMP
packets fully customized from command line
22. SSLProxy, STunnel Tools that allow to run non SSL-aware tools/programs over
SSL
23. Strobe A command-line port scanner that also performs banner
grabbing
24. Telesweep Secure A commercial wardialer that also does fingerprinting and
brute-forcing
25. THC A freeware wardialer
26. TCPdump A packet sniffer
27. TCPtraceroute Traceroute over TCP
28. UCD-Snmp - (aka Various tools relating to the Simple Network Management
NET-Snmp) Protocol including snmpget, snmpwalk and snmpset.
29. Webinspect CGI scanning, web crawling, etc
30. Webreaper, wget Software that mirrors websites to your hard disk
31. Whisker The most famous CGI scanner. has updated the scanning
databases with checks for the latest vulnerabilities
32. Acuentix Free Web Web Vulnerability Scanner and Exploit Tool
Vulnerability Scanner

33. Auditor, Pentoo, Penetration Live Distort


BackTrack and
Phalak
34. NetTools V 5.0 Various bundle pack Network Hacking, Penetration, Tracing
and information gathering Tool
35. Rainbow Password Tool containing pre-hashed computed password list.
Cracker
36. Cain & Able Freeware, Multi-purpose hacking tool

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

AKS Information Technology Services Pvt Ltd

1. Name & location of the empanelled Information Security Auditing Organization:

AKS Information Technology Services Pvt. Ltd., E-52, Sector-3, Noida-201301 (UP)

2. Carrying out Information Security Audits since : 2006

3. Capability to audit , category wise (add more if required)

 Network security audit (Y/N) : YES


 Web-application security audit (Y/N) : YES
 Wireless security audit (Y/N) : YES
 Compliance audits (ISO 27001, ISO 22301 etc.) (Y/N) : YES
 Telecom Security Audit (Y/N) : YES
 Industrial Control System Audit (Y/N) : YES
 Mobile app security testing (Y/N) : YES
 ERP Audit (Y/N) : YES
 Payment Gateway Audit (Y/N) : YES
 Compliance audit as per Government of India Guidelines
(IT Act, CVC, RBI, SBI etc.) (Y/N) : YES

4. Information Security Audits carried out in last 12 Months :

Govt. : 794
PSU : 60
Private : 180
Total Nos. of Information Security Audits done : 1034

5. Number of audits in last 12 months , category-wise (Organization can add categories


based on project handled by them)

Network security audit : 85


Web-application security audit : 845
Wireless security audit : 20
Compliance audits (ISO 27001, PCI, etc.) : 06
ERP Audit : 05
Telecom Security Audit : 03
External Penetration Testing : 35
Industrial Control System Audit : 10
Compliance audit with Government Guidelines (IT Act, CVC, RBI, SBI etc.) : 25

6. Technical manpower deployed for information security audits :

CISSPs : 02
BS7799 / ISO27001 LAs : 06
CISAs : 02
DISAs / ISAs : 00
CEH/OSCP/CCNA/CASP/MBCI : 28
Total Nos. of Technical Personnel : 40
7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Working Experience in Qualifications


No. Employee with AKS Information related to
Since Security (Years) Information security
1. Ashish Kumar Sep 2006 17 CISSP, CISA, MBCI,
Saxena ISO 27001 LA
2. Anil Malik Feb 2016 16 BS 7799 LA, ISO
27001 (Implementer –
Trained)
3. Anshul Saxena Nov 2014 4 MS (Information
Security), CASP
4 Rohit Srivastava June 2011 5.5 ISO 27001 LA, ISO
20000, BS 25999
5. Ravi Mohan May 2013 15 ISO 27001 LA, CEH
Chaubey
6. Neha Rani June 2012 4.5 ISO 27001, CEH
Srivastava
7. Areeb Naqi June 2013 3.5 CEH, OSCP, ISO 27001
LA
8. Anshul Jain June 2014 2.5 CEH
9. Nidhi Singh June 2014 2.5 CASP
10. Jatin Kumar June 2014 2.5 CEH
11. MK Prasad Nov 2014 2.7 CEH,CPISI
12. Ather Ali Aug 2015 1.5 CEH
13. Rahul Yadav Aug 2015 1.5 CASP
14. Rishabh Pandey Nov 2015 1 CEH
15. V. Balaji Dec 2015 2 CEH
16. Devesh Rawat Dec 2015 1 CEH
17. Surej Sekhar Jan 2016 1 CEH
18. Nikhit Kumar June 2016 1.5 CASP
19. Yogendra Singh May 2016 2.5 CASP
20. Ravi Ranjan April 2016 4 CEH
21 Sarthak April 2016 1 CEH
Chaudhary
22 Siddharth Shukla Jan 2015 2 CASP
23 Raghwendra Sep 2016 1 CASP
Kumar
24 Jakkamsetti Sep 2016 1 CASP
Madhuri
25 Arya Anindyaratna Sep 2016 1 CASP
Bal
26 Aniket Prasad Oct 2016 1 CEH & ISO 27001
27 Rashmi Rani April 2016 1 CASP
28 Anil K. Murkha Mar 2016 1 CEH
29 Samaksh Kaushik Oct 2016 1.5 CEH
30 Saurabh Koshti May 2016 1 CEH
31 Shivangi Feb 2016 1 CEH
Srivastava
32 Pragya Varshney June 2016 1 CASP
33 Pankaj Badera Nov 2016 1 CASP
34 Ruchika Berry June 2016 1 CASP
35 Vinod Prakash May 2016 1 ISO 27001
Chandra
36 Shiva Sunar June 2016 0.6 CEH
37 Onkar Babbar Sep 2013 1 CEH
38 Dilpreet Kohli July 2015 1 CASP
39 Shreya Goyal July 2016 0.5 CASP
40 Karan Tanwar July 2015 1 CASP

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.
 Carried out Infrastructure, Process & Security Audit of one of the competition exam
conducted online. Total Number of Nodes were approx. 2,00,000. 31 different cities
with 276 locations. Project value was approx. 70 Lakh

 Carrying out Cyber Security Audit for one of the National Level Power Sector Project
including audit of SCADA system, Project value is approx. 40 Lakh

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

Freeware Tools

 Nmap, Superscan and Fport - Port Scanners


 Metasploit framework, Netcat, BeEF , Cain & able, Hydra, John the ripper - Penetration
Testing & Password cracking
 Process explorer, Sigcheck, Kproccheck - Windows Kernel & malware detection
 Netstumbler , Aircrack-ng suite & Kismet – WLAN Auditing
 OpenVas, W3af, Nikto - Vulnerability scanner
 Social Engineering ToolKit – Social Engineering testing
 Wireshark – Packet Analyser

Commercial Tools

 Nessus, Nexpose – Vulnerability Scanner


 Burp Suite, Acunetix - Web application auditing
 Passware: Password Cracking
 Mange Engine, Solarwind – Network Performance Testing
 Sawmill: Log Analysis
 Proprietary Tools
 ISA Log Analyzer

10. Outsourcing of Project to External Information Security Auditors / Experts : No

*Information as provided by AKS Information Technology Services Pvt. Ltd. on 25th Nov
2016

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Aujas Networks Pvt Ltd

1. Name & location of the empanelled Information Security Auditing Organization:

Aujas Networks Pvt Ltd


Locations: Bangalore (India), Mumbai (India), Delhi (India),
Dubai (UAE), New Jersey (US), Cupertino (US)

2. Carrying out Information Security Audits since : <2008>

3. Capability to audit, category wise (add more if required)

 Network security audit : (Y)


 Web-application security audit : (Y)
 Wireless security audit : (Y)
 Compliance audits (ISO 27001, PCI, etc.) : (Y)

4. Information Security Audits carried out in last 12 Months :

Govt. : <4>
PSU : <0>
Private : <140>
Total Nos. of Information Security Audits done : 145

5. Number of audits in last 12 months , category-wise (Organization can add categories


based on project handled by them)

Network security audit : <50>


Web-application security audit : <70>
Wireless security audit : <15>
Compliance audits (ISO 27001, PCI, etc.) : <10>

6. Technical manpower deployed for information security audits :

CISSPs : <9>
BS7799 / ISO27001 LAs : <45>
CISAs : <15>
DISAs / ISAs : <2>
Any other information security qualification: <number of>
CEH : 57
CISM : 2
CHFI : 2
CSSLP : 3
CCNA : 26

Total Nos. of Technical Personnel : 301

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Employee Duration with Experience in Qualifications related to


No. <organization> Information Information security
Security
1.56 10.23 OSCP, CEH
1 Sohail N
1.54 3.04 CEH,ACSE,OSCP, IBM
2
Appscan certified
Shaik D professional

1.56 6.08 CEH,ECSA,CISE


3 Dhruv S
3.21 6.01 CEH; ITIL v3, CHFI, IBM
4
Appscan Certified
Avinash S
Professional, SANS
GICSP, CCSA, CPISI
2.56 5.81 ISO 27001 LA, IBM
5
Appscan certified
Reinal S professional, CEH, IBM
Appscan certified
professional
8.07 9.82 SCJP, SCWCD, CSSLP,
6 Amit R
OSCP
1.12 6.45 RHCE, CEH, OSCP
7
Tom K

2.50 6.08 CEH


8
Prakash J

1.98 8.98 CISA


9
Amarpreet S

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

One of the largest banks in Middle East (We cannot declare the name of banks we have NDA
signed with them). Three Geographical Locations: India, SA, and London

Complexity: Project involved Network Security Architecture Review, Wireless Security Audit,
Internal Vulnerability Assessment and Penetration Testing, Social Engineering, Security
Configuration Review, Phishing Diagnostics, Physical Security Review, Application Penetration
Testing, Risk Assessment, Polices and Procedures Review

9. List of Information Security Audit Tools used (commercial/ freeware/proprietary):

Name Description
Open Source Tools
Nmap Port Scanner, Fingerprinting
Netcat Network Utility
SuperScan Port Scanner
Snmp Walk SNMP Scanner
User2SID Windows Service Identifier
Sid2User Windows Service Identifier
John the Ripper Unix and Windows Password Analyzer
Metasploit Exploit Framework
Backtrack Live CD Exploit Framework
Paros HTTP/S Interception Proxy
Burp Suite HTTP/S Interception Proxy
Brutus Brute force password utility
Cookie Editor Firefox Plug-in to Edit Cookies
Netstumbler Wireless Network Detector / Sniffer
Kismet 802.11 Wireless Network Detector / Sniffer
MySQL Administration Tool Administration tools for SQL Database
GoCR OCR Reader
Commercial Tools
Accunetix Web Vulnerability Scanner
Burp Suite Pro Web Vulnerability Scanner & Interceptor
Nessus Network Vulnerability Scanner
CheckMarx Source Code Review
Custom Tools
PHP Security Audit Script Web application configuration review tool

10. Outsourcing of Project to External Information Security Auditors / Experts: No


( If yes, kindly provide oversight arrangement (MoU, contract etc.))

We don’t outsource information security audit to outside vendors. Aujas execute its entire
project undertaken.

*Information as provided by < Aujas Networks Private Limited> on <24-Nov-16>

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Cyber Q Consulting Pvt Ltd.

1. Name & location of the empanelled Information Security Auditing Organization:

CyberQ Consulting Pvt. Ltd.


#622, DLF Tower A, Jasola, New Delhi-110025

2. Carrying out Information Security Audits since : 2002

3. Capability to audit , category wise (add more if required)

 Network security audit : Yes


 Web-application security audit : Yes
 Wireless security audit : Yes
 Compliance audits (ISO 27001, PCI, etc.) : Yes
 Information Security Policy preparation, review and assessment against
best security practices : Yes
 Process Security Testing : Yes
 Physical Access Controls & Security Testing : Yes
 Penetration Testing : Yes
 PKI Audit : Yes
 Industrial Control System Security Audit : Yes

4. Information Security Audits carried out in last 12 Months:

Govt. : 28+
PSU : 6+
Private : 8+
Total Nos. of Information Security Audits done : 42+

5. Number of audits in last 12 months , category-wise

Network security audit : 16+


Web-application security audit : 28+
Wireless security audit : 4+
Compliance audits (ISO 27001, PCI, etc.): 10+

6. Technical manpower deployed for information security audits :

CISSPs : -
BS7799 / ISO27001 LAs : 2
CISAs : 3
DISAs / ISAs : -
Any other information security qualification: 7
Total Nos. of Technical Personnel : 15+ Information Security Experts having an experience
from 1 to 15+ years.

7. Details of technical manpower deployed for information security audits in Government and Critical
sector organizations (indicative list only)

S. Name of Duration with Experience in Qualifications related to


No. Employee CyberQ Information Information security
Security
1 Debopriyo Kar 15+ 16+ Years - CISA
- Technical Expert for
JAS-ANZ (Australia)
- IRCA Certified ISO
27001
- COBIT Foundation
Certified

2 Mathew Verghese 02+ 7+ Years - CISA


- ISO 27001 LA
3 Ram Chandak 06+ 6+ Years CISA
4 Abhishek Gaur 01 7+ Years CCNA
5 Abhishek Tyagi 05+ 8+ Years CEH
6 And many more
….

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value: CyberQ has executed a number of large projects:

- Geographical locations – India, South-east Asia, SAARC, Middle East, Africa and Europe
- Industry – Government, Telecom, BFI, IT, Power, BPO, Automotive
- Services provided – IT Security Audit, ISMS Consultancy /Audit, Application Security audit,
Performance audit, PKI audit, Industrial Control Systems security audit, etc.

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):


- Nessus
- Sam Spade
- Solar Winds
- IP Scanner
- nmap
- Brutus
- Burp Proxy
- Web Scarab
- Echo Mirage
- Ethereal
- WebSphinx
- Winhex
- Tamper IE
- Proprietary Tools etc

10. Outsourcing of Project to External Information Security Auditors / Experts : NO


(If yes, kindly provide oversight arrangement (MoU, contract etc.))

*Information as provided by CyberQ Consulting Pvt. Ltd. on Nov 24, 2016.

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Control case India Pvt. Ltd.

1. Name & location of the empanelled Information Security Auditing Organization

ControlCase International Pvt. Ltd.


203, Town Center I, Andheri-Kurla Road, Andheri East
Mumbai - 400059

2. Carrying out Information Security Audits since : 2005

3. Capability to audit , category wise (add more if required)

 Network Security Audit


 Web-application Security Audit
 Web Application Source Code Review
 Advanced Penetration Testing Training
 Wireless Security Audit
 Compliance Audits (ISO 27001, PCI DSS, PA DSS, HIPPA, EI3PA)
 Virtualization Security Assessment
 Mobile Application Security Audit

4. Information Security Audits carried out in last 12 Months :

Govt. : 15
PSU : 03
Private : 500+
Total Nos. of Information Security Audits done : 500+

5. Number of audits in last 12 months , category-wise

Network Security Audit : 100+


Web-application Security Audit : 100+
Web Application Source Code Review : 15
Advanced Penetration Testing Training : 10
Wireless Security Audit : 10
Compliance Audits (ISO 27001, PCI DSS, PA DSS, HIPPA, EI3PA) : 400+
Virtualization Security Assessment : 5
Mobile Application Security Audit : 20

6. Technical manpower deployed for information security audits :

CISSPs : 8
BS7799 / ISO27001 LAs : 15
CISAs : 10
CEH : 8
PCI QSA : 15
PA QSA : 4
ASV : 3
CISM : 1
CRISC : 1
CCNA : 3
ITIL : 3
PMP : 2
Total Nos. of Technical Personnel : 50 plus
7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. No. Name of Duration Experience in Qualifications


Employee with Information related to
ControlCase Security Information
security
1. Satyashil Rane 5+ Years 10+ Years PCI QSA, PA QSA,
CISSP, CEH, ASV,
ISO 27001 LA
2. Pramod 3+ Years 10+ Years PCI QSA, PA QSA,
Deshmane CISA, CEH, ISO
27001 LI
3. Nitin Patil 2+ Years 4+ Years CEH
4. Abhishek Roy 2+ Years 4+ Years MS Cyber Law and
Info Sec
4. Rajesh Jayaswar 2+ Years 4+ Years MS Cyber Law and
Info Sec, CISA, CEH,
ISO 27001 LA, ISO
20000, BS 25999
5. Shashank Vaidya 2+ Years 3+ Years CEH

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value:

S.No Client Description of services ( Project Value


Relevant to Scope of Work in
this RFP, give reference number
only)
1. One of the largest Compliance as a Services – CAAS Rs. 40 lacs plus per year for 3
bank in Kuwait Which includes years
PCI certification,
Fire wall rule set review,
Configuration scanning of IT
Assets,
Application Security scanning,
Log Monitoring 24 x 7,
Internal vulnerability scan,
External vulnerability scan,
Internal and external penetration
testing,
Review and updating of policies,
Annual security awareness
trainings,
Risk assessment
2. One of the largest PCI DSS Certification Rs. 35 lacs plus in one year
bank in Vietnam Application Penetration Test
Internal vulnerability scan,
External vulnerability scan,
Internal and external penetration
testing
3. One of the largest Application Security Review Rs. 12.5 lacs plus
bank in Brunei Code review
4. One of the largest Compliance as a Services – CAAS Rs. 10 lacs plus per year for
payment transaction Which includes two years
service provider in PCI certification,
Mauritius Fire wall rule set review,
Configuration scanning of IT
Assets,
Application Security scanning,
Log Monitoring 24 x 7,
Internal vulnerability scan,
External vulnerability scan,
Internal and external penetration
testing,
Review and updating of policies,
Annual security awareness
trainings,
Risk assessment
5. One of the Top BPOs, Compliance as a Services – CAAS Rs. 30 lacs plus per year-
with Global Which includes Three years contracts
operations- multiple PCI certification, ISO Certification
sites Configuration scanning of IT
Assets,
Application Security scanning,
Internal vulnerability scan,
External vulnerability scan,
Internal and external penetration
testing,

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

Commercial :

IBM Rational Appscan


Armorize Code Secure
Tenable Nessus
Beyond Trust Retina (Privously owned by eEye)
Burp Suite Professional
Nipper

Freeware / Open Source (Includes but not limited to below) :

Backtrack / Kali Linux Framework – Nmap, Netcat, cryptcat, Hping, Sqlmap, JTR, OpenVAS,
SET, MSF, Aircrack suite, Dirbuster, Cain
Rapid 7 NExpose
Fiddler
Charlse Proxy
Eco Mirage
Proprietary :

ControlCase GRC - ControlCase GRC is a consolidated framework that quickly and cost-
effectively enables IT governance, risk management and compliance (GRC) with one or
several government or industry regulations simultaneously. It allows IT organizations to
proactively address issues related to GRC and implement a foundation that is consistent and
repeatable.

ControlCase Compliance Manager (CCM) - Built upon the ControlCase GRC (CC-GRC)
platform and provides an integrated solution to managing all aspects related to compliance.
CCM allows organizations to implement the processes, integrate technologies and provide a
unified repository for all information related to Compliance.

Card Data Discover (CDD) - ControlCase Data Discovery (CDD) addresses key need of
Credit Card Data Discovery and is one of the first comprehensive scanners that not only
searches for credit and debit card data on file systems, but also in most commercial and
open source databases, and all this searching is done WITHOUT installing any agents on any
scanned system. It scans the whole enterprise from one location.

ControlCase Compliance Scanner - ControlCase Compliance Scanner allows


QSAs/Auditors and consultants to streamline and automate the process of evaluating PCI
compliance during onsite engagements. Results from leading vulnerability scanners and
application scanners, along with cardholder data search features are processed by the
Compliance Scanner to pre-populate approximately half the controls of PCI DSS.
JDBF – Jet database Fuzzer, used to automate exploitation of discovered injection
vulnerability in Jet Database to fuzz for databases, tables and associated columns.

NPTO – Network Penetration Testing Optimizer, focuses on elimination of the need to


perform various analysis steps such as live IP identification, active information gathering
using port scanners such as Nmap, optimizing security scanners such as Nessus / OpenVAS
to perform vulnerability identification based on obtained results and providing verified
results.

10. Outsourcing of Project to External Information Security Auditors / Experts : No

*Information as provided by ControlCase International Pvt. Ltd. on 23/May/2013

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Ernst & Young LLP

1. Name & location of the empanelled Information Security Auditing Organization :

Ernst & Young LLP, Chennai

2. Carrying out Information Security Audits since : January 2001

3. Capability to audit , category wise (add more if required)

 Network security audit (Y/N)


 Web-application security audit (Y/N)
 Wireless security audit (Y/N)
 Compliance audits (ISO 27001, PCI, etc.) (Y/N)

4. Information Security Audits carried out in last 12 Months :


Govt. : 11
PSU : 15
Private : 90
Total Nos. of Information Security Audits done : 116

5. Number of audits in last 12 months , category-wise (Organization can add categories


based on project handled by them)
Network security audit : 110
Web-application security audit : > 80
Wireless security audit : 6
Compliance audits (ISO 27001, PCI, etc.) : 80

6. Technical manpower deployed for information security audits :


CISSPs : 9
BS7799 / ISO27001 LAs : 17
CISAs : 69
DISAs / ISAs : 2
Total Nos. of Technical Personnel : 145

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Duration with Experience in Qualifications related to


No Employee Ernst & Young Information Information security
LLP Security
1 Ponkumar 12.10 years 12.5 years CISM
Venkatesh
2 Rajesh kumar 6 years 13 years CISSP
D

3 Vishal jain 12.7 years 12 years CISSP


4 Mini Gupta 9.6 years 11years CISM, Lead Auditor Course
(BS25999)
5 Abhijit Kumar 6.5 years 14 Years CISA, Lead Auditor Course
(27001:2005)
6 Parab Ganesh 2 years 1.7 Years CHFI (EC-Council), CEH,
CIPP/IT
7 Rushit Choksey 10.6 years 8 Years CISM, CISA, CIPP/IT,
Diploma in Cyber Law,
ISMS Implementation
course (27001:2005)
8 Kartik Shinde 3.8 years 12 Years CISSP, CEH, GCFW, MCSE,
Certified BS7799
Implementer
9 Nikhil 3.4 years 7 Years CISA, CEH, ISO 27001
Wagholikar Lead Auditor, CHFI, CPISI,
CNSM

10 Vineet Shetty 2.10 years 2 Years CEH


11 Rahul Rishi 14.5 years 14 Years BS25999, CFE
12 Vibhor Jain 11.6 years 11 Years CISA, CISSP
13 Munish Arora 2 .7years 2 Years CDCP
14 Krunal 2.3 years 1.10 Years CDCP, CDCS, CCNA
Sidhpura
15 Jamaal Raazi 2.9 Years 2 Years CDCP
16 Navin Kaul 5.4 years 4.9 Years CISA, ISO 27001,
BS25999
17 Arindam 4.1 years 3.7 Years ITILv3
Mandal
18 Pritam Patnaik 2.10 years 2 Years ITILV3
19 Rahul 1 year 1 Year CEH
Choudhary

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

 ERP application audit (Application Security review - 500+ screens across various Roles
)

 State Wide Area Network (SWAN) (Vulnerability Assessment - 500+node)

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

Freeware

1. Nmap -- Port scanner

2. Nessus -- Vulnerability scanner

3. Nikto -- Web server/application vulnerability scanner

4. Metasploit Framework – Exploit code development framework for penetration tests

5. Peach – Python based fuzzer framework

6. Libnet – High level API for construction & injection of network packets

7. WireShark – Network protocol analyzer

8. Ettercap - Terminal-based network sniffer / interceptor / logger for ethernet LANs

9. Somersoft -- Security configuration, registry entries and access control lists on systems
running the Windows operating system.

Commercial

1. App Detective -- Vulnerability assessment and review of security configuration of MySQL,


Oracle, Sybase, IBM DB2, MS SWQL Server, Lotus Notes/Domino, Oracle Application
Server, Web Applications.

2. Bv-Control Suite -- Security assessment -Microsoft Windows, Active Directory, Microsoft


Exchange, Microsoft SQL Server, UNIX (Sun Solaris, HP-UX, AIX, Red Hat and SUSe
Linux), Internet Security, Check Point Firewall I

3. HP WebInspect – Web application security assessment


4. IPLocks VA – Database configuration and vulnerability assessment

5. Immunity Canvas – Vulnerability exploitation framework for penetration tests

6. eTrust -- Online vulnerability management framework.

7. Bv-Control -- Security and segregation of duty review for SAP

Proprietary

1. iNTerrogator -- Review of security configuration of systems running the windows


operating system.

2. *nix scripts -- A collection of scripts to assess the security configuration including file
level ACLs on *nix systems (SCO OpenServer, Linux, HP-Ux, AIX, Solaris, *BSD).

3. Spider -- Web application security assessment

4. FakeOra -- Security assessment of 2-tier applications that use Oracle 8i (and above) as
the RDBMS).

5. S-SAT -- A traveling SAP Security tool.

6. Permit -- ERP risk assessment and control solution tool.

7. Assessor -- Configuration review of Oracle Financials system.

8. WebSmack – Web application inventory and vulnerability assessment

9. EY/Mercury – Web based technical work plan generator to perform security configuration
review of IT infrastructure

10. Outsourcing of Project to External Information Security Auditors /Experts : Yes/No


( If yes, kindly provide oversight arrangement (MoU, contract etc.))

*Information as provided by Ernst & Young LLP on 12/11/13

Back
napshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

NETMAGIC IT SERVICES PVT. LTD.

1. Name & location of the empanelled Information Security Auditing Organization :

Netmagic IT Services Pvt. Ltd.


Lighthall 'C' Wing, Hiranandani Business Park,
Saki Vihar Road, Chandivali, Andheri (East)
Mumbai 400 072

2. Carrying out Information Security Audits since : 2006

3. Capability to audit , category wise (add more if required)

 Network security audit (Y/N) : Yes


 Web-application security audit (Y/N) : Yes
 Wireless security audit (Y/N) : Yes
 Compliance audits (ISO 27001, PCI, etc.) (Y/N) : Yes

4. Information Security Audits carried out in last 12 Months:

Govt. : 0
PSU : 0
Private : 20
Total Nos. of Information Security Audits done: 20

5. Number of audits in last 12 months , category-wise (Organization can add categories based
on project handled by them)

Network security audit: 4


Web-application security audit: 13
Wireless security audit: 0
Compliance audits (ISO 27001, PCI, etc.): 3

6. Technical manpower deployed for information security audits :

CISSPs : <1>
BS7799 / ISO27001 LAs : 15
CISAs : NA
DISAs / ISAs : NA
Any other information security qualification : 10
Total Nos. of Technical Personnel : 25

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Duration with Experience in Qualifications related


No. Employee <organization> Information Security to Information
security
1. Srinivas Prasad 9 years 9 years CISC, CPH, CPFA, ISO
27001 LA, CPISI
2. Subramaniam 2 years 7 years CISSP, CCSP, CCNP
Mariappan
3. Homesh Joshi 5 Years 11 Years ISO 27001 LA
8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

Netmagic’s one of the largest and complex project was to carry out Information Security
Assessment / Audit for one of India’s new age finance company which has recently acquired
banking license. The scope of entire activity includes:

 Vulnerability Assessment / Penetration Testing


 Configuration Audit of Network Devices

 Technical /Configuration Assessment of (Windows and Unix) Servers

 Policy and Process review & Audit

The project value was approximately 42+ Lacs and managed security services worth 1 Cr. INR.

9. List of Information Security Audit Tools used (commercial/ freeware/proprietary):

Open Source

 Webscarab/Paros/Burp
 Grendle scan/Nikto/w3af
 KALI Linux
 Dir buster
 WebSecurify

Commercial

 Nessus
 Hacker Guardian
 Netgear Wi-Fi Scanner

10. Outsourcing of Project to External Information Security Auditors / Experts : Yes/No


(If yes, kindly provide oversight arrangement (MoU, contract etc.)) No

*Information as provided by Netmagic IT Services Pvt. Ltd. on 24-11-2016.

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Network Intelligence India Pvt. Ltd.

1. Name & location of the empanelled Information Security Auditing Organization :

Network Intelligence India Pvt. Ltd.,


Mumbai

2. Carrying out Information Security Audits since : 2001

3. Capability to audits, category wise (add more if required)

 Network security audit: Yes


 Web-application security audit: Yes
 Wireless security audit: Yes
 Compliance audits (ISO 27001, PCI, etc.): Yes
 SCADA security audit: Yes
 Telecom security audit: Yes

4. Information Security Audits carried out in last 12 Months :

Govt. : 25
PSU : 3
Private : 90
Total Nos. of Information Security Audits done : 118

5. Number of audits in last 12 months , category-wise (Organization can add categories based
on project handled by them)

Network security audit: 26


Web-application security audit: 76
Wireless security audit: 20
Compliance audits (ISO 27001, PCI, etc.): 26

6. Technical manpower deployed for information security audits :

CISSPs : 4
BS7799 / ISO27001 LAs : 10
CISAs : 3
DISAs / ISAs : None
Any other information security qualification: 10
Total Nos. of Technical Personnel : 40

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. No. Name of Duration with Experience Qualifications


Employee <organization> in related to
Information Information
Security Security
1 TAS 5 5 CEH
2 VT 5 5 CCNA, RHCE,
CPH, CPFA
3 WH 4 4 CPH
4 Omair 3 7 CEH, OSCP,
Juniper
Certified,
RHCE, VMware
Certified
5 SY 4 4 CWASP, CPH
6 DR 4 4 CWASP, CPH
7 ST 3 3 CPH, CPFA,
CWASP, OSWP
8 RD 1 6 CISSP
9 DM 3 5 CISSP, CISA
10 KKM 11 11 CISSP, CISA,
CISM, CRISC
11 DR 1 8 CISSP
12 JP 3 6

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

Powergrid Corporation of India Ltd.


More than 50 network devices, 1000+ end-points, 50+ servers, SCADA systems
Spread over 5 locations of the country
Project value: approximately INR: 15 lakhs

9. List of Information Security Audit Tools used (commercial/ freeware/proprietary):

Proprietary: AuditPro, Firesec

Commercial: Netsparker, Burp Suite Pro, Nessus, GFI, Havij, Appscan, Acunetix,
Checkmarx, Veracode, Cenzic Hailstorm

Freeware: Nmap, Backtrack, Metasploit, Browser Add-ons, Fiddler, .NET Reflector,


Microsoft Threat Modeling Tool, Nikto, Wikto, FuzzDB, Cain & Able, BinScope, Numerous
Malware Analysis Tools, JTR, Crack, ADInfo, Hyena, Wireshark, Sysinternals Tools,
SNMPWalk, Hping, netcat, and many others too numerous to list all of them.

10. Outsourcing of Project to External Information Security Auditors / Experts : No


(If yes, kindly provide oversight arrangement (MoU, contract etc.))

*Information as provided by Network Intelligence India Pvt. Ltd. on 14/09/2012

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Net-Square Solutions Pvt. Ltd

1. Name & location of the empanelled Information Security Auditing Organization :

Net-Square Solutions Pvt. Ltd, Ahmedabad

2. Carrying out Information Security Audits since : 2001

3. Capability to audit , category wise (add more if required)

Network security audit : Y


Web-application security audit : Y
Wireless security audit : Y
Mobile application audit : Y
Application Code Reviews : Y
IT security design consulting : Y
Social Media Threat Evaluations : Y
Compliance audits (ISO 27001, PCI, etc.) : N

4. Information Security Audits carried out in last 12 Months :

Govt. : 2
PSU : 1
Private : 20
Total Nos. of Information Security Audits done : 23

5. Number of audits in last 12 months , category-wise (Organization can add categories based on
project handled by them)

Network security audit : 3


Web-application and mobile application security audit : 17
Code reviews and secure coding training : 4
Social Engineering and security process audits : 2
Wireless security audit : 3
Compliance audits (ISO 27001, PCI, etc.) : 2

6. Technical manpower deployed for information security audits : CISSPs : 1 CISAs : 1 Any other
information security qualification:

MCTS : 1
CCNA Security : 1
CEH : 3
Cyber Security Specialists : 2
Certified Forensics Professionals : 2
Total Nos. of Technical Personnel : 22

7. Details of technical manpower deployed for information security audits in Government and Critical
sector organizations (attach Annexure if required)

Sr Name Designation Duration with Experience in Technical


No. Net-Square Information Certifications
Solutions Security
1. Saumil Shah CEO 13+ years 17+ years Certified Information
Systems Security
Professional (CISSP)
2. Hiren Shah President 2.5 years 15+ years a. Certified Information
Security Auditor (CISA)
b. Certified in the
Governance of
Enterprise IT (CGEIT )
3. Aditya Modha Team Lead - 2.5 years 4 years Microsoft Certified
Consulting Technology Specialist
(MCTS) in .NET
Framework 2.0 Web
Applications
4. Rohan Braganza Security Analyst 1.5 years 2.5 years a. Certified Ethical
Hacker (CEH)
b. Cisco Certified
Network Associate
(CCNA)
c. Cisco Certified
Network
Associate(CCNA) –
Security
5. Yogesh Security Analyst 1 year 1 year a. Certified Professional
Deshpande Hacker (CPH )
b. Certified Information
Security Consultant
(CISC)
c. Certified Professional
Forensics Analyst (CPFA)
6. Shyam Kumar Security Analyst 6 months 1 year a. Certified Ethical
Hacker (CEH)
b. Certified Cyber
Security Expert
c. L1 Ethical Hacking
Expert
7. Girish Shrimali Security Analyst 6 months 2 years a. Certified Ethical
Hacking Expert
b. Certified Cyber
Security Expert
8. KEP Vasudeva Security Analyst 4 months 1.6 years a. Certified Cyber
Security Expert

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations etc.)
along with project value.

- Annual Information Security project with client based out of multiple locations in India and USA.
Project having work scope of 24 man months which includes testing of web applications, client server
applications and network and security reviews of offshore sites. The total project value has been US
$ 200,000.

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

Sr. Name of Tool What will it be used for Commercial/freeware


No. / proprietary
1 BURP Suite Professional HTTP request interception and Commercial
(licensed to Net-Square) modification
2 BURP Extensions (custom Enhances burpsuite and makes it Proprietary
developed) easier to work with it.
3 VMware Workstation/Player Helps to install and run one or more Commercial
os(s) virtually.
4 Backtrack 5 R3 virtual Used to install backtrack os. Freeware
machine image
5 DirBuster Used to bruteforce the directories in a Freeware
webapp.
6 Tilde Scanner Find the files on windows IIS server Freeware
which
7 NMap Used to scan for the open ports and Freeware
services on a webserver.
8 W3af Web Application audit and attack Freeware
frameworkused for auditing and
exploitating web apps.
9 Metasploit framework The framework enables us to run the Freeware
exploits, create sessions and exploit
vulnerable apps.
10 Nikto A Webapplication vulneribility scanner Freeware
that can test all the posibile
vulnerabilities in a webapplication.
11 Nessus A Webapplication Commercial
vulnerablity/network scanner that can
be used in local machine to test the
web

10. Outsourcing of Project to External Information Security Auditors / Experts: No ( If yes, kindly
provide oversight arrangement (MoU, contract etc.))

*Information as provided by Net-Square Solutions Pvt. Ltd. on 22nd May 2013

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Paladion Networks Pvt Ltd

1. Name & location of the empanelled Information Security Auditing Organization :

Paladion Networks Pvt Ltd


Head Office
Shilpa Vidya 49, 1st Main,
3rd Phase, JP Nagar,
Bangalore-560078

2. Carrying out Information Security Audits since : <Year>: 2000

3. Capability to audit , category wise (add more if required)

 Network security audit : Yes


 Web-application security audit : Yes
 Wireless security audit : Yes
 Compliance audits (ISO 27001, PCI, etc.) : Yes
 Source Code Review : Yes

4. Information Security Audits carried out in last 12 Months :

Govt. : more than 5


PSU : more than 5
Private : more than 50
Total Nos. of Information Security Audits done : more than
100

5. Number of audits in last 12 months , category-wise (Organization can add categories based
on project handled by them)

Network security audit : 1000+ IP addresses


Web-application security audit : 500+ applications
Wireless security audit : 20+ locations
Compliance audits (ISO 27001, PCI, etc.) : 25+

6. Technical manpower deployed for information security audits :

CISSPs : 10+
BS7799 / ISO27001 LAs : 25+
CISAs : 10+
DISAs / ISAs : 5+
Any other information security qualification : 50+ CEH
Total Nos. of Technical Personnel : 700+

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required):

We have 700+ technical personnel who are into information security projects. Here
are a few of them-

S. Name of Duration Experience in Qualifications


No. Employee with Information related to
Paladion Security Information security
1. Balaji V 10+ yrs 10+ yrs CISSP
2. Sanjeev Verma 9+ yrs 9+ yrs CISSP

3. Prashant Kumar 9+ yrs 10+ yrs CISSP, Digital Evidence


Verma Analyst, Cyber Crime
Investigator, Qualys
Certified Specialist
4. Santosh Jadhav 5+ yrs 10+ yrs CEH, CISSP

5. Shahabuddin 6+ yrs 8+ yrs Certified Web Hacking


Siddiqui & Security,
Professional, ITIL v3,
Qualys Certified
Professional
6. Dawood Haddadi 6+ yrs 8+ yrs Certified Web Hacking
Security Professional,
ISO 27001 Lead
Auditor
7. Hardik kumar 5+ yrs 8+ yrs CISA (1297325),
Vashi ISO27001 LEAD
AUDITOR
(ISM01MO913-0103),
CCNA
(CSCO11433404), QSA
8. Hariharan 5+ yrs 8+ yrs ISO 27001, CEH, QSA
Anantha Krishnan

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) Along with project value.

We execute 500+ projects each year globally. Here are a few of them-

S.No Customer Details Scope Project Value

1 Global Bank with Delivery a) Secure configuration review Rs. 5 crore+


Centre in India
b) Firewall rule base audit

c) Internal penetration test

d) External penetration test

e) Host discovery

f) Web application vulnerability scan

2 A large PSU in Western a) Secure configuration review Rs. 1 crore+


India
b) Source Code Review

c) Internal penetration test

d) External penetration test

e) Policy and Procedures

f) Web application penetration

3 A large Private Bank in India a) Security Testing Rs. 3 crore+


b) Security Monitoring

c) Threat Advisory

4 Large IT company in South 25 Web Application Per quarter, Rs. 1 crore+


India 30IPs Per Quarter-Network
Penetration Testing, 10 Applications
Per Year-Code Review, 10 Mobile
Application Testing

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

S. No Activities Security Audit tools

1 Network Penetration Testing KALI Linux, Nslookup, Dnsrecin, Dnsmap, Metagoofil,


fragroute, whisker, Nmap, Firewalk, SNMPc, Hping,
xprobe, Amap, Nessus, Nikto, L0phtcrack, John the
ripper, Brutus and Sqldict.

2 Wireless Penetration Testing AirSnort, WinDump, Ethereal, WEPCrack, NetStumbler,


Kismet, AirTraf, WaveStumbler, Aircrack-ng Suite &
Ettercap

3 Internal Vulnerability Scanning Qualys Guard & Nessus Professional

4 Application Security Assessment Burp Proxy and Scanner, Paros Proxy and Scanner,
Wireshark, Winhex, , CSRF Tester, Elixan, OpenSSL,
tHCSSLCheck, Firefox Extensions, NetSparker

5 Social Engineering KALI Linux, Paladion tools

6 ASV Scans Qualys professional

7 War Driving Netstumbler, Kismac, or Kismet

8 Source Code Review Checkmarx & Paladion Preparatory tool

9 Configuration Review RISKVU IST, Tenable Nessus

10. Outsourcing of Project to External Information Security Auditors / Experts: No


(If yes, kindly provide oversight arrangement (MoU, contract etc.))

*Information as provided by Paladion Networks Pvt Ltd. on 10/09/2012

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

PricewaterhouseCoopers Pvt. Ltd

1. Name & location of the empanelled Information Security Auditing Organization:

PricewaterhouseCoopers Pvt. Ltd.


Building 8, 7th Floor, Tower C, Dlf Cyber City,
Gurgaon, Haryana 122002

2. Carrying out Information Security Audits since: 1992

3. Capability to audit , category wise (add more if required)

 Network security audit (Y/N) : Yes


 Web-application security audit (Y/N) : Yes
 Wireless security audit (Y/N) : Yes
 Compliance audits (ISO 27001, PCI, etc.) (Y/N) : Yes

4. Information Security Audits carried out in last 12 Months:

Govt. : 50+
PSU : 32+
Private : 50+
Total Nos. of Information Security Audits done : 100+

11. Number of audits in last 12 months , category-wise (Organization can add categories
based on project handled by them)

 Network security audit : 50+


 Web-application security audit : 300+
 Wireless security audit : 25+
 Compliance audits (ISO 27001, PCI, etc.) : 25+

12. Technical manpower deployed for information security audits :

CISSPs : 5+
BS7799 / ISO27001 LAs : 5+
CISAs : 5+
DISAs / ISAs : -
Any other information security qualification : CEH – 20+
Total Nos. of Technical Personnel : 200+

13. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. No. Name of Employee Duration with Experience in Qualifications related to


PwC Information Security Information security
1. Rahul Aggarwal 11 Years 8 16 years CISSP, ISO 27001,
months BS25999
2. Manish Kumar 4 Years 2 6 Years CEH
Gupta Months
3. Pravesh Janartha 1 Years 10 5 Years CEH, ISO 27001, ISO
Months 31000
4. Saurabh 3 Years 4 3 Years CEH, ISO 27001
Srivastava Months
5. Atiq Anwar 1 Year 10 6 Years CEH, ISO 27001
Months
6. Nagesh Gautam 1 Year 10 5 Years CEH
Moths
7. Rajinder Singh 2 Years 6 6 Years CISSP, CEH, CISRA,
Months ISO 27001, CIPP, CCNA
8. Debayan Mitra 6 Years 10 8 Years CEH, ISO 27001
Months
9. Anil Keshava 4 Years 8 Years CISM, ISO 27001, ISO
Mallaya 22301
10. B. Ashish Kumar 2 Years 11 8 Years CEH, CISSP, CISA,
Months CISM, ISO 27001

14. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

Design and monitor the Information Security and Performance as part of the
Governance, Risk and Compliance (GRCP) initiative of the largest biometric service
provider

M/s. PricewaterhoouseCoopers Pvt. Ltd. has been engaged to facilitate creation of a robust,
comprehensive, secure environment for UIDAI ecosystem including setting up the GRCP
framework for the organization, carrying out compliance assessment of more than 250+
ecosystem partners based on ISO standards and organization’s information security policy,
conducting vulnerability assessment, penetration testing and application assessment for the
entire ecosystem based on OWASP guidelines.

Project Value: Approx. 2.5+ million USD

Implementation and Monitoring of GRC Framework for the IT consolidation Project for
a
Department under Ministry of Finance (GoI)

PwC has been engaged with the client to assist in design, implementation and monitoring of
framework aimed towards achieving secure virtualization of processes/ systems supporting
generation, processing and creation of sensitive tax-payer data. Broadly our scope includes:
 Review of Security governance framework covering three data centers and select other
locations
 Review of the security policy and procedures and assistance in ISMS implementation
 Performance measurement for all large vendors for SI, Data Centre, LAN, WAN and MPLS
services
 Periodic Security audit for critical site locations including Data Centers, Custom and Excise
Houses
 Application Audit and SDLC review for all the 5 business critical applications used by the
department
 Periodic Vulnerability Assessment and Penetration Testing (both Internal and External) of the
centralized IT Infrastructure.
 Periodic Configuration review of the supporting network devices at the Data Centres
 Periodic Security Assessments of the web applications

Project Value: Approx. 1+ million USD

15. list of Information Security Audit Tools used ( commercial/ freeware/proprietary):

S. No. Type of Tool Tools


1. Commercial 1. Webinspect
2. Nessus Professional Feed
3. Maltego
4. Accunetix
5. Burp Professional Suite
6. HPE Fortify
7. Others
2. Open Source 1. Nmap
2. Metasploit
3. Backtrack
4. Nessus Home Feed
5. Others
3. Proprietary 1. Phish Pro
2.PwC Windows Script
3. PwC Unix Script
4. PwC SQL/Oracle Script
5. PwC Server Script
6. Others

16. ourcing of Project to External Information Security Auditors / Experts: No


(If yes, kindly provide oversight arrangement (MoU, contract etc.))

*Information as provided by PricewaterhouseCoopers Pvt. Ltd. on 17 January, 2017.

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

STQC Directorate

1. Name & location of the empanelled Information Security Auditing Organization :

STQC Directorate,
6 CGO Complex and STQC IT Centers at Delhi, Kolkata, Mohali, Pune, Bangalore, Hyderabad,
Trivandrum, Chennai.

2. Carrying out Information Security Audits since : <2003>

3. Capability to audit , category wise (add more if required)


 Network security audit : Yes
 Web-application security audit : Yes
 Wireless security audit : No
 Compliance audits (ISO 27001, PCI, etc.) : Yes

4. Information Security Audits carried out in last 12 Months :


Govt. : 57
PSU : 36
Private : 27
Total Nos. of Information Security Audits done : 119

5. Number of audits in last 12 months , category-wise (Organization can add categories based
on project handled by them)
Network security audit : 16
Web-application security audit : 90
Wireless security audit : Nil
Compliance audits (ISO 27001, PCI, etc.) : 12

6. Technical manpower deployed for information security audits :


CISSPs : NIL
BS7799 / ISO27001 LAs : 17
CISAs : NIL
DISAs / ISAs : NIL
Any other information security qualification:
CEH : 10
Certified Professional for Secure software engineering : 6

7. Total Nos. of Technical Personnel : 27

8. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Employee Duration with Experience in Qualifications related to


No. <organization> Information Security Information security

Mr. Sanjeev Center Security, Appl.


1 Kumar 1993 Security 2

Secure software
development, ISMS
2 Mr. Manoj Saxena 1985 LA, Master Trainer 2
3 B.K. Mondal Jan-90 ISMS LA, CEH 13
4 Aloke Sain Nov-91 ISMS LA, CEH 11
5 Subhendu Das Jun-89 ISMS LA, CEH 13
6 Chittaranjan Das Nov-86 ISMS LA, CEH 5
Tapas
7
Bandyopadhyay May-91 ISMS LA, CEH 9

8 Malabika Ghose Jul-89 CEH 9

9 Manikanta Das Mar-84 ISMS LA, CEH 9


CEH, Master Trainer
10 Arpita Datta Jun-95 (ISEA Project) 9

11 Debasis Jana Sep-82 ISMS LA, CEH 13


CPSSE (Certified
Professional for
Secure Software
12 Sanjay K. Prusty Dec-95 Engineering) 9

13 Arup Datta Apr-98 CNSM 3

14 Subrata Giri Jan-13 CNSM 1

15 Himadri Roy Feb,1989 ISMS LA 5

16 E.Kamalakar Rao Oct-89 ISMS LA 7


S.P.Tharesh
17 Kumar Mar-00 CNSM 4

18 V P Yadav January, 1984 -- 4


ISMS -LA, STQC-
S.Velmourougan 1990
19 CISP, CEH
ISMS LA, Wireless
TV Subramanyam Feb-87 LAN Security, Secure 3
20 Software Engineering
MV ISMS LA, STQC CISP,
Sep-86 7
21 Padmanabhaiya STQC CIISA
ISMS LA, Master
Trainer (ISEA
Sushil Kumar Project), Secure
22 Nehra Jun-93 Software Engineering, 13

23 Kamini Malik May-86 ISMS LA 13


ISMS LA, ITSM LA,
24 A K Sharma Oct-89 ITIL Process Manager 13

25 Arvind Kumar Sep-86 ISMS LA 13


ISMS LA, ITSM LA,
Rakesh ITIL Process
Aug-87 13
Maheshwari Manager, Master
26 Trainer (ISEA Project)
App Sec Training,
Network Security, CC,
Dhawal Gupta May-08 5
ISEB Intermediate,
27 CNSM

9. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations etc.)
along with project value. 28 number of Important Government website hosted at
various locations.

10. List of Information Security Audit Tools used ( commercial/ freeware/proprietary) :

Appscan, Nessus, SAINT exploit, Acunetix wvs, Metasploit,Paros, Burp, Webscraber,


Proprietary scripts, SSL Digger, whois, nmap etc
11. Outsourcing of Project to External Information Security Auditors / Experts : No

( If yes, kindly provide oversight arrangement (MoU, contract etc.))

*Information as provided by STQC Directorate as on 07 January 2014

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

SUMERU SOFTWARE SOLUTIONS PVT LTD

1. Name & location of the empanelled Information Security Auditing Organization :

1st Floor, SAMVIT”,


Near Art of Living International Center,
Next to Udayapura Bus Stop,
Behind Sri Anjeneya Temple / Anganawadi School,
21st KM Kanakapura Main Raod,
Udayapura, Bangalore – 560082

2. Carrying out Information Security Audits since : 2005

3. Capability to audit , category wise (add more if required)


 Network security audit (Y/N) : Yes
 Web-application security audit (Y/N) : Yes
 Wireless security audit (Y/N) : Yes
 Compliance audits (ISO 27001, PCI, etc.) (Y/N) : Yes
 Secure code review : Yes
 Mobile application security audit : Yes
 Security code training : Yes
 Application security training : Yes
 Hardening training : Yes
 Forensic security audit : Yes

4. Information Security Audits carried out in last 12 Months :


Govt. : 42
PSU : 23
Private : 20
Total Nos. of Information Security Audits done : 85

5. Number of audits in last 12 months , category-wise (Organization can add categories based
on project handled by them)
Network security audit : 28
Web-application security audit : 40
Wireless security audit : 10
Compliance audits (ISO 27001, PCI, etc.) : 7

6. Technical manpower deployed for information security audits :

CISSPs : 1
BS7799 / ISO27001 LAs : 17
CISAs : 1
DISAs / ISAs : NIL
Any other information security qualification : 15
Total Nos. of Technical Personnel : 5

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Duration with Experience in Qualifications related


No. Employee <organization> Information to Information security
Security
1. VASANTHANAG Jan 2016 4 Years – ISMS 2 ISMS LA, CWHH,
GB Years, 7 months – CCNA, MCP
IT
2. Jitendra Kumar Jan 2014 2+ years CEH
Sharma
3. Ajan Kancharla Dec 2015 2 Years, 5 months ISMS Lead
Implementer
CEH v7
HP ArcSight ESM 6.5
Administration
4. Ravikumara S D July 2014 4 Years, 8 months ISMS LA
QMS LA
5. ARUL P Feb 2015 1 Year, 1 month CEH ,EJPT
6. Abhinav Rajput Aug 2015 1 Year, I month(8 CCNA –(CISCO
months in HCL as Certified Network
Network Engineer) associate)
7 Vyankatesh Feb 2015 1 year Certified Ethical Hacker
Paskanti (CEH)
8 Sandeep V Feb 2015 EC Council- Certified
Ethical Hacker v8 –
2+ Years Cert No:
ECC25199916210
Udemy- Basics Of Web
Application Penetration
Testing –
UC-DJU4VFMX
eLearnSecurity Junior
Penetration Tester -
EJPT-200191
eLearnSecurity Web
application Penetration
Tester –
EWPT – 200
Offensive Security
Certified Professional
(OSCP)
9 Morsa Jagadeesh July 2014 1 Year, 8 months EC Council- certified
Babu Ethical Hacker v8
(CEHv8) - Cert
No: ECC56126713211,
eLearn security Junior
Penetration Tester
(eJPT) - Cert No: EJPT-
200245,
Udemy Basics of Web
Application Penetration
Testing - Cert No: UC-
WVFHUEM8
10 Sasikumar TM Oct 2014 1 Year, 6 months ISO 27001: 2013 LA,
OCJP(Oracle Certified
Java Programmer)
11 Siva T Oct 2015 3+ Years CEH
12 Sathish T Aug 2016 1 Year CEH
13 Ranjith R Aug 2016 1 Year CEH
14 Shivsankar B Mar 2015 1+ Year ISO 27001:2013 LA
15 Shashank Pramod July 2008 7 Years, 5 months OSCP, CISSP
Dixit
16 Krishna Kumar Aug 2008 7 years 8 months GREM, GMOB, GPEN,
Sengoda GWAPT, GWEB, eCPPT,
eWPT
17 Rajesh M Dec 2007 13+ (5 years of ISO 27001:2013 LA
information security
experience)
18 Sandeep Erat Jan 2003 13 +years CISA, ISO 27001:2013
LA
19 V.Rajagopal Jan 2010 7 Years ISO 27001:2013 LA &
ISO 9001 2008 LA

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations etc.)
along with project value.
Large Global Presence Hotel- 95 hotels, both network and web applications,
Across the globe.
Project value : RS 120,00,000.00 (1.2 Crores)

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

Commercial – Burp Suit Professional, Nessus, Netsparker

Freeware –

Kali Linux Operation system


Mallory
Putty, Echomirage
HPing2
Dsniff
GFI Languard
Samspade
Superscan
Saint
Sara
Firewalk
Xprobe2
Toolsets
Hunt
Brutus
Fragroute
Shadow Security Scanner
Nmap

10. Outsourcing of Project to External Information Security Auditors / Experts: No

( If yes, kindly provide oversight arrangement (MoU, contract etc.))

*Information as provided by < organization> on <date>

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

M/s. Sysman Computers Private Limited

1. Name & location of the empanelled Information Security Auditing Organization :

Sysman Computers Private Limited


312, Sundram, Rani Laxmi Chowk, Sion Circle, Mumbai 400022
Contact : Dr. Rakesh M Goyal, Managing Director
Phone – 99672-48000 / 99672-47000
Email – [email protected] / � ससमै न@�
ससमै न.भाारत

2. Carrying out Information Security Audits since : 1991

3. Date of empanelment by CERT-In : Since 2005

4. Capability to audit, category wise (add more if required)

 Network security audit (Y/N) - YES


 Web-application security audit (Y/N) - YES
 Mobile-application security audit (Y/N) - YES
 Wireless security audit (Y/N) - YES
 Compliance audits (ISO 27001, PCI, etc.) (Y/N) - YES
 Main business application audit - YES
 Cyber Forensics - YES
 IT GRC Consulting - YES
 Techno-legal compliance/consulting - YES
 Audit of Certifying Authorities/e-sign/RA/ASP - YES
 Audit of UIDAI ASA / KSA - YES

5. Information Security Audits carried out in last 12 Months :

Govt. : <number of> 21


PSU : <number of> 10
Private : <number of> 17 (over 210 branches)
Total Nos. of Information Security Audits done : 48 organisations

6. Number of audits in last 12 months , category-wise


(Organization can add categories based on project handled by them)

Network security audit: <number of> 16


Web-application security audit: <number of> 45
Mobile-application security audit: <number of> 06
Wireless security audit: <number of> 04
Compliance audits (ISO 27001, PCI, RBI): <number of> 240
Cyber Forensics 21
IT GRC Consulting/Audit 06
Audit of Certifying Authorities/e-sign/RA/ASP 05
Audit of UIDAI ASA / KSA 03

7. Technical manpower deployed for information security audits :

CISSPs : <number of> 01


BS7799 / ISO27001 LAs : <number of> 05
CISAs : <number of> 04
DISAs / ISAs : <number of> 01
Any other information security qualification: <number of> 04
Total Nos. of Technical Personnel : 08
8. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Employee Duration with Experience in Qualifications related


No. Sysman Information Security to Information security
1 Dr. Rakesh M Feb 1985 26 years PhD, CISA, CISM,
Goyal CCNA, CFE, CCCI
2 Vaibhav Banjan May 2007 14 years CISA, DISA
3 Anand Tanksali April 2010 10 years CCNA, CCSA
4 Winod P Karve Sep 1999 18 years CISA, ISO27001 LA
5 Mohammad Khalid March 2011 7 years CCNA, ISO27001 LA
6 Pallavi Goyal April 2010 6 years ISO27001 LA,
CCNA,CEH
7 Ankur Goyal March 2012 8 years ISO27001 LA
8 Kiran Chugh June 2015 9 years CISA, CISSP,
ISO27001 LA

9. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

1. IT Infrastructure with 150 servers, 2500+ nodes, 120 switches, 30 routers


spread over 50 locations all over India alongwith matching DR site.
2. Application audit with 32 modules used by 6000 people
3. e-governance Web-application with 23 modules exposed to world
10. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

Mostly used - Nmap. Superscan, Nessus, Metasploit, SecurityForest,


kproccheck, sqlmap, MBSA, Belarc, w3af, GFI, Aircrack, Nikto, Kismet,
NetStumbler, WebSecurify, Burp Suite, Temper data, N-stalker, ZAP, Secure
Auditor, Web developer toolbar. (others depending upon requirement).
Finally Manual exploitation.

11. Outsourcing of Project to External Information Security Auditors / Experts : Yes/No ( If yes,
kindly provide oversight arrangement (MoU, contract etc.)) –

No. No outsourcing of assignment. But engagement of external known


experts alongwith Sysman team is done, based on special skills required for
the assignment.

For this, we have (a) Confidentiality and Non Disclosure Agreement; (b)
adherence to IT Security and other Policies and (c) clear cut scope of work,
with clear knowledge of client.

*Information as provided by Sysman Computers Private Limited on 24 November 2016

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

SISA Information Security Pvt Ltd

1. Name & location of the empanelled Information Security Auditing Organization :

SISA Information Security Pvt Ltd


SISA House, #3029, SISA House, 13th Main Road,
HAL 2nd Stage, Indiranagar, Bangalore - 560 008. India

2. Carrying out Information Security Audits since : 2001

3. Capability to audit , category wise (add more if required)

 Network security audit (Y/N) Yes


 Web-application security audit (Y/N) Yes
 Wireless security audit (Y/N) Yes
 Compliance audits (ISO 27001, PCI, etc.) (Y/N) Yes
 RBI PSS Audits Yes
 Forensic Investigation Yes
 Mobile Application security audit Yes
 Information Security Awareness and Trainings Yes
 Secure Code review Yes

4. Information Security Audits carried out in last 12 Months :

Govt. : <0>
PSU : <2>
Private : <280+>
Total Nos.nof Information Security Audits done : 282

5. Number of audits in last 12 months , category-wise (Organization can add categories based
on project handled by them)

Network security audit : <75+>


Web-application security audit : <35+>
Wireless security audit : <2+ >
Compliance audits (ISO 27001, PCI, etc.) : <156+>
Forensic Audit : <8+>
Secure Code Review : <6+>

6. Technical manpower deployed for information security audits :

CISSPs : <3>
BS7799 / ISO27001 LAs : <7>
CISAs : <10>
DISAs / ISAs : <1>
Any other information security qualification : <26>
Total Nos. of Technical Personnel : 47+
7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. No. Name of Duration with Experience in Qualifications related to


Employee <SISA> Information Information security
Security
1 Renju Varghese October 2006 10 Years 1 CISA, CISSP, GCFA, PCI
Jolly month QSA, PA QSA
2 Vishnu Ganesh October 2014 4 Years M.Tech (Information
Kamat Security and Management)

3 Girish Karehalli February 2015 5 years 2 CISA, CRISC , PCI QSA,


Venkatappa months CEHv8, ISO 27001 LA
4 Lohith January 2015 3 Years 6 M.B.A IT, MSc ISS and
Narayana months Trained in: CEH, ECSA,
Sans IDS, Sans CF, Sans
IHHT, BSI 27001

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

No. of Computer Approx – 3600


Systems :
No. of servers : 600 – 620
No. of switches : 75 – 80
No. of routers : 280 – 300
No. of firewalls : 21
No. of IDS' : 18

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):


Refer to Annexure 1

10. Outsourcing of Project to External Information Security Auditors / Experts : No


( If yes, kindly provide oversight arrangement (MoU, contract etc.))

* Information as provided by SISA Information Security Pvt Ltd on 25/11/2016

Back
Annexure 1

List of Tools SISA presents the most commonly used commercial and open source tools in a
SISA Security Audit

Tool License Used


Nessus 6.3 Professional feed Commercial Vulnerability Assessment
Mobisec Open Source Mobil Application Pen Test
Burp Suite Professional Commercial Web Application Pen Test
Accuentix Commercial Web Application Pen Test
Retina Commercial Network Vulnerability Scan
NMAP Open Source Port Scanner
W3af Open Source Web Application Scanner
Wikto Open Source Web Application Scanner
Solarwind Open Source Network Pen Test
Back Track Tool Kit Network and Application Pen
Open Source
Test
Samurai Testing Tool Kit Commercial Web Application Pen Test
Encase Commercial Computer Forensics
Wireshark Open Source Network Sniffer
Netstumbler Open Source Wireless Scanning
Aircrack Open Source Wireless Pen Test
Airmagnet Open Source Wireless Pen Test
Paros Open Source Web Application Proxy
Nipper Open Source Network Configuration File
Qualys Guard Commercial Network and Application VA
SoapUI Commercial Web Services
Nikto Open Source Network Pen Test
Netcat Open Source Network Pen Test
Cain&Abel Open Source ARP Poisoning, DNS Poisoning
Nessus 6.3 Professional feed Commercial Vulnerability Assessment
Mobisec Open Source Mobil Application Pen Test
Burp Suite Professional Commercial Web Application Pen Test
Accuentix Commercial Web Application Pen Test
Retina Commercial Network Vulnerability Scan
NMAP Open Source Port Scanner
W3af Open Source Web Application Scanner
Wikto Open Source Web Application Scanner

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Torrid Networks Pvt. Ltd

1. Name & location of the empanelled Information Security Auditing Organization:

Torrid Networks Pvt. Ltd. , C-171, 2nd Floor, Sector 63, Noida, NCR

2. Carrying out Information Security Audits since : 2006

3. Capability to audit , category wise (add more if required)

 Network security audit Yes


 Web-application security audit Yes
 Mobile application security audit Yes
 Wireless security audit Yes
 Compliance audits (ISO 27001, PCI, DOT Audit, etc.) Yes
 DoT Audit Yes

4. Information Security Audits carried out in last 12 Months :

Govt. : More than 75


PSU : Around 5
Private : More than 100
Total Nos. of Information Security Audits done : Around 200

5. Number of audits in last 12 months , category-wise (Organization can add categories based
on project handled by them)

Network security audit : 25+


Web-application security audit : 100+
Mobile Application security Audit : 20+
Wireless security audit : 7+
Compliance audits (ISO 27001, PCI, etc.) : 5+
DoT Audits : 2

6. Technical manpower deployed for information security audits :

BS7799 / ISO27001 LAs : 4


CISAs : 2
CEH : 10
Total Nos. of Technical Personnel : 35

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. No. Name of Duration Experience in Qualifications


Employee with Torrid Information related to
Networks Security Information
security
1 D.S October 2006 13 CISA, CEH, ISO
27001 LA, ECSA, LPT
2 S.K February 6 ISO 27001
2011
3 S.P July 2014 3 CEH
4 N.S February 2 Diploma in Cyber
2015 Security
5 P.A March 2016 2.5 PG Diploma in IT
Infrastructure,
Systems & Security
6 P.Y March 2016 1.5 CEH, CPFA, CPH,
CISC

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

No. of Computer Systems : 10000


No. of Servers : 500
No. of Switches : 250
No. of Routers : 25
No. of Firewalls : 18
No. of IDS' : 10

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

Metasploit, Burp Suite SQLMAP, Dnsenum, Knockpy, whatweb, Nikto, Subbrute, Recon-ng,
Owasp zap, Fiddler, Tamper data, Live http header, Appscan, Accunetix, Wapplyzer,
Dirbuster, wfuzz, Weevely, Nmap, Nessus, Hydra, fping, Wireshark, Tcpdump, testssl,
sslscan, rpcclient, Ethercap, enum4linux, snmpwalk, netcat, Nipper-ng, Microsoft Baseline
Security Analyzer, Intrust, Intrufi

10. Outsourcing of Project to External Information Security Auditors / Experts : No


(If yes, kindly provide oversight arrangement (MoU, contract etc.))

* Information as provided by Torrid Networks Pvt. Ltd. on 25th November, 2016

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

ValueMentor Consulting

1. Name & location of the empanelled Information Security Auditing Organization :

ValueMentor Consulting
"Chandanam”, Infopark Thrissur,
Koratty, Kerala, India – 680 308
Ph: +91 - 487 - 2970 700 / 974 5767 949

2. Carrying out Information Security Audits since : <2012>

3. Capability to audit , category wise (add more if required)

 Network security audit : Yes


 Web-application security audit : Yes
 Wireless security audit : Yes
 Compliance audits (ISO 27001, PCI, etc.) : Yes
 Mobile Security Assessments : Yes
 PCI Consulting / Audit : Yes
 IT Act Consultancy : Yes
 HIPAA Compliance Audits : Yes
 IS Audits for Banks : Yes
 Digital Forensics : Yes

4. Information Security Audits carried out in last 12 Months :

Govt. : 20
PSU : 2
Private : 117
Total Nos. of Information Security Audits done : 139

5. Number of audits in last 12 months , category-wise (Organization can add categories


based on project handled by them)

Network security audit: At least 20


Web-application security audit: At least 50
Wireless security audit: At least 10
Compliance audits (ISO 27001, PCI, etc.): At least 5

6. Technical manpower deployed for information security audits :

CISSPs : 3
BS7799 / ISO27001 LAs : 1
CISAs : 4
Any other information security qualification : 14
Total Nos. of Technical Personnel : 18

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Duration Experience in Qualifications


No. Employee with Information related to
ValueMentor Security Information security
since
1 Binoy 2012 18 Years CISSP, CISA,
Koonammavu CRISC,CISM,PCI QSA
2 Jobbin Thomas 2012 17 Years CISSP, ISO 27001 LA,
CISA
3 Balakrishnan 2012 19 Years CISA, CISSP, CISM,
Alingal BS7799
4 Angela Maria 2012 16 Years CISA, ISO 27001 LA
Paulson
5 Renjith T C 2013 3 Years CEH

6 Jacob Jose 2014 2 Years CEH

7 Arun Babu 2014 2 Years CEH

8 Jithu T George 2016 2 Years ECSA, CEH

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

Client Project Scope Location Approx Project Value

A large business ISO27001, PCI DSS, UAE Above INR 1 Mn


group in UAE Penetration Testing,
IS Risk Assessments

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

# Category Tools
Acunetix
Nessus Professional Feed
1 Commercial Qualys Guard
Burp Professional Suite & Charles Proxy
Metasploit Pro
NMAP
KALI Linux Distribution and tools in it
Metasploit
OWASP ZAP / Paros / Fiddler / SSL Strip
SQLMap
Bowser Add-ons / extensions
Wireshark
WinHEX
NIKTO / Wikto / W3af
2 Freeware / Open Source
Tools from FoundStone
John The Ripper / Hydra
Social Engineering ToolKit
Aircrack-Ng
Android Emulator
Java De-compiler
APK Inspector
APK Analyzer
Cydia Tool set
Automating scripts
3 Proprietary ValueMentor Windows / Unix / Oracle / MS SQL /
MYSQL Scripts

10. Outsourcing of Project to External Information Security Auditors / Experts : No


( If yes, kindly provide oversight arrangement (MoU, contract etc.))

*Information as provided by ValueMentor on 27-11-2016

BacK
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Wipro Limited

1. Name & location of the empanelled Information Security Auditing Organization :

Wipro Infotech, 480-481,


Udyog Vihar, Phase-III,
Gurgaon, Haryana.

2. Carrying out Information Security Audits since : 2005

3. Capability to audit , category wise (add more if required)

 Network security audit (Y/N) : Yes


 Web-application security audit (Y/N) : Yes
 Wireless security audit (Y/N) : Yes
 Compliance audits (ISO 27001, PCI, etc.) (Y/N) : Yes

4. Information Security Audits carried out in last 12 Months : Govt. : Atleast 5 PSU : Atleast 5
Private : Atleast 10 Total Nos. of Information Security Audits done : Atleast 30

5. Number of audits in last 12 months , category-wise (Organization can add categories based
on project handled by them)

Network security audit: Atleast 10 Web-application security audit: Atleast 10 Wireless


security audit: 0 Compliance audits (ISO 27001, PCI, etc.): Atleast 15

6. Technical manpower deployed for information security audits : CISSPs : Atleast 10 BS7799 /
ISO27001 LAs : Atleast 15 CISAs : Atleast 20 DISAs / ISAs : 0 Any other information
security qualification: CEH: Atleast 15 Total Nos. of Technical Personnel : Atleast 20

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

Details attached in Annexure 1

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value

S. No. Name of the Project Scope Location Approx Project


Client value
1 One of the PCI, Security audits, INR 16 Mn
largest BPO Application security, SOX, 1. Gurgaon
ISAE 3402, ITGC audits. 2. Hyderabad
Volume: More than 140
audits

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

Commercial Tools:
a. Nessus—Vulnerability Scanner
b. Acunetix -- Web Application Auditing
Freeware Netcat Nexpose SuperScan John the Metasploit
Tools: Nmap Ripper
Backtrack Burp Suite w3af Brutus Aircrack-ng Netstumbler
Live CD
Kismet Foundstone SSlscan Sqlmap Hydra Social
Tools Engineering
toolkit
Wireshark Cain and Fiddler Sysinternals Firefox chrome
Able addons addons

Proprietary Tools/Scripts

10. Outsourcing of Project to External Information Security Auditors / Experts : No


(If yes, kindly provide oversight arrangement (MoU, Contract etc))

* Information as provided by Wipro on 24-05-2013

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Centre for Development of Advance Computing (C-DAC)

1. Name & location of the empanelled Information Security Auditing Organization :

Centre for Development of Advanced Computing (C-DAC)


(A Scientific Society of Department of Electronics and Information Technology,
Government of India)
Plot No. 6 & 7, Hardware Park,
Sy No. 1/1, Srisailam Highway,
Pahadi Shareef Via Keshavagiri (Post)
Hyderabad - 500005
Contact Person: Mr Ch.A.S.Murty
Email: cswan @cdac.in
Contact Number:- 040-23737124, 9248920122
Fax:- 040-23738131

2. Carrying out Information Security Audits since : 2011

3. Capability to audit , category wise (add more if required)


 Network security audit (Y/N) : Yes
 Web-application security audit (Y/N) : Yes
 Wireless security audit (Y/N) : Yes
 Compliance audits (ISO 27001, PCI, etc.) (Y/N) : ISO 27001,
Cloud, PCI, AADHAR UIDAI (KSA/KUA/ASA/AUA), e-Sign ASP,OWASP etc.,

4. Information Security Audits carried out in last 12 Months :


Govt. 2 – completed , 1 – ISMS in progress
PSU : -
Private : -
Total Nos. of Information Security Audits done : 3

5. Number of audits in last 12 months , category-wise (Organization can add categories based
on project handled by them)

Network security audit : 8 number of audits to government organizations


Web-application security audit : 78 number of web audits to government and private
organizations
Mobile applications - 5 mobile apps certified ( 10 audits in progress)
Wireless security audit : 3 number of organizations had wireless in network
audit scope
Compliance audits (ISO 27001, PCI, etc.): All 78 web audits are compliance audits as
follows:
 56 - OWASP
 20 - CCA Compliance ASP e-Sign Audits
 2 - AADHAR UIDAI compliance
 1 - ISO 27001 - in progress

6. Technical manpower deployed for information security audits :


CISSPs : 2
BS7799 / ISO27001 LAs : 1
CISAs : Nil
DISAs / ISAs : Nil
Any other information security qualification:
 SANS Certified – 16
 Cert-CC – 3
 CEH – 17
 ECSA – 4
Total Nos. of Technical Personnel – 36

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required) Refer Annexure – A

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value. : 16 major projects handled which include government
network infrastructure audits and various websites".

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

Freeware Commercial Inhouse

1. Nmap 17. Httprint 1. Acunetix - WebSAFE


2. Nikto 18. Curl 2. Burpsuite
3. Netcat 19. Tcpdump Professional
4. W3af 20. Fimap 3. Nessus
5. Wapiti 21. SwfScan 4. Netsparker
6. Sqlmap 22. Hydra 5. Nexpose
7. Zapproxy 23. John the Ripper 6. IBM
8. Skipfish 24. Ssltest AppScan
9. Wget 25. Sslstrip
10. Cmsexplorer 26. Cain and Abel
11. Joomscan 27. Brutus
12. Backtrack , Kali 28. Airmon -ng
13. Openssl 29. Hping
14. Dirbuster 30. Scapy
15. Wireshark 31. Loki
16. Parosproxy 32. wsfuzzer

10. Outsourcing of Project to External Information Security Auditors / Experts : Yes/No


( If yes, kindly provide oversight arrangement (MoU, contract etc.))

*Information as provided by C-DAC on 24.11.2016

Back
Annexure – A

7. List of technical manpower deployed for information security audits in Government and
Critical sector organizations

S. Name of Duration Experience Qualifications related to Information


No. Employee with C-DAC in security
since Information
Security
1 Murthy.Ch.A.S May, 1999 11+  ISMS LA
 SANS - GAWN
 SANS - GXPN
 CERT-CC Certified Incident Handling,
Forensics Analysis and Network Security
in CMU, USA
2 Eswari PRL Feb 2000 11+  CERT-CC Certified Incident Handling,
Forensics Analysis and Network Security
in CMU, USA
 GREM
3 Indraveni.K July 2005 10+  SANS GWAPT
 SANS Advanced Web Application
Penetration Testing and ethical hacking
4 Himanshu.P Sept 2006 07+  SANS GREM
5 Ravi Kishore Mar-2008 7  GIAC Web Application Penetration Tester
Koppuravuri (GWAPT) from SANS

6 Tatikayala Sai Feb 2007 8.6  GIAC Security Essentials (GSEC)


Gopal
7 C Sireesha Feb-2007 8  GIAC Certified Web Application Defender
(GWEB)

8 Jyostna G Mar 2006 9  GMOB

9 Mahesh Patil Aug-04 8  GREM, ECSA, CEH7

10 Sandeep Sep-2007 8  CISSP


Romana
11 Naushed Tyeb Oct 2008 05+  CCNA
 ECSA
12 Nandeeshwar Oct 2008 05+  CEH , EC-Council
B  ECSA
13 Titto Thomas Sept 2015 0.6  CEH , EC-Council
 ECSA
14 Mallesh May, 1999 2  EC Council Security Analyst
15 Atiya Fatima Feb 2000 1.5  EC Council Security Analyst
 CEH, EC-Council
16 Vamsi Krishna Mar-2008 1.5  EC Council Security Analyst
17 Raghuvaran Feb 2007 1.5  EC Council Security Analyst
18 I L N Rao Feb-2015 1.5  EC Council Security Analyst
19 Rahul Kumar Aug 2011 5  EC Council Security Analyst
20 Sandeep Jan 2014 3  EC Council Security Analyst
Chaparla

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Xiarch Solutions Pvt Ltd

1. Name & location of the empanelled Information Security Auditing Organization :

Xiarch Solutions Pvt. Ltd


352, 2nd floor, Tarun, Opp Kali Mata Mandir, Outer Ring Road,
Pitampura, New Delhi 110034
Ph: 011 -4551 0033, 9810874431
Fax 011 -6617 3033

2. Carrying out Information Security Audits since : 2008

3. Capability to audit , category wise (add more if required)


 Network security audit : Yes
 Cyber Forensics investigations : Yes
 Web-application security audit : Yes
 Wireless security audit : Yes
 Compliance audits (ISO 27001, PCI, etc.) : Yes

4. Information Security Audits carried out in last 12 Months:

Govt. : 2+
PSU : 1+
Private : 7+
Total Nos. of Information Security Audits done : 20+

5. Number of audits in last 12 months , category-wise (Organization can add categories


based on project handled by them)

Network security audit : 5+


Web-application security audit : 7+
Wireless security audit : 1+
Compliance audits (ISO 27001, PCI, etc.) : 2+
Cyber forensics Investigations : 4+
PCI Consulting : 1+

6. Technical manpower deployed for information security audits :

CISSPs : 2
BS7799 / ISO27001 Las : 1
CISAs : 1
DISAs / ISAs : 0
Any other information security qualification : 2
Total Nos. of Technical Personnel : 7+

7. Updated details of technical manpower deployed for information security audits in


Government and Critical sector organizations (attach Annexure if required)

S. No. Name of Duration with Experience in Qualifications related


Employee Xiarch Information to Information
Solutions Pvt. Security security
Ltd
1. Utsav Mittal 6 years 9+ years CISSP, CEH, MS Infosec
Purdue Univ, USA
2. Ashish Chandra 1 Years 1+ year CISE, BSC (IT) , GNIIT,
MCA (pursuing)
3. Vidushi 1.5 years 1.5+ years BTech, CISE
4. Kritika 2 years 1+ years Btech, CISE
5. Alekh Mittal 2 years 2+ years Btech, CISE
8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

 Vulnerability Management for the Largest KPO firm in the world, scope included VA, PT of
over 500 servers, 5000 desktops and over 200 network devices, 10+ web application.
Location encompassed US, Australia, India and UK

 Managing complete IS and compliance service for one of the first and largest NBFC in
india, work included PCI audit, CMMI, ISO 27001, Vulnerability assessment, web app
security, network and wifi security, log management, SIEM and DLP implementation

9. List of Information Security Audit Tools used (commercial/ freeware/proprietary):

 Nmap , Superscan
 Backtrack kali linux Live CD,
 Encase, FTK, Pro discover etc.
 Custom Scripts and tools.
 Metasploit Framework, Netcat , BeEf
 Wireshark – Packet Analyser
 Cisco Netwitness.
 Tenable Nessus
 Rapid7 Nexpose community edition
 Burpsuite
 SQL Map
 Tamper Data
 Directory Buster
 Nikto
 Ettercap
 Paros Proxy
 Webscarab
 Brutus

10. Outsourcing of Project to External Information Security Auditors / Experts : No


( If yes, kindly provide oversight arrangement (MoU, contract etc.))

11. Whether organization has any Foreign Tie-Ups? If yes, give details : No

12. Whether organization is a subsidiary of any foreign based organization?


If yes, give details : No

13. Locations of Overseas Headquarters/Offices, if any : No

*Information as provided by Xiarch Solutions Pvt. Ltd on 23/6/2014

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

RSM Astute Consulting Pvt. Ltd.

1. Name & location of the empanelled Information Security Auditing Organization:


RSM Astute Consulting Pvt. Ltd.

2. Carrying out Information Security Audits since : 2011

3. Capability to audit , category wise (add more if required)


Network security audit (Y/N) : Yes
Web-application security audit (Y/N) : Yes
Wireless security audit (Y/N) : Yes
Compliance audits (ISO 27001, PCI, SOX, etc.) (Y/N) : Yes
IT General Controls : Yes
Vulnerability assessment & Penetration test : Yes
IT infrastructure audit : Yes
Application Pre & Post Implementation Reviews : Yes

4. Information Security Audits carried out in last 12 Months :

Govt. : 0
PSU : 0
Private : 29
Total Nos. of Information Security Audits done : 29

5. Number of audits in last 12 months , category-wise

Network security audit 0


Web-application security audit 1
Wireless security audit 0
Compliance audits (ISO 27001, PCI, etc.) 5
IT General Controls 13
Vulnerability Assessment & Penetration Testing 2
IT Infrastructure Audit 2
Review of Applications Implementation (Both Pre & Post Implementation) 6

6. Technical manpower deployed for information security audits :

CISSPs : 1
BS7799 / ISO27001 LA : 2
CISAs : 3
DISAs / ISAs : 1
CEH : 3
CCNA : 1
Total Nos. of Technical Personnel : 11

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Designation Duration Experience Qualifications related to


No. with RSM in Information security
Astute Information
Consulting Security
Master – IT, CISA, CISP, CISSP,
CIISA, SAP-Net Weaver
1 Director < 1 year 15 years
Security Certification, IS0
22301 Lead Implementor, ESCA
2 Director < 1 year 9 years CISA
3 General Manager < 1 year 5 years CISA
Asst. General ACL Governance, Risk &
4 < 1 year 9 years
Manager Compliance certificate
Masters-Computer
5 Sr. Manager < 1 year 12 years
Management, ITIL
6 Sr. Manager 15 years 15 years CEH, CCNA, MCSE, Diploma-IT
BCA, CISA, ISO 27001-2013,
7 Sr. Manager < 1 year 22 years
ISO 9001:2015, COBIT5:2012
8 Consultant 1 year 12 years PGBDM-IT, ISO 27001
9 Asst. Manager 6.5 years 12 years MBA - IT
10 Asst. Manager 2 years < 1 year CISA
CEH, ME (IT), BE (CS), RHCSA-
11 Officer < 1 year < 1 year
Linux RHEL 7

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

 Review of Management Systems & Processes (Information Technology & Risk


Management) for Investment Function for one of the largest Indian Private Sector General
Insurance Company. The assignment scope of work covered the following:

 Application Review
 Security Policy & Implementation
 Risk Management
 Capacity Management
 Disaster Recovery, Back-up and Contingency Planning
 Internal Vulnerability Assessment etc.

 The assignment was performed at Mumbai with a team comprising of Information


Technology Technical Experts team and Insurance Domain Functional Expert team from
our BFSI Group.

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

 Nessus Professional Burp Suite


 Acunetix
 Nmap
 Wireshark Backtrack
 Metasploit OpenSSL Winaudit NetCat
 Nipper
 Appscan
 SQLmap
 OWASPZAP
 Fortify Static Code Analyzer.

10. Outsourcing of Project to External Information Security Auditors / Experts: Yes/No NA

(If yes, kindly provide oversight arrangement (MoU, contract etc.))

*Information as provided by RSM Astute Consulting Pvt Ltd. on 30th November 2016.

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Qadit Systems & Solutions Pvt Ltd

1. Name & location of the empanelled Information Security Auditing Organization :


Qadit Systems & Solutions Pvt Ltd, Chennai

2. Carrying out Information Security Audits since : 2002

3. Capability to audit , category wise (add more if required)


 Network security audit (Y/N) : Yes
 Web-application security audit (Y/N) : Yes
 Wireless security audit (Y/N) : Yes
 Compliance audits (ISO 27001, PCI, etc.) (Y/N) : Yes

4. Information Security Audits carried out in last 12 Months :

Govt. : 1
PSU : 21
Private : 86
Total Nos. of Information Security Audits done : 108

5. Number of audits in last 12 months , category-wise (Organization can add categories based
on project handled by them)

Network security audit: 19


Web-application security audit: 28
Mobile-application security audit: 2
Full IT Audit: 36
Migration Audit: 1
Security Consulting: 7
Compliance audits (ISO 27001, PCI, etc.): 15

6. Technical manpower deployed for information security audits :

CISSPs : 2
BS7799 / ISO27001 LAs : 3
CISAs : 6
DISAs / ISAs : 9
Any other information security qualification : -
Total Nos. of Technical Personnel : 9

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Employee Duration with Experience in Qualifications related


No. Qadit Systems Information Security to Information security
1 V. Vijayakumar 15 years 15 years CISA, ISMS LA, ISA,
CEH
2 Mahesh Balan 15 years 15 years CISA, ISMS LA, ISA,
CEH
3 Thangam Prakash 12 years 12 years CISA, CISSP
4 N. Swameshwar 12 years 12 years CISSP, ISA, CEH
5 Sanjay Kadel 12 years 12 years CISA, ISA
6 R. Narayanan 12 years 12 years CISA, CIA
7 R. Ramesh 12 years 12 years CISA, CISM, LA, CPISI
8 B Lokaraj 6 mths 8 years CISA
9 G. Guru 3 years 5 years CISA
Santhanam

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.
Client : A project for Government of Tamilnadu
Scope: Information System Security Audit, Developing Security Policy & Procedures,
Application Software Audit
Coverage: all municipalities across Tamilnadu
Project Value: Rs. 27 lakhs

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

Proprietary
NsVulnAssessor
Ora DBSecAssessor
MSSQL DBSecAssessor
Router Config security assessor scripts

Commercial
Tenable Nessus Professional Edition

Open Source / Freeware

Achilles Hydra Owasp Mantra


Aircrack-Ng IronWASP Paros Proxy
BackTrack/ KaliLinux John the Pwdump
Ripper
Brutus Lynis Snort
Cain and Able Maltego w3af
DOMTools Metasploit Webinspect
Community
Edition
Dsniff NetCat WebScarab
Firewalk Netstumbler Whisker
Hping Nikto Wikto
HTTPrint Nmap Wireshark
HTTrack OpenVAS

10. Outsourcing of Project to External Information Security Auditors / Experts : No


( If yes, kindly provide oversight arrangement (MoU, contract etc.))

*Information as provided by Qadit Systems & Solutions Pvt Ltd on 29th Nov 2016

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Varutra Consulting Private Limited

1. Name & location of the empanelled Information Security Auditing Organization:

Varutra Consulting Private Limited


Corporate Office:
A-302 & A-303, Oxy Primo,Gate No. 599, Bakori Phata,
Pune-Nagar Highway,Opp. Jain College,
Wagholi, Pune-412207, MH, India.

2. Carrying out Information Security Audits since : 2012

3. Date of empanelment by CERT-In:

4. Capability to audit, category wise (add more if required)


Network security audit (Y/N) - Yes
Web-application security audit (Y/N) - Yes
Wireless security audit (Y/N) - Yes
Compliance audits (ISO 27001, PCI, etc.) (Y/N) - Yes

5. Information Security Audits carried out in last 12 Months:


Govt. : <3>
PSU : <>
Private : <22>
Total Nos. of Information Security Audits done : 25

6. Number of audits in last 12 months, category-wise (Organization can add categories based
on project handled by them)

Network security audit : <10>


Web-application security audit : <6>
Wireless security audit : <2>
Compliance audits (ISO 27001, PCI, etc.) : <3>
Source Code Review : <5>
Managed Security Services : <1>
Cloud Security Assessment : <4>
Mobile Application Security (iOS, Android, Windows) : <5>
Software Product Security Testing : <1>

7. Technical manpower deployed for information security audits:


CISSPs : <1> - Appeared
BS7799 / ISO27001 LAs : <2>
CISAs : <number of>
DISAs / ISAs : <number of>
Any other information security qualification: <7 – Certified Ethical Hackers from EC
Council, 1CHFI, 1 CISP, 1 ECSA from EC-Council>
Total Nos. of Technical Personnel 11
8. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

Duration Experience in
S. Name of Qualifications related to
with Information
No. Employee Information security
<Varutra> Security
Masters in Computer
Mr. Kishor 2 years 8 Science, Certified Ethical
1 10+ years
Sonawane months Hacker, ISO 27001 – Lead
Auditor
Bachelor in Computer
Science, CEH, CHFI,CCSA,
2 Mr. Omkar Joshi 2 months 2 years
CISP and ISO 27001 Lead
Auditor
Mr. Jeevan 1 year 10 BE (Computer Science),
3 2 years
Dahake month CSLLP- Appeared
BE (Computer
1 year 10
4 Mr. Snehal Raut 1 year 10 months Science),Certified Ethical
month
Hacker
BE (Computer
1 year 6
5 Mr. Sachin Wagh 2 years Science),Certified Ethical
months
Hacker
BE (Computer
Mr. Chetan
6 2 years 2 years Science),Certified Ethical
Gulhane
Hacker

9. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

Network and Applications (Mobile + Web) Security Assessment consisting of more than 1,200
IP addresses for network level vulnerability assessment and penetration testing, 20 web and
mobile applications for MCIT (Ministry of Communications and Information Technology,
Kingdom of Saudi Arabia).

Complexity: High. This was the complex project as the assessment included security testing
and hacking of various types and platforms of servers such as Windows, Linux, Unix, MSSQL
Databases, MySQL Databases, Oracle Databases, DB2 Databases, VOIP, Network Sniffing,
Wireless Network Pentest, VLAN Hopping and Hacking , Application Security Testing for Web
Applications and Mobile Application of Android, iOS and Windows platforms, Web Services ,
Social Engineering etc.

At present conducting source code review, threat modeling, SDLC review for 10 web and
mobile applications for the same client.

10. List of Information Security Audit Tools used (commercial/ freeware/proprietary):


Commercial Tools
Vulnerability Assessment & Penetration Testing – Rapid 7 Nexpose, Nessus,
QualysGuard, GFI Languard, etc.

Application Security Assessment – IBM Appscan, HP WebInspect, Burpsuite, Acunetix


WVS, NTOSpider, etc.

Freeware Tools
Vulnerability Assessment & Penetration Testing – Nessus, Nmap, OpenVAS, MBSA,
Nipper, KaliLinux, BackTrack, AirCrack, Helix (Forensics) etc.
Application Security Assessment – W3af, Nikto, BurpSuite, FireBug, SQLMap, N-
Stalker, WebScarab, Powerfuzzer, etc.

Proprietary Tools
MVD - Mobile Vulnerability Database, provides mobile operating system level
vulnerabilities for Android, iOS, Blackberry and Windows platforms.

MASTS - Mobile Application Security Testing Suite: Security Testing Suite for android
mobile applications.

11. Outsourcing of Project to External Information Security Auditors / Experts: Yes/No (If yes,
kindly provide oversight arrangement (MoU, contract etc.))

Yes, NDA (Non Disclosure Agreement getting signed between the two parties before
outsourcing any project to external experts.

12. Whether organization has any Foreign Tie-Ups? If yes, give details : No

13. Whether organization is a subsidiary of any foreign-based organization?


If yes, give details : No

14. Locations of Overseas Headquarters/Offices, if any : No

rd
*Information as provided by Varutra Consulting Private Limited on on 3 Nov 2015

BacK
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Varutra Consulting Private Limited

1. Name & location of the empanelled Information Security Auditing Organization:

Varutra Consulting Private Limited


Corporate Office:
A-302 & A-303, Oxy Primo,Gate No. 599, Bakori Phata,
Pune-Nagar Highway,Opp. Jain College,
Wagholi, Pune-412207, MH, India.

2. Carrying out Information Security Audits since : 2012

3. Date of empanelment by CERT-In:

4. Capability to audit, category wise (add more if required)


Network security audit (Y/N) - Yes
Web-application security audit (Y/N) - Yes
Wireless security audit (Y/N) - Yes
Compliance audits (ISO 27001, PCI, etc.) (Y/N) - Yes

5. Information Security Audits carried out in last 12 Months:


Govt. : <3>
PSU : <>
Private : <22>
Total Nos. of Information Security Audits done : 25

6. Number of audits in last 12 months, category-wise (Organization can add categories based
on project handled by them)

Network security audit : <10>


Web-application security audit : <6>
Wireless security audit : <2>
Compliance audits (ISO 27001, PCI, etc.) : <3>
Source Code Review : <5>
Managed Security Services : <1>
Cloud Security Assessment : <4>
Mobile Application Security (iOS, Android, Windows) : <5>
Software Product Security Testing : <1>

7. Technical manpower deployed for information security audits:


CISSPs : <1> - Appeared
BS7799 / ISO27001 LAs : <2>
CISAs : <number of>
DISAs / ISAs : <number of>
Any other information security qualification: <7 – Certified Ethical Hackers from EC
Council, 1CHFI, 1 CISP, 1 ECSA from EC-Council>
Total Nos. of Technical Personnel 11
8. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

Duration Experience in
S. Name of Qualifications related to
with Information
No. Employee Information security
<Varutra> Security
Masters in Computer
Mr. Kishor 2 years 8 Science, Certified Ethical
1 10+ years
Sonawane months Hacker, ISO 27001 – Lead
Auditor
Bachelor in Computer
Science, CEH, CHFI,CCSA,
2 Mr. Omkar Joshi 2 months 2 years
CISP and ISO 27001 Lead
Auditor
Mr. Jeevan 1 year 10 BE (Computer Science),
3 2 years
Dahake month CSLLP- Appeared
BE (Computer
1 year 10
4 Mr. Snehal Raut 1 year 10 months Science),Certified Ethical
month
Hacker
BE (Computer
1 year 6
5 Mr. Sachin Wagh 2 years Science),Certified Ethical
months
Hacker
BE (Computer
Mr. Chetan
6 2 years 2 years Science),Certified Ethical
Gulhane
Hacker

9. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

Network and Applications (Mobile + Web) Security Assessment consisting of more than 1,200
IP addresses for network level vulnerability assessment and penetration testing, 20 web and
mobile applications for MCIT (Ministry of Communications and Information Technology,
Kingdom of Saudi Arabia).

Complexity: High. This was the complex project as the assessment included security testing
and hacking of various types and platforms of servers such as Windows, Linux, Unix, MSSQL
Databases, MySQL Databases, Oracle Databases, DB2 Databases, VOIP, Network Sniffing,
Wireless Network Pentest, VLAN Hopping and Hacking , Application Security Testing for Web
Applications and Mobile Application of Android, iOS and Windows platforms, Web Services ,
Social Engineering etc.

At present conducting source code review, threat modeling, SDLC review for 10 web and
mobile applications for the same client.

10. List of Information Security Audit Tools used (commercial/ freeware/proprietary):


Commercial Tools
Vulnerability Assessment & Penetration Testing – Rapid 7 Nexpose, Nessus,
QualysGuard, GFI Languard, etc.

Application Security Assessment – IBM Appscan, HP WebInspect, Burpsuite, Acunetix


WVS, NTOSpider, etc.

Freeware Tools
Vulnerability Assessment & Penetration Testing – Nessus, Nmap, OpenVAS, MBSA,
Nipper, KaliLinux, BackTrack, AirCrack, Helix (Forensics) etc.
Application Security Assessment – W3af, Nikto, BurpSuite, FireBug, SQLMap, N-
Stalker, WebScarab, Powerfuzzer, etc.

Proprietary Tools
MVD - Mobile Vulnerability Database, provides mobile operating system level
vulnerabilities for Android, iOS, Blackberry and Windows platforms.

MASTS - Mobile Application Security Testing Suite: Security Testing Suite for android
mobile applications.

11. Outsourcing of Project to External Information Security Auditors / Experts: Yes/No (If yes,
kindly provide oversight arrangement (MoU, contract etc.))

Yes, NDA (Non Disclosure Agreement getting signed between the two parties before
outsourcing any project to external experts.

12. Whether organization has any Foreign Tie-Ups? If yes, give details : No

13. Whether organization is a subsidiary of any foreign-based organization?


If yes, give details : No

14. Locations of Overseas Headquarters/Offices, if any : No

rd
*Information as provided by Varutra Consulting Private Limited on on 3 Nov 2015

BacK
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Cyber Security Works Pvt. Ltd.

1. Name & location of the empanelled Information Security Auditing Organization:

Cyber Security Works Pvt. Ltd


No.3, III – Floor, E- Block, 599, Anna Salai
Chennai – 600 006.

2. Carrying out Information Security Audits since : 2008

3. Capability to audit, category wise (add more if required)

 Network Vulnerability Assessment / Audit : Yes


 Web-application security Assessment / Audit (Y/N) : Yes
 Wireless security audit (Y/N) : Yes
 Compliance audits (ISO 27001, PCI, etc.) (Y/N) : Yes
 SDLC Review and Code Security Review : Yes
 Application Penetration Testing : Yes
 Network Penetration Testing : Yes
 Information Security policy review, development and assessment : Yes
 Mobile application security audit : Yes

4. Information Security Audits carried out in last 12 Months:

Govt. : 43
PSU : 0
Private : 151
Total Nos. of Information Security Audits done : 194

5. Number of audits in last 12 months, category-wise

Network security audit : 15


Web-application security audit : 178
Wireless security audit : 2
Mobile application security audit : 1
Compliance audits (ISO 27001, PCI, etc.) : 1

6. Technical manpower deployed for information security audits:

CISSPs : 1
BS7799 / ISO27001 LAs : 4
CISAs : 1
DISAs / ISAs : 0
Any other information security qualification : 4
Total Nos. of Technical Personnel : 13
7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Employee Duration Experience in Qualifications related to


No. with CSW Information Security Information security
7.6 years CISA, CISSP, ISO Lead
1. Sridhar Krishnamurthi 17.6 years Auditor
2. Ravi Pandey 5.3 years 6.4 years B. Tech, ISO Lead Auditor
3. Ramesh Gunnam 4.5 years 4.5 years ISO Lead Auditor
4. Arjun Basnet 2.10 Years 2.10 years BCA, CEH
5. Sathish Kumar 2.9 Years 2.9 Years B.E, CEH
2.5 Years B. Tech, CCNA, CCNA
6. Vengatesh Nagarajan 2.5 Years Security
7. Raghunadha Reddy Poli 1.7 Years 1.7 Years MCA, CEH
8. Satya Suvarna Bonthala 1.3 Years 1.3 Years MCA
9. Maheswari Dereddy 1.3 Years 1.3 Years MCA

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

Vulnerability assessment and Penetration testing of network infrastructure and web


applications for a large Financial Services Company with offices across 68 Locations in India.
(We cannot declare the name of organization as we have NDA singed with them)

Complexity: Project involved of Network Security Review, Internal and External Vulnerability
Assessment and Penetration Testing, Security Configuration Review, Physical Security
Review, Application Penetration Testing, Risk Assessment, Polices and Procedures Review.

9. List of Information Security Audit Tools used (commercial/ freeware/proprietary):

Commercial Tools
Acunetix
Nessus
Nexpose
Burp Suite Pro

Proprietary
Risk sense - Vulnerability management tool for Network infrastructure and web application.
Vapsploit - Data mining tool for Network infrastructure assessment.

Freeware Tools:

Nmap
Netcat
Snmp Walk
Metasploit
Kali Linux
Santoku
Paros
Brutus
Nikto
Firewalk
Dsniff
SQL Map
John the ripper
Paros
Wikto
Ethereal
Netcat
Openvas
W3af
OWASP Mantra
Wireshark
Ettercap
Aircrack – Ng
Cain & Abel
Ironwasp
OWASP Xenotix
Fiddler
Tamperdata
Social Engineering Toolkit

10. Outsourcing of Project to External Information Security Auditors / Experts: NO


(If yes, kindly provide oversight arrangement (MoU, contract etc.)

*Information as provided by Cyber Security Works Pvt. Ltd on 28.11.2016

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Deccan Infotech Pvt. Ltd.

1. Name & location of the empanelled Information Security Auditing Organization :

DECCAN INFOTECH (P) LTD


NO.13A, JAKKASANDRA BLOCK.
7THCROSS. KORAMANGALA
BENGALURU - 560034

2. Carrying out Information Security Audits since : <1996>

3. Capability to audit , category wise (add more if required)

 Network security audit (Y/N) : YES


 Web-application security audit (Y/N) : YES
 Wireless security audit (Y/N) : YES
 Compliance audits (ISO 27001, PCI, etc.) (Y/N) : YES

4. Information Security Audits carried out in last 12 Months:

Govt. : <03>
PSU : <07>
Private : <90>
Total Nos. of Information Security Audits done : 100

5. Number of audits in last 12 months , category-wise (Organization can add categories


based on project handled by them)

Network security audit : <30>


Web-application security audit : <50>
Wireless security audit : <10>
Compliance audits (ISO 27001, PCI, etc.) : <05>

6. Technical manpower deployed for informationsecurity audits :

CISSPs : <00>
BS7799 / ISO27001 LAs : <10>
CISAs : <05>
DISAs / ISAs : <00>
Any other information security qualification:
CEH, CHFI, CFE, M.Tech (Information Security), MCSP, CISM, CRISC,
C|CISO
Total Nos. of Technical Personnel : 24

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Duration Experience in Qualifications


No. Employee with DIPL Information related to
Security Information security
1. Dilip Hariharan 21 21 years CRISC, CISM, CISA,
C|CISO, CEH, CHFI,
CFE, BS 7799 Lead
Auditor, BS 7799
Implementer
2. Karthik V 4 5 years M.Tech (Information
Security, CEH, MCP)
3. Raja H 4 4 years ISO 27001 LA,
Software testing,
4. Venkata Ramana 2 7 years ISO 27001 Lead
Gudluru implementer
5. Ramanan G 2 02 years ISO 27001 Lead
implementer,
6. Sowrirajan K 3 10+ years CEH, MS (Cyber Law &
Information Security)

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

 Network Security Audit (VAPT) and Audit of Web applications and devices of a major
Insurance company for Rs. 1+ crores.
 Consultancy for ISO 27001:2013 for a US based Platform Services company for over
75 Lakhs
 Consultancy for ISO 27001:2013 for a private Sector Bank in India for over 50 Lakhs

9. List of Information Security Audit Tools used(commercial/ freeware/proprietary):

1. Burp Suite
2. NMAP
3. Hping3
4. John The Ripper
5. NetCat
6. PW DUMP
7. WireShark
8. OWASP ZAP
9. KALI Linux
10. Rapid7
11. Acunetix
12. TCP Dump
13. Nessus
14. Brutus
15. Metasploit
16. Mozilla Tools for web app audits
17. Fiddler
18. Dir buster
19. Nipper
20. Nikto
21. W3AF
22. SQL tools

10. Outsourcing of Project to External Information Security Auditors / Experts : NO


( If yes, kindly provide oversight arrangement (MoU, contract etc.))

*Information as provided by <Deccan Infotech (P) Ltd > on <07-02-2017>

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Security Brigade InfoSec Pvt. Ltd.

1. Name & location of the empanelled Information Security Auditing Organization :

Security Brigade InfoSec Private Limited

2. Carrying out Information Security Audits since : 2006

3. Capability to audit , category wise (add more if required)

 Network security audit : Yes


 Web-application security audit : Yes
 Wireless security audit : Yes
 Compliance audits (ISO 27001, PCI, etc.) : Yes

4. Information Security Audits carried out in last 12 Months :

Govt. : 20+
PSU : 2+
Private :
1000+
Total Nos. of Information Security Audits done :
1022+

5. Number of audits in last 12 months , category-wise (Organization can add categories


based on project handled by them)

Network security audit : 300+


Web-application security audit : 700+
Wireless security audit : 15+
Compliance audits (ISO 27001, PCI, etc.) : 7+

6. Technical manpower deployed for information security audits :

CISSPs : 2+
BS7799 / ISO27001 LAs : 2+
CISAs : 2+
DISAs / ISAs : -
Any other information security qualification : 20+
Total Nos. of Technical Personnel : 25+

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Duration with Experience in Qualifications


No. Employee <organization> Information related to
Security Information
security
1. YK 10 15 ECCPT
2. CJ 6 6 ECCPT
3. YS 8 10 ECCPT, ISMS LA, CEH,
CISSP
4. SZ 8 10 ECCPT, ISMS LA, CEH,
CISSP
5. SJ 4 6 ECCPT, OSCP
6. AG 2 6 ECCPT
7. MF 2 3 ECCPT

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

200+ Audits, Combination of Network Security, Application Security, Mobile Application


Security, Risk Assessments, Pan-India + 5 Global Locations, 1 Crore+

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

Information Gathering

- Bile-Suite
- Cisco torch
- SpiderFoot
- W3af
- Maltego
- SEAT
- In-House sdFinder
- … and 50 other tools

Port Scanning

- Nmap
- In-House networkMapper
- Amap
- Foundstone
- hPing
- ... and 30 other tools

Application Security Assessment

- In-House webSpider
- In-House webDiscovery
- In-House webTester
- Achilles
- Sandcat
- Pixy
- W3af
- Nikto
- Paros
- … and 100 other tools

Threat Profiling & Risk Identification

- In-House Risk Assessment


- … and 5 other tools

Network & System Vulnerability Assessment

- Metasploit
- Nessus
- SAINT
- Inguma
- SARA
- Nipper
- GFI
- Safety-Lab
- Firecat
- Owasp CLASP
- Themis
- In-house VAFramework
- … and 30 other tools
Exploitation

- Saint
- SQL Ninja
- SQL Map
- Inguma
- Metasploit
- … and 100 other tools

Social Engineering

- Social-Engineering Toolkit (SET)


- Firecat
- People Search
- … and 10 other tools

Privilege Escalation

- Cain & Abel


- OphCrack
- Fgdup
- Nipper
- Medusa
- Lynix
- Hydra
- … and 40 others

Commercial Tools

- Nessus Commercial
- Burp Suite

10. Outsourcing of Project to External Information Security Auditors / Experts : No


( If yes, kindly provide oversight arrangement (MoU, contract etc.))

*Information as provided by Security Brigade InfoSec Private Limited on 6/12/2016

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Payatu Technologies Pvt Ltd.

1. Name & location of the empanelled Information Security Auditing Organization :

Payatu Technologies Pvt Ltd,


502 Tej House, 5 MG Road, Camp, Pune - 411001

2. Carrying out Information Security Audits since : 2011

3. Capability to audit , category wise (add more if required)

 Network security audit : (Y/N)


 Web-application security audit : (Y/N)
 Wireless security audit : (Y/N)
 Mobile Application Audit
 IoT (Internet of Things) product security audit :
 ICS/SCADA security audit :
 Cloud Infrastructure security audit :
 Crypto Implementation security audit :
 Code Review :

4. Information Security Audits carried out in last 12 Months :

Govt. : 0
PSU : 2
Private : 20+
Total Nos. of Information Security Audits done : 30+

5. Number of audits in last 12 months , category-wise (Organization can add categories


based on project handled by them)

Network security audit : 5+


Web-application security audit : 20+
Wireless security audit : 3
Mobile Application Audit : 20+
IoT (Internet of Things) product security audit : 5+
Code Review : 10+

6. Technical manpower deployed for information security audits :

SANS GWAPT : 1
OPSE : 1
CEH : 10
ECSA : 1
ITIL : 1
Any other information security qualification : -
Total Nos. of Technical Personnel : 15

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Duration with Experience in Qualifications related


No. Employee <organization> Information Security to Information
security
8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

Greenfield security implementation and Infrastructure security audit for one of the NGO. We
architected & implemented a complete security program encompassing infrastructure,
operations, security response ability and competency development to make the Organization
skilled enough to sustain and address the future security needs. Project value USD 150000.

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

Information Gathering
1. Dnsenum
2. Fierce domain scan
3. Dig
4. Whois
5. Wget
6. Google Advanced search

Mapping
1. Nmap
2. Scapy
3. Ike-scan
4. Superscan
5. Dirbuster
6. Openssl
7. THC SSLCheck
8. Sslscan
9. Netcat
10. Traceroute
11. Snmpcheck
12. Smtpscan
13. Smbclient
14. Wireshark
15. Web Browser

Vulnerability Assessment
1. Nessus Professional
2. Openvas
3. Skipfish
4. Ratproxy
5. IronWASP
6. Grendel scan
7. Web securify
8. Burp suite professional
9. Paros Proxy
10. SOAPUI

Exploitation
1. Custom python script
2. W3af
3. Metasploit
4. Sqlmap
5. Sqlninja
6. BeEF Framework
7. Hydra

10. Outsourcing of Project to External Information Security Auditors / Experts: No


(If yes, kindly provide oversight arrangement (MoU, contract etc.))

*Information as provided by Payatu Technologies Pvt Ltd on 08-February-2017

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Suma Soft Pvt. Ltd.

1. Name & location of the empanelled Information Security Auditing Organization :

Suma Soft Pvt. Ltd.


"Suma Center", 2nd Floor,
Opp. Himali Society, Erandawane,
Pune, Maharashtra – 411 004.
Tel: +91- 20 - 40130700, +91- 20 - 40130400
Fax: +91- 20 - 25438108

2. Carrying out Information Security Audits since : 2008

3. Capability to audit , category wise (add more if required)

 Network Security Audit : Yes


 Web Application Security Audit : Yes
 Web Application Penetration Testing : Yes
 Network Penetration Testing : Yes
 Wireless Security Audit : Yes
 Compliance Audits (ISO 27001, PCI, BCMS, SOX etc.) : Yes
 Compliance - IT Audits
(Based on guidelines issued by RBI, IRDA, SEBI, Stock Exchanges) : Yes
 Digital Forensic Investigations : Yes

4. Information Security Audits carried out in last 12 Months:

Govt. : 13
PSU : 1
Private : 2
Total Nos. of Information Security Audits done : 16

5. Number of audits in last 12 months , category-wise (Organization can add categories


based on project handled by them)

Network security audit : 3


Web-application security audit : 14
Web Site Security audit : 15
Wireless security audit : 0
Compliance audits (ISO 27001, PCI, etc.) : 3

6. Technical manpower deployed for information security audits :

CISSPs : -
BS7799 / ISO27001 LAs : 3
CISAs : 4
CEH : 2
CEH, ECSA : 2
DISAs / ISAs : 1
Any other information security qualification:
CCSE, CCI, ACE, ITIL, RHCE, CCNA, MCP, OCP,
Total Nos. of Technical Personnel : 16

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Duration Experience in Qualifications related to


No. Employee with Suma Information Information security
Soft Security
Surendra
1. 16 14 FCA,CISA,DISA
Brahme
2. C Manivannan 16 14 CISA
Milind
3. 4.6 12 CISA, ACE, CCNA,CSQP
Dharmadhikari
CISA,ISO27001LA,ITIL,RHCE,Sun
4. Anil Waychal 15 11
Solaris
CEH, ECSA, IBM Certified
5 Sumit Ingole 3 4
Specialist - Rational AppScan
6 Narendra Bhati 3 4 CEH
Praveen
7 1 1 CEH, ECSA
Gauttam
8 Varun Mehata .1 .1 CEH
9 Kalidas Yenpure 5 4 MCP
10 Santosh Harne 4 3 RHCE, MCP
11 Rameshwar 3 2
CCNA, CCNP
Wadghane
12 Manik Mhangare 5 RHCE
13 Mayur Bhagwan 1 0.5
CCNA
Shirsath
14 Pankaj Shripati 1 0.5
CCNA
Chaugule
15 Chirag Singhal 1 0.5 CCNA
16 Shrikan 1 0.5
CCNA
Bhadkwan

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) Along with project value.

 Client: Gujarat Informatics Ltd.


Type of Audit: Security Audit of 450 websites and 12 applications hosted in
State Data Center
Scope of Work: The scope of our audit included review of following areas –
 Conduct Vulnerability Assessment and Penetration Testing
 Tests vulnerabilities in web sites and applications to ensure that all the
false positives and inaccuracies are removed.
 Analyze and execute advanced testing techniques against all verified
vulnerabilities in order to penetrate through the web based application.
 Discussion with the developers on vulnerabilities identified and
suggesting remediation in the source code
 Perform re-testing after receiving confirmation from the developers on
fixing of issues
 Finalization of report and submission of the same to the client
management.

IT Environment: 450+ Websites, 10+ Web applications


Contract value – Cannot disclose due to confidentiality

 Client: Export Credit Guarantee Corporation (ECGC) of India


Type of Audit: IS Audit
Scope of Work: The scope of our audit included review of following areas –

 IT Policy and its implementation


 Application Management – Development & Maintenance, Logical
Security and System Controls
 IT Infrastructure Management
 Database Review
 Backup and recovery practices
 Network Review
 IT Asset Management
 Physical Security & Environmental Controls

IT Environment: 36 Servers, 2 Firewalls, 4 routers, 150 ISDN modems,


Application portal with more than 10
modules
Contract value – Cannot disclose due to confidentiality

 Client: GIC of India (GIC Re)

Type of Audit: IT Security Audit & IPv6 Compliance Audit


Scope of Work: The scope of our audit included review of following areas –
 Review of existing IT Policies and Procedures
 DC Infrastructure & Network, Software License compliance
 DR Site Visit
 Applications
 LAN Infrastructure (GIC HO)
 Security Infrastructure
 Security Incidences
 Risk Assessment
 Vulnerability Assessment / Penetration Test and Desktop Security
Scanning
 Formulation of BRP/DRP framework
 Preparation of Statement of Applicability
 Formulation of IT Security Policy
 Training & Awareness
 IP v6 Compliance Audit

IT Environment: 40+ Servers, 6 Firewalls, 3 routers, 16 Edge Switches, 10 Distribution


Switches, 2 Core Switches, 2 SAN Switches, 4 Business Applications, 500+ Desktops, 100
Laptops

Contract value – Cannot disclose due to confidentiality

 Client: Kolhapur Municipal Corporation (KMC)


Type of Audit: IS Audit, Network Audit and Web Application Audit
Scope of Work: The scope of our audit included review of following areas –

 Review of existing IT Policies and Procedures


 DC Infrastructure & Network, Software License compliance
 DR Site Visit
 Applications
 LAN Infrastructure (KMC)
 Security Infrastructure
 Risk Assessment
 Vulnerability Assessment / Penetration Test and Desktop Security
Scanning
 Conduct Vulnerability Assessment and Penetration Testing
 Tests vulnerabilities in web sites and applications to ensure that all the
false positives and inaccuracies are removed.
 Analyze and execute advanced testing techniques against all verified
vulnerabilities in order to penetrate through the web based application.
 Discussion with the developers on vulnerabilities identified and
suggesting remediation in the source code
 Perform re-testing after receiving confirmation from the developers on
fixing of issues
 Finalization of report and submission of the same to the client
management.

IT Environment: 12 Servers, 4 Firewalls, 10 routers, 100 modems, 350+ IP address,


Application portal with more than 36 modules

Contract value – Cannot disclose due to confidentiality

 Client: Principal Controller of Defence Accounts (PCDAO)


Type of Audit: IS Audit, Network Audit and Web Application Audit
Scope of Work: The scope of our audit included review of following areas –

 Review of existing IT Policies and Procedures


 DC Infrastructure & Network, Software License compliance
 Applications
 LAN Infrastructure (KMC)
 Security Infrastructure
 Risk Assessment
 Vulnerability Assessment / Penetration Test and Desktop Security
Scanning

 Conduct Vulnerability Assessment and Penetration Testing


 Tests vulnerabilities in web sites and applications to ensure that all the
false positives and inaccuracies are removed.
 Analyze and execute advanced testing techniques against all verified
vulnerabilities in order to penetrate through the web based application.
 Discussion with the developers on vulnerabilities identified and
suggesting remediation in the source code
 Perform re-testing after receiving confirmation from the developers on
fixing of issues
 Finalization of report and submission of the same to the client
management.

IT Environment: 8 Servers, 1 Firewalls, 4 routers, 250+ IP address, Application portal with


more than 10 modules

Contract value – Cannot disclose due to confidentiality

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

Commercial

 IBM AppScan
 Burp Suite Pro
 Nessus
 Acunetix
 Netsparker
Freeware

 Kali Linux
 Metasploit
 Sqlmap

10. Outsourcing of Project to External Information Security Auditors / Experts: No


( If yes, kindly provide oversight arrangement (MoU, contract etc.))

No. We do not outsource our engagements to external consultants. However, we engage


known external consultants / experts in the field of information Security to work alongside
our team based on specific skills required for the engagement. Project Management and
delivery of the engagement is done by Suma Soft.

For this purpose, we use Confidentiality and Non-Disclosure Agreements before engaging the
consultants for assignments with defined scope of work and with clear knowledge of the
client. Also the consultants need to adhere to IT Security and other Policies of Suma Soft and
also of the client during the course of the engagement.

*Information as provided by Suma Soft Pvt. Ltd. on 24-November-2016

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

AGC Network

1. Name & location of the empanelled Information Security Auditing Organization :

AGC Network,
2nd Floor, Equinox Business Park,
Tower 1, (Peninsula Techno Park)
Off Bandra Kurla Complex, LBS Marg
Kurla (West) Mumbai – 400070.

2. Carrying out Information Security Audits since : 2002

3. Capability to audit , category wise (add more if required)

 Network security audit (Y/N) : Yes


 Web-application security audit (Y/N) : Yes
 Wireless security audit (Y/N) : Yes
 Compliance audits (ISO 27001, PCI, etc.) (Y/N) : Yes

4. Information Security Audits carried out in last 12 Months :

Govt. : 1
PSU : 1
Private : 6
Total Nos. of Information Security Audits done : 8

5. Number of audits in last 12 months , category-wise (Organization can add categories based
on project handled by them)

Network security audit : -


Web-application security audit : 8
Wireless security audit : -
Compliance audits (ISO 27001, PCI, etc.) : 8

6. Technical manpower deployed for information security audits :

CISSPs : -
BS7799 / ISO27001 LAs : 10
CISAs : 3
DISAs / ISAs : --
Any other information security qualification -CEH : 10
Total Nos. of Technical Personnel : 25

7. Details of technical manpower deployed for information security audits in Government and Critical
sector organizations (attach Annexure if required)

Duration Experience in
S. Name of Qualifications related to
with Information
No. Employee Information security
Organization Security
1 Atul Khatavkar 7 Years 23 Years CISA, CRISC
2 Prashant Ketkar 7 Years 18 Years ECSA, CEH, ISO27001LA
3 Sachin Ratnakar 7 Years 18 Years CISA,ISO27001LA,BS2599LA
4 Kris Coutinho 6 Years 6 Years CISM
5 Shivkumar Singh 10 months 4 Years CCNA, CEH, McAfee SIEM
Satya Narayan
6 Yadav 1.6 months 6 Years CCNA, McAfee SIEM
7 Arnold Antony 11 months 2.11 years OSCP, CEH
8 Aakanksha Deo 1.8 Years 1.8 Years CEH
9 Imdadullah M 1.0 Years 4 years
10 Delmin Davis 1.8 years 3.8 years CCNA, CEH
11 Kamlakar Kadam 1.8 Years 1.8 Years Solarwind CP
12 Sunil Sahu 1.8 Years 1.8 Years
13 Sandip Bobade 11 months 1.11 years
14 Satyajeet Darjee 3 months 3.6 years
15 Sadanand Jadhav 4 months 2 Years
16 Omkar Patil 1 month 2.5 Years CEH, Qualys
17 Aniruddha Gurav 4 months 4 months CEH
18 Ganesh Patil 4 months 4 months CEH
19 Priyanka Malusare 3 months 3 months CEH
20 Harsh Shah 3 months 3 months CEH
21 Faisal Shaikh 3 months 3 months CEH
22 Reena Bhoyar 2 months 2 months

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations etc.)
along with project value.

I & M Bank - US$ 50000 – 2 locations – SIEM Implementation

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

Accunetix WAS, Qualys Guard,Nessus, Kali Linux/Backtrack Suite

10. Outsourcing of Project to External Information Security Auditors / Experts : Yes/No NO ( If yes,
kindly indicate mode of arrangement (MoU, contract etc.))

*Information as provided by AGC Network on 27/03/2017

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

iSec Services Pvt. Ltd

1. Name & location of the empanelled Information Security Auditing Organization :

iSec Services Pvt. Ltd.


607-608, Reliable Business Center,
Anand Nagar Jogeshwari (W),
Mumbai 400102, INDIA
email: [email protected]

2. Carrying out Information Security Audits since : 2001

3. Date of empanelment by CERT-In :

4. Capability to audit , category wise (add more if required)

 Network security audit : (Yes)


 Web-application security audit : (Yes)
 Wireless security audit : (Yes)
 Compliance audits (ISO 27001, PCI, etc.) : (Yes)

5. Information Security Audits carried out in last 12 Months :

Govt. : <15>
PSU : <2>
Private : <19>
Total Nos. of Information Security Audits done : 36

6. Number of audits in last 12 months , category-wise (Organization can add categories based on
project handled by them)

Network security audit : <3>


Web-application security audit : <15>
Wireless security audit : <7>
Compliance audits (ISO 27001, PCI, etc.) : <11>

7. Technical manpower deployed for information security audits :

BS7799 / ISO27001 LAs : <3 >


Any other information security qualification : <3>
Total Nos. of Technical Personnel : 6

8. Details of technical manpower deployed for information security audits in Government and Critical
sector organizations (attach Annexure if required)

Duration with Experience in Qualifications related


Name of
S. No. <organization Information to Information
Employee
> Security security

1 Mayur Khole >4 years >4 years ISO LA 27001:2013


2 Naman Chaturvedi >4 years >4 years ISO LA 27001:2013
3 Anil Patil 1 month >3 Years CEH v8.0
4 Deepak D.R. >2.5 years >2.5 Years CEH v7.0
Jyoti Shankar
5 Singh >5 years >5 years ISO LA 27001:2013
6 Krapesh Bhatt 2 months >3 years PGDM Cyber Security
9. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations etc.)
Along with project value.

Client Name: Syntel Ltd.

Locations covered: Mumbai (2 locations), Pune (2 locations), Chennai (2 locations) and Gurgaon (1
location)

Scope: ISMS Compliance Audits on daily basis for a year, Handling U.S. Clients audits at locations,
imparting training sessions to employees in reference to Information Security at regular Intervals,
Doing Risk Assessment at annual basis, Transition done from ISO 27001:2005 to ISO 27001:2013,
DR and BCP drills for each account.

Manpower Deployed : 3 resources (one each at Mumbai Chennai and Pune).

Project Value: INR 50 lacs.


10. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

Commercial:
 Burp Suite Pro

Freeware:
 Nmap
 Nikto
 Metasploit
 OpenVas
 Wireshark
 Crowbar
 Nessus
 Webscarab
 Paros
 Wapiti
 Nemesis
 NetCat
 Brutus
 GrendeIscan
 Havij
 Hydra
 Httprint
 Hydra
 W3af

11. Outsourcing of Project to External Information Security Auditors / Experts : No

(If yes, kindly provide oversight arrangement (MoU, contract etc.))

12. Whether organization has any Foreign Tie-Ups? If yes, give details : No

13. Whether organization is a subsidiary of any foreign based organization? : No


If yes, give details

14. Locations of Overseas Headquarters/Offices, if any : No

*Information as provided by iSec Services Pvt. Ltd. on 23/3/2017

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

KPMG

1. Name & location of the empanelled Information Security Auditing Organization :

KPMG,
DLF Building No. 10,
8th Floor, Tower B
DLF Cyber City, Phase 2
Gurgaon 122002

2. Carrying out Information Security Audits since : 1996

3. Capability to audit , category wise (add more if required)

 Network security audit (Y/N) : Yes


 Web-application security audit (Y/N) : Yes
 Wireless security audit (Y/N) : Yes
 Compliance audits (ISO 27001, PCI, etc.) (Y/N) : Yes

4. Information Security Audits carried out in last 12 Months :

Govt. : 20
PSU : 15
Private : 40
Total Nos. of Information Security Audits done : 75

5. Number of audits in last 12 months , category-wise (Organization can add categories


based on project handled by them)

Network security audit : 50+


Web-application security audit : 60+
Wireless security audit : 20+
Compliance audits (ISO 27001, PCI, etc.) : 30+

6. Technical manpower deployed for informationsecurity audits :

CISSPs : 6
BS7799 / ISO27001 LAs : 40+
CISA / CISMs : 40+
CEH/OSCP : 35
CCSK/OSCP : 5
CCNA / CCNP/CCIE : 10
Total Nos. of Technical Personnel : 300

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Duration with Experience Qualifications related to


No. Employee KPMG> in Information security
Information
Security
1 Sony Anthony 15yrs 21yrs ISO 27001, ISO 22301, ISO
20000
2 Manish 3yrs 14yrs CEH, CCNA, CISA, ISO 22301
Tembhurkar
3 Kedar Telavane 8yrs 10yrs CISM, CISSP, CCNA,
SNPA,JMCIA,ISO 27001, ISO
22301,DSCI- LA
4 Urmimala 7yrs 10yrs CEH, ISMS-27001:2013, ITIL,
Dasgupta QualysGuard
5 Anupama Atluri 6yrs 10yrs CEH, CCSK, ISO Lead
Implementer, IBM Certified Pen
tester
6 Aditya Tawde 2yrs 9yrs ISO 27001, DSCI -LA
7 Jayant Singh 7yrs 8yrs CEH, ISMS 27001
8 Ramit Gupta 5yrs 8yrs CEH, ISMS-27001:2013, ITIL
9 Ragini Gupta 1yrs 4yrs CEH
10 Abhishek Dashora 2yrs 4yrs CEH, CCSK

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

 Telecom security testing – Multi-year engagement to support client in its security


initiatives which include Security testing of core telecom network nodes like MSC, IN,
SGSN, GGSN, VAS systems etc, network architecture review, application security testing,
vulnerability assessment and development of baseline security standards. The
engagement spread across all the circles within the country covering remote locations.
 Largest public sector bank in India- The scope of work include to perform periodic
vulnerability assessment and penetration testing, application security testing, secure code
review, mobile app security testing, Internet banking and core banking application
security tests. KPMG performed security review of network architecture for bank’s data
centers, local networks and international branch networks. As part of assessment, KPMG
also reviewed security policy and procedures of the bank and its implementation. KPMG
was also a part of it’s Digital Banking initiative where KPMG had performed pre-launch
security assessment of entire setup.
 Security audit for highway authority: The engagement is to conduct detailed As-IS
study of existing security controls implemented on network, application and infrastructure
and submit a detailed report to the organization. Post As-IS assessment KPMG conducted
a comprehensive security audit of network, application, endpoints, database, external
website and e-tendering portal.
 Security audit for nationalized bank: Multi-year engagement with a leading bank to
conduct quarterly security audit of 100 application security tests, vulnerability assessment
on more than 600+ IP address, external penetration test, Denial of service assessment,
IT DR review and review of policy and process. The value of engagement is more than
INR 50Lakhs.
 Security operations center for public sector bank:KPMG assisted 9 banks to assess
the security requirement in each of the banks and help in selection of technologies and
security integrator. KPMG is also assisting a few banks in design and implement the
technologies such as SIEM, PIM, DAM, WAF, VAS, Anti-APT, DLP etc.Logs from various
security devices as routers, switches, firewalls, etc. are fed to the SIEM along with the
logs from other monitoring tools. KPMG has also helped the Banks build use cases for
each of the technologies and implement the same.
 Large IT/ITES Company: KPMG conducted Cyber maturity assessment for the
organization spread across multiple countries followed by road-map for implementation of
security control. KPMG also performed security architecture review, cyber drills, phishing
assessment, Senior management trainings, development of cyber response and incident
management framework, Value of engagement was more than INR one crore.
 Leading intellectual property management and Technology Company: KPMG has
been appointed to provide cyber security services which include cyber security
transformation projects, governance & sustenance and security testing services. KPMG is
to conduct cyber security maturity assessment, program governance for implementation
security controls and security testing for critical on-premises and cloud based applications

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

 Commercial –
 Acunetix,
 Burp,
 Nessus
 AppScan
 WebInspect
 Proprietary
 KRaptor,
 KPMG Brand Protection Tool,
 KPMG SABA,
 KCR Tool
 Freeware
 BackTrack,
 Kali Linux,
 Fiddler,
 Paros,
 SQLMap,
 nmap,
 Wireshark

10. Outsourcing of Project to External Information Security Auditors / Experts: Yes/No ( If yes,
kindly indicate mode of arrangement (MoU, contract etc.)) NO

*Information as provided by KPMG on 21st Mar 2017

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Mahindra Special Services Group

1. Name & location of the empanelled Information Security Auditing Organization :

Mahindra Special Services Group( A Division Of Mahindra Defence Systems


Limited), 212, 2nd Floor, Rectangle One,
Commercial Complex D4,
Saket, New Delhi-110017

2. Carrying out Information Security Audits since : 2002

3. Capability to audit , category wise (add more if required)

 Network security audit (Y/N) : Yes


 Web-application security audit (Y/N) : Yes
 Wireless security audit (Y/N) : Yes
 Compliance audits (ISO 27001, PCI, etc.) (Y/N) : Yes
 Compliance audits(ISO 22301) : Yes

4. Information Security Audits carried out in last 12 Months :

Govt. : 60
PSU : 7
Private : 83
Total Nos. of Information Security Audits done : 150

5. Number of audits in last 12 months , category-wise (Organization can add categories


based on project handled by them)

Network security audit : 60


Web-application security audit : 100
Wireless security audit : 30
Compliance audits (ISO 27001, PCI, etc.) : 15

6. Technical manpower deployed for informationsecurity audits :

CISSPs : 1
BS7799 / ISO27001 LAs : 47
CISAs : 4
DISAs / ISAs : 2
Any other information security qualification:CEH/CFE/CAMS- : 18
Total Nos. of Technical Personnel : 113

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Employee Duration with Experience in Qualifications


No. <organization> Information related to
Security Information security
1. Shailesh Srivastava 9 14 MS ( Cyber Law &
Information
Security);B. Tech. (
Electrical
Engg.);L.L.B., ISO
27001 LA, ISO
22301 LA, ISO
27001 LI,CISA
2. Chandrika Putrevu 7 7.5 B.E.(IT), ISO 27001
LA

3. FarzanaArakkal 6.5 7.5 B E (Computer


Science), ISO 27001
LA
4. Vaibhav Pulekar 6.4 9.7 BE (Computer
Science), ISO27001

5. Anil Govindu 5.2 14.2 B Sc.(Physics), ISO


27001

6. Pankaj Patil 4.10 15.20 BHMS,

OSCP, ISO 22301


LA

7. ChiragaliPeerzada 3.5 8.5 ISO 27001 LA,


CCNA, ISO 22301 LI

8. NeerajRathi 3.5 18.5 ISO 27001 LA, ISO


22301 LI

9. Anushree Desai 3 3 BSc(IT),

ISO 27001LA, ISO


22301 LI

10 Daniel Joseph 2.5 3.5 M Sc(IT),

RHCSA and DFI by


Data 64, OSCP

11. Manish Pandey 2.5 3.5 B.Tech, CEH

12. Santosh Lala 2.5 16.5 MBA, ISO 22301,


ISO 27001

13. Uday Kiran 2.5 4.5 M.Tech (Computer


Sci), B. Tech
(Computer Sci),

CEH; ISO
27001:2013 LA

14. Mousam Khatri 2 2.76 M.Sc. (Cyber Law &


Information
Security), B.E. (IT),
ISO 27001 LA
15. Suresh Mishra 2 16 MBA, ISO 27001 LA

16. Pradeep Lavhale 2 11 MBA, ISO27001


17 Suman Ganguly 2 18 MBA, BE, ISO 27001
LA, ISO 22301 LA,

18 Mihir Shukla 1.5 4.5 B.Sc. (Hons.)


Computer Security &
Forensic: University
of Bedfordshire, UK,

CEH, RHCSA, ISO


27001 LA

19 Sachit Bhatia 1.5 2 MBA(IT), CEH, OSCP

20 Dheeraj Gupta 1.5 2.5 B Sc(T), ISO


27001LA, ISO
27001 Li, ISO 22301
LA
21 K Harisaiprasad 1.5 9.5 MS, BE, ISO 27001,
CISA (Pending)

22 Nair Ashish Ravindran 1.5 3.5 B Sc (IT), ISO


27001 LA

23 Thakur Chandan 1.5 1.5 B E ( Computers),


Kumar ISO 27001 LA

24 Yadav Mayank Kumar 1.5 1.5 BE, ISO 27001 LA,


ISO 27001 LI

25 KhanolkarAkshayUday 1 2.5 B Sc(IT), ISO


27001LA

26 SubirKochar 1 1 MSc, BE, ISO 27001


LA, ISO 22301, PCI
DSS, ITIL
27 Pankaj Tiwari 1 5 MBA, MSc, MCA,
CEH

28 Muktanand Kale 1 2.5 B E, CEH

29 Varinder Kumar 1 17 B Sc,

CISA, CIA, ISO


27001 LA, ITIL

30 RuchitaDaund 1 3.5 BSC, CEH, ISO


27001 LA

31 Abhishek Srivastava 1 3 B E( Computer Sci),


CEH, ISO 27001 LA

32 SanketKakde 1 3.5 BE, CEH, ISO


27001LA
33 Alok Mishra 1 5 MSc, BSc, CEH, ISO
27001 LA

34 PrabudhAyush 1 3 MCA, B Sc, ISO


27001 LA, ISO
27001 Li
35 Navin Kumar Pandey 1 3.5 MCA, BCA, ITIl, ISO
27001 LA

36 Archana Vinod 1 8.5 B E, ISO 27001 LA,


Baisane ISO 22301 LA, ISO
27001 Li

37 Newton Robin Pereira 1 4 B Sc, CEH, CCNA

38 SonaliRaje 1 3.5 B Tech, ISO 27001


LA

39 C R Vishnukumar 1 8.5 B Tech, ISo 27001


LA, ITIL

40 Manojit Nath 1 2 B Tech, ISO 27001


LA

41 Praful Mathur 1 5.5 MBA, ISO 27001 LA

42 Deepak Pandita 1 1.5 Btech, CEH

43 Shweta Rai 1 4.5 B Sc, ISO 27001 LA,


ISO 22301LA

44 Neha Narang 1 5.5 B Tech, ISO 27001


LA, ITIL

45 Irfan Khan 1 10.5 MBA, BTech, ISO


27001 LA

46 Dinesh Usnale 1 3.5 M Sc, BSc, CEH

47 Manoj Singh 1 12.5 MCA, Bsc, ISO


27001 LA,

48 MitaNaik 1 14 BCA,

DCPLA (DSCI
Certified
Professional Lead
Auditor) ,ISO
270001 LI-LA
Certified, CEH v8
certified, pursuing
CISSP, CCNA ,CCIP
Certified, ITIL V3
Foundation &
Service Strategy
certified.
49 Sameer Goyal 1 2.5 B. Tech, CEH

50 Parth Srivastava 1 1.5 B.Tech,CEH, CCNA

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

Central Bank Of India- Consulting For ISO 27001 implementation.


Allahabad Bank- IS Audit and VA PT for application and network
infrastructure
Bajaj Finserv- Consulting for ISO 27001
Airport Authority Of India- Consulting for ISO 27001 , IS Audit, VA PT ( Network and
application)
ICICI Bank- VAPT For Network and applications
Union Bank- Consulting For ISO 27001 and ISO 22301

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

10. Outsourcing of Project to External Information Security Auditors / Experts : No

( If yes, kindly indicate mode of arrangement (MoU, contract etc.))

*Information as provided by Mahindra Special Services Group ( A Division Of Mahindra Defence


Systems Limited) on 24th March 2017

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Cigtial Asia Pvt Ltd

1. Name & location of the empanelled Information Security Auditing Organization:

Cigtial Asia Pvt Ltd,


Bangalore 560029

2. Carrying out Information Security Audits since : 2004

3. Capability to audit, category wise (add more if required)

 Network security audit : (Y)


 Web-application security audit : (Y)
 Wireless security audit : (Y)
 Compliance audits (ISO 27001, PCI, etc.) : (N)

4. Information Security Audits carried out in last 12 Months:

Govt : 6
PSU : 0
Private : 2110
Total Nos. of Information Security Audits done : Around 2000

5. Number of audits in last 12 months, category-wise (Organization can add categories


based on project handled by them)

Network security audit : 35


Web-application security audit : About 2081
Wireless security audit : 0
Compliance audits (ISO 27001, PCI, etc.) : 0

6. Technical manpower deployed for informationsecurity audits:

CISSPs : 0
BS7799 / ISO27001 LAs : 0
CISAs : 0
DISAs / ISAs : 0
Any other information security qualification:OSCP, CEH, Internal Certifications
Total Nos. of Technical Personnel : 60

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Duration with Experience in Qualifications related


No. Employee Cigital Information Security to Information security
1 Somnath Neogi > 10 Years >12 Years CEH, OSCP
Guha
2 Yamel Patel > 2 Years > 2 Years CEH, OSCP
3 Anupam Sain > 10 Years >10 Years CEH
4 Sourav Bhadra > 8 Years >8 Years CEH
5 Darshan V > 3 Years >1 Year CEH
6 Jeevan Kumar > 2 Years >2 Years CEH
7 Pravat Sahoo > 1 Year >1 Year CEH
8 Siddharth > 2 Years > 2 Years CEH
Bavisker
8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

Customer Volume Complexity Location Approximate


Project Value

One of the Mobile Critical business Onsite Mumbai, INR 4.5Mn


largest Private applications Applications Bangalore and
bank in India Remote (from
Bangalore)

One of the Instructor led On selected New Delhi INR 600K


Government trainings technologies
Autonomous
organizations
India

One of the Red Teaming, Complex business Onsite and INR 2.5MN
Insurance consulting, mobile applications and remote
companies in and web red teaming locations in
India application assignments Bangalore
assessments

One of the Web Applications, High complex Onsite at client INR 6.5MN
Software Architecture risk business location in
products analysis and applications Bangalore
company based Advanced Pen
in Bangalore testing

One of the Network Testing Internal and Remote location INR 1.5MN
Global IT external in Bangalore
Services and
Support
company
focused on
Financial
Services market

9. List of Information Security Audit Tools used (commercial/ freeware/proprietary):

1. IBM App Scan


2. Burp Suit Pro
3. SSLizer
4. Nessus
5. N Map
6. Wire shark
7. TCP Dump
8. IGT
9. WinSCP
10. Drozer
11. Hooper
12. APK Debug
13. SQLI Browser
14. Protecode SC
15. Protecode ES
16. Coverity
17. SQL Map
10. Outsourcing of Project to External Information Security Auditors / Experts: No

(If yes, kindly indicate mode of arrangement (MoU, contract etc.))

*Information as provided by Cigital Asia Pvt Ltd on 24/03/2017

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

HCL Comnet Ltd.

1. Name & location of the empaneled Information Security Auditing Organization:

HCL Comnet Ltd.

2. Carrying out Information Security Audits since : 2008

3. Capability to audit, category wise (add more if required)

 Network security audit (Y/N) : Y


 Web-application security audit (Y/N) : Y
 Wireless security audit (Y/N) : Y
 Compliance audits (ISO 27001, PCI, etc.) (Y/N) : Y
 Mobile Application Security: 3 UPI and BFSI
 Forensic Audit: in BFSI sector

4. Information Security Audits carried out in last 12 Months :

Govt. : 7 Large Govt. Customers


PSU : 2 Large PSU
Private : 6 large Private Enterprise
Total Nos. of Information Security Audits done : 30+

5. Number of audits in last 12 months , category-wise (Organization can add categories


based on project handled by them)

Network security audit : 50000 Servers/infra, 100+ firewall audits


Web-application security audit : 1500+
Wireless security audit : 30+
Compliance audits (ISO 27001, PCI, etc.) :5 ISO 27001:2013, 1 PCIDSS v3.2
Certification
Application Source Code Review 6

6. Technical manpower deployed for informationsecurity audits :

CISSPs : 5
BS7799 / ISO27001 LAs : 25 LAs
CISAs : 10
CISMs : 5
DISAs / ISAs : <number of>
Star Certified (Cloud Security) : 10+
OSCP : 2
Any other information security qualification:5 CEH, 10 ISO 22301 LAs, OEM
Certifications (Skybox, Qualys, RSA, Checkpoint, CISCO, Juniper Certified)
Total Nos. of Technical Personnel : 35+ resources

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Duration with Experience in Qualifications


Employee <organizati Informatio related to
on> n Security Information
security
1 Sandeep 10+ years 9+ years ISO 27001-2013,
Kumar QGCS
Pasi
2 Ashwani 2.8 Years 2+ Years CCNA,
QGCS,BCMS
3 Nitin Sharma 4.9 Yrs 3 Yrs CEH,ISO 22301,
QGCS, PCI-
DSS from
SISA
4 Saurabh 2 Years 6+ Years CEH, QGCS
Mishra
5 Nand Kishore 2.7 Years 6 years CEH and QGCS
Kumar
6 Roopesh 10+ years 9+ years ISO 27001-2013
Ramakris
hna
Kamat
7 Mohan Raj 2.1 Yrs 5 Yrs ISO 27001:2013,
Venkates CEH, ITIL
an
8 Satish 2 years 2 years ISO 27001-2013
Rangabh LA
atla
9 Ashish 1 year 8 7+ Yrs ISO 27001-2013
Chauhan months(app LA
rox.)
10 Sikha moni 2+ Years 6+ Years ISMS, BCMS,
Bhuyan ITIL, COBIT,
PCI-DSS
from SISA
11 Kshitij Kishore 10+ years 9+ years ISO 22301,
Bharadw QGCS
aj
12 Abhishek 7 Yrs 5 Yrs CISSP, CISA,
Kumar CISM, ISO
27001:2013,
ISO 22301

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

1. SBI Security Operations Center – 40000 + infrastructure for VA (quarterly),


300 websites (quarterly), approx. 50 firewalls monthly, ISO 27001:2013
certifications, RSA Archer GRC Secops integration with SIEM and Nessus – all
SBI Branches terminating at DC/DR – Approx. 46 Cr.

9. List of Information Security Audit Tools used (commercial/ freeware/proprietary):


Qualysguard, Accunetix, IBM Appscan, HP Fortify, Skybox, Nipper, Nessus, Nexpose,
Metasploit, Kali Linux, Open Source Tools

10. Outsourcing of Project to External Information Security Auditors / Experts : Yes/No : No


(If yes, kindly indicate mode of arrangement (MoU, contract etc.))

*Information as provided by HCL Comnet Ltd. on 23-03-2017.

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Lucideus Tech Pvt. Ltd.

1. Name & location of the empanelled Information Security Auditing Organization :

Lucideus Tech Pvt. Ltd.

2. Carrying out Information Security Audits since : 2012

3. Capability to audit , category wise (add more if required)

● Network security audit (Y/N) : Yes


● Web-application security audit (Y/N) : Yes
● Wireless security audit (Y/N) : Yes
● Compliance audits (ISO 27001, PCI, etc.) (Y/N) : Yes

4. Information Security Audits carried out in last 12 Months :

Govt. : 5
PSU : 3
Private : 300+
Total Nos. of Information Security Audits done : 45+

5. Number of audits in last 12 months , category-wise

Network security audit : 5000+ IP Addresses


Web-application security audit : 1000+ Web Applications
Wireless security audit : 150+
Compliance audits (ISO 27001, PCI, etc.) : 40

6. Technical manpower deployed for information security audits :

CISSPs : 0
BS7799 / ISO27001 LAs : 1
CISAs : 0
DISAs / ISAs : 0
Any other information security qualification : OSCP, LCEH, MCP
Total Nos. of Technical Personnel : 40+

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. No. Name of Duration Experience in Qualifications


Employee with Information Security related to
Lucideus Information
security
1 VB 4.5+ Years 7+ Years LCEH
2 RT 3.5+ Years 7+ Years LCEH
3 RD 1.5+ Years 2.5+ Years LCEH
4 MK 1+ Years 2.5+ Years LCEH
5 AJ 3+ Years 5+ Years LCEH

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.
● One of India’s biggest retail payment system
Activities - Secure Code review, Application security assessment, Network
Architecture review, Configuration Review, DDoS Testing.

● One of India’s Leading e-commerce platform


Activities - Continuous Web Application security assessment, Network
Penetration Testing, Online Reputation Management, Secure Code review
etc.

● One of India’s Leading FMCG Companies


Activities - Application security assessment, Network Architecture review,
Configuration Review, Risk Assessment

● One of India’s Leading Aviation Companies


Activities - Continuous Web Application security assessment, Network
Penetration Testing

● One of India’s Leading Defence Organisation


Activities - Application security assessment, Network Architecture review,
Configuration Review, Risk Assessment

● One of India’s Leading Private Banks


Activities - Continuous Web Application security assessment, Network
Penetration Testing

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

Web Application Source


Network VAPT Web Application VAPT
Code Review

● Burp Suite
● OWASP Zap
● Skipfish
● CheckMarx
● Arachini
● MS CAT
● Xenotix
● FxCop ● Nmap
● BeeF
● OWASP SWAAT ● Nessus
● Tilde Scanner
● RIPS ● OpenVAS
● Nikto
● LAPSE+ ● Metasploit
● SQL Map
● Visual Studio and
● W3af
other IDE
● Dirb
● Nessus (for Web App
Scanning)

10. Outsourcing of Project to External Information Security Auditors / Experts : Yes/No :


NO ( If yes, kindly indicate mode of arrangement (MoU, contract etc.))

*Information as provided by Lucideus Tech Pvt. Ltd. on 25th March, 2017.

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Sandrock eSecurities Private Limited

1. Name & location of the empanelled Information Security Auditing Organization :

Sandrock eSecurities Private Limited

2. Carrying out Information Security Audits since : November 2011

3. Capability to audit , category wise (add more if required)

 Network security audit (Y/N) : Y


 Web-application security audit (Y/N) : Y
 Wireless security audit (Y/N) : Y
 Compliance audits (ISO 27001, PCI, etc.) (Y/N) : Y
(Internal Audits Only)

4. Information Security Audits carried out in last 12 Months :

Govt. : 10
PSU : 0
Private : 5
Total Nos. of Information Security Audits done : 15

5. Number of audits in last 12 months , category-wise (Organization can add categories


based on project handled by them)

Network security audit : 2


Web-application security audit : 13
Wireless security audit : 0
Compliance audits (ISO 27001, PCI, etc.) : 0

6. Technical manpower deployed for information security audits :

CISSPs : 0
BS7799 / ISO27001 LAs : 0
CISAs : 0
DISAs / ISAs : 0
Any other information security qualification : 2
Total Nos. of Technical Personnel : 3

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Duration with Experience in Qualifications related


No. Employee <organization> Information Security to Information
security
1 Rachna Agarwal April 2014 2 Years
2 Ankush Garg June 2015 1 Year Diploma in Cyber Law

3 Daman Preet June 2015 1 Year

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

S.N Categor Brief Descrition of Details of Contact Person at Auditee Additional Info.
o y Scope of Work Organization (Name, email, website
(Govt./ URL, Mobile, telepohne, fax, etc)
PSU/Pri
vate)
1 Private External Network Comnet Vision India Private Limited External Network
Penetration Test B-1 Aggarwal Bhawan, 35-36, Nehru Penetration Test on Public
Place, IPs
New Delhi – 110019
2 Private Internal Network Comnet Vision India Private Limited Internal Network
Penetration Test B-1 Aggarwal Bhawan, 35-36, Nehru Penetration Test on Private
Place, IPs
New Delhi – 110019
3 Govern Web Application Varkul Websoft Private Limited Bureau of Energy Efficiency
ment Penetration Test New Delhi, Delhi 110007 A staturory body under
Ministry of Power,
Government of India
www.beeindia.gov.in
4 Govern Web Application University IT Services Cell (UITS) Guru Gobind Singh
ment Penetration Test Room No.D-412 Indraprastha University
GGS Indraprastha University www.ipu.ac.in
Sector 16C, Dwarka, N.Delhi-110078
Phone: 25302746 Email: [email protected]
5 Govern Web Application Varkul Websoft Private Limited Bureau of Energy Efficiency
ment Penetration Test New Delhi, Delhi 110007 A staturory body under
Ministry of Power,
Government of India
www.beesdaportal.com
6 Govern Web Application Varkul Websoft Private Limited Bureau of Energy Efficiency
ment Penetration Test New Delhi, Delhi 110007 A staturory body under
Ministry of Power,
Government of India
www.beestarlabel.com
7 Govern Web Application IT Cell, Ministry of Power, http://staging.indianic.com
ment Penetration Test Room No. 123, 1st Floor, /power/ and
Shram Shakti Bhawan, Rafi Marg, http://staging.indianic.com
New Delhi /ujwalbharat/
8 Govern Web Application Hindustan Insecticides Limited http://www.hil.gov.in/
ment Penetration Test New Delhi, Delhi 110003
9 Govern Web Application State Consumer Disputes Redressal http://chdconsumercourt.g
ment Penetration Test Commission, U.T., Chandigarh. ov.in/
10 Private Web Application MSF Insurance Web Aggregator Direct Insure
Penetration Test Pvt.Ltd, Delhi http://www.directinsure.in
11 Govern Web Application Mahatma Gandhi Mission
ment Penetration Test College of Engineering & Technology,
Noida
12 Govern Web Application Recruitment and Assessment Centre http://rac.gov.in/
ment Penetration Test (RAC) Defence Research and
Development Organisation
Ministry of Defence
Lucknow Road, Timarpur, Delhi (INDIA)
13 Govern Web Application Mukesh Kumar, http://ccestagra.gov.in/
ment Penetration Test Immortal Technologies (P) Ltd.

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

Nmap Freeware

Nikto Freeware

Mozilla Firefox with Freeware


Security Add-Ons

Web Scarab Freeware

Sqlmap Freeware

Cain and Abel Freeware


W3af Freeware

HTTrack Freeware

Nessus Commercial

Metasploit Freeware

Nexpose Freeware

Brutus Freeware

MBSA Freeware

GFI Langaurd Commercial

10. Outsourcing of Project to External Information Security Auditors / Experts : Yes/No


( If yes, kindly provide oversight arrangement (MoU, contract etc.)) NO

*Information as provided by Sandrock eSecurities Private Limited on 27-03-2017

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

VISTA InfoSec

1. Name & location of the empanelled Information Security Auditing


Organization :

nd
VISTA InfoSec, 001, North Wing, 2 Floor, Neoshine House,
Opp. Monginis Factory, Link Road, Andheri (West), Mumbai,
Maharashtra, India.

2. Carrying out Information Security Audits since :


2004

3. Capability to audit , category wise (add more if required)


• Network security audit : (Y)
• Web-application security audit : (Y)
• Wireless security audit : (Y)
• Compliance audits (ISO 27001, PCI, etc.) : (Y)

4. Information Security Audits carried out in last 12


Months

Govt. : 25+
PSU : 30+
Private : 100+
Total Nos. of Information Security Audits done : 200+

5. Number of audits in last 12 months , category-wise:

Sr. Category Brief Description of Details of Contact Person at Additional Info


Work Auditee
Organization (Name, email,
1. Govt. Tech audit of the IT INS Mumbai
2. Govt. Tech audit of the IT INS Mysore
3. Govt. Tech audit of the IT FMU
4. Govt. Tech audit of the IT FMU & MMT
5. Govt. Tech audit of the IT CONFIDENTIAL Naval Station, Thane
6. Govt. Tech audit of the central NA0049 - Kochi
7. Govt. Tech audit of central DIT
and remote
locations
8. PSU Audit as per SEBI Name: Rajesh Prasad SBI
guidelines. Email ID:
[email protected]
Organisation: SBI
Website: www.onlinesbi.com
Phone Number: 9869770276

9. PSU Audit as per SEBI Name: Sunil Yadav NSDL


guidelines. Email ID:
[email protected]
Organisation: NSDL
Website:
npscra.nsdl.co.in Phone
Number: 9967222267
10. Pvt. Audit as per RBI Name: Priti Shah PMCB
requirements Email ID:
[email protected]
Organisation: PMCB
Website:
Audit as per ISO27001
www.pmcbank.com
requirements Phone number: (022) 6780 4174
11. Pvt. Audit as per RBI Name: Ravindra Pathar GPPJSB
requirements Email ID:
rspathar514@gpparsikbank.
net Organisation: GPP Bank
Audit as per ISO27001 Website:www.gpparsikbank.
requirements com Phone Number: 022-
25456524
12. Pvt. Audit as per RBI Name: DK Gosavi KJSB
requirements Email ID:
[email protected]
Organisation: KJSB
Audit as per ISO27001 Website: www.kalyanjanata.in/
requirements Phone Number: 9322705900

13. Pvt. Audit as per ISO27001 Name: Yogesh Maroli AGS


requirements Email ID:
[email protected]
Organisation: AGS Transact
Website: www.agsindia.com
Phone Number: 9223191411

14. Pvt. Audit as per PCI Name: Pankaj Khandelwal ISG


requirements Email ID:
pankajk@insolutionsglobal
.com Organisation: ISG
Pvt. Audit as per ISO27001 Website: ISG
requirements www.insolutionsglobal.com
Phone Number: 9820820497
15. Pvt. Audit as per RBI Name: Vikram Idnani Tata – Trent
requirements Email ID:
Vikram.Idnani@trent-
tata.com
Organisation: TATA
Trent Website:
www.tata.com/company/profile/Tr
ent
16. Pvt. Audit as per ISO27001 Name: Sreeram GC TATA TRUST
requirements Email ID:
[email protected]
Organisation: TATA
Trust Website:
www.tatatrusts.org

Network security audit : 60+


Web-application security audit : 50+
Wireless security audit : 20+
Compliance audits (ISO 27001, PCI, etc.) : 15+

6. Technical manpower deployed for information security audits :


CISSPs : 3
BS7799 / ISO27001 LAs : 8
CISAs : 3
DISAs / ISAs : 1
Any other information security qualification: PCI QSA, CRISC, CEH, OSCP
Total Nos. of Technical Personnel : 23
7. Details of technical manpower deployed for information security audits in Government
and Critical sector organizations (attach Annexure if required)

S. Name of Employee Duration with Experience in Qualifications related to


No. VISTA InfoSec Information Security Information security
1. Srushti Mohadikar June 2014 3 CCNA R&S, CEH,
PYTHON
2. Rohan Bangera Apr 2012 4 CISC, CPFA, CPH NxG

3. Sachin Pagare Nov 2015 3 CAST, CEH, ECSA

4. Mayur Patil Nov 2015 2 CEH,

5. Anshuman Dubey Aug 2014 6 ISMS LA

6. Bhagyashree Jan 2013 4 PRISM


Mulgund
7. Divya Nitesh Oct 2013 8 ISMS LA

8. Vibha Yadav Nov 2013 6 ISMS LA, Diploma in


Certified
Manager in
Information
9. Rohan Patil Aug 2005 12 eCPPT

10. Narendra Sahoo Dec 2004 23 CISSP, CISA, ISMS LA,


CRISC
11. Saru Chandrakar Oct 2012 6 CISA, ISMS LA

12. Anil Yadav Feb 2014 5 CISC

13. Pravin K Nov 2006 14 CISA, CISSP

14. Aniket Lavhande Oct 2016 2 CEH

15. Sneha Karan Jan 2016 1 CEH

16. Shailesh Wagh Feb 2016 6 CEH

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

Projects Volume Complexity Locations

InSolutions Global – Into card printing, Payment processor to Mumbai, Pune, Delhi
Compliance card processing, some of the largest and Bangalore
Management payment application banks and
development – We merchants in India
support end to end
compliance

PMCB – Compliance End to end One of the largest 100 locations


Management compliance Co—operative bank across Maharashtra
GPPJSB – End to end One of the largest 75 locations
Compliance compliance Co- operative bank across
Management Maharashtra

9. List of Information Security Audit Tools used (commercial/ freeware/proprietary):

 Rapid7 NeXpose
 IBM Rational AppScan.
 NESSUS.
 GFI Languard.
 Acunetix WVS.
 QualysGuard.
 BurpSuite.
 MetaPacktPublishingoit.
 Nikto.
 Wikto.
 BackTrack Security Distro.
 Paros Proxy.
 Nmap.
 Exploits DB from “astalavista”, “packetstormsecurity”, “exploitdb” etc.
 Google Hack DataBase.
 Inhouse customized Scripts.
 Zero Day Scripts / Exploits.
 Other Tools (As when required by the type of work).

10. Outsourcing of Project to External Information Security Auditors / Experts :


No ( If yes, kindly indicate mode of arrangement (MoU, contract etc.))

*Information as provided by VISTA InfoSec on 21/03/2017

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Sify Technologies Limited

1. Name & location of the empanelled Information Security Auditing Organization :

Sify Technologies Limited.


2nd Floor, TIDEL Park, #4, Rajiv Gandhi Salai,
Taramani, Chennai-600113

2. Carrying out Information Security Audits since : 2004

3. Capability to audit , category wise (add more if required)

 Network security audit : (Y)


 Web-application security audit : (Y)
 Wireless security audit : (Y)
 Compliance audits (ISO 27001, PCI, etc.) : (Y)

4. Information Security Audits carried out in last 12 Months :

Govt. : 3
PSU : 1
Private : 6
Total Nos. of Information Security Audits done : 10

5. Number of audits in last 12 months , category-wise (Organization can add categories


based on project handled by them)

Network security audit : 5


Web-application security audit : 4
Wireless security audit : 1
Compliance audits (ISO 27001, PCI, etc.) : 3

6. Technical manpower deployed for information security audits :

CISSPs : 1
BS7799 / ISO27001 Las : 1
CISAs : 0
DISAs / ISAs : 0
Any other information security qualification:
CISM : 1
CIWSA : 1
MS (Cyber Law & Information Security) : 1
C|EH : 4
Total Nos. of Technical Personnel : 7

7. Updated details of technical manpower deployed for information security audits in


Government and Critical sector organizations (attach Annexure if required)

S. Name of Duration with Sify Experience in Qualifications


No. Employee Technologies Ltd. Information related to
Security Information security
CISSP, CISM, MCSA,
1 Palaniraja M 3.7 13.8
MCSE, CCNA, CIWSA
ISO27001 Lead
Auditor, ISO27001
2 Amruta Khot 9.3 9.3 Lead Implementer,
ITIL V3, ISO 22301
Professional
MS (Cyber Law &
3 Nairit Adhikary 4.3 4.3
Information Security)
4 Vinoth Kumar 6.11 7.8 C|EH
5 Jude Lesley 2 2 C|EH
6 Vinoth P 2 2 C|EH
7 Mohan M 2 2 C|EH

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

Company Complexity Volume Project Value


Name

IL&FS Penetration Testing 20 IP's 1867000


Security Bi-Annually for 2
Services Ltd. years
Vulnerability 146 IP's
Assessment Bi-
Annually for 2 years
ISMS Build- End to Premises : IL&FS Securities Services
End consultancy till Limited, Mumbai
ISO27001 Processes : IT Department, Data Center
Certification (managed by 75 personnel)
Completion IT services (Service Desk, Desktop
Sup.,
Networks Sup., Servers Sup., DC Sup.,
Application Development / Management
/ Support, DBA,
Procurement, IT Security).

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):


Acunetix, Nessus, Metasploit Framework, Nmap, BurpSuite, Kali Linux, OWASP Zap

10. Outsourcing of Project to External Information Security Auditors / Experts: No


(If yes, kindly provide oversight arrangement (MoU, contract etc.))

*Information as provided by Sify Technologies Limited on 27th March 2017

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Locuz Enterprise Solutions Ltd.

1. Name & location of the empaneled Information Security Auditing Organization:

Locuz Enterprise Solutions Ltd.


401, Krishe Sapphire, Main Road, Madhapur, Hyderabad – 500081.
Phone #: +91-40-45004600 | Fax #: +91-40-45004601.
http://www.locuz.com

2. Carrying out Information Security Audits since : August 2001

3. Capability to audit , category wise (add more if required)

 Network security audit : Y


 Web-application security audit : Y
 Wireless security audit : Y
 Compliance audits (ISO 27001, PCI, etc.) : Y

4. Information Security Audits carried out in last 12 Months :

Govt. : 40
PSU : 02
Private : 12
Total Nos. of Information Security Audits done :

5. Number of audits in last 12 months , category-wise (Organization can add categories


based on project handled by them)

Network security audit : 9


Web-application security audit : 37
Wireless security audit : 5
Compliance audits (ISO 27001, PCI, etc.) : 1
Cloud Security : 2

6. Technical manpower deployed for informationsecurity audits :

CISSPs : 1
BS7799 / ISO27001 LAs : 2
CISAs : NIL
DISAs / ISAs : NIL
Any other information security qualification : 12
Total Nos. of Technical Personnel : 15

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Duration with Experience in Qualifications


No. Employee <organization> Information related to
Security Information
security
1 Mr R Nageshwar 6 + Years 7.5 + years CEH, CCSA, ISMS
Rao Naik Trained
2 Mr. Sashidhar 4 +years 4 +years CEH,ISO
Somireddy
7001:2015 LA-
Certified
3 Uttam Mujumdar 14 + Years 11 +years CISSP
4 Narendra Nath 5+ Years 5+ Years LA ISO 27001:2005
Swarna
5 Milind Mistri 5+ Years 4 + Years CCIE Security
6 NIHAL 3 + years 2 +years CCIE Security
7 Chandan 3 + Years 3 + Years CCIE Security
8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.)
Along with project value.

Client Location Activity Period Locations Value


Name
Tasec Mumbai Security Assessment, 2016-2017 2 locations Confidential
Vulnerability
Assessment,
Breach assessment,
Social Engineering,
Firewall Configuration
review
LVGI Mumbai Vulnerability 2016-2017 1 Location Confidential
Assesment and
Penetration Testing
(Both Internal And
External )

Eros Mumbai Security Assessment, 2016-2017 1 Location Confidential


International Vulnerability
Assessment, IT
Infrastructure
Consulting Services &
Gap Analysis
Ness Bangalore Vulnerability 2016-2017 3 Locations Confidential
Technologies Assesment and
Penetration Testing
(Both Internal And
External )

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

Nmap
Superscan
Metasploit & Securityforest - Penetration Testing
Process explorer, Sigcheck, Kproccheck - Windows Kernel & malware
detection
Netstumbler & Kismet – WLAN Auditing
Nikto - Web server vulnerability scanner
SQLMap – SQL Injections
Wireshark – Protocol Analyzer
BackTrack tools
Burp Proxy
Nessus

10. Outsourcing of Project to External Information Security Auditors / Experts : No

(If yes, kindly indicate mode of arrangement (MoU, contract etc.))

*Information as provided by Locuz Enterprise Solutions Ltd. on 27 th March 2017

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Digital Age Strategies Pvt. Ltd.

1. Name & location of the empanelled Information Security Auditing Organization :

Digital Age Strategies Pvt. Ltd.


Corporate office # 28, "Om Arcade", 2nd & 3rd Floors,
Thimmappa Reddy Layout , Hulimavu,
Bannerghatta Road, Bangalore – 560076

2. Carrying out Information Security Audits since : 8th March,


2004

3. Capability to audit , category wise (add more if required)

 Network security audit : Yes


 Web-application security audit : Yes
 Wireless security audit : Yes
 Compliance audits (ISO 27001, PCI, etc.) : Yes
 Network Information security policy Audit against best
Security Practices : Yes
 Process Security Audit : Yes
 Internet Technology Security Audit : Yes
 Communications Security Audit : Yes
 Internet & Mobile Security Testing : Yes
 Physical Access Controls & Security Audit : Yes
 Software Vulnerability Assessment Audit : Yes
 Penetration Testing : Yes
 Business Continuity Planning / Disaster Recovery Audit : Yes
 CBS/Core/ERP Application Audits : Yes
 Software Asset Management Audit : Yes
 Sarbanes’ Oxley Act (SOX) Audit : Yes
 Data Migration Audit : Yes

4. Information Security Audits carried out in last 12 Months :

Govt. : 990
PSU : 406
Private : 270
Total Nos. of Information Security Audits done : 1666

5. Number of audits in last 12 months, category-wise (Organization can add categories based
on project handled by them)

 Network security audit : 90+


 Web-application security audit : 330+
 Wireless security audit : 4+
 Compliance audits (ISO 27001, PCI, etc.) : 342+
 Network Information security policy Audit against
best security practice : 115 +
 Internet Technology Security Audit : 95+
 Mobile Security Testing : 5+
 Physical Access Controls & Security Audit : 35+
 Vulnerability Assessment Audit : 80+
 Penetration Testing : 40+
 Business Continuity Planning / Disaster Recovery Audit : 572+
6. Technical manpower deployed for information security audits :

CISSPs : 03
BS7799 / ISO27001 LAs : 22
CISAs : 25
DISAs / ISAs : 1
Any other information security qualification: CEH : 19
Total Nos. of Technical Personnel : 44

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Duration with Experience in Qualifications


No. Employee <organization> Information related to
Security Information
security
As per the Annexure Enclosed

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

I. Reserve Bank of India, HO Mumbai

 IT Infrastructure Audit – System Upgrade & Integration (SOC) TPA for 2016-
2018. Value of Order Rs. 14.45 Lacs approx.

 CBS Data Migration Audits of RBI across the Country from August 2011 to
2013. Vulnerability Assessment & Penetration Testing for RBI Network & Web
application. Value of Order Rs. 68.70 Lacs + Rs. 1.20 Lacs.

 eKuber Treasury Migration Audit for RBI during 2014-15. Value of Order Rs.
29.35 Lacs Approx.

 Reserve Bank of India, RTGS Application Data Migration Audit during 2015-
2016. Value of order Rs. 13.20 Lacs

II. ONGC, Govt. of India – Paperless Office Implementation – Third Party Auditor (TPA)
for L&T Infotech Ltd., for 2017-2018.

III. Odisha Power Transmission Corporation Limited (OPTCL), Govt. of Odisha,


Bhubaneswar.

 IT Security Auditor including ISO 27001:2013 Implementation for


OPTCL/GRIDCO/SLDC Audit for 2017 – 2023. Value of Order Rs. 27.43 Lacs
Approx.

IV. Central Bank of India, Mumbai

 Cyber Security Audit and Comprehensive Audit of CBS Project & other
Applications 2016 – 2017. Value of Order Rs 14.50 Lacs Approx.

V. Federal Bank Ltd. Kerala

 IS Audit of IT infrastructure, VAPT and Concurrent Audit of Data Center, IT


Department and Operations Department of the Bank 2016-18. Value of Order
Rs 15.50 Lacs Approx.

VI. Ministry of Finance & Economic Affairs, Government of The Gambia 2015 - 16

 ICT Audit covering Data Centre, Disaster Recovery Site, Audit of Epicore
Core Application, IS Audit of Nine Applications, Vulnerability Assessment and
Penetration Testing of the entire network covering all IT Assets. Gap
Assessment against COBIT Version 5.0, Gap Assessment against ISO
27001:2013 Standard, detailed Risk Assessments, Future Capacity Plan, Way
Forward Initiatives for IT etc. Value of the order Rs. 48 Lacs.

VII. Bank of Uganda

 Attack & Penetration Testing of Bank of Uganda during 2016 – 17 etc. Value
of the Order Rs. 46 Lacs.

VIII. Nashik Municipal Corporation

 Security Audit of Softwares and Network System for 2015-16. Value of the
Order Rs. 15.60 Lacs.

IX. Indian Bank

 IS Audit of all areas of Audit like DC, DRS, Treasury, ATM Internet Banking,
Mobile Banking including ITMS Migration Audit, CAAT Tools Evaluation,
Capacity Planning, Risk Assessment, Policies Review, VA & PT of entire Bank
etc. for 2015 -16 & 2016-17. Value of the Order Rs. 24 Lacs.

X. Canara Bank, Head Office, Bangalore

 Vulnerability Assessment and Penetration Testing for Bank’s Network, Servers,


Applications, Websites etc from 2016 to Till date . Value of order Rs. 15 Lakhs.

XI. Corporation Bank

 Comprehensive Audit of Bank's Data Center, IT Applications, IT Network,


and
Independent Assurance of the IS Audit Function including VA & PT for 2015-
16. Value of order Rs. 17 Lakhs

XII. Wipro - Data Migration Audit of 803 Branches of RRBS of UCO Bank across India.
Value of order Rs. 32.12 Lacs.

XIII. Allahabad Bank, HO, Kolkata

 CBS Data Migration Audit for 586 branches of two RRBs sponsored by
Allahabad Bank for the year 2011-12 & 2012-13. Value of order Rs. 35.36
Lacs.

XIV. Canbank Computer Services Ltd., a Subsidiary of Canara Bank

 Core Banking Solution Migration Audits of 805 RRBs of Canara Bank for
2011-12 on behalf of CCSL. Value of order Rs. 56.66 Lacs.

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

Digital Age will be using the following Audit Tools depending upon the specific requirements
of this Audit.

I. Commercial Tools

1. Nessus Pro
2. Burp Suite Professional
3. Secure Cisco Auditor tool
4. Hash Suite Standard

II. Open Source

1. Kali Linux
2. Nmap
3. Wireshark
4. OWASP ZAP
5. Paros
6. Web Scarab
7. coSARA
8. Network Stumbler
9.Aircrack suite
10. Nikto
11. Cain and Abel
12. MBSA
13. L0phtcrack: Password Cracker ver. 6.0
14. BackTrack
15. OpenVas
16. W3af
17. Directory Buster
18. SQL Map
19. SSL Strip
20. Tamper Data
21. FOCA

III. Proprietary Tools

1. Web Cracker Ver. 3.0


2. Network Mapper Ver. 4.6
3. Filter It - Ver. 2.0
4. SQL Checker Ver. 1.0
5. Inject Script Ver. 2.0

10. Outsourcing of Project to External Information Security Auditors / Experts : No


( If yes, kindly provide oversight arrangement (MoU, contract etc.))

*Information as provided by Digital Age Strategies Pvt. Ltd., on 09.05.2017

Back
Annexure

Details of technical manpower deployed for information security audits in Government and
Critical sector organizations

S. Name of the Employee Working with Total Information Security


No. the organization experience in related qualifications
since (month & information (CISSP/ISMS LA /
year) security CISM/ CISA/ ISA
related etc., state as
activities applicable)
(years)
1. Mr. Dinesh S. Shastri March, 2004 20 Years ISO 27001 ISMS L. A &
ISO 22301 BCMS L. A,
ISO 20001 ITSM L.A,
CISA, CEH, CHFI, CISM,
CSQA, COBIT Ver. 5.0
Certified.
2. Mr. G. Krishnamurthy August, 2005 19 Years CEH, ISO 27001 LA,
ISO 9001 LA, COBIT
Ver. 5.0 Certified.
3. Mr. P. L. N. Sarma October, 2008 19 Years CISA, CeISB, ISO
27001 LA.
4. Mr. Suresh Sundaram August, 2016 18 Years DCS, CISA.

5. Mrs. Shobha R. August, 2011 16 years CISA, CISM, ISO 27001


Lead Auditor.

6. Mr. Padmanaban S. October, 2010 15 years CISA, ISO 27001 Lead


Auditor.
7. Mr.Chandrasekharaiah T. G. March, 2005 12 years CISA, ISO 27001 Lead
Auditor, Oracle Data
Base trained SAP
Consultant.
8. Mr. Rajgopal Tholpadi S. November, 2013 15 Years CISA, ISO 27001 LA,
ISO 9001 LA, 6
Sigma GreenBelt, PMP.
9. Mr. H. P. Ramakrishna March, 2004 16 Years ISO 27001 Lead
Auditor.
10. Mr. Manjunath Naik April, 2016 7 Years ISO 27001 LA, ISO
9001 LA.
11. Mr. L. R. Kumar September, 2015 12 Years CISA, CEH, CQA, PMP,
ISO27001 LA.

12. Mr. R. Janardhanan August, 2013 18 Years CISA, PGDB, ISO 27001
Lead Auditor.
13. Mr. K. Rajasekharan August, 2013 16 Years CISA, ISO 27001 Lead
Auditor.
14. Mr. S. V. Iyer February, 2014 16 Years MCA, CISA, CISSP,
CEH, CFE.
15. Mr. Ravichandran R. February, 2014 8 years CISA, ISTQB.
16. Mr. Vikram Kapoor April, 2014 18years CISA.
17. Mr. Prabhakar Raju C. S. April, 2014 15 Years CISA, DISA, ISO 27001
LA.
18. Mr. Manjunath Babu April, 2016 14 Years CISA, ISO 27001 LA.

19. Mr. Vishwas Utekar April, 2014 17 Years CISA, CEH, ISO 27001
L. A.
20. Mrs. Padmashree S. August, 2014 16Years CISA, CCNA.
21. Mr. Prathik Shanbhag January, 2014 5 Years B.E., CISA, CEH, ISO
27001 LA.
22. Mr. Jaiprakash J. L. April, 2014 15Years ISO 27001 LA, CQA,
PMP, 6 Sigma Green
Belt.
23. Mr. Soundarajan S. G. December, 2015 6 Years CISA, CISSP.

24. Mr. M. L. Venkataraman August, 2015 9 Years CISA, CISM, CISSP,


CRISC, CGEIT.
25. Mr. Viswanath G. July, 2016 12 Years CISA, CISM, CGEIT,
CEH, ISO 27001 L.A.
26. Mr. Parveez Khan December, 2013 13 Years ISO27001 L.A., ITIL V3,
Dip CS, 6 Sigma Green
Belt.
27. Mr. Raju Hari Patil February, 2016 1 ½ Years BE, CEH.

28. Mr. Sarath Kumar February, 2016 1 ½ Years B. Tech, CEH.

29. Mr. Touseef Jagirdar February, 2016 1 ½ Years BE, CEH.

30. Mr. Mohammed Irfan August, 2016 1 Year B. Tech, CEH .

31. Ms. Gayithri. R. October, 2016 1 Year MCA, CEH.

32. Mrs. Divya S. B. October, 2016 1 Year BE, DSC, CEH.

33. Ms. Roopa S October, 2016 1 Year B. Tech, CEH.

34. Mr. Patrick Oswald Pinto December, 2016 14 Years PGDCA, CISA, CIA.

35. Mr. Sridhar Pulivarthy December, 2016 16 Years BE, CISA, ITIL Expert,
ISO 27001 LA.
36. Mr. Dhyan September, 2016 8 Months BE, CEH.

37. Mr. Santhosh Kumar K R May, 2016 1 Year M.Tech, CEH, ISO
27001 LA.
38. Mr. Padmanabha N. November, 2016 12 Years CEH, ISO 27001 LA.

39. Mr. Mohammed Jameel January, 2017 1 Year BE(Computer Science),


Zarzari M.Tech.(Computer
Networks).
40. Mr. Sachin D. Bellundagi January, 2017 1 Year BE, CEH.

41. Mr. Naveenraddi M Hulikatti February, 2017 2 Years BE, CEH.

42. Ms. Uma Devi March, 2017 1 Year B.Tech.(IT),


M.Tech.(Cyber
Security).
43. Mr. Surender D. February, 2017 12 Years CISA, CeISB.

44. Mr. Susheel Kumar May, 2017 14 Years CISA.

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

MAVERICK QUALITY ADVISORY SERVICES PRIVATE LIMITED

1. Name&locationof theempanelledInformationSecurityAuditingOrganization :

MAVERICK QUALITY ADVISORY SERVICES PRIVATE LIMITED


123 RADHEYSHYAMPARK P.O
SAHIBABAD
GHAZIABAD,U.P,INDIA– 201005

2. CarryingoutInformationSecurityAudits since : 2005

3. Capabilitytoaudit, categorywise(addmoreifrequired)

 Network securityaudit(Y/N) : Yes


 Web-applicationsecurityaudit(Y/N) : Yes
 Wirelesssecurityaudit(Y/N) : Yes
 Complianceaudits(ISO27001,PCI,etc.)(Y/N) : Yes
 Physical Access Controls&Securitytesting : Yes
 SoftwareVulnerability Assessment : Yes
 PenetrationTesting : Yes
 InformationSecurityTesting : Yes
 BusinessContinuity Planning/Disaster RecoveryAudit : Yes

4. InformationSecurityAuditscarriedoutinlast12Months :

Govt. : 1
PSU : 2
Private : 16
TotalNos.of InformationSecurityAudits done : 19
(In last12 months)

5. Numberof audits in last12months ,category-wise(Organizationcan add categorie sbased


on project handled by them)

Network securityaudit : 5
Web-applicationsecurityaudit : 6
Wirelesssecurityaudit : 2
Complianceaudits(ISO27001,PCI,etc.) : 20

6. Technicalmanpower deployed for information securityaudits:

CISSPs : 1
BS7799/ISO27001LAs : 6
CISAs : 1
DISAs /ISAs : NA
Anyother informationsecurityqualification : NA
TotalNos.ofTechnicalPersonnel : 7
7. Detailsoftechnicalmanpower deployed for informationsecurityaudits in Government and
Critical sectororganizations(attach Annexureif required)

S. Nameof Duration with Experience in Qualifications related


No. Employee Information To Information
MAVERICK Security security
QUALITY
ADVISORY
SERVICES
PRIVATE
LIMITED
1 AshokVardhan 12years 11years ISMS LA
2 Vinit Maheshwari 12years 13years ISMS LA
3 AnandSarup 5years 19years CISA, CISM,ISMS LA
Bhatnagar
4 ArvindKumar 4years 7years ISMS LA
5 Raj Maheshwari 12years 6years ISMS LA
6 Harish Gupta 6years 16years CISSP,MCSE, SYMANT
AC Certified,
RSA Certified
7 SanjeevGupta 2years 4years ISMS LA

8. SpecifyLargestProjecthandled in termsof scope(intermsofvolume,complexity, locations etc.)


alongwith projectvalue.

IL&FSGroup(IL&FS Technologies andIL&FSEnvironment)–11L

9. ListofInformationSecurityAudit Toolsused (commercial/freeware/proprietary):

CommercialandFreeware

Nmap
Dontools
Nikto
Dsniff
SqlTool
Metasploit
Netcat
Ethereal
SSLProxy,STunnel
Webinspect
Wireshark
Acuentix
Appscan
BurpSuite
Nessus

10. OutsourcingofProjecttoExternal InformationSecurityAuditors /Experts:No (If yes, kindly


indicatemode ofarrangement(MoU, contractetc.))

*Information as provided by Maverick QualityAdvisory Services Private Limited on June 302017

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

SecurEyes Techno Services Pvt. Ltd

1. Name & location of the empanelled Information Security Auditing Organization:

SecurEyes Techno Services Pvt. Ltd.,


#3S, 3rd Floor, Swamy Towers,
Chinapanahalli, Marathahalli,
Outer Ring Road,
Bangalore - 560037

2. Carrying out Information Security Audits since : 2006

3. Capability to audit, category wise (add more if required):

 Network security audit (Y/N) : Y


 Web-application security audit (Y/N) : Y
 Wireless security audit (Y/N) : Y
 Compliance audits and GRC consultancy against well-known
International standards
(including ISO 27001, PCI, ISO 2000, COBIT, etc.) (Y/N) : Y
 Thick-Client Application Security Testing : Y
 Vulnerability Assessment : Y
 Network Penetration Testing : Y
 SDLC Review and code security review : Y
 Information security policy development, review and assessment
against security best practices : Y
 Process Security Testing : Y
 Communications Security Testing : Y
 Physical Access and Environment Security Controls Review : Y
 Social Engineering Testing : Y
 Gap Analysis against well-known standards : Y
 Risk Assessment / Management Services : Y
 Enterprise Security Architecture Review : Y
 Regulatory security compliance review : Y
 Information Security Trainings (user awareness, technical training, etc.) : Y
 DLP consulting : Y
 User and Identity Management : Y
 Single Sign On : Y
 Application Security Architecture review : Y
 Design and development of Operational Security Guidelines : Y

4. Information Security Audits carried out in last 12 Months:

Govt. : 380
PSU : 35
Private : 144
Total Nos. of Information Security Audits done : 559

5. Number of audits in last 12 months, category-wise

Network security audit : 18


Web-application security audit : 524
Wireless security audit : 2
Compliance audits (ISO 27001, PCI, etc.) : 15
Business Continuity Review : 4
Incident Management Review : 5
Regulatory Compliance Review : 5
SOC Audit : 4
Vulnerability Assessments : 15
ATM Audits : 4
Applications Control Reviews : 34
Visa 3-D secure audit : 2
Not e: Some of the above audits may have been conducted for the same client through different
times/duration during the year.

6. Technical manpower deployed for information security audit:

Certified Ethical Hacker (CEH) : 18


BS7799 / ISO27001 LAs : 9
CISAs : 6
CCNA : 3
RHCSA : 1
BS15000 : 1
SANS-GCIH : 1
SCSA : 1
CEH : 18
Total Nos. of Technical Personnel : 26

7. Details of technical manpower deployed for information security audits in Government and Critical
sector organizations (attach Annexure if required)

S. No. Name of Duration with Experience in Qualifications related


Employee SecurEyes Information to Information
Security security
1. 10.5 years 16+ years CISA, ISO 27001, SANS-
GCIH (Gold
Karmendra Kohli
Certified), SCSA,
CCNA, BS15000
2. Seemanta Patnaik 10.5 years 16+ years CEH, ISO-27001, CISA
3. S Narayan 8.6 years 8.6 years CISA, CEH, ISO-27001
4. K Bala S 5.9 years 5.9 years CEH, ISO-27001, COBIT
5. D Kumar 3.8 years 3.8 years CEH, ISO-27001, CCNA
6. P Rao 5.6 years 16 years CISA, ISO-27001
7. UP 7.11 years 16years CISA, ISO-27001
8. KT 1 year 2.10 years CEH, CISA
9. SM 2.11 years 6.2 years CEH, ISO-27001, CCNA
10. NM 1.8 years 1.8 years CEH
11. PS 1.8 Years 1.8 years CEH
12. MS 4.3 years 4.3 years CEH
13. AG 1.5 years 3.2 years CEH
14. AK 1.8 years 1.8 years CEH
15. AS 1.8 years 1.8 years CEH
16. CS 1.8 years 1.8 years CEH
17. AD 3.8 years 3.8 years
18. MB 8 months 2.7 months
19. RVR 9 months 18years ISO-27001, CEH
20. RA 4 months 1.8 years
21. SR 6 months 3 years RHCSA
22. SS 1 year 4.6 years CEH
23. SK 3 months 3.1 years CEH
24. UMR 1.8 years 1.8 years CEH
25. VPB 1.3 years 1.3 years CEH
26. VK 1 month 1.4 years CEH

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations etc.)
along with project value.

The largest project handled in last year, was an end-to-end Information security governance and
business continuity management review for one of our customers in Middle-East. The details of the
project are mentioned below:
Project Scope:

1. Information Security Governance assessment


2. Assessment of Security Operation Centre (SOC) including review of coverage scope for SOC
monitoring, adequacy of rules defined for monitoring, implementation review of the SIEM solution
and review of policies, procedures and standards pertaining to the SOC operation.
3. Assessment of Incident Management (IM) including review of policies, procedures and standards
pertaining to the IM operation; determining the adequacy of incident detection controls by
conducting mock incidents under controlled environment; evaluating the incident response under
various scenarios; evaluating the maturity of the incident response team.
4. Assessment of the network architecture, topology, network communication with third parties and
regulators.
5. Assessment of remote connectivity including VPN access.
6. Assessment of security appliances & solutions
7. External vulnerability assessment and penetration testing.
8. Internal vulnerability assessment and penetration testing.
9. Secure configuration review of firewalls, routers, switches, operating systems and databases being
used within the Organization.
10. Application & infrastructure review and assessment of multiple customer financial, internal financial
& internal non-financial applications.
11. Assessment of the Data Center and Disaster Recovery Sites.
12. Assessment of Business Continuity including review of strategy, policy, procedure & standards
pertaining to Business Continuity Management; review of BCP & DR drill results; review of adequacy
of the Business Continuity committee & required management support.
13. Assessment of the ATM operation including field based assessment of branch & off-site ATMs
14. Review of the process and monitoring adequacy of the Organization to comply with all local and
global regulatory requirements.
15. Social Engineering test to determine the IS awareness level among the employees.
16. Random survey pertaining to Information Security awareness
17. Advanced Persistent Treat (APT) resilience test to determine the adequacy of the APT solution.
18. Network Penetration testing of Internal and External Internet facing infrastructure
19. Application Security Assessment services of 25+ applications
20. Vulnerability assessment covering production infrastructure including multiple Operating Systems,
Web Servers, Databases, Mail Servers
21. Providing compliance services based on requirements of ISO27001 & ISO 22301
22. Providing user access control review for all platforms for critical production infrastructure
23. Review of adequacy of alignment between IT risk, Information Security risk and Operational Risk
assessment methodology used within the organization

Project Complexity:
This was a project for a financial sector client having large IT Infra-setup in Middle-East. The project
covers multiple applications, infrastructure systems and networks that were in the scope of the
security assessment. The project covered multiple locations within the region. The project required
the assessment team to perform its review against local and international best practices, compliance
requirements and regulatory standards. This was an approximately 20-man month project with the
team carrying out assessments across locations.

Locations:
Middle-East

Project Value:
Rs. ~1.6 Crores

9. List of Information Security Audit Tools used (commercial/ freeware/proprietary):

i. Commercial Tools

1. Nessus (Commercial Professional Version)


2. Burp Suite Professional
3. Checkmarx
4. Accunetix
5. And many more licensed or subscription based commercial tools
ii. Freeware Tools

1. Google Search
2. SamSpade
3. Tcp traceroute
4. Nmap
5. Sparta
6. hping2
7. Protos
8. XProbe
9. P0f
10. Nmap-cronos
11. Httprint
12. Smtpscan
13. SinFP
14. Metasploit Framework
15. Nikto
16. Cain & Cable
17. SQL Map
…. And many other open source tools

iii. Proprietary Tools

1. SecurEyes Centralized Vulnerability Management System


2. SecurEyes Advance Social Engineering Test System
3. SecurEyes Advanced Penetration Testing Toolkit
4. SeInfo_Grabber
(Tool used for application security reconnaissance)
5. SEWindowsXP_VA
(Tool for VA of windows XP)
6. SEWindows2003_VA
(Tool for VA of windows 2003)
7. SEWindows2008_VA
(Tool for VA of windows 2008)
8. SEWindows7_VA
(Tool for VA of windows 7)
9. SERedHat_VA
(Tool for VA of RedHat Linux)
10. SEAIX_VA
(Tool for VA of AIX)
11. SESolaris_VA
(Tool for VA of Solaris)
12. SEDB_VA
(Tool for VA of MS-SQL, MySQL, Oracle, PostGRE SQL)
13. SENW_VA
(Tool used for VA of network devices including switches, routers, Firewalls)
10. Outsourcing of Project to External Information Security Auditors / Experts : Yes/No
( If yes, kindly indicate mode of arrangement (MoU, contract etc.)) : No

*Information as provided by SecurEyes Techno Services Pvt. Ltd. on 24 March 2017.

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Deloitte Touche Tohmatsu India Limited Liability Partnership

1. Name & location of the empaneled Information Security Auditing Organization :

Deloitte Touche Tohmatsu India Limited Liability Partnership


Address: 12, Annie Besant Road,
Opposite Shiv Sagar Estate,
Worli, Mumbai - 400018

2. Carrying out Information Security Audits since : Prior to 2000

3. Capability to audit , category wise (add more if required)

 Network security audit (Y/N) : Yes


 Web-application security audit (Y/N) : Yes
 Wireless security audit (Y/N) : Yes
 Compliance audits (ISO 27001, PCI, etc.) (Y/N) : Yes
 IOT security testing : Yes
 Mobile application security : Yes
 Cloud security : Yes

4. Information Security Audits carried out in last 12 Months :

Govt. : Approximately 10 engagements


PSU : Approximately15 engagements
Private : Approximately250 engagements
Total Nos. of Information Security Audits done : Approximately275 engagements

5. Number of audits in last 12 months , category-wise (Organization can add categories based on
project handled by them)

Network security audit : Approximately 35


Web-application security audit : Approximately 40
Wireless security audit : Approximately 5
Compliance audits (ISO 27001, PCI, etc.) : Approximately 20

6. Technical manpower deployed for informationsecurity audits:

CISSPs : Approximately 15
BS7799 / ISO27001 LAs : Approximately 25
CISAs : Approximately 70
DISAs / ISAs : Approximately 10
Any other information security qualification : Approximately 70

Total Nos. of Technical Personnel:We have approximately 140 technical personnel. The
names listed in Annexure A is illustrative list of professionals involved in critical
infrastructure support for Public Sector.

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

Please refer to Annexure A : for details.

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) Along with project value.

No. of Computer Systems : > 70000


No. of Servers : 500
No. of Switches : 100
No. of Routers : 50
No. of Firewalls : 25
No. of IDS : 10
9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

Commercial Tools:

1. Nessus
2. Acunetix
3. Nipper
4. Burp-Suite
5. Netsparker

The above list of tools is indicative.

Freeware Tools:

a. Xprobe
b. Dnssecwalker
c. Tcpdump/tcpshow
d. Dsniff
e. Ettercap
f. Ethereal
g. Fping/ Hping
h. Queso
i. Nmap
j. SuperScan
k. Netwag
l. Firewalk
m. Q-Tip
n. SQLMap
o. Jack the Ripper
p. Crack 5.0a
q. NGS SQLCrack
r. HydraCain and Abel
s. Metasploit
The above list of tools is indicative.

10. Outsourcing of Project to External Information Security Auditors / Experts: Yes/No (If yes,
kindly indicate mode of arrangement (MoU, contract etc.))

Not Applicable

*Information as provided by Deloitte Touche Tohmatsu India Limited Liability Partnership on 27-
march-2017

Back
Annexure A:

Details of technical manpower deployed for information security audits in Government and Critical
sector organizations:

Duration Experience in
S. Qualifications related to
Name of Employee with Deloitte Information
No. (Years) Security (Years) Information security
CEH, ISO 27001 LA_LI, ITIL
1 Achal Gangwani 5.9 13.86 Foundation, CCNA
CISM, CISSP, ISSAP, ISO 22301
2 Anand Venkatraman 5.8 16.78
LI, COBIT5
OSCP, Certified Ethical Hacker
3 Abhijeet Jayaraj 2.6 3.63
(CEH v8)
4 Ashish Arora 0.7 10.72 CISSP, ITILV3, CNAP, RHCE, CWSE
5 Ashutosh Jain 1.2 5.22 CISA, CEH
6 Chinkle Umrania 2.3 6.00 CCNA, ISMS Internal Auditor, CISA
Certified Ethical Hacker (CEH V7),
ISO/IEC 27001:2005 Lead Auditor
7 Anand Kishore Pandey 3.2 6.10 from ISC, ISO/IEC 27001:2005
Lead Implementer from BSI, BS
25999:2007 Lead Auditor from ISC
8 Divin Proothi 2.0 10.96 CISA, SAP GRC 5.2
9 Gautam Kapoor 6.7 16.70 CISA, CISSP, ISO 27001 LA_LI
ITIL v3, ISO 27001, CEH V7,
10 Kapil Dev Sharma 1.3 10.83 PRINCE2 (Foundation), PRINCE2
(Practitioner)
11 Kartikeya Raman 4.0 7.48 ITIL v3, CISA
12 Maninder Pal Singh 1.1 12.78 Lead Auditor, CISSP, CISA, CEH
CCSK, CISM, CPISI, COBIT 5
FOUNDATION, ISMS, BCMS , QMS
13 Navaneethan M 1.2 6.22 ,DSCI, CEH, ITIL Version 3, RHCE,
CCSA, CCSE, CCNA, SCSA PART-1
& SCSA PART-II, SCNA
Certified Information Systems
Auditor (CISA).
ISO 27001:2005 ISMS Lead
Implementer
EC - Council Certified Ethical
14 Pawan Kumar 4.9 10.68 Hacker (CEH v6)
ITIL v3 Foundation certified.
Cisco Certified Network Associate
(640-802)
Deploying ASA Firewall -CCNP
Security (642-617
CEH, ISO 27001 LI, BCM - 400,
15 Preetam Hazarika 2.0 11.23 ArcSight ESM
CISA, ECSA LPT, CISSP, ITIL v3,
16 Reena Ulhas Pradhan 2.1 7.02 CEH, Cyber Crime investigator
certificate
CISA, ITIL V3 Foundation, ISO
17 Rohit Rane 1.8 12.10 27001 LI, ISO 27001 LA, ISO 2000
LA, BS25999 LA, A+, N+, CCNA,
ISO 27001 LI, ISO 25999 LI, BCM
Implementation, ISO 31000
18 Santosh Kumar Jinugu 4.0 12.46
Internal Auditor, CEH, SAP
Security
CEH, Qualys Guard Vulnerability
Management Certified, Nexpose
19 Shashank Gupta 0.8 4.26
Certified Administrator, Java
Professional
ISO 9001:2000 ; BS7799 LI ; ISO
27001 LA ; CISA ; CISM ; CISSP,
PMP, CEH, BS7799 LA, Info.
Security/ BS7799 LA, Info.
20 Vikas Garg 6.7 13.34
Security/ BS7799 LI, BS7799 to
ISO27001 Transition Certified,
BCP/ DR Certified, BS 15000 RCB
Auditor Examination (itSMF
Certified), ITSM/ BS15000
Certified LA, ITSM/ BS15000
Certified LI, QMS/ ISO 9001:2000
Certified Lead Auditor, DSCI - lead
assessor for privacy
21 Vivek Patil 0.8 5.81 CEH v8, PCISI, CISO, ITIL
22 Arshdeep Singh 5.5 5.5 ISO 27001 LI, CCNA
Program in Information security
23 Mahesh Kumar Heda 5.6 8.6
management
CISM, CRISC, COBIT, ITIL
24 Praveen Sasidharan 6.3 15.3 Foundation, BCCS, ISO 27001 LI,
BS25999 LI & CSPFA, CBCP

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

TAC InfoSec Private Limited

1. Name & location of the empanelled Information Security Auditing Organization :

TAC InfoSec Private Limited


E190, 4th Floor, Quark City, Industrial Area,
Phase-8B, Mohali-160055

2. Carrying out Information Security Audits since : 2013

3. Capability to audit , category wise (add more if required)

 Network security audit : Yes


 Web-application security audit : Yes
 Wireless security audit : Yes
 Compliance audits (ISO 27001, PCI, etc.) : Yes
 Source Code Review : Yes
 Red Team : Yes
 Mobil Applications : Yes

4. Information Security Audits carried out in last 12 Months :

Govt. : N/A
PSU : N/A
Private : 15+
Total Nos. of Information Security Audits done : 15+

5. Number of audits in last 12 months , category-wise (Organization can add categories based on
project handled by them)

Network security audit : 8+


Web-application security audit : 15+
Wireless security audit : 4+
Compliance audits (ISO 27001, PCI, etc.) : N/A
Mobile Application : 4+

6. Technical manpower deployed for information security audits :

CISSPs : 0
BS7799 / ISO27001 LAs : 0
CISAs : 0
DISAs / ISAs : 0
CSSP : 1+
CSSA : 1+
Any other information security qualification : 2+
Total Nos. of Technical Personnel : 5+

7. Details of technical manpower deployed for information security audits in Government and Critical
sector organizations (attach Annexure if required)

S. Name of Employee Duration with Experience in Qualifications related


No. <organization> Information Security to Information security
1. Mr. Trishneet 3.5 years 5 years Diploma in Ethical
Arora Hacking & Cyber
Security (IADL – UK )
2. Mr. Avinash Dixit 2 months 4 years MBA (Information
Technology)
3. Mr. Avneet Singh 3.5 years 3.5 years B-Tech (Information
Technology)
TAC-CSE(Cyber
Security Expert)
4. Mr. Gourav Bali 2.5 years 2.5 years MBA (Finance)
TAC-CSE(Cyber
Security Expert)
5. Mr. Sidhant Dogra 3 months 1.5 years M-Tech – Information
Security

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations etc.)
along with project value.

Project for one of the largest tyre manufacturer in the country. Scope included external network
and web VAPT, Internal Network VAPT of 50 + servers with 300 + systems. Value of the project
was approx 5 Lacs.

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

Web Application VAPT:

1.) Acunetix Consultant Edition (Commercial)


2.) Burp Suite Pro (Commercial)
3.) Dirbuster (Open Source)
4.) Nikto (Open Source)
5.) OWASP ZAP Proxy

Network VAPT:

1.) Nessus Vulnerability Scanner


2.) Wireshark
3.) Cain & Abel
4.) Metasploit
5.) smbclient
6.) snmpenum
7.) enum4linux
8.) netcat
9.) nslookup
10.) Exploit codes from exploit.db
11.) Other Kali OS tools as per the vulnerability

Configuration Review (OS & Devices):

1.) Nessus
2.) Nipper freeware
3.) Manual review

Wireless Penetration Testing:

1.) Atheros wifi card


2.) Aircrack-ng
3.) Wapiti
4.) Wifi - Pineapple

Red-Team:

1.) Malicious USB


2.) TAC PhishInfielder (TAC’s tool)
3.) Payloads (Self-Created)
4.) Other tools in kali OS.

10. Outsourcing of Project to External Information Security Auditors / Experts : No


( If yes, kindly indicate mode of arrangement (MoU, contract etc.)) N/A

*Information as provided by TAC InfoSec Private Limited on 24 March 2017

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

TATA Communications Ltd

1. Name & location of the empanelled Information Security Auditing Organization :

TATA Communications Ltd,


C-21 and C-36, G Block, Bandra Kurla Complex
Mumbai 400098

2. Carrying out Information Security Audits since : 2008

3. Capability to audit , category wise (add more if required)

 Network security audit : Y


 Web-application security audit : Y
 Wireless security audit : Y
 Compliance audits (ISO 27001, PCI, etc.) : Y

4. Information Security Audits carried out in last 12 Months :

Govt. : 3
PSU : 8
Private : 175
Total Nos. of Information Security Audits done : 186

5. Number of audits in last 12 months , category-wise (Organization can add categories based
on project handled by them)

Network security audit : 186


Web-application security audit : 7
Wireless security audit : 0
Compliance audits (ISO 27001, PCI, etc.) : 0

6. Technical manpower deployed for informationsecurity audits :

CISSPs : 6
BS7799 / ISO27001 LAs : 9
CISAs : 4
DISAs / ISAs :
Any other information security qualification:CEH,GCIA, GCIH,CISM,CHFI
Total Nos. of Technical Personnel : 150+

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Employee Duration with Experience in Qualifications related to


No. <organization> Information Security Information security
1 Mohan Dass 9 years 14 years CHFI,CEH,CISSP
2 Rajaguru GS 8 years 11 years ITIL,QCS

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

Network security Audit for of one of the largest Airline logistics company covering data center
locations in US and UK. The total deal value is INR 1,65,00,000 for Network and Security audit.

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

 Nessus
 Qualys Guard
 Burp Suite
 NMAP
 Kali Linux – Armitage
 Metasploit Framework
 SQL MAP
 FireEye Ax

10. Outsourcing of Project to External Information Security Auditors / Experts : No

*Information as provided by TATA Communications on 27-Mar-2017

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

CyberRoot Risk Advisory Private Limited

1. Name & location of the empanelled Information Security Auditing Organization :

CyberRoot Risk Advisory Private Limited


023, 5th Floor, Tower A, Emaar Digital Greens,
Sector 61, Gurugram - 122102, Haryana
2. Carrying out Information Security Audits since : 2013

3. Capability to audit , category wises

 Network Security Audit : Yes


 Web Application Security Audit : Yes
 Wireless Security Audit : Yes
 Physical Access Control & Security Testing : Yes
 Web Application Source Code Review : Yes
 Mobile Application Audit : Yes
 Configuration Audit : Yes
 Cyber Forensics Investigation : Yes
 Penetration Testing : Yes

4. Information Security Audits carried out in last 12 Months :

Govt. : 0
PSU : 0
Private : 13
Total Nos. of Information Security Audits done : 13

5. Number of audits in last 12 months , category-wise

Network Security Audit : 4


Web Application Security Audit : 8
Configuration Audit : 1
Wireless Security Audit : 0
Cyber Forensics Investigation : 20+

6. Technical manpower deployed for informationsecurity audits :

CISSPs : 0
BS7799 / ISO27001 LAs : 2
CISAs : 0
DISAs / ISAs : 0
Any other information security qualification : 6
Total Nos. of Technical Personnel : 12

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations

S.No. Name of Duration with Experience in Qualifications


Employee CyberRoot Risk Information related to
Advisory Pvt. Security Information security
Ltd.
1 Vibhor Sharma 3 years 6.5 years ISMS LA
2 Chiranshu Ahuja 3 years 6.5 years ISMS LA, CCCSP,
CCNA, CCNA Security
3 Vikash Pandey 1.5 years 3 years ACSE
4 Sudhir Kumar 1 year 2 years
5 Abhishek Verma 1 year 1 year PG Diploma in
Information Security,
CEH, CompTIA
Security+
6 ABHINAV RAWAT 1 year 1 year CISE
7 CHIRAG ARORA 0.5 year 0.5 year
8 Priya Singh 0.5 year 0.5 year CEH

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

Network security auditforone of the largest hotel brand in India

No. of Computer Systems : 3000+


No. of Servers : 480
No. of Routers : 160
No. of Switches : 320
No. of Firewalls : 197
No. of IDS/IPS : 170

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

Commercial:

 Burp Suite
 Acunetix

Freeware:

 Wireshak
 RIPS
 NexPose
 Nmap
 Metasploit scanner
 Sparta
 OWASP ZAP
 Cookie Manager
 W3AF
 Netstumbler
 Kismet
 Hydra
 Cain & Abel
 Tamper Data
 Net Sparker
 Nikto
 DirSearch
 Hamster
 Sqlmap
 SET
 Ettercap
 .Net Reflector
 NetStumbler
 Brutus
 BackTrack OS
 Kali Linux OS

Proprietary:

 Script to test for Administrative privileges granted to web application


 Script to test for CSRF
 Other scripts for verification of vulnerabilities

10. Outsourcing of Project to External Information Security Auditors / Experts : No

*Information as provided by CyberRoot Risk Advisory Private Limited on 22-Mar-2017

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Robert Bosch Engineering and Business Solutions Private Limited

1. Name & location of the empanelled Information Security Auditing Organization :

Robert Bosch Engineering and Business Solutions Private Limited


Electronic City Phase 1, Bangalore - 560100

2. Carrying out Information Security Audits since : Jan 2009

3. Capability to audit , category wise (add more if required)

 Network security audit (Y/N) : YES


 Web-application security audit (Y/N) : YES
 Wireless security audit (Y/N) : NO
 Compliance audits (ISO 27001, PCI, etc.) (Y/N) : YES

4. Information Security Audits carried out in last 12 Months :

Govt. : 0
PSU : 0
Private : 34
Total Nos. of Information Security Audits done : 34

5. Number of audits in last 12 months , category-wise (Organization can add categories based
on project handled by them)

Network security audit : 0


Web-application security audit : 33
Wireless security audit : 0
Compliance audits (ISO 27001, PCI, etc.) : 1

6. Technical manpower deployed for information security audits :

CISSPs : 1
BS7799 / ISO27001 LAs : 6
CISAs : 3
CWWH : 1
CEH : 7
CISM : 1
CoBIT : 1
DISAs / ISAs : 0
Any other information security qualification : 0
Total Nos. of Technical Personnel : 11

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Duration Experience in Qualifications


No. Employee with RBEI Information related to
Security Information security
1 Krishna Bhat May 1994 6 Years CISA, ISO/IEC 27001 -
(RBEI/DSO Lead Auditor,
RBIN/DSO)
2 Jeevan N Earappa Dec 2010 12 Yrs CISA (Certificate
(RBEI/BSD) awaited) , CISM, CoBIT
4.1, ITIL-V3,– ISO/IEC
ISO27001:2005 Lead
Auditor, BS
25999:2006
3 Deepak N May 2009 15 Yrs CISSP, CISA, ISO/IEC
(RBEI/DSO-Dp) 27001 - Lead Auditor
4 Vinod Kumar Sep 2003 5 Yrs CEH, ITIL V3
Vasudevan
(RBEI/BSW4)
5 Gautham 2008 8 Yrs CCNA, CEH V8,CWWH,
Balasundaram ISO 27001 Lead
(RBEI/BSD1) Implementer
6 Kulkarni Jun 2000 5 Yrs ISO/IEC 27001 - Lead
Pramodkumar V Auditor
(RBEI/DSO12)
7 Naresh Bikkina Sep 2012 4 Yrs CEH,
(CI/WBS-EU) ISO27001 Lead Auditor
8 Anish Marangattu May 2011 2 Yrs CEH
Ramadas
(RBEI/BSW4)
9 Harish Prabhu Aug 2014 3 Yrs CEH
Pethanan
(RBEI/BSW4)
10 Prakash Sep 2010 5 Yrs CEH
Thangavelu
(RBEI/BSW4)
11 Sudhakar June 2011 2 Yrs ITIL V3, ISO/IEC
Srinivasamurthy 27001 - Lead Auditor
(RBEI/BSD1)

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

Bosch Healthcare solution- Bosch has developed a comprehensive solution consisting


of a digital eye care device in conjunction with software.

This solution has various modules integrated which requires security implementation
end to end

1. Web Application
2. Web services
3. Android App
4. iOS App
5. Hardware Device
6. Bosch Cloud

1. Security experts assisted in building a secure solution from early stage.


2. Since the patient data is considered critical, our security experts made sure
that there is no possible way to steal the data by attackers
3. Security team supported in complying product with HIPAA standards

Project value is about USD 25000

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

1. Commercial - Checkmarx, Acunetix, Burp suite Pro


2. Freeware - Wireshark , Metasploit, ZAP , SQLMap, NMAP, OpenVAS

10. Outsourcing of Project to External Information Security Auditors / Experts : Yes/No


( If yes, kindly provide oversight arrangement (MoU, contract etc.)) - NO

*Information as provided by Robert Bosch Engineering and Business Solutions Private


Limited on 04/07/2017

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Qseap InfoTech Pv.t Ltd.

1. Name & location of the empanelled Information Security Auditing Organisation :

Name: - Qseap InfoTech Pv.t Ltd.

Registered Office Address: -

452, Central Facility Building No - 2,


Sector - 19, APMC Vashi,
Navi Mumbai-400705, Maharashtra, INDIA

Corporate Office Address: -

Office No. 101, Building No. 06, Sector No. 03,


Millennium Business Park, Kopar Kharine, Navi Mumbai,
Maharashtra 400710.

2. Carrying out Information Security Audits since : November 2011

3. Capability to audit, category wise (add more if required)

 Network security audit : YES


 Web-application security audit : YES
 Wireless security audit : YES
 Compliance audits (ISO 27001, PCI, etc.) : YES
 Mobile-application security audit : YES
 Secure Code Review : YES
 External/Internal Penetration Testing : YES
 Firewall Rule Base Audit : YES
 Threat Modeling : YES
 Web Service/ Flash/ Bluetooth Security Testing : YES
 Ethical Hacking/ blind Hacking : YES
 VoIP Security Review : YES

4. Information Security Audits carried out in last 12 Months :

Govt. : 10
PSU : 2
Private : 30+
Total Nos. of Information Security Audits done : ~45

5. Number of audits in last 12 months , category-wise (Organization can add categories based
on project handled by them)

Network security audit : 15


Web-application security audit : 40
Wireless security audit : 2
Compliance audits (ISO 27001, PCI, etc.) : 1

6. Technical manpower deployed for information security audits :

CISSPs :
BS7799 / ISO27001 LAs : 1
CISAs :
DISAs / ISAs :
Any other information security qualification: CEH, OSCP, CCNA
Total Nos. of Technical Personnel : 40+
7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

Experience in
Duration with Qualifications related to
S. No. Name of Employee Information
<organization> Information security
Security
1. SUNIL KAPRI 6 YEARS 10 YEARS EMBA, BE (IT)
2. PRAVEEN SINGH 6 YEARS 10 YEARS B.TECH (IT)
3. ABHIJEET DOKE 5 YEARS 5 YEARS B.E (IT) CISC
4. ABHISHEK TIWARI 5 YEARS 5 YEARS MSC (IT), CISC
5. MOHSIN DESHMUKH 7 MONTH 7 MONTH B.E (COMPUTER ENGG.)
6. ANUP NAIR 7 MONTH 3 YEARS B.E (IT) , CEH
7. SWAPNALI DIGHE 3 YEARS 3 YEARS B.SC , CEH
1 & HALF
8. KALYANI MALI 1 & HALF YEAR YEAR B.E (IT) , CEH
1 & HALF
9. PRAJAKTA VAITY 1 & HALF YEAR YEAR B.E (IT) , CEH
AMEYA 1 & HALF
10. HATKHAMBKAR 1 & HALF YEAR YEAR B.E (IT) , CEH
1 & HALF
11. SANDEEP DEOGIRE 1 & HALF YEAR YEAR MSC.COMPUTER
12. SHASHANK PUTHRAN 1 .5 YEAR 1 .5 YEAR B.SC (IT), OSCP
13. SAMEED KHAN 1 .5 YEAR 1 .5 YEAR B.E (IT) , CEH
14. AWDHESH YADAV 7 MONTH 7 MONTH B.SC (IT) , CCNA
15. VARUN KARAYAT 7 MONTH 7 MONTH B.SC (CS)
16. VIGNESH 1 .5 YEAR 1 .5 YEAR B.E (IT)
17. KARTIK 8 MONTHS 8 MONTHS B.E (ELE), CEH
18. SOORAJ KUMAR 2 YEARS 2 YEARS MSC.IT, CEH
1 & HALF
19. RUKSAR PATHAN 1 & HALF YEAR YEAR B.E (EXTC)
20. SUPRIYA PATIL 2 YEARS 2 YEARS MSC (IT), CEH
SHRINATH
21. NARAYANKAR 7 MONTHS 7 MONTHS B.E (IT)
22. ATHUL 4 YEARS 4 YEARS B.SC (IT)
23. SWAPNIL RANE 2 YEARS 2 YEARS B.SC
1 & HALF
24. VIDIT DAS 1 & HALF YEAR YEAR B.SC
25. AJIT SHARMA 5 YEARS 5 YEARS B.SC IT
26. SAURAV BHATT 3 YEARS 3 YEARS BCA
27. DOSHAN JINDE 3 YEARS 3 YEARS B.SC (IT), CEH
MSC NETWORK SYSTEM
28. AJITA GAWAI 5 YEARS 5 YEARS ENGINEERING

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) Along with project value.

Project Value: 50 Lac’s INR

Activity Scope Complexity Location

Penetration -Configuration Review of 9 -Understanding Saudi Arabiya,


Testing/Configuration Systems (TPAM, iAccess Plus, various applications Riyadh
Review of assets Tripwire, NIPS, Symantec End and devices in
(Applications and Point, Active Directory, WAF, scope.
Infrastructure DLP, Websense Proxy) - Preparation of
elements) under PCI -Application Security testing of checklists and
Scope 13 Applications baseline for third
-VAPT of 109Servers party proprietary
(Production Servers, DR, devices
Support Systems)
-Config Review of 109 Servers
and 20 Database servers

Security Review of PCI Detailed configuration review of Saudi Arabiya,


Network Segmentation 17 Firewalls, 9 Routers, 10 Riyadh
Switches. This included rule
base review to understand
segmentation
VA of above mentioned devices.
PCI Secure Code Saudi Arabiya,
Training Riyadh
Penetration Testing of 20 Core Banking Applications Saudi Arabiya,
mission critical Riyadh
transactional
applications
Security Review of 3rd Third party services like Swift, -Understanding the Saudi Arabiya,
Party Connections Bloomberg, VISA/Mastercard, architecture of Riyadh
Sms gateway, Payroll etc. various applications
-Identifying data
flowing towards
third party
applications.
-Spotting the
relevant rules in
firewall rule base
Security review of Webex server and Cisco Jabber Saudi Arabiya,
remote conferencing (VAPT) Riyadh
and sharing facilities
Security Review of VPN Saudi Arabiya,
and Websense Proxy Riyadh
Critical Infrastructure Review of Access to e-DMZ and Saudi Arabiya,
Security Review p-DMZ Riyadh
Security Review of Kiosk server & Application VAPT Saudi Arabiya,
Cash Acceptance and process review Riyadh
Machines
Establish security Review of current baselines Understanding the Saudi Arabiya,
control baselines business Riyadh
requirement.
Establishing
baselines as per the
business needs
Penetration Testing and Saudi Arabiya,
Security Source Code Riyadh
Review for CustoMobile

9. List of Information Security Audit Tools used (commercial/ freeware/proprietary):

Commercial:

 Nessus Professional
 Nipper
 Acunetix
 Burp Suite
 CheckMarx
Freeware:

 Nmap
 DOMTOOLS - DNS-interrogation tools
 Nikto - This tool scans for web-application vulnerabilities
 Firewalk - Traceroute-like ACL & network inspection/mapping
 Hping – TCP ping utilitiy
 Dsniff - Passively monitor a network for interesting data (passwords, e-mail, files, etc.).
facilitate the interception of network traffic normally unavailable to an attacker
 HTTrack - Website Copier
 Tools from FoundStone - Variety of free security-tools
 SQL Tools - MS SQL related tools
 John - John The Ripper, Password-cracking utility
 Paros - Web proxy for web application testing
 Wikto - Web server vulnerability assessment tool
 Back Track
 MetaSploit
 Ethereal - GUI for packet sniffing. Can analyse tcpdump-compatible logs
 NetCat - Swiss Army-knife, very useful
 Hping2 - TCP/IP packet analyzer/assembler, packet forgery, useful for ACL inspection
 Brutus – password cracking for web applications, telnet, etc.
 WebSleuth - web-app auditing tool
 HTTPrint – detect web server and version
 OpenVas
 W3af
 Owasp Mantra
 Wire Shark
 Ettercap
 Social Engineering Tool Kit
 Exploit database
 Aircrack-Ng
 SOAPUI
 Hydra
 Directory Buster
 SQL Map
 SSL Strip
 Hamster
 Grimwepa
 CAIN & Able
 Rips
 xIron Wasp
 Fiddler
 Tamper Data
 FOCA

Proprietary: -

 Own developed scripts for Operating System and Database Audit.

10. Outsourcing of Project to External Information Security Auditors / Experts : No

*Information as provided by Qseap InfoTech Pvt. Ltd. on 29-06-2017

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Yoganandh & Ram LLP

1. Name & location of the empanelled Information Security Auditing Organization


Yoganandh & Ram LLP
G-1, SHREE VISHNU APARTMENTS,
#12, 12TH CROSS STREET,
DHANDEESWARAM NAGAR,
VELACHERY, CHENNAI – 600 042

2. Carrying out Information Security Audits since : September-2009


(8 Years – 5 Months)

3. Capability to audit,category wise (add more if required)

• Network security audit : YES


• Web-application security audit : YES
• Wireless security audit : YES
• IT Security Audit : YES
• Data Centre Physical and Environment Security Audit : YES
• Internet & Mobile Security Audit : YES
• CBS/ERP Application Security Assessment : YES
• Information Security Policy Formulation & Assessment : YES
• Data Migration Audit : YES
• Cyber Forensics & Mail Forensics Analysis : YES
• Compliance audits (ISO 27001, PCI, CCA, IRDA, CRA, etc.) : YES
• BCP Policy Formation & Assessment : YES
• BCP DR Testing & Implementation : YES

4. Information Security Audits carried out in last 12 Months

Govt. : 6
PSU : 2
Private : 12
Total Nos. of Information Security Audits done : 20

5. Number of audits in last 12 months ,category-wise (Organization can add categories based on
project handled by them)

Network security audit : 5


Web-application security audit : 10
Information Technology Security Audit : 20
Data Migration Audit : 3
Physical and Environment Security Audit : 12
CBS/ERP Application Security Assessments : 1
Internet & Mobile Security Audit : 4
Information Security Policy Formulation & assessment : 4
Cyber Forensics & Mail Forensics Analysis : 2
Wireless security audit : 1
Compliance audits (ISO 27001, PCI,CCA,IRDA,CRA etc.) : 4
BCP Policy Formation & Assessment : 1
BCP DR Testing & Implementation : 1

6. Technical manpower deployed for information security audits

CISSPs : 1
BS7799 / ISO27001 LAs : 4
BS25999 : 1
LA-QMS-ISO 9001:2015 : 1
LA-BCMS-ISO 22301:2012 : 1
LA-ITSM-ISO/IEC 20000-1:2011 : 1
CISAs : 9
DISAs / ISAs : 2

Any other information security qualification:


1. Offensive Security Certified Professional : 1
2. Certified Ethical Hacker : 3
3. M.Sc/M.Tech- Cyber Forensics and Information Security : 3
4. PG Diploma in Cyber Law : 1
5. System Security Certified Practitioner : 1
6. CloudU : 2
Total Nos. of Technical Personnel : 14

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required) : As per Annexure-1

8. Specify Largest Project handled in terms of scope (in terms of volume,complexity, locations
etc.) along with project value.
IT Security Audit for one of the leading Banks in India

1. Scope inclusive of

a. Vulnerability Assessment for over 200 Servers,


b. Web Application Penetration Testing of Internet & Mobile Banking Applications,
c. CBS Application Review,
d. Policy Assessment,
e. Application security Assessments,
f. ATM Switch Review,
g. Physical and Environmental Audit.

2. Value: Over 12 Lakhs


3. No. of Applications: 20+
4. No. of Server: 200+
5. Locations: Chennai, Bangalore

9. List of Information Security Audit Tools used (commercial/ freeware/proprietary):

1. Nessus(Commercial)
2. Burpsuite(Commercial)
3. Nmap
4. Nikto
5. Sqlmap
6. John the Ripper
7. Wireshark
8. Hping3
9. SNMP Walk
10. Metasploit
11. W3af
12. Netcat
13. Pdump
14. THC Hydra
15. Acunetix Free Web Application Scanner
16. Dirbuster
17. ZAP
18. PW Dump
19. OWASP Xenotix
20. SEToolikit
21. Aircrack-ng
10. Outsourcing of Project to External Information Security Auditors / Experts(If yes, kindly
indicate mode of arrangement (MoU, contract etc.) : No

Back
Annexure-1

Sl.No Name of Employee Duration with Experience in Qualifications


organization Information related to
Security Information
security
1. T Manoj Kumar Jain 10 Years 3 Months 6 Years 5 Months CISA

2. R Chandrasekhar 6 Years 11 Months 14 Years CISA, DISA,


CISSP, ISO
27001:2013 Lead
Auditor, ISO
25999, PG
Diploma Cyber
Law
3. VinodhKumarar S K 2 Years 6 Months 2 Years 6 Months Offensive Security
Certified
Professional
(OSCP), Certified
Ethical Hacker
(C|EH), M.Sc.,
Cyber Forensics &
Information
Security
4. T Mariappan 7 Years 9 Months 6 Years 5 Months CISA, DISA

5. Saran Kumar M 1 Year 10 Months 2 Years 10 Months M.Sc., Cyber


Forensics &
Information
Security
6. BalajiBharadwaaj M 2 Years 10 Months 2 Years 10 Months ISO 27001:2013
Lead Implementer,
CISA, SSCP,
CloudU
7. Vinodhini G 9 Months 9 Months CISA, , ISO
27001:2013 Lead
Auditor

8. Sangeetha N 10 Months 10 Months CISA

9. Arul Selvan R 9 Months 9 Months Certified Ethical


Hacker
(C|EH),M.Tech-
Information
Security & Cyber
Forensics
10. Mohammed Mubariz S 2 Years 8 Months 2 Years 8 Months CloudU

11. T Chandra Prakash Jain 5 Years 4 Years 6 Months CISA

12. Pavana Kumar LKG Mushti 3 Years 3 Years CISA

13. Sreevatchan S 6 Months 6 Months Certified Ethical


Hacker (C|EH)
Sl.No Name of Employee Duration with Experience in Qualifications
organization Information related to
Security Information
security
14. Kamalutheen A 3 Months 3 Months CISA,LA-QMS-ISO
9001:2015
LA-BCMS-ISO
22301:2012
LA-ITSM-ISO/IEC
20000-1:2011
LA-ISMS-ISO/IEC
27001:2013,
Investigation
Basics

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Indusface Pvt. Ltd.

1. Name & location of the empanelled Information Security Auditing Organization :

Indusface Pvt. Ltd


A-2/3, 3rd Floor, Status Plaza,
Opp. Relish Resort, Atladara Old Padra Road,
Vadodara - 390020, Gujarat, India

2. Carrying out Information Security Audits since : 2004

3. Capability to audit , category wise (add more if required)

 Network security audit (Y/N) : Y


 Web-application security audit (Y/N) : Y
 Wireless security audit (Y/N) : Y
 Mobile application security audit : Y
 Compliance audits (ISO 27001, PCI, etc.) (Y/N) : N

4. Information Security Audits carried out in last 12 Months :

Govt. : 17 plus
PSU : 40 plus
Private : 600 plus
Total Nos. of Information Security Audits done : 5000 plus

5. Number of audits in last 12 months , category-wise (Organization can add categories based
on project handled by them)

Network security audit : 25 plus


Web-application security audit : 1000 plus
Wireless security audit : 10 plus
Mobile application security audit : 500 plus

6. Technical manpower deployed for information security audits :

CISSPs :
BS7799 / ISO27001 LAs :
CISAs :
DISAs / ISAs :
CEH : 10
Total Nos. of Technical Personnel : 12

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Duration with Experience in Qualifications


No. Employee <organization> Information related to
Security Information security
1 Khushboo sharma 1.8 years 9.7 years CEH
2 Rahul PK 1.8 years 3.1 years
3 Rahul Kshirsagar 2.3 years 2.7 years CEH
4 Mukesh Chaudari 1.1 years 1.5 years CEH
5 Deepti Pathak 1.2 years 2.6 years
6 Ambreen Ansari 1.6 years 2.2 years CEH
7 Trupti Sable 0.6 years 3 years CEH
8 Amit Dubey 0.6 years 1.0 years CEH
9 Mayur Patil 0.3 years 2.2 years CEH
10 Pranav Pisal 0.8 years 1.4 year CEH
11 Sagar Shah 3.5 years 3.9 years CEH
12 kalpana 1.5 years 2.1 years CEH
8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.: Reliance- RDAG, 50 Lakhs

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

Sr Testing Tool Name Commercial/


No Environment Freeware/Proprietary
1 Web Appsec Burp Suite Professional Commercial
2 SQLmap Freeware
3 Dirbuster Freeware
4 Wireshark Freeware
5 Winhex Commercial
6 Indusguard Scanner Proprietary
9 Mobile Appsec Android SDK Freeware
10 GenyMotion Freeware
11 ApkTool Freeware
12 Dex2Jar Freeware
13 JD-Gui Freeware
16 Burp Proxy Commercial
17 iOS Simulator Freeware
18 Cydia Freeware
20 iTools Freeware
22 iNalyzer Freeware
23 Androbugs Freeware
24 Network VAPT NMap Freeware
25 Nessus Commercial
26 Rapid7 Commercial
27 TestSSLScan Freeware
28 SSLScan Freeware

10. Outsourcing of Project to External Information Security Auditors / Experts : NO

( If yes, kindly provide oversight arrangement (MoU, contract etc.))

* Information as provided by Indusface Pvt. Ltd on 10th July 2017

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Haribhakti & Company LLP, Chartered Accountants

1. Name & location of the empanelled Information Security Auditing Organization :

Haribhakti & Company LLP, Chartered Accountants


701, Leela Business Park, Andheri Kurla Road, Andheri (E)
Maharashtra India 400059

2. Carrying out Information Security Audits since : 2000

3. Capability to audit , category wise (add more if required)

 Network security audit (Y/N) : Yes


 Web-application security audit (Y/N) : Yes
 Wireless security audit (Y/N) : Yes
 Compliance audits (ISO 27001, PCI, etc.) (Y/N) : Yes
 IT General Controls Review : Yes
 Vulnerability Assessment/Penetration Testing : Yes
 Cyber Security Awareness Workshop for Board Member
and Senior Members of Management : Yes
 Application/ERP Post implementation Review : Yes
 SAP – configuration controls review for various modules like Finance
and Costing, Material Management, Sales and Distribution, Production
planning and Quality Management, Human Resource, Use access
entitlement review, SAP Basis : Yes
 Cloud Security Review : Yes
 Data Privacy Review : Yes
 Data Migration Audit : Yes
 Digital Forensic Review : Yes
 Data Analytics : Yes

4. Information Security Audits carried out in last 12 Months :

Govt. : 1
PSU : Nil
Private : 20
Total Nos. of Information Security Audits done : 21

(In addition to the above engagements, we have carried out 9 ITGC reviews as a part of
internal audit and 50+ ITGC reviews as a part of Statutory Audit engagements)

5. Number of audits in last 12 months , category-wise (Organization can add categories based
on project handled by them)

Network security audit : 5


Web-application security audit : 3
Wireless security audit : Nil
Compliance audits (ISO 27001, PCI, etc.) : 20
(As a part of IT General Controls Review/Systems audit or IT Due Diligence)
Data Migration Audit : 1
Systems Audit : 4
Internal Financial Controls : 8

(*Some of the audits covers more than one scope as stated above)
6. Technical manpower deployed for information security audits :

CISSPs : Nil
BS7799 / ISO27001 LAs : 4
CISAs : 3
DISAs / ISAs : 2
CEH : 4
M.Tech/MS Cyber Security : 8
Total Nos. of Technical Personnel : 14

(* Some of the personnel have multiple certifications)

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Employee Duration with Experience Qualifications related to


No in Information security
. H & Co. Informatio
n Security
1. Rhucha Vartak 9 9 CISA, ISO 27001: 2008, CEH
2. Sandeep Shinde 4 9 ISO 27001:2013, CEH
3. Kapil Shah 2 2 ISO 27001:2013, CEH
4. Ankit Joshi 1 Year 10 Months 1 Year 10 M.Tech Cyber Security and Incident
Months Response
5. Amit Gohel 1 Year 10 Months 1 Year 10 M.Tech Cyber Security and Incident
Months Response
6. Chandraprakash Pandey 11 8 CISA, ISO 27001
7. Vikas Gupta 8 2 CA, CISA
8. Mitesh Parekh 5 5 CA, DISA
9. Shyamal Devmurari 9 Months 9 Months M. S. Digital Forensic & Information
Assurance
10. Kashyap Thakar 1 Year 1 Year M.Tech Cyber Security and Incident
Response
11. Varun Taker 1 Year 1 Year M.Tech Cyber Security and Incident
Response
12. Ashish Kapadiya Recent Appointments as M.Tech Cyber Security and Incident
13. Smeet Rawal Management Trainee Response (Pursuing)
14. Trupal Patel

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

The organization provides guaranteed clearing and settlement functions for transactions in
Money, G-Secs, Foreign Exchange and Derivative markets. We conducted a systems audit
comprising of 21 business critical applications. All the business operations are mission
critical. 4 of these applications and infrastructure is covered as a part of Payment Settlement
Systems Act 2007 of RBI. There were more than 100 infrastructure components like mix of
operating systems, databases, firewall, switches, routers etc.

Areas included Process Flow Statement, Risk Assessment of Systems, Achievement of the
Business Objectives of the system, Application level controls, IT Infrastructure assessment,
OS/db and application level controls, System Life cycle Maintenance, Backup, Business
Continuity Planning, Network architecture, Overview of External Personnel Security, Physical
security, General Controls and Assessment of HR requirement

The locations covered were Mumbai and Pune.

Project Value : 13 Lac

Team Size: 5
9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

Nessus, NMAP, Accunetix, Burp Suite, Kali Linux, AppDetective, SQL Map, Nikto, ZAP,
Wireshark, NetCat

10. Outsourcing of Project to External Information Security Auditors / Experts : No

*Information as provided by Haribhakti & Company LLP , Chartered Accountants on 11 July 2017

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Madhya Pradesh Agency for Promotion of Information Technology (MAP_IT)

1. Name & location of the empanelled Information Security Auditing Organization:

Madhya Pradesh Agency for Promotion of Information Technology (MAP_IT)


(A Regt. Society of Department of Science & Technology, Government of Madhya Pradesh)
State IT Center, 47-A, Arera Hills, Bhopal - 462021

2. Carrying out Information Security Audits since : 2014

3. Capability to audit, category wise (add more if required)


• Information Security Audit (Y/N) : Yes
• Web-application Security audit (Y/N) : Yes
• Vulnerability Assessment (Y/N) : Yes
• Penetration Testing (Y/N) : Yes

4. Information Security Audits carried out in last 12 Months:


Govt. : 12
PSU : 2
Private : None
Total No. of Information Security Audits done : 14

5. Number of audits in last 12 months, category-wise


(Organization can add categories based on project handled by them)

Web-application security audit : 14

6. Technical manpower deployed for information security audits:

CISSPs : Nil
BS7799 / ISO27001 LAs : 1
CISAs : 2
DISAs / ISAs : Nil
Any other information security qualification : 4
Total Nos. of Technical Personnel : 5

7. Details of technical manpower deployed for information security audits in Government and Critical
sector organizations (attach Annexure if required)

Experience in
Working with Qualification Related to
S.No Name of Employee Information
MAP_IT Since Information Security
Security
1. Roopak Srivastava Aug, 2014 5 Years CISA, PMI – PMP, ITIL v3
2. Viral Tripathi Nov, 2015 10 Years CCIE
3. Priyank Soni Apr, 2014 5 Years CISA, ISMS LA,CEH v9
4. Satyarth Dubey Oct, 2015 3 Years CSQA, COBIT Foundation,
Six Sigma
5. Vasundhara May, 2015 3 Years STQC-CIISA
Raghuvanshi

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations etc.)
along with project value : 50 Govt. of MP Dept. web application audited till date.

9. List of Information Security Audit Tools used (commercial/ freeware/proprietary):

S.No Name of the Tool Commercial/ Functionality


Freeware of the Tool
1. OWASP ZAP Open Source Web Application Pen Test
2. Burp Suite Professional Commercial Web Application Pen Test
3. Accuentix WVS 11.00 Commercial Web Application Pen Test
4. NMAP Open Source Port Scanner
5. W3af Open Source Web Application Scanner
6. Wikto Open Source Web Application Scanner
7. Solarwind Open Source Network Pen Test
8. Back Track Tool Kit Open Source Network and Application Pen Test
9. Wireshark Open Source Network Sniffer
10. Netstumbler Open Source Wireless Scanning
11. Aircrack Open Source Wireless Pen Test
12. Airmagnet Open Source Wireless Pen Test
13. Paros Open Source Web Application Proxy
14. Nipper Open Source Network Configuration File
15. Nikto Open Source Network Pen Test
16. Netcat Open Source Network Pen Test
17. Cain&Abel Open Source ARP Poisoning, DNS Poisoning
18. Mobisec Open Source Mobil Application Pen Test
19. Uniscan Open Source Web Application Pen Test
20. SQL MAP Open Source Web Application Pen Test

10. Outsourcing of Project to External Information Security Auditors / Experts : No

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

ANB Solutions Pvt Ltd

1. Name & location of the empanelled Information Security Auditing Organization :

ANB Solutions Pvt. Ltd.


901, Kamla Executive Park, Off Andheri-Kurla Road,
J. B. Nagar, Andheri East, Mumbai 400 059

2. Carrying out Information Security Audits since : 2009

3. Capability to audit , category wise (add more if required)

 Network security audit : Yes


 Web-application security audit : Yes
 Wireless security audit : Yes
 Compliance audits (ISO 27001, PCI, etc.) : Yes
 Software Asset Management : Yes
 Vulnerability Assessment and Penetration Testing : Yes
 Business Continuity and Disaster Recovery : Yes
 Application Security Review : Yes
 Regulatory System Audits : Yes
 Cyber Security Review : Yes

4. Information Security Audits carried out in last 12 Months :

Govt. : 2
PSU : 0
Private : 72
Total Nos. of Information Security Audits done : 74

5. Number of audits in last 12 months , category-wise (Organization can add categories based
on project handled by them)

Network security audit : 5


Web-application security audit : 4
Wireless security audit : 1
Compliance audits (ISO 27001, PCI, etc.) : 14
Application Security Audit : 38
ITGC DC Audit : 38
Application Security Audit : 32
Business Continuity and Disaster Recovery : 11
Application Security Audit : 32
VAPT : 15
Vendor Risk Management : 5
Software Asset Management : 1

6. Technical manpower deployed for information security audits :

CISSPs : 1
BS7799 / ISO27001 Las : 14
CISAs : 8
DISAs / ISAs : 4
CEH : 5
ISO22301 IA : 5
Total Nos. of Technical Personnel : 30
more than
7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. No. Name of Duration with Experience in Qualifications


Employee ANB Information related to
Security Information
security
1 Nirma Varma 16 years 16 years • CISA
• BS7799LA
• ISO 22301 IA
2 Vasudha Sawant 10 years 10 years • CISA
• ISO 22301 IA

3 Rashmi Maydeo 12 years 12 years • CISA


• CISSP
• ISO 27001 LA
• ISO 22301 IA
4 Preeti Raut 8 years 8 years • CISA
• ISO 27001 LA
• ISO 22301 IA
5 Pradeep Patil 2 years 10 years • CISA
• ISO 27001 LA
6 Vinit Shah 3.5 years 3.5 years • CISA (Associate)
• DISA
• ISO 27001 LA
7 Pranay Shah 6 years 2 years • CISA (Associate)
• DISA
8 Remella Suman 9 years 9 years • ISO 22301 IA
• Lean Six Sigma
Black Belt
• ITIL Foundation v.3
• PRINCE2
Practitioner
9 Varun Sharma 1 year 3 years • CEH
• ISO 27001 LA
10 Kunal Mehta 3 month 10 years • CISA
• ISO 27001 LA
• ITIL v3
11 Rajeev Kumar 1.9 years 1.9 years • ISO 27001

12 Sukanya 2 years 2 years • CEH


• ISO 27001 LA
Kanawade
13 Vibha Yadav 4 months 9 years • ISO 27001 LA
14 Niraj Soni 9 months 1 year • DISA
15 Mayuri Shah 8 months 8 months • DISA
16 Harshad Mahajan 6.4 years 6.4 years • ISO 27001 LA
17 Rahul Kamble 3 years 4.5 years • CEH
18 Sampoorna 12 years 10 years • ISO 27001 LA
Nagamalli
19 Divya John 11 onths • ISO 27001 LA

20 Rajeev Kumar 1.10 years 1.10 years • ISO 27001 LA

21 Preeti Sangmule 3.7 years 6.8 years  ISO 27001 LA


 ITIL
 CEH
22 Sudhanshu Rana 8-9 months 8 years  CEH
 CHFI
 ECSA
8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

1. For one of the largest private banks in India conducted:


 Vulnerability assessments for more than 1000 system (operating systems,
databases, network devices)
 Internal assessment for more than 20 web banking applications
 Hardening review of more than 5000 systems (operating systems, databases,
network devices)
 PROJECT VALUE: RS. 1 CRORE

2. Forone of the government owned information technology company in India conducted:


 NMS (Network Management System) Audit
 Inventory Audit
 SLA Monitoring Audit
 Security Audit of various networks.
 Vulnerability assessment & penetration testing on the identified components
 Reviewing configuration of network components such as router, firewall, IDS, proxy
server, NMS, HDMS etc.
 Physical and Environmental verification.
 Operations and Management Process and Control Audit
 PROJECT VALUE: RS. 7 CRORE

3. For a department of government of South Africa performed:


 Establishing IS Policy & Procedures
 Review and Establishing Cyber Security Framework
 Vulnerability Assessment and Penetration Testing
 Detailed Security Configuration Review of entire IT Infrastructure
 PROJECT VALUE: RS. 1 CRORE

4. For one of the renowned commodity exchange in India performed:


 Application Security Audit for 5 applications
 IT General Control and Datacenter operations Audit
 Vulnerability assessment of 125 system and Penetration Testing for 5 websites
 Business Continuity and Disaster Recovery Review

5. For some of the largest telecom companies in India conducted:


 Core Telecom Network and IT security for datacenter and applications
 Compliance to IT Act

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

SN Type of Tool Tool Name

1 Freeware  Nmap
 Snmp Walk
 Metasploit
 Cookie Editor
 Echo Mirage
 Winhex
 Kali Linux Framework
 Wireshark
 APK Analyser
 SQLMAP
 Dirbuster
 OWASPZAP
 VAMT
2 Commercial  Nessus Professional
 Burp Suite Professional
 ARSIM
 Lansweeper - License Compliance Auditing Software
3 Proprietary  Scripts for Oracle, Linux, AIX, Solaris, Windows
10. Outsourcing of Project to External Information Security Auditors / Experts : NO

(If yes, kindly provide oversight arrangement (MoU, contract etc.))

*Information as provided by ANB Solutions Pvt. Ltd. on 29th November 2017

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

BDO India LLP

1. Name & location of the empanelled Information Security Auditing Organization:

The Ruby, Level 9, 29, Senapati Bapat Marg,


Dadar West, Dadar, Mumbai, Maharashtra 400028

2. Carrying out Information Security Audits since : 2013

3. Capability to audit , category wise (add more if required)

 Network security audit (Y/N) : Yes


 Web-application security audit (Y/N) : Yes
 Wireless security audit (Y/N) : Yes
 Compliance audits (ISO 27001, PCI, etc.) (Y/N) : Yes
 Information Technology Audits (Y/N) : Yes
 Application control audit (Y/N) : Yes
 IT Governance Audit (Y/N) : Yes
 Cyber Security Assessments(Y/N) : Yes
 Business continuity and disaster recovery : Yes
 Software Compliance Review(Y/N) : Yes
 IT General Control Review(Y/N) : Yes
 Network Architecture Design Review(Y/N) : Yes
 SSAE 18 & SOC 2 Audit (Y/N) : Yes
 WebTrust Audit(Y/N) : Yes
 Vulnerability Assessment and penetration testing : Yes

4. Information Security Audits carried out in last 12 Months :

Govt. : 3 Approximately
PSU : 6 Approximately
Private : 15 Approximately
Total Nos. of Information Security Audits done : 25 Approximately

5. Number of audits in last 12 months, category-wise

Network security audit : 5 Approximately


Web-application security audit : 5 Approximately
Wireless security audit : 2 Approximately
Compliance audits (ISO 27001, PCI, etc.) : 15 Approximately

6. Technical manpower deployed for information security audits :

CISSPs : 4 Approximately
BS7799 / ISO27001 LAs : 5 Approximately
CISAs : 4 Approximately
DISAs / ISAs : 4 Approximately
Any other information security qualification : 15 Approximately
Total Nos. of Technical Personnel : 30 Approximately

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S.No. Name of Employee Duration Experience in Qualifications


with BDO Information related to
India LLP Security Information
security
1. Kartik Radia 7* 12 FCA, CPA, CISA, CIA,
ACS, ACM
2. Shravan Prabhu 0.2 12 ISO 22301 LA
3. Seemant Bisht 1 4.6 OSCP, Certified
ethical hacker
4. Ajinkya Ramesh 2.5 3 Certified ethical
Nikam hacker, Certified
forensic analyst,
CISC
5. Anita Patade 1.5 2 Certified forensic
analyst, Certified
information security
consultant
6. Bhavika Jain 0.5 2 MSc in Cyber
Forensic and IT
Security, BSc in
Forensic Science
7. Priya Raorane 0.3 5 CCNA,CCNA
Security,CEH V7
8. Mangesh Kolaskar 1.5 1.5 -

9. Burgis Elavia 0.6 2 Certified ethical


hacker V9

 * Kartik has served BDO with total experience of 7 years

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

1. Information technology audit for largest vehicle Manufacturing Company in


India

More than 1000+ end-points, 50+ servers, spread over 17 locations of the country

Project value: approximately INR: 15 Lakhs

2. SOC 2 Type II and Web Trust Audit for one of the biggest trust service provider
company

More than 5 location across the world in scope of SOC 2 Type II and Web trust Audit.

Project Value approximately INR: 40 Lakhs

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

Commercial Tools:

1. Nessus
2. Acunetix
3. Burp-Suite
4. Netsparker
5. Encase
6. FTK

The above list of tools is indicative.

Details of Audit Tools-Freeware

S. No. Tool Name Description


1. Achilles A tool designed for testing the security of Web Applications.
2. Brutus A Windows GUI brute-force tool for FTP, Telnet, POP3, SMB,
HTTP, etc.
3. CrypTool A Cryptanalysis Utility
4. cURL Curl is a tool for transferring files with URL syntax,
supporting FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET,
DICT, FILE and LDAP
5. Exploits Publicly available and homemade exploit code for the
different vulnerabilities around
6. Fscan A command-line port scanner, supporting TCP and UDP
7. Elza A family of tools for arbitrary HTTP communication with
picky web sites for the purpose of penetration testing and
information gathering
8. Fragrouter Utility that allows to fragment packets in funny ways
9. HPing A command-line oriented TCP/IP packet assembler/analyzer.
It supports TCP, UDP, ICMP and RAW-IP protocols, has a trace
route mode, the ability to send files between a covered
channel, and many other features.

10. ISNprober Check an IP address for load-balancing.


11. ICMPush A tool that sends ICMP packets fully customized from
command line
12. John The Ripper A password cracker
13. L0phtcrack NTLM/Lanman password auditing and recovery application
14. Tenable Nessus A free, powerful, up-to-date and easy to use remote security
scanner. This tool could be used when scanning a large
range of IP addresses, or to verify the results of manual
work.

15. Netcat The swiss army knife of network tools. A simple utility which
reads and writes data across network connections, using
TCP or UDP protocol
16. NMAP The best-known port scanner around
17. p0f Passive OS Fingerprinting: A tool that listens on the network
and tries to identify the OS versions from the information in
the packets.
18. Pwdump Tools that grab the hashes out of the SAM database, to use
with a brute-forcer like L0phtcrack or John
19. SamSpade and Graphical tool that allows to perform different network
Dnsstuff queries: ping, nslookup, whois, IP block whois, dig, traceroute,
finger, SMTP VRFY, web browser keep-alive, DNS zone transfer,
SMTP relay check, etc.

HELIX3 collect data from physical memory, network connections, user


20. accounts, executing processes and services, scheduled jobs,
Windows Fegistry, chat logs, screen captures, SAM files,
applications, drivers, environment variables and Internet history

21. FTK Multi-purpose tool, FTK is a court-cited digital investigations


platform built for speed, stability and ease of use.
22. SANS Investigative Multi-purpose forensic operating system
Forensics Toolkit - SIFT
23. Wireshark Open-source packet capture/analyzer, backend library used is
[win]pcap.
10. Outsourcing of Project to External Information Security Auditors / Experts: Yes/No
(If yes, kindly provide oversight arrangement (MoU, contract etc.))

Not Applicable

*Information as provided by BDO India LLP on 04/12/2017

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

CMS IT Services Pvt Ltd

1. Name & location of the empaneled Information Security Auditing Organization :

CMS IT Services Private Limited


No. 236, Venkatadri IT Park,Konappana Agrahara
Electronic City Phase-1,Bangalore, Karnataka – 560100

Registered Address: 2nd Floor, "61 Radius"


Plot No. 61, Road No. 13 MIDC, Andheri
(East), Mumbai City MH 400093 IN

2. Carrying out Information Security Audits since : <2014>

3. Capability to audit, category wise (add more if required)

 Network security audit (Y/N) : Y


 Web-application security audit (Y/N) : Y
 Wireless security audit (Y/N) : Y
 Infra security audit (Y/N) : Y
 Strategy/Security roadmap audit (Y/N) : Y
 Compliance audit (ISO 27001, PCI, etc.) (Y/N) : Y

4. Information Security Audits carried out in last 12 Months :

Govt. : <0>
PSU : <1>
Private : <10>
Total Nos. of Information Security Audits done : 11

5. Number of audits in last 12 months, category-wise (Organization can add categories based
on project handled by them)

Network security audit : <9>


Web-application security audit : <5>
Wireless security audit : <6>
Infra security audit : <9>
Strategy/Security roadmap audit : <1>
Compliance audit (ISO 27001, PCI, etc.) : <6>

6. Technical manpower deployed for information security audits :

CISSPs : <1>
BS7799 / ISO27001 LAs : <4>
ISO27001 LIs : <2>
CISAs : <2>
DISAs / ISAs : <0>
Any other information security qualification : <30 >
Total Nos. of Technical Personnel : 135

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Duration Experience in Qualifications


No. Employee with CMS IT Information related to
Services Security Information security
1. Aditya Vardhan 3.5 17 CISA, CISSP, CPISI
2. Avinash Jadhav 1.8 8 ISO27001 LA, CISA,
CHFI
3. Vinamra Rai 2.8 2.8 M.S in Cyber Law and
Information Security,
ISO 27001:2013 LI,
CEH, Cyber octet
CPISA
4. Srinivas Rao 11 11 MCSE
Sirikonda
5. A V H S Prasad 7.3 9.3 CCNP, CEH, MCTS
Rao
6. R Prasun Kumar 0.8 3.8 M.S in Cyber Law and
Naidu Information Security,
ISO 27001:2013 LI,
ITIL 2011 F
7. Tajinder Pal Singh 1.4 7 ISO 27001:2013 LA
Kalsi
8. Ankita Singh 2 2.5 ISO27001 LA
9. Alok Kumar 0.9 2 ISO27001 LA
10. Ritesh Kumar 0.6 6 MCSA, CCNA, CCDE
11. Paresh 17.3 17.3 CCNP R&S
Ravindranath
Chogle
12. Kalpesh S Patwa 22.4 22.4 HCNP (Huawei Certified
Network Professional),
CCNSP (Cyberoam
Certified Network
Security Professional),
VTSP - NV (Network
Virtualization 2016)
13. Ajit Kumar Potnuri 2.7 2.7 MCSE (OEM
Certification -Trend)
14. Unaise E K 1.2 1.2 CCNA
15. Naga Srinivas 2.5 2.5 CCNA
Mangipudi

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

Leading Energy (Public) sector organization – Yearly Security Audits

The audit was conducted across complex architecture of multiple Gateway Locations and audit
comprised of:

 Policy/Process Assessment
 Network Architecture Review
 Network Security Assessment
 Security Configurations Review
 Vulnerability Assessment & Penetration Testing (Applications & Infra)

Emerging (Unconventional) Power sector company – Information Security Audit

The audit was conducted across the enterprise aiming at identifying the gaps in security posture and
remediating them through a well-established Security Roadmap:

 Information Security Roadmap development


 Cloud Landscape Assessment
 Policy/Process Assessment
 Network Architecture Review
 Network Security Assessment
 Security Configurations Review
 Vulnerability Assessment & Penetration Testing (Applications & Infra)

Leading FMCG organization – Security assessment

This assessment was conducted across the enterprise to identify vulnerabilities that were existent in
network, devices and web applications, and the remediation thereof,

 Policy/Process Assessment
 Network Security Assessment
 Vulnerability Assessment & Penetration Testing (Applications & Infra)

Leading Manufacturing sector organization – Security Assessment


This assessment was conducted across the organization targeted towards preparation for ISO
27001:2013 certification:

 Policy/Process Assessment
 Network Security Audit
 Security Configurations Review
 Vulnerability Assessment & Penetration Testing

9. List of Information Security Audit Tools used (commercial/ freeware/proprietary): Commercial &
Freeware

Commercial:

 Nessus
 Acunetix
 Burp Suite

Freeware:

 Kali Linux
 Nmap
 Wireshark
 SQLMap
 TCPDump
 Metasploit
 OpenVAS
 Nikto
 Dirb
 Open source tools

10. Outsourcing of Project to External Information Security Auditors / Experts: Yes/No


(If yes, kindly provide oversight arrangement (MoU, contract etc.)) NA

*Information as provided by CMS IT Services Pvt. Ltd. on 04/12/2017

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Esec Forte Technologies Pvt Ltd

1. Name & location of the empanelled Information Security Auditing Organization :

ESEC FORTE TECHNOLOGIES PRIVATE LIMITED.

Registered Address:

Pocket A-2 Sector-5, Rohini, Delhi-110085,

Corporate Office (Mailing Address):

Level 2, Enkay Centre, Vanijya Kunj,


Udyog Vihar, Phase V, Gurgaon -122016 (Opp. Cyber Hub)

Branch Office:

 165, Intermediate Ring Rd, Amarjyoti Layout, Domlur,


Bengaluru, Karnataka 560081

 Plot C 59, Bandra Kurla Complex,


9th Floor, Platina, G Block, Mumbai – 400051

 C-38, Sahityik Sailajaranjan St Sec-2A,


Bidhannagar, Durgapur, WB– 713212

2. Carrying out Information Security Audits since : 2011

3. Capability to audit , category wise (add more if required)

 Network security audit : Yes


 Web-application security audit : Yes
 Wireless security audit : Yes
 Compliance audits (ISO 27001, PCI, etc.) : Yes
 Digital Forensics and Malware Analysis : Yes
 DDOS Assessment : Yes
 Gap Assessment : Yes
 Social Engineering Engagement : Yes

4. Information Security Audits carried out in last 12 Months :

Govt. : 01
PSU : 02
Private : 15
Total Nos. of Information Security Audits done : 18

5. Number of audits in last 12 months , category-wise (Organization can add categories based on
project handled by them)

Network security audit : 15


Web-application security audit : 5
Wireless security audit : 1
Compliance audits (ISO 27001, PCI, etc.) : 2
Wireless Assessment Audits : 1
DDOS Assessment : 1
Social Engineering Engagement : 1

6. Technical manpower deployed for information security audits :

CISSPs : 1
BS7799 / ISO27001 LAs : 3
CISAs/ CISMs : 1
DISAs / ISAs : 0
Any other information security qualification : CEH – 6,
ECSA, CDFE, Nexpose Certified, Metaploit Certified, Tenable Certified, MCSE,
ITIL V3, Cyberark Vault Admin, PCI DSS 3.2, Sourcefire Certified,
QualysGuard Security Expert.

Total Nos. of Technical Personnel : 13 –Information Security;


(50+ Total team Size)

7. Details of technical manpower deployed for information security audits in Government and Critical
sector organizations (attach Annexure if required)

S.No Technical Working with Information Security Related Total


Personnel’s the Qualification Experience
Name Organization in
Since Information
Security
Related
activities
(Years)
1 Lt Col August 2016 CISM, CEH v9, ISO 27001 LA,
Snehamoy Nexpose Administrator (VM),M.Tech
Banerjee (Retd.) (IIT, Kanpur), DP (IIM,Lucknow) ,
B.Tech (MCTE) 28
2 Sachin Kumar April 2011 CISSP, CEH v9, CDFE, ISO
27001,Nexpose Certified
Administrator, Metasploit Certified
Administrator,B.Tech 11
3 Saurabh Seth April 2017 CEH, MCSE: Security, ITIL V3,ECSA,
CyberarK Vault Administrator, CPISI
– PCI DSS v3.2, Sourcefire Certified
Professional, Qualys Guard Security
Expert. MS Cyber Law 10
4 Kunal Bajaj September ISO 27001, B.Tech, MBA
2013 9
5 J.K February 2016 CEH v9, M.Tech 2
6 H.S April 2014 CEH v9, B.Tech, MBA (Result
Awaited) 2
7 P.B August 2017 CEH V9,Advanced Ethical
Hacking,Ethical Hacking and
Forensics, CSE 1
8 VI.R Jan 2017 M.Tech,B.Tech 1
9 P.S August 2015 M.Tech (ICT) 3
10 V.RA Dec 2016 B.E 1
11 J.W July 2017 B.Tech 1
12 A.T Sep 2014 B.Tech 3

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations etc.)
along with project value.

S.No Brief Description of Work Details of Contact Person at Auditee


Organization (Name, email, website,
URL, Mobile telephone etc)
1 Vulnerability Assessmemt – 600 IP External Leading Aviation/ Airport Management
Pen Testing 100 IP Configuration Audit- 40 Company.
Devices Application Assessment- 20
2 Vulnerability Assessment -300 IPs Leading Internet Service Provider Company
Penetration Testing 50 Devices Configuration
Audit - 28 Devices
9 Vulnerability Management Implementation Leading Global Technology Company
across multiple countries for 40,000 IPs
13 Risk Assessment, ISMS Implementation, Leading Bank in Afghanistan
Network Security Audit
9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

• Metasploit,
• Nexpose,
• Nessus,
• Nipper,
• Netsparker,
• Checkmarx,
• Burp Suite,
• Nmap,
• Wireshark,
• Immunity Canvas,
• Immunity Silica,
• Hak5 (Pineapple Wifi),
• Social Engineering Toolkit
• Kali Linux
• Aircrack-ng.
• Cisco Global Exploiter,
• Ettercap.
• John the Ripper.
• Kismet.
• Maltego.
• Cuckoo
• Volatility
• sslstrip
• hping3
• dnswalk
 Proprietary – DDOS Assessment

10. Outsourcing of Project to External Information Security Auditors / Experts : No


( If yes, kindly provide oversight arrangement (MoU, contract etc.))

*Information as provided by < eSec Forte Technologies Pvt. Ltd.> on <Dec 02 2017>

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Finest Minds Infotech Private Ltd

1. Name & location of the empanelled Information Security Auditing Organization :

Finest Minds Infotech Private Ltd.


#90, 2nd Floor, 17th cross, 14th Main,
HSR Layout, Bangalore-560102

2. Carrying out Information Security Audits since : 2016

3. Capability to audit , category wise (add more if required)

 Network security audit (Y/N) : Y


 Web-application security audit (Y/N) : Y
 Wireless security audit (Y/N) : N
 Compliance audits (ISO 27001, PCI, etc.) (Y/N) : Y

4. Information Security Audits carried out in last 12 Months:

Govt. : 01
PSU : 01
Private : 13
Total Nos. of Information Security Audits done : 15

5. Number of audits in last 12 months , category-wise (Organization can add categories based
on project handled by them)

Network security audit : 06


Web-application security audit : 20
Wireless security audit : 00
Compliance audits (ISO 27001, PCI, etc.) : 05

6. Technical manpower deployed for information security audits :

CISSPs : 00
BS7799 / ISO27001 LAs : 02
CISAs : 00
DISAs / ISAs : 00
Any other information security qualification -CEH : 05
Total Nos. of Technical Personnel : 15

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Duration with Experience in Qualifications related


No. Employee <organization> Information to Information
Security security

1. Akshat Jain 1+ Years 15+ Years MBA IIM-Lucknow

2. Utkarsh Garg 1+ years 2+ years M.Tech

3. Mukul Kantiwal 1+ Years 2+ Years B.TECH, CEH

4. Mridul Mundhra 1 Years 2 Years M.TECH

5. Nikhil Ajmera 1+ Years 2+ Years B.TECH

6. Rahul Singh 1+ Years 2+ Years B.TECH

7. Sandeep C S 1+ years 1 + years B.TECH


8. Abhishek Singh 3+ Months 1 Year B.TECH
8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

 Application Security audit


 IT Security Audit, ISMS Consultancy /Audit
 Industrial Control Systems security audit
 Performance audit

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

Commercial
 Nessus
 WebInspect
 Acunetix
 Burp

Freeware
 Paros
 W3af
 nmap
 SQLMap
 Kismet
 Kali Linux
 Fiddler
 Wireshark
 BeEF
 Nikto
 Metasploit framework
 John the ripper

10. Outsourcing of Project to External Information Security Auditors / Experts : Yes/No


( If yes, kindly provide oversight arrangement (MoU, contract etc.))No

*Information as provided by Finest Minds Infotech Pvt Ltd on 03rd December 2017

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Imperium Solutions
1. Name & location of the empanelled Information Security Auditing Organization :

Imperium Solutions,
#B4 Laxmi Niwas,
Opp Gokhale Hall (Bedekar School),
BPD Road, Naupada, Thane (W) 400602,
Maharashtra, India

2. Carrying out Information Security Audits since : Nov 2008

3. Capability to audit , category wise (add more if required)

 Network security audit (Y/N) : Y


 Web-application security audit (Y/N) : Y
 Wireless security audit (Y/N) : Y
 Compliance audits (ISO 27001, PCI, etc.) (Y/N) : Y

4. Information Security Audits carried out in last 12 Months :

 Govt. : <number of> : 1


 PSU : <number of> : 1
 Private : <number of> : 13
 Total Nos. of Information Security Audits done : 21
(this includes internal audits conducted as part of ISO standard implementation)

5. Number of audits in last 12 months , category-wise (Organization can add categories based
on project handled by them)

 Network security audit: <number of> : 8


 Web-application security audit: <number of> : 6
 Wireless security audit: <number of> : 2
 Compliance audits (ISO 27001, PCI, etc.): <number of> : 7

6. Technical manpower deployed for information security audits :

 CISSPs : <number of> : 0


 BS7799 / ISO27001 LAs : <number of> : 3
 CISAs : <number of> : 2
 DISAs / ISAs : <number of> : 0
 Any other information security qualification: <number of>: 2
(MS in Information Security)
Total Nos. of Technical Personnel : 4

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Employee Duration with Experience in Qualifications related


No. Imperium Information to Information
Solution Security security
1 Ms. Tasneam V 10 yrs 15 yrs CISA, Diploma Cyber
Law
2 Mr. Prakash D’Silva 4 yrs 4 yrs ISO 27001 Lead Auditor
3 Mr. Shrikant Iyer 7 yrs 7 yrs CISA, Certified external
auditor
4 Ms. Swedha Fernandes 5 yrs 20+ yrs Bank Auditor
5 Mr. Jude D’Costa 6 months 6 months MS in Information
Security
6 Mr. Kirankumar Patel 6 months 6 months MS in Information
Security
8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value. : Hexaware Technologies Ltd.
(Audit and Re-Audit of 4 locations across the country and 1 location in Russia, Total of 30
servers and 20 network devices. Project Value – 3lks)

9. List of Information Security Audit Tools used ( commercial / freeware / proprietary)


 Commercial - Nessus,
 Freeware – NMAP, Kali Linux,
 Proprietary - None

10. Outsourcing of Project to External Information Security Auditors / Experts : Yes / No (If yes,
kindly provide oversight arrangement (MoU, contract etc.))

*Information as provided by < Imperium Solutions> on <28th November 2017>

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Kochar Consultants Private Limited

1. Name & location of the empanelled Information Security Auditing Organization :

Kochar Consultants Private Limited - Mumbai

2. Carrying out Information Security Audits since : 2005

3. Capability to audit , category wise (add more if required)

 Network security audit (Y/N) : Yes


 Web-application security audit (Y/N) : Yes
 Wireless security audit (Y/N) : Yes
 Compliance audits (ISO 27001, PCI, etc.) (Y/N) : Yes
 IT General Controls Review : Yes
 Vulnerability Assessment/Penetration Testing : Yes

4. Information Security Audits carried out in last 12 Months :

Govt. : Nil
PSU : 1
Private : 25+
Total Nos. of Information Security Audits done : 25+

5. Number of audits in last 12 months , category-wise


(Organization can add categories based on project handled by them)

Network security audit : 1


Web-application security audit : 2
Compliance audits (ISO 27001, PCI, etc.) : 2
IT General Controls Review : 5
IT Audit of Insurance Companies as per IRDA guidelines : 4
Process Reviews : 1
Regulatory Compliance Audits - Exchange Members : 25+
Annual Compliance System Audit, etc.
Audit of Wallet Companies as per RBI guidelines : 2
EKYC Audits as per UIDAI Guidelines : 2

6. Technical manpower deployed for information security audits :

CISSPs : Nil
BS7799 / ISO27001 LAs : 3
CISAs : 5
DISAs / ISAs : 2
Any other information security qualification: : 1
Total Nos. of Technical Personnel :
(* Some of the personnel have multiple certifications)

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Duration with Experience Qualifications related


No. Employee Kochar in to Information
Consultants Information security
Security
1. Pranay Kochar Jul-06 10 CISA, DISA
2. Sona Shah Jul-05 8 DISA
3. Mithun Lomate Mar-10 6 CISA, COBIT Assessor
4. Ganesh Mane Jan-16 7 OSCP, H3X, CFE, CPT
5. Vidya Kamath Feb-16 12 CISA, ISO 27001 LA
6. Varsha Ahuja Feb-16 2 CISA
7. Kamlesh Kale Jul-16 6 CISA, CISM, ISO 27001
LA
8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

Client Name: Leading Commodity Exchange

Scope of Work:

Sr. Activities
Reviewing and carry out necessary changes of Standard Operating Procedure (SOP) for
1. all the departments of the organization as per latest ISO 9001:2008, 14001:2004 &
27001:2013 standards for its improvement.
Review and carry out necessary changes of Information Security Policies / procedures /
2.
Plans / Risk Management report / Guidelines etc. and its implementation.
Carry out audit of internal process for each department and effectiveness of controls
3. implemented based on ISO 9001:2008, 14001:2004 27001:2013 and as per TOR of SEBI
circular CIR/CDMRD/DEICE/01/2015 dated November 16, 2015, excluding VA & PT.
Vulnerability Assessment and Penetration Testing (VA & PT) of all servers and network
4.
components.
Reviewing and updating BCP, DRP for new changes, if any and Review for area of
5.
improvement as per ISO 22301 standard.
Preparing Cyber Security & Resilience Policy considering the SEBI circular and industry
6.
best practices
7. Consultancy for Implementation of Cyber Security & Resilience Policy
Review the controls implementation against Guidelines for Protection of National Critical
8. Information Infrastructure issued by National Critical Information Infrastructure
Protection Centre, National Technical Research Organization

Locations: Mumbai & Delhi

Project Value: 15 lakhs.

List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

 Freeware Tools
o Nmap, Superscan and Fport - Port Scanners
o Metasploit framework, Netcat, BeEF , Cain & able, Hydra, John the ripper - Penetration
Testing & Password cracking
o Process explorer, Sigcheck - Windows Kernel & malware detection
o Netstumbler , Aircrack-ng suite & Kismet – WLAN Auditing
o OpenVas, W3af, Nikto - Vulnerability scanner
o Wireshark – Packet Analyser
o SQL Map
o Kali Linux and all tools inbuilt into it.

 Commercial Tools
o Nessus – Vulnerability Scanner
o Burp Suite, Acunetix - Web application auditing
o Passware: Password Cracking

9. Outsourcing of Project to External Information Security Auditors / Experts : No


( If yes, kindly provide oversight arrangement (MoU, contract etc.))

*Information as provided by <Kochar Consultants Private Limited> on <28/11/2017>

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Larsen & Toubro Infotech Ltd

1. Name & location of the empanelled Information Security Auditing Organization :

LTI (A Larsen & Toubro Group Company)


L&T House,
Ballard Estate, Mumbai 400 001, India

2. Carrying out Information Security Audits since : 2012

3. Capability to audit , category wise (add more if required)

 Network security audit : Yes


 Web-application security audit : Yes
 Network Penetration Testing : Yes
 Mobile Application Security testing : Yes
 Wireless security audit : Yes
 Compliance audits (ISO 27001, PCI, etc.) : Yes

4. Information Security Audits carried out in last 12 Months:

Govt. : 10+
PSU : 0
Private : 62+
Total Nos. of Information Security Audits done : 72+

5. Number of audits in last 12 months , category-wise (Organization can add categories based
on project handled by them)

Network security audit : 6


Web-application security audit : 50+
Network Penetration Testing : 10+
Mobile Application Security testing : 4
Wireless security audit : 0
Compliance audits (ISO 27001, PCI, etc.) : 2

6. Technical manpower deployed for information security audits :

CISSPs : 2
BS7799 / ISO27001 LAs : 7
CISAs : 2
DISAs / ISAs : 0
OSCP : 1
CEH : 24
CHFI : 2
CCNP and CCNA : 11
PCI DSS v3.2 Implementation : 1
CRISC : 1
OEM vendor certified professionals : 13+
Total Nos. of Technical Personnel : 170+

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

Experience
S. Name of Duration in Qualifications related to Information
No. Employee with LTI Information security
Security
3 years CISA, ISO 27001 LA, CEH, Certified
Pavankumar
1 12 years Qualys Guard Specialist, IBM QRadar
Shukla
SIEM Certified
3 years COBIT5, ISO 27001 LA, CEH v8, ECIH,
Nath Dibya ITIL, Prince2, Privacy and Data
2 8 years
Ranjan Protection (PDPF), PCI DSS v3.2
Implementation, Certified Sarbanes
Oxley Expert (CSOE), IBM QRadar,
Qualys Guard Certified Specialist
Pradeep 3 years
3 11+ years OSCP, ISO 27001 LA, CEH, CCNA
Mahangare
Hartley John 1 year
4 25 years MCSE, CCNP, CISSP
Dow
Rajesh 11 months
5 8 years ISO 27001 LA, CEH, CHFI, MCP
Sharma
Vijaykumar 2+ years CEH, ISO 27001, CISRA, ITIL V3 F, UK
6 13 years Government GCHQ-Certified CIPR
Reddy
Sudarsanan 1+ years
CEH , ISO Lead Auditor 27001:2013 ,
7 Sudheesh 6 years
McAfee SIEM Admin
Nambekkat
3+ months CISA, CRISC, PMP,
Prasanna
8 9 years CSX(Fundamentals), ISO 27001 LA,
Lalgudi
DCPP
Mayur 1+ years
9 8 years CEH, MCP
Somwanshi
10 Rahul Mehta 2+ months 14 years CEH
Vinayak 11 Months
11 6+ years CEH, CCNA
Sakhare
Aakanksha 1 Month
12 2+ years CEH, ISO 27001 LA
Deo
13 Nikhil Kasar 2.11 years 3+ years CEH
Chetansingh 2.11 years CEH, QualysGuard– Vulnerability
14 3+ years
Rathod Management
15 Ravi Teja 2.10 years 3+ years CCNA, CEH
16 Navin Mhatre 9 months 6 years CEH, ArcSight AESA, IBM Qradar
Chattopadhyay 1+ years
17 2 years CEH
Tishya
Fernandez 1+ years
18 6 years CEH
Dominic
19 Madhavan N 1+ years 6 years CCNA, CEH
1+ years Arcsight ESM Security Analyst, CEH,
20 Vijay Lalwani 3.9 years Certified Network Defender, ITILv3
Foundation, CCNA
Ameer 1+ years
21 5 years CEH
Prakash
22 Ankur Joshi 1+ years 8.3 years CEH
1 year CEH v9, ITIL v3, IBM QRadar Security
Mangesh
23 14 years Analyst, Symantec SEP Administration,
Salunkhe
CCNA
Deshpande 11 months
24 4 years CEH, Splunk Power User, Cyber Law
Amar Shishir
Bhandari 7 months
25 2.2 years CEH
Shahbaz A
Avugadda 1+ years
26 3.5 years CCNA R&S
Venkatesh
Chanda 1 year
27 4.5 years MCSA
Chiradip
4 months Palo Alto CNSE, CCSA, CCSE, CCNA
28 Rahul Rane 9.10 years Sec
1 month ArcSight Certified Security Analyst
(ACSA), Check Point Certified Security
Jitendra
29 13+ years Expert (CCSE), Qualys Vulnerability
Chaudhari
Management, Cisco Certified Security
Professional (CCSP)
Mahaldar 1+ years
30 9+ years CCIE Security, PALO ALTO ACE
Salman Qasim
1+ years CCNA, CCNP, Cisco ASA, Palo Alto
31 Rakesh Shirsat 11 years
ACE, ITIL V3
~0.5 month CISSP,CEH,CHFI,ISO27001,CPISI,ITIL-
32 Karthik P 7 years
F
8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

Client Volume Complexity Location Project Value

Leading Insurance Web and Mobile Business critical Remotely USD 65K
company in Apps Insurance (Mumbai)
Europe applications
used by end
users

One of the leading Banking Test in-line with Onsite from USD 16k
bank in middle application PCI standard client location
east (Middle East)

Leading Financial Web applications Business critical Remotely USD 35K


Services and Infrastructure products, (Mumbai)
Technologies in Security Internal and
Canada External assets

Multi-industry Web applications Penetration Remotely USD 15K


company and supporting testing as per (Mumbai)
infrastructure pen OWASP and PCI
test Standards

Leading Insurance Dynamic Focus on Remotely (Client USD 84K


company in US application protecting the ODC)
security test in insurance
SDLC information for
Business critical
application

Government body Application Business critical Remotely (Client INR 2.7 MN


of India security application for ODC)
assessment Govt. of India

Leading Insurance Application Business critical Remotely (Client USD 18 K


company in Security Insurance ODC)
Canada assessment and product
configuration
review

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

Commercial: IBM Appscan, IBM Source, Acunetix, Nessus, Burp Suite Pro, Checkmarx,
QualyGuard, HP Fortify

Freeware: WireShark, Nmap, Kali Linux, Metasloit, OpenVas, THC Hydra, John The Ripper,
SamSpade, Netcat, Nikto, Fiddler, Dirbuster, SQLMap, CSRFtester, SSLscan, Fiddler, Eco Mirage
etc.

Proprietary: iDiscover, SmartBoard for vulnerability tracking

10. Outsourcing of Project to External Information Security Auditors / Experts : No

*Information as provided by Larsen & Toubro Infotech Limited on 4th Dec 2017

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Mirox Cyber Security & Technology Pvt Ltd.

1. Name & location of the empanelled Information Security Auditing Organization :

Mirox Cyber Security & Technology Pvt Ltd


4th Floor Nila Technopark Trivandrum 695581 Kerala India

2. Carrying out Information Security Audits since : Since 2010

3. Capability to audit , category wise (add more if required)

 Network security audit (Y/N) : YES


 Web-application security audit (Y/N) : YES
 Wireless security audit (Y/N) : YES
 Compliance audits (ISO 27001, PCI, etc.) (Y/N) : YES
 Application VAPT : YES
(Vulnerability Assessment & Penetration Testing)
 Network VAPT : YES
(Vulnerability Assessment & Penetration Testing)
 Mobile Application VAPT : YES
(Vulnerability Assessment & Penetration Testing)
 IOT Security Testing : YES
 Social Engineering Test : YES
 Secure Code Review : YES
 Host Security Assessments : YES
 Database Security Audit & Assessment : YES
 Device Security Audit & Assessment : YES
 Telecom Security Audit & Assessment : YES
 SCADA VAPT : YES
 Electronic Security Audit : YES
 Risk Assessments : YES
 ERP Security Audit & Assessment : YES
 Infrastructure Security Audit : YES
 Big Data Security Audit & Assessment : YES
 Cyber forensic Analysis : YES
 Security Architecture Review : YES
 Data Center Security Audit & Assessment : YES
 Cloud Applications VAPT : YES
 Threat Assessment : YES
 SOC - Security Operation Center Audit & Assessment : YES
 Managed Security Service : YES

4. Information Security Audits carried out in last 12 Months :

Govt. : 2
PSU : 0
Private : 104
Total Nos. of Information Security Audits done : 106

5. Number of audits in last 12 months , category-wise (Organization can add categories based
on project handled by them)

 Network security audit : 12


 Application security audit & assessment : 20
 Penetration Testing : 25
 Wireless security audit : 7
 Compliance audits (ISO 27001, PCI, etc.) : 2
 Mobile Applications : 6
 IOT & Device Audit : 3
 ERP Audit : 1
 Database Security Audit : 3
 Security Architecture Review : 2
 Threat Assessment : 1
 Social Engineering Test : 5
 Cyber forensic Analysis : 3
 Risk Assessment : 1
 Infrastructure Security Audit : 5
 Electronic Security Audit : 10

6. Technical manpower deployed for information security audits :

CISSPs : <number of>


BS7799 / ISO27001 LAs : 1
CISAs : 1
Core Security Certifications : 10
Any other information security qualification : 6
Total Nos. of Technical Personnel : 15

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Employee Duration with Experience in Qualifications related to


No. <organization> Information Security Information security
1 Rajesh Babu 8 15 CEH/Security Expert
Certified/CISO/Risk
Assessment
2. Nidhin G 1 10 Lead Auditor ISO
27001:2005 , - ISO
22301:2012 , - ISO
9001:2015
(Information Security
Management System)

3. Harish V 1 2 CEH, Security Certified


4. Balaji G 1 2 CEH, Security Certified
5. Kavya B 1 3 M.Tech Cloud Security,
CEH, Security Certified
6 Kiran.R 1 2 CEH, Security Certified
7. Robin P 1 1 CEH, CHFI, Security
Certified

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

 Done the largest Infrastructure Security Audit and Assessment more than 5000
machines plus Enterprise UTM/IDS/IPS/SIEM/ Routers and other related IP based
devices etc. across the Global for an Fortune 500 US based company.

 Done The Security Testing for World's 3rd largest image and video content portal for an
UK based Enterprise. Its owned and stock more than 100 millions video and image
contents.

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

S.No. Tools Opensource/Licensed


1 Acunetix Licensed
2 Nessus Licensed
3 SE-SMSer Opensource
4 acccheck opensource
5 ace-voip opensource
6 Amap opensource
7 arp-scan opensource
8 Automater opensource
9 bing-ip2hosts opensource
10 braa opensource
11 CaseFile opensource
12 CDPSnarf opensource
13 cisco-torch opensource
14 Cookie Cadger opensource
15 copy-router-config opensource
16 DMitry opensource
17 dnmap opensource
18 dnsenum opensource
19 dnsmap opensource
20 DNSRecon opensource
21 dnstracer opensource
22 dnswalk opensource
23 DotDotPwn opensource
24 enum4linux opensource
25 enumIAX opensource
26 EyeWitness opensource
27 Faraday opensource
28 Fierce opensource
29 Firewalk opensource
30 fragroute opensource
31 fragrouter opensource
32 Ghost Phisher opensource
33 GoLismero opensource
34 goofile opensource
35 hping3 opensource
36 ident-user-enum opensource
37 InSpy opensource
38 InTrace opensource
39 iSMTP opensource
40 lbd opensource
41 Maltego Teeth opensource
42 masscan opensource
43 Metagoofil opensource
44 Miranda opensource
45 nbtscan-unixwiz opensource
46 Nmap opensource
47 ntop opensource
48 OSRFramework opensource
49 p0f opensource
50 Parsero opensource
51 Recon-ng opensource
52 SET opensource
53 SMBMap opensource
54 smtp-user-enum opensource
55 snmp-check opensource
56 SPARTA opensource
57 sslcaudit opensource
58 SSLsplit opensource
59 sslstrip opensource
60 SSLyze opensource
61 Sublist3r opensource
62 THC-IPV6 opensource
63 theHarvester opensource
64 TLSSLed opensource
65 twofi opensource
66 URLCrazy opensource
67 Wireshark opensource
68 WOL-E opensource
69 Xplico opensource
70 BBQSQL opensource
71 BED opensource
72 cisco-auditing-tool opensource
73 cisco-global-exploiter opensource
74 cisco-ocs opensource
75 cisco-torch opensource
76 copy-router-config opensource
77 DBPwAudit opensource
78 Doona opensource
79 DotDotPwn opensource
80 HexorBase opensource
81 Inguma opensource
82 jSQL opensource
83 Lynis opensource
84 Nmap opensource
85 ohrwurm opensource
86 openvas opensource
87 Oscanner opensource
88 Powerfuzzer opensource
89 sfuzz opensource
90 SidGuesser opensource
91 SIPArmyKnife opensource
92 sqlmap opensource
93 Sqlninja opensource
94 sqlsus opensource
95 tnscmd10g opensource
96 unix-privesc-check opensource
97 Yersinia opensource
98 Armitage opensource
99 Backdoor Factory opensource
100 BeEF opensource
101 Commix opensource
102 crackle opensource
103 exploitdb opensource
104 jboss-autopwn opensource
105 Linux Exploit Suggester opensource
106 Maltego Teeth opensource
107 Metasploit Framework opensource
108 MSFPC opensource
109 RouterSploit opensource
110 Airbase-ng opensource
111 Aircrack-ng opensource
112 Airdecap-ng and Airdecloak-ng opensource
113 Aireplay-ng opensource
114 Airmon-ng opensource
115 Airodump-ng opensource
116 airodump-ng-oui-update opensource
117 Airolib-ng opensource
118 Airserv-ng opensource
119 Airtun-ng opensource
120 Asleap opensource
121 Besside-ng opensource
122 Bluelog opensource
123 BlueMaho opensource
124 Bluepot opensource
125 BlueRanger opensource
126 Bluesnarfer opensource
127 Bully opensource
128 coWPAtty opensource
129 crackle opensource
130 eapmd5pass opensource
131 Easside-ng opensource
132 Fern Wifi Cracker opensource
133 FreeRADIUS-WPE opensource
134 Ghost Phisher opensource
135 GISKismet opensource
136 Gqrx opensource
137 gr-scan opensource
138 hostapd-wpe opensource
139 ivstools opensource
140 kalibrate-rtl opensource
141 KillerBee opensource
142 Kismet opensource
143 makeivs-ng opensource
144 mdk3 opensource
145 mfcuk opensource
146 mfoc opensource
147 mfterm opensource
148 Multimon-NG opensource
149 Packetforge-ng opensource
150 PixieWPS opensource
151 Pyrit opensource
152 Reaver opensource
153 redfang opensource
154 RTLSDR Scanner opensource
155 Spooftooph opensource
156 Tkiptun-ng opensource
157 Wesside-ng opensource
158 Wifi Honey opensource
159 wifiphisher opensource
160 Wifitap opensource
161 Wifite opensource
162 wpaclean opensource
163 apache-users opensource
164 Arachni opensource
165 BBQSQL opensource
166 BlindElephant opensource
167 CutyCapt opensource
168 DAVTest opensource
169 deblaze opensource
170 DIRB opensource
171 DirBuster opensource
172 fimap opensource
173 FunkLoad opensource
174 Gobuster opensource
175 Grabber opensource
176 hURL opensource
177 jboss-autopwn opensource
178 joomscan opensource
179 jSQL opensource
180 Maltego Teeth opensource
181 PadBuster opensource
182 Paros opensource
183 Parsero opensource
184 plecost opensource
185 Powerfuzzer opensource
186 ProxyStrike opensource
187 Recon-ng opensource
188 Skipfish opensource
189 sqlmap opensource
190 Sqlninja opensource
191 sqlsus opensource
192 ua-tester opensource
193 Uniscan opensource
194 Vega opensource
195 w3af opensource
196 WebScarab opensource
197 Webshag opensource
198 WebSlayer opensource
199 WebSploit opensource
200 Wfuzz opensource
201 WPScan opensource
202 XSSer opensource
203 zaproxy opensource

10. Outsourcing of Project to External Information Security Auditors / Experts : Yes/No


( If yes, kindly provide oversight arrangement (MoU, contract etc.)) No

*Information as provided by Mirox Cyber Security & Technology on 04-12-2017

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Panacea Infosec Pvt Ltd

1. Name & location of the empanelled Information Security Auditing Organization:

Panacea InfoSec Pvt. Ltd.


226, Pocket A2, Pocket B,
Sector 17 Dwarka, Delhi, 110075

2. Carrying out Information Security Audits since : 2012

3. Capability to audit, category wise (add more if required)

 Network security audit : YES


 Web-application security audit : YES
 Wireless security audit : YES
 Compliance audits (ISO 27001, PCI, etc.) : YES
 Mobile Application Security Audit : YES
 Secure Code Review : YES
 Information Security Policy Formulation & Assessment : YES
 Cyber Forensics : YES

4. Information Security Audits carried out in last 12 Months:

Govt. : 0
PSU : 2
Private : 200+
Total Nos. of Information Security Audits done : 200+

5. Number of audits in last 12 months, category-wise (Organization can add categories based
on project handled by them)

Network security audit : 160+


Web-application security audit : 70+
Wireless security audit : 50+
Compliance audits (ISO 27001, PCI, etc.) : 200+
Mobile Application Security Audit : 30+
Secure Code Review : 50+
Information Security Policy Formulation & Assessment : 130+
Cyber Forensics : 2+

6. Technical manpower deployed for information security audits:

CISSPs : 1
BS7799 / ISO27001 LAs : 7
CISAs : 3
DISAs / ISAs : 0
CEH/OSCP/ECSA/CCNA : 5
Any other information security qualification : 14
Total Nos. of Technical Personnel : 20+

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

Duration Experience in
SL. Qualifications related to
LIST OF EMPLOYEES with Information
NO. Panacea Security Information security

1 A Kaushik 5 years 11+ years B.Tech., PCI QSA, CISSP


2 Y Shivde 2 years 13+ years CISA, CISM, PCI QSA, ITIL
3 A Kumar 3 years 4+ years CISA, PCI QSA, LA-ISO27001
3.2 years
4 J Khanna 10 + years LA-ISO27001, PCI QSA
months
CISM, CISA, CCNA, CCNA(S),
5 Sammy N 1+ years 8+ years PCI QSA
B.Tech., MSCLIS, Certified In
6 M SWARUP 1 year 5+ years defend (DLP), Juniper
Network Security SPIRING
7 JS RAJPUT 6 months 1+ years MSCLIS
8 C Gupta 6 months 7 years B.Tech., MSCLIS, CEH
PCI QSA, LA 27K:2013, LA
9 SF HUSSAIN 3 months 12+ years 25999, MCSE+I, MCA, M.Sc.
in computer science

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

1. One of overseas Leading Public/Private-Sector Banks - PCIDSS Compliance,


Managed Services (Quarterly, Annual), Secure Code Review, Application Security
Assessment
2. One of Largest BPO (Global) - PCIDSS Compliance, Managed Services (Quarterly,
Annual)
3. One of India’s Leading Aviation Companies – PCIDSS Compliance, Application
Security Assessment, Infrastructure Security Assessment
4. One of India’s Leading FMCG Companies – PCIDSS Compliance, Application Security
Assessment, Infrastructure Security Assessment, Consulting for ISO 27001
Implementation
5. One of Leading Telecom Service Provider – PCIDSS Compliance, Application
Security Assessment, Infrastructure Security Assessment, Consulting for ISO 27001
Implementation
6. One of India’s Leading Payment-Switch Companies – PCIDSS Compliance,
Application Security Assessment, Infrastructure Security Assessment
7. One of India’s Leading Public/Private-Sector Banks - PCIDSS Compliance,
Managed Services (Quarterly, Annual), SIEM Service, Secure Code Review, Application
Security Assessment, Consulting for ISO 27001 Implementation
8. One of India’s Leading e-commerce platform - PCIDSS Compliance, Managed
Services (Quarterly, Annual), SIEM Service, Secure Code Review, Application Security
Assessment

Project Value: Confidential


Maximum Count handled under Single project:
No. of Systems (Server, Desktops, Network Devices) Scanned: 1600
No. of Applications: 35

9. List of Information Security Audit Tools used (commercial/ freeware/proprietary):

License
Tool Purpose
Type
Burp Suite Pro Licensed Application Security Testing
Nessus 5 Pro Licensed Vulnerability Assessment
Qualys Guard Licensed Network and Application VA
AppUse 4.3 Open source Mobile Application Pen Test
Echo Mirage Open source Network Proxy
Kali Linux Rolling Edition Open Source VAPT
Nipper Open Source Network Configuration File
SonarQube Open source Static Code Analysis
Nmap Freeware Port Scanner
SoapUI Freeware Web Services
Helix3 Freeware Computer Forensics
Oxygen Forensic Suit Commercial Mobile forensic
ProDiscover Forensic Commercial Computer Forensics
Rapid 7 Metasploit Community N/W and Application Pen Test

10. Outsourcing of Project to External Information Security Auditors / Experts: No

( If yes, kindly provide oversight arrangement (MoU, contract etc.))


*Information as provided by < organization> on <date>

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Protiviti India Member Pvt Limited

1. Name & location of the empanelled Information Security Auditing Organization:

Protiviti India Member Private Limited,


15th Floor, Tower A,
Building No 5, DLF Phase III,
DLF Cyber City, Gurgaon-122002,
Haryana, India

2. Carrying out Information Security Audits since : September 2006

3. Capability to audit , category wise (add more if required)

 Network security audit (Y/N) : Yes


 Web-application security audit (Y/N) : Yes
 Wireless security audit (Y/N) : Yes
 Compliance audits (ISO 27001, PCI, etc.) (Y/N) : Yes
 Vulnerability Assessment and Penetration Test : Yes
 Web-Service / Interface Security audit : Yes
 Mobile Security Audit : Yes
 Secure Network Architecture Review : Yes
 MBSS and Hardening/Configuration Review : Yes
 Security Process Review and Cybersecurity Framework : Yes
 Secure Source Code Review : Yes
 APT/ Social Engg/ Phishing/ Red Team : Yes
 Cloud Security Risk Assessment : Yes
 Telecom Security Audit : Yes
 SCADA/ICS Security Audit : Yes
 Managed Security Services : Yes
 Security Operations Centre (SOC) Review : Yes
 Post-Product Implementation Review : Yes
 Cybersecurity Strategy and Security Trainings : Yes

4. Information Security Audits carried out in last 12 Months:

Govt. : 0
PSU : 0
Private : 56
Total Nos. of Information Security Audits done : 56

5. Number of audits in last 12 months , category-wise (Organization can add categories based
on project handled by them)

Network security audit : 8


Web-application security audit : 36
Wireless security audit : 0
Compliance audits (ISO 27001, PCI, etc.) : 12

6. Technical manpower deployed for information security audits :

CISSPs : 1
BS779 / ISO27001 LAs : 9
BS25999 LI : 1
CISM : 2
CISA : 4
COBIT Foundation : 2
CEH : 8
CCNA : 5
ITIL (Variant) : 5
CCNP : 1
Any other information security qualification : 5
Total Nos. of Technical Personnel : 37
7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

Sr. Name of Employee Duration Experience in Qualifications related to


No with Information Information Security
Protiviti Security
India
1 Nikhil Donde 3.10 22 M.B.A, CISSP, ISO 27001-LA,
BS25999 LI, COBIT
Foundation

2 Vijai Kanagaraj 6.71 16 B.Tech - 2000, BS7799 LI,


CISA, CISM, ITIL, CCNA,
CCNP, CEH

3 Mayank Vatsal 2.11 9 MBA - 2011, ISO 27001:


2005-LA, CISM
4 Joel Vadodil 2.97 9 B.E, MS - 2011, Iraje &
ARCOS PIM, Check Marx
Advanced Code Review,
Qualys Guard Security
Specialist
5 6.5
Moonis Ahmed 2.58 PGP - 2015, ITIL v3
6 Vijay Devre 2.33 5.1 MBA - 2012

7 Charan Karthi 0.00 5.8 MBA - 2013, CISA

8 Rahul Khubani 0.10 6.6 B.E

9 Ravi Etta 3.41 10 M.Sc. - 2010

10 Ashish Dwivedi 3.24 7.2 B.Sc - 2009

11 Diptarka Biswas 1.11 3.1 B.E - 2010

12 Mohammad Sikkandar 3.61 5.5 B.Sc - 2012, CSS - Certified


Sha Security Specialist
Investigating Internet Crimes
13 Sagar Shah 0.75 6 B.Sc (IT) - 2010, CISA,
CCNA, CEH
14 Nikita Noronha 3.03 3 MBA - 2014, ISO 27001:2013
LA
15 Akhib Nayaz 2.46 5 M.Sc - 2013, ISO
Mohammed A 27001:2013 LA
16 Saunhita Bhadra 1.96 3.5 COBIT Foundation, ITIL
Foundation
17 Megha Ghosh 1.00 8.1 B.Tech - 2010

18 Dheeraj Pendum 0.58 5.2 M.Tech - 2010

19 Rakesh Ramesh 2.68 3 MBA - 2014, ISO 27001:2013


LA, ITIL Foundation, CEH, EC
Council Security Analyst
20 Siva Sankaran 2.73 4.5 MBA - 2015, ITIL Foundation
Selvendran

21 Karan Shah 0.70 4 MCA - 2014, CEH

22 Vivek Kathayat 1.86 3.2 B.Sc IT - 2014, CCNA

23 Amit Khowala 0.89 2.1 ISO 27001:2013-LA, CEH

24 Sathwik Chakravartula 0.77 2.2 B.Tech - 2015 , CEH

25 Pranav Bhasin 1.72 4.7 CISA


26 Rajesh Benakannavar 0.64 2 B.E - 2013, ISO 27001:2013
LA, CEH
27 Ajay Gowtham 0.98 0.98 B.E - 2016, CCNA, CEH

28 MBA - 2017, ISO 27001:2013


Vrunda Naik 0.65 0.65
LA
29 4.7
Tipu Sait MD 0.56 B.Tech - 2010, CCNA
30
Ravi Prakash B 0.65 0.65 MBA - 2017
31
Nupur Mathur 0.65 0.65 MBA - 2017
32
Nisha Rani 0.65 0.65 MBA - 2017
33 1.61
Priyanka Joshi 1.61 M.Sc - 2016
34 1.16
Giridhar Ramesh 1.16 M.Tech - 2016, CEH
35 2.8
Chandra Sekhar 0.61 B.Tech - 2012
36 3.1
Manuj Rana 0.91 MBA - 2014
37 1.9
Sonal Sharma 1.68 B.E - 2014

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value:

Listed below are one of the largest projects handled in India and for an international Protiviti
firm:

Project Details Scope of Work

Telecom Security  Develop security benchmarking document comparing


Review for one of the standards and past experience across global telecom
largest telecom operators
operator in Brazil  Develop baseline documentation for 30 unique IT and
Telecom nodes
 External Penetration Testing on the Packet Core Network
 Develop access control mechanism document
 Develop network topology diagrams including connectivity
from Remote user/3rd party users, Platforms, Connections
between Digital Content Network and Multi Services
Network
 Define security assessment guideline
Information Security  External Vulnerability Assessment for 34 IP addresses
Assessment for a (websites: 14 Nos. and IP addresses: 20 Nos.)
leading  Internal Vulnerability Assessment for Servers (Virtual): 125,
Servers (Physical – Non-AIX): 14, Servers (AIX):10,
manufacturing
Hypervisors: 14,
company in India Storage – 4, Routers – 110, Switches – 54 managed
devices, Proxy – 2, Firewall – 3, Packet Shaper – 1, WAN
Accelerator – 1
 Security Configuration Review for Servers (Virtual): 125,
Servers (Physical – Non-AIX): 14, Servers (AIX): 10,
Hypervisors: 14, Storage – 4, Routers – 110, Switches – 54
managed devices, Proxy – 2, Firewall – 3, Packet Shaper –
1, WAN Accelerator – 1
 Application Security Assessment for 79 web applications
 Application Access Review for 2 applications
 IT Process Review
 Bill of Material Security
 Cloud Risk Assessment
 IT DR Review
 Security Roadmap
 Managed Security Service Scoping
 Re-Validation Testing
9. List of Information Security Audit Tools used (commercial/ freeware/proprietary):

Sr. No License Tool Name Details


1 Commercial Tenable Nessus is a powerful network vulnerability scanner
Nessus developed in a user-friendly manner to make use of
default scanning policy or to create new policies based
on requirement. This tool could be used to scan the
extensive network for discovering the security
vulnerabilities.

2 Commercial Burp Suite Burp is a java based application developed with


Scanner advanced scanning techniques for penetration testers to
Professional find out security vulnerabilities in the application.

3 Commercial Acunetix Acunetix is leading web vulnerability scanner used by


Web penetration testers which include the most advanced
Vulnerabilit SQL Injection, and XSS black box scanning technologies.
y Scanner It automatically crawls applications and performs black
box and gray box hacking techniques which finds
security vulnerabilities.

4 Commercial Checkmarx Checkmarx is an application security solution designed


for Application Security Testing and Static Code Analysis
to identify known coding level vulnerabilities.

5 Open Source Kali Linux An advanced Penetration Testing Linux distribution used
for Penetration Testing, Ethical Hacking and network
security assessments.

6 Open Source THC-IPV6 THC-IPV6 is a penetration testing tool which will exploit
the protocol weaknesses of IPV6 and ICMP6 and includes
an easy to use packet factory library.

7 Open Source cisco-torch Cisco Torch is a mass scanning, fingerprinting and


exploitation tool to find the flaws in cisco devices and
exploit vulnerabilities.

8 Open Source PowerSploit PowerSploit is a group of Microsoft PowerShell scripts


that can be used in post-exploitation scenarios during
authorized penetration tests.

9 Open Source CryptCat CryptCat is a Unix utility which reads and writes data
across network connections, using TCP or UDP protocol
while encrypting the data being transmitted

10 Freeware OpenVas OpenVas is a framework of several services and tools


offering a comprehensive and powerful vulnerability
scanning and vulnerability management solution.

11 Open Source Fierce Fierce is a reconnaissance tool (PERL script) that quickly
scans domains using several tactics.
12 Open Source SHODAN Shodan is a search engine that lets the user find specific
types of computers connected to the internet using a
variety of filters. Shodan collects data mostly on web
servers (HTTP/HTTPS - port 80, 8080, 443, 8443), as
well as FTP (port 21), SSH (port 22), Telnet (port 23)
etc.

13 Open Source Scapy Scapy is a powerful interactive network packet


manipulation program.
14 Freeware Nmap Nmap is a free security scanner which will provides a
number of features for probing computer networks,
including host discovery and service and operating-
system direction. These features are extensible by
scripts that provide more advanced service detection,
vulnerability detection, and other features.

15 Freeware NetCat Netcat is a networking utility which reads and writes


data across network connections, using the TCP/IP
protocol.
16 Open Ettercap Ettercap is an open source network security tool for
Source/ man-in-the-middle attacks. It can be used for computer
Freeware network protocol analysis and security auditing.

17 Open Source Metasploit Metasploit is an exploitation framework that enables a


framework penetration tester to find, validate and exploit
vulnerabilities over network infrastructure. Framework
includes auxiliary modules, exploits, shellcode, encoders
etc.

18 Freeware Cain & Abel Cain & Abel is a password cracking tool. It allows easy
recovery of various kinds of passwords by sniffing the
network, cracking encrypted passwords using Dictionary.
ARP feature enables sniffing on switched LANs and Man-
in-the-Middle attacks

19 Open Source Zed Attack The OWASP Zed Attack Proxy (ZAP) is an opensource
Proxy (ZAP) proxy/vulnerability scanner which will automatically
discover security vulnerabilities in the applications

20 Open Source Nikto Nikto is an Open Source (GPL) web server scanner which
performs comprehensive tests against web servers for
multiple items, including over 3500 potentially
dangerous files/CGIs, versions on over 900 servers, and
version specific problems on over 250 servers

21 Open Source W3af w3af is a web application attack and audit framework
which aims to identify and exploit all web application
vulnerabilities

22 Open Source SQLMap SQLMAP is an penetration testing tool that automates


the process of detecting and exploiting SQL injection
flaws and taking over of database servers

23 Open Source Wireshark Wireshark is a network protocol analyzer which supports


/Freeware deep inspection of hundreds of protocols, live capture
and offline analysis of network packets.
24 Open Source Aircrack-Ng Aircrack-ng is a wireless pentest tool which supports
802.11 WEP and WPA-PSK keys cracking program that
can recover keys once enough data packets have been
captured.

25 Open Source BeEF Beef is a penetration testing tool that focuses on the
web browser. BeEF will hook one or more web browsers
and use them as beachheads for launching directed
command modules and further attacks against the
system from within the browser context.

26 Open Source Lucy LUCY is a social engineering frame work, which runs
different variations of phishing, malware and portable
media attack simulations to measure organizational
team's awareness of attacks.
27 Open Source Social The Social-Engineer Toolkit is a penetration testing
Engineering framework designed for Social-Engineering which has a
Toolkit number of custom attack vectors that allow you to make
a believable attack in a fraction of the time.

28 Open Source Maltego Maltego is a unique platform developed to deliver a clear


threat picture to the environment that an organization
owns and operates. It can be used to determine the
relationships and real world links between People, social
networks, Companies; Internet infrastructure such as
Domains, DNS names Netblocks, IP addresses, etc.

29 Freeware Fiddler Fiddler is a web debugging tool used in web application


security assessment, which logs all HTTP(S) traffic
between the computer and the Internet.

30 Open Source Enum4linux Enum4linux is a tool for enumerating information from


Windows and Samba systems. Key features supports by
Enum4linux are RID cycling , User listing, Listing of
group membership information, Share enumeration,
Password policy retrieval etc.

31 Freeware IFunBox IFunBox is a tool made for exploring and browsing


iPhone, iPad, and iPod touch file system. IFunBox will
help penetration tester during IOS assessment.

32 Open Source SoapUI SoapUI is a most advanced web service testing


application for service-oriented architectures and
representational state transfers

33 Open Source Apk Tool A tool for reverse engineering Android .apk files
34 Freeware OllyDbg Debugger used for reverse engineering
35 Proprietary Clickjacking Clickjacking Tool helps in exploiting Clickjacking
Tool vulnerability in web application.

36 Proprietary Configuratio Configuration scripts to enumerate the environmental


n Scripts variables for OS, DB, Web servers

37 Freeware class-dump- Class-dump-z is a command-line tool used to extract


z Objective-C class interfaces from the application’s
installed packages. It is an efficient reverse engineering
tool used for extracting the source code of an iOS
application

38 Freeware Drozer Drozer is a tool used for automating android application


security assessment. Drozer helps to remotely exploit
Android devices, by building malicious files or web pages
that exploit known vulnerabilities.

39 Freeware AXMLPrinter AXMLPrinter2 is a command line tool used during the


2 reverse engineering of the android application’s apk. It is
used to extract the Manifest.xml file into a readable XML
format.
A
40 Freeware Postman Postman is a GUI tool used for developing API/Web
Services calls to the server. It is an efficient tool used
for performing assessment of SOAP/REST services.

41 Freeware EchoMirage Echo Mirage is a tool that hooks into an application’s


process and enables us to monitor the network
interactions being done. This process can be done with a
running process, or it can run the application on the
user’s behalf. It is an efficient tool for performing Thick
Client Application Security Testing.
42 Freeware ILSpy ILSpy is the open-source .NET assembly browser and
decompiler, it is used for extracting the source of
executables and dynamic link libraries in a readable
format. It is an efficient tool used for performing Thick
Client Application Security Testing.

43 Freeware Windows Windows Enabler allows the user to enable disabled


Enabler fields and controls such as buttons and tick boxes in a
windows from. It is an efficient tool used for performing
Thick Client Application Security Testing.

44 Freeware APK APK Analyzer provides a developer mode for analyzing


Analyzer and manipulating insecure activities in an android
application.

45 Freeware dex2jar Dex2jar is a command line tool used for converting the
“.dex” file of an android application into “.jar” file, post
extraction, the source code of an android application is
accessible in a readable format.

46 Open Source OpenSSL OpenSSL contains an open-source implementation of the


SSL and TLS protocols. It is used for determining the
strength of various SSL and TLS protocols.

47 Freeware Cycript Cycript allows for useful runtime analysis of a program


(such as for instance getting the complete view
hierarchy, or checking out the properties of an object),
and it allows for easy prototyping of a tweak (by hooking
methods with a Substrate bridge, changing objects
freely and calling functions, etc.).

48 Freeware Winhex WinHex is a universal hexadecimal editor, used for


extracting information from the local memory (RAM,
ROM, etc) of a client machine.

49 Open Source Android Android Studio is a GUI based development bundle


Studio which consists of tools used for developing and analyzing
Android applications. It consists of android debug bridge
which can be used as a command line tool to
communicate with connected Android devices.

50 Freeware Dir Buster DirBuster is a multi-threaded java application designed


to brute force directories and files names on
web/application servers. It is used to enumerate hidden
directories/files on the server.

10. Outsourcing of Project to External Information Security Auditors / Experts: Yes/No


(If yes, kindly provide oversight arrangement (MoU, contract etc.))

*Information as provided by Protiviti India member Private Limited on December 4th, 2017

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

SecureLayer7 Technologies Pvt Ltd.

1. Name & location of the empanelled Information Security Auditing Organization:

SecureLayer7 Technologies Private Limited


104, Suratwala Mark Plazzo, Hinjewadi – Wakad road,
Hinjewadi Pune 411057, Maharastra, India.

2. Carrying out Information Security Audits since : 2013

3. Capability to audit, category wise (add more if required)

• Network security audit : Yes


• Web-application security audit : Yes
• Wireless security audit : Yes
• SCADA security audit : Yes

4. Information Security Audits carried out in last 12 Months :

Govt. : 0
PSU : 9+
Private : 30+
Total Nos. of Information Security Audits done : 45+

5. Number of audits in last 12 months, category-wise (Organization can add categories based
on project handled by them)

Network security audit : 6+


Web-application security audit : 60+
Wireless security audit : 15+
Mobile application : 6+
IoT Security : 2+
Crypto Currency Security assessment : 4+
Source Code audit : 10+
Thick client : 9+

6. Technical manpower deployed for information security audits :

ESCA : 2
OSCP : 4
CEH : 14
Any other information security qualification : 4
Total Nos. of Technical Personnel : 24

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Employee Duration with Experience in Qualifications related


No. <organization> Information Security to Information security

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

Security Audit for the Largest Pulp and Paper manufacturing company: The scope of the work
includes to perform yearly security audit for the network, Thick client applications, SAP
applications, HR applications, firewall review. As part of this assessment SecureLayer7
performed extensive penetration testing of the external 140 server IP address, 40+ application,
network architecture review. The project cost is $60,000.00 USD
Security audit for the largest Middle east bank: The scope of the work includes to perform the
mobile application, all banking applications, 1200 IP address vulnerability assessment and
penetration testing, middleware, ATM security assessment. The project cost was $12,1000.00
USD.
9. List of Information Security Audit Tools used (commercial/ freeware/proprietary):

Commercial

1. Nessus
2. Qualys
3. Burp Suite

Freeware

1. Kali Penetration testing


2. Nmap
3. Nikto
4. Metasploit
5. OpenVas
6. Wireshark
7. NetCat
8. Brutus
9. Hydra
10. Hydra
11. W3af

10. Outsourcing of Project to External Information Security Auditors / Experts : NO

*Information as provided by SecureLayer7 Technologies Private Limited on 4 th Dec 2017

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

TUV SUD South

1. Name & location of the empanelled Information Security Auditing Organization:

TÜV SÜD South Asia Private Limited

Business Address:-
TÜV SÜD South Asia
Shiv Ashish, 2nd Floor,
Andheri - Kurla Road,
Behind Lathia Rubber Factory,
Saki Naka. Andheri (East),
Mumbai - 400 072, Maharashtra,
India.

2. Carrying out Information Security Audits since : 2006

3. Capability to audit, category wise (add more if required)

 Network security audit : Y


 Web-application security audit : Y
 Wireless security audit : Y
 Information Security Management System Audit
Compliance audits (ISO 27001, PCI, etc.) : Y
 Data Center Audit
 Third Party Security Audits
 Regulatory Audits (UIDAI, RBI, IRDA, EU GDPR, SEBI)
 Data Protection Audits
 PCI Compliance
 IOT Security Audit
 Digital Security Audit
 Forensics Audit

4. Information Security Audits carried out in last 12 Months:

Govt. : 0
PSU : 0
Private : 171
Total Nos. of Information Security Audits done : 171

5. Number of audits in last 12 months, category-wise (Organization can add categories based on
project handled by them)

Network security audit : 25


Web-application security audit : 18
Wireless security audit : 4
Compliance audits (ISO 27001, PCI, etc.) : 124

6. Technical manpower deployed for information security audits:

OSCP : 11
CEH : 18
ISO 27001 LA : 6
CISSPs : none
BS7799 / ISO27001 LAs : none
CISAs : none
DISAs / ISAs : none
Any other information security qualification
OSCE : 1
OSWE : 1
Total Nos. of Technical Personnel : 23
7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Duration Experience in Qualifications


No. Employee with TÜV Information related to
SÜD South Security Information security
Asia Pvt. Ltd
1. Harshil Mehta 7 Months 6.5 Years OSCP, CEH, ECSA, ISO
27001 LA
2. Foram Mehta 6 Months 4.5 Years OSCP, CEH, ISO 27001
LA
3. Pritam Samuel 2+ Years 11+ Years ISO 27001 LA
4. Sujatha V 1.5+ Years 10+ Years ISO 27001 LA
5. Anjali Sharma 2+ years 11+ Years ISO 27001 LA
6. Karthikbabu 6.5+ Years 10+ Years ISO 27001 LA, CEH
Vijaykumar
7 Varun Nambiar 1 month 8+ Years

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

Customer: One of world’s largest outsourcing and technology services specialist.

Complexity: End to End Global Compliance

Volume/ Locations: 500 locations+ across the globe

Project Value – INR 15 million+

9. List of Information Security Audit Tools used (commercial/ freeware/proprietary):

Name Description

Proprietary Tools

Check-O-Matic VAPT Reporting Tool – In-house Developed

TÜV SÜD Portal for PCI Compliance For PCI Merchants and Acquirers – In-house developed

PHP Security Audit Script Web application configuration review tool

Commercial Tools

Burp Suite Pro Web Vulnerability Scanner

Nessus Network Vulnerability Scanner

Qualys Vulnerability Exploitation Tool

Netsparker Web Vulnerability Scanner

Checkmarx Source Code Review Tool

Open Source Tools

Nmap Port Scanner, Fingerprinting

Netcat Network Utility

SOAP UI SAOP API testing

SuperScan Port Scanner

Snmp Walk SNMP Scanner

User2SID Windows Service Identifier

Sid2User Windows Service Identifier

John the Ripper Unix and Windows Password Analyzer


Metasploit Exploit Framework

Kali Linux OS for Penetration Testing

Paros HTTP/S Interception Proxy

Burp Suite HTTP/S Interception Proxy

Brutus Brute force password utility

Cookie Editor Firefox Plug-in to Edit Cookies

Netstumbler Wireless Network Detector / Sniffer

Kismet 802.11 Wireless Network Detector / Sniffer

MySQL Administration Tool Administration tools for SQL Database

GoCR OCR Reader

10. Outsourcing of Project to External Information Security Auditors / Experts : No


(If yes, kindly provide oversight arrangement (MoU, contract etc.))

*Information as provided by TÜV SÜD South Asia Pvt. Ltd. on 4-Dec-2017.

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Code Decode Labs Pvt. Ltd.

1. Name & location of the empanelled Information Security Auditing Organization :

Code Decode Labs Pvt. Ltd.


A - 02, ‘Cassiopeia Classic, Opp. Pancard Club,
Baner, Pune - 411045, (MAH), India.

2. Carrying out Information Security Audits since : 2010

1. Capability to audit , category wise (add more if required)

 Network Security Audit : Yes


 Web-Application Security Audit : Yes
 Wireless Security Audit : Yes
 Compliance Audits (ISO 27001, PCI, etc.) : Yes
 IOT Security : Yes
 Cloud Security : Yes
 SCADA Security : Yes
 Cyber Security Threat Analysis : Yes
 Website, Server & Firewall Security Testing & Auditing : Yes
 Physical Access Controls & Security Testing : Yes
 Software Product Security Testing - Threat Assessment : Yes
 Black Box & White Box - Vulnerability Assessment & Penetration
Testing (VA & PT) : Yes
 Embedded System Security : Yes
 Malware Reverse Engineering and Forensic Testing : Yes
 Security Code Review : Yes
 Business Continuity Management : Yes
 Disaster Recovery Planning Management (BCP & DR) : Yes
 Incident Response Management – SIEM & Analytics : Yes
 Red Teaming - Security and Response Management : Yes
 Cyber Security Awareness Drills : Yes
 Information security policy review and assessment against best
Security Practices : Yes
 Security Patching for Applications & Software : Yes
 Compliance Process Security Testing – GDPR, PCIDSS, ISMS, ISO 27001,
ISO 22301, COSO, COBIT, BASIL, SOX, HIPAA, NIST, ITU &
ENISA Security Matrix etc. : Yes
 ISP Network & Communication Security Devices Testing : Yes
 Block Chain Security and Cyber Analytics : Yes
 Mobile Application Security Testing and Development : Yes
 e - Commerce Architecture Security : Yes
 National Critical Infrastructure and Grid Security : Yes
 Cyber Operations and Defense Response Management : Yes
 Cyber Warfare Operational Security : Yes
 Managed Security Services (MSS) : Yes
 Building & Maintaining Security Operations Centre (SOC) : Yes

2. Information Security Audits carried out in last 12 Months:

Govt. : 09
PSU : 02
Private : 16
Total Nos. of Information Security Audits done : 27

3. Number of audits in last 12 months , category-wise (Organization can add categories based on
project handled by them)

Network security audit : 04


Web-application security audit : 15
Wireless security audit : 03
Compliance audits (ISO 27001, PCI, etc.) : 15
4. Technical manpower deployed for information security audits :

CISSPs : 02
BS7799 / ISO27001 LAs : 02
CISAs : 01
DISAs / ISAs : 03
Any other information security qualification : 02
Total Nos. of Technical Personnel : 09

5. Details of technical manpower deployed for information security audits in Government and Critical
sector organizations (attach Annexure if required)

S. Name of Employee Duration with Experience in Qualifications related


No. organization Information to Information security
Security

1 Amlesh Mendhekar 5 12 CISSP, CEH, CCSA


Microsoft Certified
Technology Specialist,
Prince2
2 Raghavendra Kulkarni 5 12
CISM, LA ISO 27001,ISO
9001 & 14001,
3 Sachin Singhai 5 12 PRISM, CEH, CHFI, LA
ISO 27001
4 Sandeep Walvekar 5 14 CISA, CCNA, OSCP,
GWAPT,LA ISO 27001
5 Vidhyadhar Gaikwad 5 5 PRISM, LPT, CHFI,LA ISO
27001
6 Ajitkumar Hatti 3 10 CEH, LPT
7 Ayyaj Sayyad 3 5 LA ISO 27001, GPEN

6. Below are details of specified Largest Project handled in terms of scope (in terms of volume,
complexity, locations etc.) along with project value, as follows -

S. Client & Location Details Project Scope & Delivery Details Project
No Value
. (In INR)
Red Teaming, Cyber Security Architecture Review, 65 Lakhs
APJII, Jakarta, Indonesia Cyber Security Operation Center, Security Incident
Management, VAPT, Web App PT, Security Code
1 Review, System Forensics & Malware Assessment,
URL -
https://www.apjii.or.id/ Information Security & Data Protection Awareness
Trainings
Cyber Security Architecture Review, Cyber Security 27 Lakhs
SGS McNet, Maputo,
Operation Center, Security Incident Management,
Mozambique
VAPT, Web App PT, Security Code Review,
2 Information Security & Data Protection Awareness
URL -
Trainings
https://www.mcnet.co.mz/
Home.aspx,
Security Incident Management, VAPT, Web 15 Lakhs
VEGA Industries - AIA Application Testing, Security Code Review, System
Engineering, Ahmedabad, India Forensics & Malware Assessment, Data Protection
3 & Information Security Awareness Drills &
http://www.aiaengineering Trainings
.com/
Red Teaming, Jugaad - Mobile App Security 18.5
Testing, Web Application Security, Cloud security, Lakhs
Cyber Security Architecture Development & SOC
4Ever Payments, Mumbai,
Lab Set-up, ISO 27001, PCI DSS, Security Incident
India.
Management Response Cell, Security Code Review,
4 System Forensics & Malware Assessment, Cyber
URL -
Incident Handling Awareness Trainings
http://www.4everpayment.
com/,

GOI, DRDO – Cyber Unit, Cyber Security Attack Simulation Analytics & 15 Lakhs
Bangalore, India. Incident Operational Response : Software,
5 Analytics & Report Documentation
URL -
https://www.drdo.gov.in/

7. List of Information Security Audit Tools used ( commercial/ freeware/proprietary) :

We utilize mix of all commercial, freeware & proprietary editions of these following tools with its
respective latest versions & updates -

1. Acunetics - v8.0
2. AppScan_8.0.2
3. Burp Suite Professional v1.5.01
4. Cain & Able
5. JohnTheRipper
6. SQLMAP
7. Kali Linux
8. Nikto
9. NMAP + Zen Map
10. ZAP
11. Wireshark
12. Metasploit
13. Netsparker
14. Web Inspect
15. Nessus
16. W3af
17. CSRFT Tester
18. Wapiti
19. Fiddler
20. SQL Ninja
21. Aircrack-ng
22. IronWasp
23. Nagios
24. Ettercap
25. Social Engineer Toolkit
26. Retina
27. Veracode –Vulnerability Analyzer Toolkit

8. Outsourcing of Project to External Information Security Auditors / Experts : No


(If yes, kindly provide oversight arrangement (MoU, contract etc.))

*Information as provided by - Code Decode Labs Pvt. Ltd. on 15/01/2018.

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

TCG Digital Solutions Private Limited

1. Name & location of the empanelled Information Security Auditing Organization :

TCG Digital Solutions Private Limited. Registered Office and Head Office is in Kolkata.
The address is as follows:

TCG Digital Solutions Private Limited,


BIPPL Building, 16th Floor, Omega, Block EP & GP,
Sector V, Salt Lake Electronic Complex, Kolkata 700091

There are branch offices in Mumbai and Gurugram.

2. Carrying out Information Security Audits since : 2014

3. Capability to audit , category wise (add more if required)

 Network security audit : Yes


 Web-application security audit : Yes
 Wireless security audit : Yes
 Compliance audits (ISO 27001, PCI, etc.) : Yes

4. Information Security Audits carried out in last 12 Months :

Govt. : <none>
PSU : < Eastern Regional Load Despatch Centre, (ERLDC) – A Govt. of India Enterprise>
Private : <SREI Infrastructure Finance Ltd, MCPI Ltd, India Power Corporation Ltd. >
Total Nos. of Information Security Audits done : 5

5. Number of audits in last 12 months , category-wise (Organization can add categories based on
project handled by them)

Network security audit : <2>


Web-application security audit : <2>
Wireless security audit : <none>
Compliance audits (ISO 27001, PCI, etc.) : <1>

6. Technical manpower deployed for information security audits :

CISSPs : <1>
BS7799 / ISO27001 LAs : <4 >
CISAs : <1>
DISAs / ISAs : <none>
Any other information security qualification : <6>
Total Nos. of Technical Personnel : 14

7. Details of technical manpower deployed for information security audits in Government and Critical
sector organizations (attach Annexure if required)

Sl. Name of Duration with Experience Qualifications Related to


No. Employee <TCG Digital> in Information Security
Information
Security
1 Col. Pankaj 1.0 years 22 yrs. CISA, CISSP, CEH
Verma
2 Sudipto Jena 3 years 18 yrs. CEH, CHFI, ISO 27001 LA
3 Tathagata Datta 3.5 years 18 yrs. CCNA, CEH, CHFI, ISO 27001 LA, ISO
20000 LA, ISO 22301 LA, PCI DSS
Implementer
4 Vikas Chauhan 3 years 12 yrs. COBIT 5 Foundation, ISO 27001 LA,
CCIE Security
5 Yogesh Kumar 1 year 15 yrs. Advanced Information Warfare
Courses (Indian Air Force), CCIE(R &
S)
6 Narayan Basak 3 years 5 yrs.
Advanced Cloud Security Auditing for
CSA Star, ISO 27001:2013 Lead Auditor
7 Somnath Dutta 2.5 years 12 yrs. Trend Micro Certified Professional For
Deep Discovery

Trend Micro Certified Security


Expert(TCSE)

Fortinet Certified Network Security


Professional (FCNSP)

Fortinet Certified Network Security


Administrator (FCNSA)

Cyberoam Certified Network & Security


Professional-(CCNSP)

Cisco Certified Network Associates


(CCNA)

Microsoft Certified Technology


Specialist

Websense Certified TRITON APX Pre-


Sales Engineer

8 Abir Atarthy 1.5 years 10 yrs. CEH, CHFI, Trained in cyber range
simulation
9 Dinendu Das 2 years 10 yrs.

Trend Micro Certified Professional For


Deep Discovery.
RedHat Certified Engineer
Websense Certified TRITON APX
Engineer
10 Sk. Ashir Uddin 1.5 years 5 yrs. CCNA
Trained McAfee Endpoint Security
Manager
Trained Fortinet UTM Manager
11 Chaitanya 16 years 12 yrs.
Veludandi CCENT, TMCPDS
12 Shamsher 16 years 6 yrs.
Bahadur Trained in cyber range simulation
13 Aniruddha Basak 1.5 years 1 yrs.
Trained in cyber range simulation
14 Trishit Biswas 1.5 years 1 yrs.
Trained in cyber range simulation

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations etc.)
along with project value.

Vulnerability Assessment, Web Security Assessment and Penetration Test covering all ICT infra of SREI
Group spread across India. Value of the project was 34.8 Lac + taxes
9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

Nessus,
Nmap,
Nikto,
Acunetix,
Brupsuit,
Appscan,
Hydra,
Netsparker,
Wireshark,
and some customized scripts.

10. Outsourcing of Project to External Information Security Auditors / Experts : No

(If yes, kindly provide oversight arrangement (MoU, contract etc.)

*Information as provided by < TCG Digital Solutions Private Limited> on <12th January 2018>

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

ALLIED BOSTON CONSULTANTS INDIA PVT. LTD.

1. Name & location of the empanelled Information Security Auditing Organization:

ALLIED BOSTON CONSULTANTS INDIA PVT. LTD.

2. Carrying out Information Security Audits since : 2006

3. Capability to audit, category wise (add more if required)

 Network security audit (Y/N) : YES


 Web-application security audit (Y/N) : YES
 Wireless security audit (Y/N) : YES
 Compliance audits (ISO 27001, PCI, etc.) (Y/N) : YES
 System Security audit : YES

4. Information Security Audits carried out in last 12 Months:

 Govt. : 0
 PSU : 1
 Private : 5
 Total Nos. of Information Security Audits done : 6

5. Number of audits in last 12 months , category-wise (Organization can add categories based on
project handled by them)

 Network security audit : 3


 Web-application security audit : 2
 Wireless security audit : 0
 Compliance audits (ISO 27001, PCI, etc.) : 6
 System Security audit : 1

6. Technical manpower deployed for informationsecurity audits :

CISSPs : 0
BS7799 / ISO27001 LAs : 5
CISAs : 2
DISAs / ISAs : 0
Any other information security qualification:
1. CRISK : 1
2. Master’s Degree in Computer Management : 1
Total Nos. of Technical Personnel : 2

7. Details of technical manpower deployed for information security audits in Government and Critical
sector organizations (attach Annexure if required)

S. No. Name of Duration with Experience in Qualifications related


Employee <organization Information to Information security
> Security
1. T. Ganguly 14 years 12 years ISMS LA
2. Premanand P.P. 6.5 years 21 years ISMS LA, CISP,
CISA,ISACA/COBIT
3. Sudhanwa 10 years 31 years ISMS LA, master’s
Joglekar Degree in Computer
Management
4. Satish Meda 2 years 12+ years ISMS LA, CISA, CRISK
5. Ajay Mathur 6 years 16 years ISMS LA
8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations etc.)
along with project value.

At Energy InfoTech Centre (a division of Chattisgarh State Power Distribution Company Ltd.), a state
government enterprise

 Contract for 4-year period


 Project value of Rs. 19,66,300/- + applicable taxes
 EITC is the IT arm of the Chattisgarh State Power group companies – there are 6 companies
to whom EITC provide IT support
 Scope of Work involved:
1st Year tasks included:

o Assessment of information security controls w.r.t. physical and logical access,


operations and communications, technical assessment of security, penetration testing,
IPR & other legal / regulatory compliances, identification & management of information
processing assets / facilities, contractual arrangements on security aspects with service
providers responsible for IT services delivery in organization, and software security
aspects.
o Perform risk assessment of the organizational processes for information security
o Assisting in implementing identified gaps/ weaknesses from assessment study of
security controls and risk assessment

1st year and subsequent 3 years on yearly basis tasks included:

o Review implementation of information security – including verification of intrusion /


hacking protection mechanisms deployed
o Training of EITC personnel on Information Security aspects
o Carry out periodical IT Audit verification checks and suggest areas for improvement

9. List of Information Security Audit Tools used( commercial/ freeware/proprietary):

Commercial Tools: Burp Suite, Nessus, Qualis ( On demand), Acunetix ( Cloud version)

Freeware tools: Kali Linux and applications, OWASP-ZAP, Open Vas, SQLMAP, Zenmap, Vega, Nikto,
Wire shark

10. Outsourcing of Project to External Information Security Auditors / Experts : Yes/No


( If yes, kindly provide oversight arrangement (MoU, contract etc.)) ---

please find attached the Confidentiality Agreement signed by Satish Meda, Ajay Mathur and
Sudhanwa Joglekar

11. Whether organization has any Foreign Tie-Ups? If yes, give details : Yes/No

12. Whether organization is a subsidiary of any foreign based organization? : Yes/ No


If yes, give details

13. Locations of Overseas Headquarters/Offices, if any : Yes/No

*Information as provided by Allied Boston Consultants India Pvt. Ltd. on 20-07-18

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

e.com Infotech I Ltd

1. Name & location of the empanelled Information Security Auditing Organization:

e.com Infotech I Ltd


Level 3, Neo Vikram New Link Road
Andheri West
Mumbai 400058

2. Carrying out Information Security Audits since : 2017

3. Capability to audit , category wise (add more if required)

 Network security audit (Y/N) : Y


 Web-application security audit (Y/N) : Y
 Wireless security audit (Y/N) : Y
 Compliance audits (ISO 27001, PCI, etc.) (Y/N) : Y

4. Information Security Audits carried out in last 12 Months:

Govt. : NIL
PSU : NIL
Private : 15
Total Nos. of Information Security Audits done : 15

5. Number of audits in last 12 months, category-wise (Organization can add categories based on
project handled by them)

Network security audit : Part of our Comprehensive Audit Web-


application security audit : Part of our Comprehensive Audit
Wireless security audit : Part of our Comprehensive Audit
Compliance audits (SSAE 18, SOC& Cloud) : 11
SCADA/ICS : 2
GDPR & Privacy : 2

6. Technical manpower deployed for informationsecurity audits:

CISSPs : 4
BS7799 / ISO27001 LAs : 4
CISAs : 4
DISAs / ISAs : NIL
Any other information security qualification : CEH, CISM etc. 4
Total Nos. of Technical Personnel : 6

7. Details of technical manpower deployed for information security audits in Government and Critical
sector organizations (attach Annexure if required)

S. No. Name of Duration with Experience in Qualifications related to


Employee <e.com Infotech > Information Information security
Security
1. Ashwin 1 year 15 years CISSP, CCSK, CISA,
Chaudhary CISM, CRISC, CGEIT,
ISO27001LA, ITIL, PMP
2. Shaji Kurian 1 year 10+Years CISSP, CISM, CEH,
CCSK
3, Ashish Kunte 1 year 10+Years CISSP, CRISC, GIAC
4. Naushad 7 months 10+Years CISSP, CISA
Rajani
5. Mohan Bapat 5 months 10+Years CISA, ISO27001LA
6. GCS Sharma 4 months 10+Years CISA, CFE, ISO27001LA
8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations etc.)
along with project value.

Reliance Jio Data Centers covering Mumbai, Jamnagar and Nagpur for SSAE 18 SOC Audit

9. List of Information Security Audit Tools used (commercial/ freeware/proprietary):

Best in class as required.

10. Outsourcing of Project to External Information Security Auditors / Experts Yes/No : No


( If yes, kindly provide oversight arrangement (MoU, contract etc.))

Currently No but in case we need to we will have proper due diligence, NDA, MOU and project will
be supervised and managed by one of our team members.

11. Whether organization has any Foreign Tie-Ups? If yes, give details Yes/No : Yes

Association with Accedere Inc USA for SSAE 18, SOC Attest Reports

12. Whether organization is a subsidiary of any foreign based organization? Yes/ No : No


If yes, give details

13. Locations of Overseas Headquarters/Offices, if any Yes/No : No

*Information as provided by e.com Infotech I Ltd on July 14, 2018

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Grant Thornton India LLP

1. Name & location of the empanelled Information Security Auditing Organization :

Grant Thornton India LLP,


L 41, Connaught Circus,
Outer Circle, New Delhi. PIN - 110 001

2. Carrying out Information Security Audits since : 2008

3. Capability to audit , category wise (add more if required)

 Network security audit : Yes


 Web-application security audit : Yes
 Wireless security audit : Yes
 Compliance audits (ISO 27001, PCI, etc.) : Yes
 IOT security testing : Yes
 Mobile application security : Yes
 Configuration reviews : Yes
 Source code reviews : Yes
 API security assessments : Yes
 Cloud security : Yes

4. Information Security Audits carried out in last 12 Months :

Govt. : 0
PSU : 0
Private : 48
Total Nos. of Information Security Audits done : 48

5. Number of audits in last 12 months, category-wise (Organization can add categories based on
project handled by them)

Network security audit : 12


Web-application security audit : 7
Wireless security audit : 4
Compliance audits (ISO 27001, PCI, etc.) : 3

6. Technical manpower deployed for informationsecurity audits :

CISSPs : 0
BS7799 / ISO27001 LAs : 13
CISAs : 9
DISAs / ISAs : 0
Any other information security qualification : 2 CCNA,
1 CHFI,
1 CCSA,
2 ISO 22301,
1 CISM,
2 SAP,
2 OSCP,
1 RHCE,
3 ITI
Total Nos. of Technical Personnel : 52

7. Details of technical manpower deployed for information security audits in Government and Critical
sector organizations (attach Annexure if required) Please refer to Annexure - 1
8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations etc.)
along with project value.

Leading IT / GT have examined client’s Facility Level Regions: 18


ITES Service Controls and Client services controls
Provider related system as of date and throughout Facilities
the period and the suitability of the design covered: 56
and operating effectiveness of client’s
controls to achieve the related control
objectives. Control areas covered are-
 Physical Security - Entity;
 Physical Security - Restricted Area;
 Human Resource;
 Master Service Agreement Monitoring;
 Data Security and Confidentiality;
 Environmental Controls, Capacity &
Continuity;
 Logical Access;
 Anti-virus;
 Global Telecom Operations;
 Back-up;
 Security Incident Management; and
 Other client specific control areas

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

Commercial Tools:

 Nessus
 Nipper
 Burpsuite

Freeware Tools:

 Metasploit
 Wireshark
 NMAP
 SQLMap
 Nikto
 MobiSF
 Metasploit
 Hydra
 Cain and Abel
 John The Ripper

The list of tools mentioned above are indicative

10. Outsourcing of Project to External Information Security Auditors / Experts : No


( If yes, kindly provide oversight arrangement (MoU, contract etc.))

11. Whether organization has any Foreign Tie-Ups? If yes, give details : Yes
Yes, Grant Thornton India is part of the GT Member Firm network which is spread across the globe
in 130+ countries.

12. Whether organization is a subsidiary of any foreign based organization? : No


If yes, give details
Grant Thornton in India is a member firm within Grant Thornton International (GTIL), global
organization with member firms in over 130 countries.
Grant Thornton India LLP (formerly Grant Thornton India) is registered with limited liability with
identity number AAA-7677 and has its registered office at L-41 Connaught Circus, New Delhi,
110001. References to Grant Thornton are to Grant Thornton International Ltd (Grant Thornton
International) or its member firms. Grant Thornton International and the member firms are not a
worldwide partnership. Services are delivered independently by the member firms.
Member firms carry the Grant Thornton name, either exclusively or as part of their national practice
names and provide assurance, tax and advisory services to their clients. All member firms share
both a common global strategy and a common global culture focusing on improvement in quality of
service delivery, procedures to monitor quality, and the risk management methodology.
13. Locations of Overseas Headquarters/Offices, if any : No

*Information as provided by Grant Thornton India LLP on 19th July 2018.

Back
Annexure – I

S. Name of Employee Duration with Grant Qualifications related to Experience in Information


No. Thornton India Information security Security
LLP

1. Prashant Gupta August 2017  NA 17+years

2. Akshay Garkel September 2017  NA 17+ years

3. Lalit Vazirani January 2018  ISO 27001 LA, ISO 22301, 15+ years
Symantec DLP certified, Qualys
Guard certified

4. Venkatkrishnan G February 2017  CISA 20 years


 ISO 27001 certified

5. Rohit Das September 2017  ISO-27001 LI 10+ years


 CISA

6. Abhijeet Jayaraj November 2017  CEH 4.5


 OSCP

7. Shweta Pawar November 2015  ISO 27001: 2013 Lead Auditor 9 years
(ISMS)
 ITIL V3 Foundation

8. Raghavendra S November 2015  CISA(Certified Information 11+ Years


System Auditor) – Qualified
 COBIT 5
 ITIL Foundation Certified

9. S.Kishore Kumar July 2015  CISA (Certified Information 12+ Years


System Auditor)
 CISM (Certified Information
Security Manager)
 ISO 27001 LA
 ITIL Foundation certified
 COBIT Foundation certified

10. Krishna Jere October 2017 CCNA, CCSA, ISO 27001 LA 13+ Years

11. Dhananjay Deo April 2017 CISA, ISO 27001, COBIT 20+ Years

12. Harshit Mehra September 2017 ISO-27001 LA 5 years

13. Sandeep Sharma April 2013  Microsoft SAM 673, and 74-678 5+ years
 SCJP
 ITIL Foundation Certified

14. Syed Faisal Ali January 2016 SAP FI 11+ years

15. Radhika Nambiar September 2015 NA 10+ years

16. Umesh Jain February 2016  ISO 27001:2013 Lead Auditor 6+ years
 CEH (Certified Ethical Hacker)

17. Bhavna Nakra August 2017 ISO 27001:2013 Lead Auditor 3+ years

18. Manpreet Singh September 2017 OSCP(Offensive Security Certified 2+ years


Kheberi Professional)

19. Aditya Tiwari May 2017 ISO 27001:2013 Lead Auditor 6+ months
S. Name of Employee Duration with Grant Qualifications related to Experience in Information
No. Thornton India Information security Security
LLP

20. Akshaya Rane January 2016 NA 6+ Years

21. Ankit Gupta March 2015 NA 2.7 years

22. Ankitha Chinnapolu May 2017  Cisco Certified Network 3 years


Associate(CCNA),
 Red Hat Certified
Engineer(RHCE)
 ITIL

23. Ashish Sharma April 2017 ITIL Foundation 7 Months

24. Charu Lata April 2017 Sap (SD,FI) Trained 1.5 Years

25. Harsha kakkar March 2015 CISA(Certified Information System 6+ years


Auditor)

26. Lalit Sharma July 2012  DCPP (DSCI Certified Privacy 4+ years
Protection Certificate)
 ITIL Foundation Certified
 Certificate Program in Cyber Law
(SYMBIOSIS)

27. Makarand Ramesh June 2017  Lead Audit ISO 27001:2013 - 8 years
Kadave Information Security
Management System
 Diploma in Information Security
& Ethical Hacking

28. Muralikrishna Joshi February 2016 ITIL Foundation Certified 1.8 years

29. Sahas Arora July 2017 ISO 27001:2013 LI 4 months


compTIA Security+ (IT Security)

30. Santanu Paramanick May 2015 ISO 27001:2005 LA 7+ years

31. Srishti Gosain April 2017 Diploma/certificate in SAP (FICO) 3 years

32. Steadin Fernandes December 2015 ISO 27001:2013 4 Years

33. Allwyn Suares March 2016 CCNA, MCSA, 6+ Years

34. Saloni Sikdar July 2017 NA 3+ Years

35. Ankita Sinha December 2017  CISA, ISO 22301 LI 6+ Years

36. Sagar Gajara November 2017  CEH, CCI, Diploma in Cyber 4+ Years
forensics

37. Amit Bedwa December 2017  ISO 27001 LA, ISO 22301 LA, 2 years
ITSM

38. Praveen Sharma March 2018  NA 12+ Years

39. Sagar Garg April 2018  NA 5+ Years

40. Akshay Sharma June 2018  NA 3 Years

41. Rahul Kakkar June 2018  NA 2 Years


S. Name of Employee Duration with Grant Qualifications related to Experience in Information
No. Thornton India Information security Security
LLP

42. Aditya Tiwari May 2017  ISO 27001 LA 1.5 Years

43. Arvind Kumar April 2018  ISO 27001 LA, ISO 27001 LI, 4+ years
ERM

44. Debarchan Das June 2018  CEH, ECSA 3Years

45. Afzal Imam July 2018  CCNA 2 years

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Sonata Software Limited

1. Name & location of the empanelled Information Security Auditing Organization:

Sonata Software Limited ,


Bangalore

2. Carrying out Information Security Audits since : 2011

3. Capability to audit, category wise (add more if required)

 Network security audit (Y/N) : Y


 Web-application security audit (Y/N) : Y
 Wireless security audit (Y/N) : Y
 Compliance audits (ISO 27001, PCI, etc.) (Y/N) : Y

4. Information Security Audits carried out in last 12 Months:

Govt. : None
PSU : None
Private : 20
Total Nos. of Information Security Audits done : 20

5. Number of audits in last 12 months , category-wise (Organization can add categories based on
project handled by them)

Network security audit : 3


Web-application security audit : 10
Wireless security audit : 2
Compliance audits (ISO 27001, PCI, etc.) : 5

6. Technical manpower deployed for informationsecurity audits:

CISSPs : None
BS7799 / ISO27001 LAs : 4
CISAs : 2
DISAs / ISAs : 5
Any other information security qualification : CEH- 5
Total Nos. of Technical Personnel : 12

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. No. Name of Employee Duration with Experience in Qualifications related


<organization> Information Security to Information security
1 NarasimhaRao 20 10 years  CEH
Akundi  ISO 27001 lead
auditor
 PMP
 GDPR lead
Implementer

2 Sharad Kumar 6 3  CEH


Patani
3 Vinit Bharadwaj 10 5  CEH, ISO 27001
LA,PMP, Cloud
Computing
Foundation

4 Chandra Sekhar P 4 4  CEH

5 Guru prasad 10 6  CEH


8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

IT management project (renewed annually) for a client based in India.Project includes secure IT
operations, Web application testing, network security management, continuous vulnerability and
patch management, data center security and Disaster recovery management. The annual
revenue is over INR 1.1Cr

9. List of Information Security Audit Tools used(commercial/ freeware/proprietary):

Network Penetration Testing:

KALI Linux, Nslookup, Dnsmap, Nmap, Firewalk, Hping, Nessus, Nikto, John the ripper, Sqldict,
Firewall Analysers

Vulnerability Scanning:

Qualys Guard , GFI Langaurd, Nessus Professional, Retina scan

Application Security Assessment

Burp suite, Paros, Wireshark, Accunetix, Netsparker, Metasploit framework, SQL Map,
customized python scripts

Social Engineering

Social Engineering Toolkit, Email campaigns

10. Outsourcing of Project to External Information Security Auditors / Experts : No

( If yes, kindly provide oversight arrangement (MoU, contract etc.))

11. Whether organization has any Foreign Tie-Ups? If yes, give details : No

12. Whether organization is a subsidiary of any foreign based organization? : No


If yes, give details

13. Locations of Overseas Headquarters/Offices, if any : Yes

UK, US, Dubai,Qatar,Germany

*Information as provided by Sonata Software Limitedon20 July 2018

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Tech Mahindra Ltd.

1. Name & location of the empanelled Information Security Auditing Organization :

Tech Mahindra Ltd.


Sharda Centre, Off Karve Road
Pune - 411004 (Maharashtra) India
Phone:+91 20 66018100

2. Carrying out Information Security Audits since : 2001

3. Capability to audit , category wise (add more if required)

 Network security audit (Y/N) : Y


 Web-application security audit (Y/N) : Y
 Wireless security audit (Y/N) : Y
 Compliance audits (ISO 27001, PCI, etc.) (Y/N) : Y
 Third Party Security Maturity Audit : Y

4. Information Security Audits carried out in last 12 Months :

Govt. : 20
PSU : 1
Private : 2407
Total Nos. of Information Security Audits done : 2428

5. Number of audits in last 12 months , category-wise (Organization can add categories based on
project handled by them)

Network security audit : 50


Web-application security audit : 2320
Wireless security audit : 0
Compliance audits (ISO 27001, PCI, etc.) : 2
Third Party Security Maturity Audit : 250

6. Technical manpower deployed for informationsecurity audits :

CISSPs : 11
BS7799 / ISO27001 LAs : 20
CISAs : 10
DISAs / ISAs : 0
CEH : 85
CISM : 02
Total Nos. of Technical Personnel : 128

7. Details of technical manpower deployed for information security audits in Government and Critical
sector organizations (attach Annexure if required)

S. Name of Duration Experience in Qualifications


No. Employee with Tech Information related to
Mahindra Security Information
security
1 Peeyush 13 Years Security Audit CISSP, CCSP,
Srivastava and CBCP
assessment.
Cybersecurity
and Cloud
security
Program and
Project
management
2 Rahul Vaidya 14 Years Enterprise CCNA, CEH, ISO-
Security 27001 LA, ITIL
Consulting, V3.0
Security
Operations,
Delivery
Management,
Pre-sales Tech
Support, IS
audits
Program
management
3 Sumit 2 years Security Audit CEH,CCNA
Bhattacharya and
assessment.
Cloud security,
Application
Security,
Wireless
Security
4 Venkat 1 year Application CEH, OSCP,
Reddy Challa Security, Qualys Guard
Wireless Certified
Security,
Vulnerability
assessment
and
Penetration
testing
5 Mayuri 2 years Application CEH
Cherku Security,
Wireless
Security,
Vulnerability
assessment
and
Penetration
testing
6 Amit Kumar 5 years Mobile CEH, ISO-27001
Security, IOT
Security
7 Vishal 4 years Application CEH, SPLUNK
Chhabria Security,
Vulnerability
assessment
and
Penetration
testing, Mobile
application
Security

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations etc.)
along with project value.

1. Australian Retail company


a) Scope & Volume : 250+ Third party security Audits
b) Locations : Australia & Mumbai
c) Project value : 2.59 mn $(Total contract value)
2. Leading US telecom company
a) Scope & Volume : 198+ web application security testing
b) Locations : USA , Mumbai
c) Project value : 7mn $(Total contract value)
3. Large Oil sector company
a) Scope & Volume : 2000 + Web application security testing
b) Locations : USA , Mumbai
c) Project value : 1 mn $(Total contract value)

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

Commercial:
Qualys Guard, IBM App Scan, Burp Suite Pro, Web Inspect, Checkmarx, HP Fortify, ISF
Security Health Check, ISF Benchmarking, Algosec.
Freeware:
NMap, Metasploit, SSL Digger, SSL Scan, SQL Map, MOB-SF, Quark, Drozer, SOAP
UI,Owasp Zap.

10. Outsourcing of Project to External Information Security Auditors / Experts : Yes

( If yes, kindly provide oversight arrangement (MoU, contract etc.))

Third party ISAE 3402 audit has been outsourced to E&Y since 2015. This was a client
requirement. (Attached here for ready reference). As TechM has implemented, hence the
auditing was provided to third Party (E&Y)

11. Whether organization has any Foreign Tie-Ups? : NO

12. Whether organization is a subsidiary of any foreign based organization? : NO

13. Locations of Overseas Headquarters/Offices, if any : Yes

Jakarta

Tech Mahindra Ltd.


PT. Tech Mahindra Indonesia, AriobimoSentral 4th Fl. Suite # 403
Jl. HR. Rasuna Said Kav X-2, No. 5 12950
Jakarta
Phone:+62 212525760

China

Nanjing

Tech Mahindra Ltd.


Floor 4, Animation Building, No.11 Xinghuo Road
Pukou Hi-Tech Zone Nanjing city
Peoples Republic of China
Phone:+86 25 83506016

Shanghai

Tech Mahindra Ltd.


Room No. 23102, No. 498, Guoshoujing Road, Zhangjiang
Hitech Park, Shanghai
Peoples Republic of China
Phone:+86 21 50807600

Shenzhen

Tech Mahindra Ltd.


TianAn Yun Gu, Romm Nos.2201-2203, Phase I-3C
No.133, Xugang North road, Bantian, Sub District
Longgang dist. Shenzen, China PRC

Hong Kong

Tech Mahindra Ltd.


Level 7, Nan Fung Tower,
88 Connaught Road Central,
Central, Hong Kong.
Phone:+852 3796 7230
Fax:+852- 3796 7000

Japan

Kanagawa
Tech Mahindra Ltd.
Fujitsu Atsugi Technical Center, 3065, 3rd floor
Okada, Kanagawa, Tokyo, Japan
Phone:+ 81 5038040928

Tokyo

Tech Mahindra Ltd.


Tokyo Office, Toranomon 40 MT Bldg 6th Floor 5 - 13 - 1 Toranomon
Mitato-ku, Tokyo, 105-0001
Japan
Phone:+81 036402 5921

Malaysia

Cyberjaya

Tech Mahindra ICT Services ( Malaysia ) SDN. BHD.


Global Solution Center, Lot 12122, PersiaranApec,
63000 Cyberjaya, Selangor, Malaysia.
Phone:+60 3 88828001

Philippines

Cebu

Tech Mahindra Limited Tech Mahindra Limited


7/F Ebloc 3, Geonzon Road, Phase 2, 2 and 4/F JESA ITC Building, 90 General
Cebu IT Park, LahugApas, Maxilom Avenue,
Cebu City, Philippines 6000. Cebu City, Philippines 6000.
Phone:+63 32 4106491 Phone:+63 32 5126275

Manila

Tech Mahindra Limited Tech Mahindra Limited


5/F Felina Corporate Plaza, Eastwood 3/F eCommerce Plaza Building, Garden
Avenue, Eastwood City, Bagumbayan, Road, Eastwood City, Bagumbayan,
Quezon City, Metro Manila, Philippines Quezon City, Metro Manila, Philippines
1110. 1110.
Phone:+632 7360893 Phone:+632 6662821
Phone:+632 6619623 Phone:+632 7091673

Singapore

Tech Mahindra Ltd.


#06-01, Honeywell Building,
17 Changi Business Park Central 1,
Singapore - 486073
Phone:+65 6417 7201

South Korea

Seoul

Tech Mahindra Ltd.


16th Floor, Posco P&S Tower,
Teheran-ro 134, Gangnam-gu, Seoul, 135-923,
South Korea.
Phone:0082-2-20157652

Taiwan

Taipei

Tech Mahindra Ltd.


Room No. 8, Level 37, Taipei 101 Tower,
No.7 Section 5, Xinyi Road
Taipei City 11049, Taiwan
Republic Of China
Phone:+886 2 87582984

Thailand

Bangkok

Tech Mahindra Ltd. Tech Mahindra Ltd.


Suvarnabhumi Airport, AOT Building, 4th 54 BB Building, 13th floor, Unit No 1304
floor, SukhumvitSoi 21 (Asoke Road)
Room no. Z4-008, 999 Moo1 KlongtoeyNua
TambonNongprue, Amphoe Bang Plee Wattana, Bangkok 10110 , Thailand
Samutprakarn 10540 Bangkok Phone:+66 2 640 8170
Phone:+66 2 1346253

Vietnam

Hanoi

Tech Mahindra Ltd.


Suite 2136, 21st Floor
Capital Towers
109 Tran Hung Dao
HoanKiem District
Hanoi, Vietnam

Americas

Argentina

Buenos Aires

Tech Mahindra Argentina SA


Esteban ECHEVERRIA 1960
Código Postal B1604ABV
Florida Oeste -Pcia de Buenos Aires
Argentina
Phone:+54 11 52909252
Fax:+54 11 52909249

Bolivia

Santa Cruz

Tech Mahindra Bolivia S.R.L.


3er AnilloInterno – Barrio MarabolCalle Ricardo Chávez #570
Santa Cruz – Bolivia
Phone:+591-3-3450078
Fax:+591-3-3450079

Brazil

Alphaville

Tech Mahindra Brazil


Alameda Araguaia, 2044 - Tamboré
Barueri – SP, Brazil
Tour 1 – 8º. Floor - Rooms 808/809 06455-000

Rio de Janeiro

Tech Mahindra Brazil


PraçaPio X
98 - 11º andar - Centro - RJ - CEP. 20.091-040
Phone:(21) 3550-3100

Sao Paulo

Tech Mahindra Ltd.


Av. Maria Coelho Aguiar
215, Bloco C, Floor 5 - Jardim São Luís
São Paulo, SP 05804900
Phone:+55 11 2123-8100

Canada

New Brunswick

Tech Mahindra Ltd.


720 Coverdale Road, Unit A010.
Riverview Place, Riverview,
Moncton, New Brunswick, Canada. E1B3L8

Ontario

Tech Mahindra Ltd. Tech Mahindra Ltd.


1960 Eglinton Avenue East, 100 Consilium Place, Suite 200.
2nd Floor, Scarborough Toronto Scarborough, Ontario
Ontario M1L2M5 M1H 3E3.
Phone:+1 647 494 3374 Phone:+1 877 725 8579

Vancouver

Tech Mahindra Ltd.


999 Canada Place,
Suite 404, Vancouver,
British Columbia V6C 3E2
Phone:604-641-1363
Fax:604-641-1214

Colombia

Bogotá

Tech Mahindra Colombia S.A.S.


Cra.45 #97-50, Of.1102-03
Bogota, Colombia 110221
Phone:+571 6910056/ 6185594

Costa Rica

San Jose

Tech Mahindra Costa Rica S.A


Sabana Sur,
CalleMorenos 150 mt Sur del Supermecado AMPM,
Edificio color papaya, San Jose, Costa Rica
Phone:+506-403-025-87

Ecuador

Guayaquil

Techmahindra Del Ecuador


Kenedy Norte Manzana 1010 Solares 7,
8 y 9 Guayaquil , Ecuador
Phone:+59342684315
E_mail:[email protected]

Quito

Techmahindra Del Ecuador


Jose Herboso OE3-256
entre Benitez y Av. La Prensa
Phone:+593-2- 601-8789
E_mail:[email protected]

Guatemala

Tech Mahindra Ltd.


AvenidaReforma, 7-63 Zona 9,
Edificio Aristos Reforma, 4to Nivel,
Office# 401, Guatemala

Phone:+502-2334-3421
Fax:+502-2334-2648

Mexico

Mexico City

Tech Mahindra de Mexico S .de Tech Mahindra de Mexico S .de


TecnoParqueEje 5 Norte990, Technoparque, Ground Floor
Azcapotzalco, Santa Barbara, F Block, Mexico City
02230Ciudad de México, D.F. Mexico
E-mail: [email protected] E-
Phone:+52 (55) 416 43404 mail: [email protected]
m

Tech Mahindra de Mexico S .de


PROL Bernardo Quitana sur No.302
Col Centro sur, Queretaro
Queretaro
E-
mail: [email protected] 7609
0

Panama

Tech Mahindra Panamá, S.A


Via Simon Bolivar,
(Transistmica) Edif H. Herburgeroficina 5 y 10, Panama
Phone:+507 26 14 764

Peru

Lima

Tech Mahindra De Peru S.A.C Tech Mahindra De Peru S.A.C


Amador Merino Reyna #465, Edificio Av. Jose Guillermo Salvador Lara 489-
Trillium, 493
5th Floor, San Isidro, Lima - 15046 Primero PisoUrbanización Las Quintanas
Trujillo

United States of America

California

Tech Mahindra (Americas) Inc. Tech Mahindra (Americas) Inc.


1735 Technology Drive, 100 Pacifica, Suite 310,
Suite No. 575, San Jose, Irvine, California
California 95110
Phone:+1 408 707 1831

Tech Mahindra (Americas) Inc.


Fremont 10 (sba 02001) 6092
Stewart. Av Fremont
CA 94538-3152

Connecticut

Tech Mahindra (Americas) Inc.


334 Ella Grasso, Air Exchange Building,
Windsor Locks, Connecticut, 06096.

Florida
Tech Mahindra
501 Brickell Key Drive,
Suite 200, Miami,
Florida, 33131

Georgia

Tech Mahindra Americas Inc.


3655 North Point Parkway, Suite 675,
Alpharetta, Georgia 30005.

Illinois

Tech Mahindra (Americas) Inc.


10 N Martingale Road,
Suite No. 400, Schaumburg,
Illinois, 60173.

Kansas

Tech Mahindra
12980 Foster South Creek Building 1,
Suite 190, Overland Park,
Kansas 66213

Kentucky

Tech Mahindra (Americas) Inc.


9401 Williamsburg Plaza,
Suite 102, Louisville,
Kentucky 40222

Michigan

Tech Mahindra Americas Inc.


20700 Civic Center Drive
Suite 115 Southfield, 48076

Nebraska

Tech Mahindra (Americas) Inc.


Central Park Plaza, 222, South 15th street,
8th floor, Omaha, Nebraska 68102.

Nevada

Tech Mahindra (Americas) Inc.


Office 1 - 808,
College Parkway - Suite 102, 103 & 104,
Carson City,
Nevada 89703

New Jersey

Tech Mahindra (Americas) Inc. Tech Mahindra (Americas) Inc.


1001 Durham Avenue, Secaucus vXchnge 200B Meadowlands
Suite 101, South Plainfield, Pkwy,
New Jersey, 07080. Secaucus New Jersey 07094

New York

Tech Mahindra
Equinix NY9, 111 8th Avenue,
New York 10011

North Dakota

Tech Mahindra (Americas) Inc.


No.3320 WestracDr, Fargo
(North Dakota) United States of America

Ohio

Tech Mahindra (Americas) Inc. Tech Mahindra (Americas) Inc.


6000 Freedom Square, 200 West Prospect Avenue, Suite 701,
Suite 250, Independence, Ohio 44131. Cleveland, Ohio 44113.

Tech Mahindra (Americas) Inc.


4445 Lake Forest Place Suite 163,
Blue Ash, Ohio 45242.

Pennsylvania

Tech Mahindra Ltd.


200 North Warner Road,
Suite 420, King Of Prussia,
Pennsylvania 19406

Texas

Tech Mahindra (Americas) Inc. Tech Mahindra (Americas) Inc.


4965 Preston Park Boulevard, 2500 City West Blvd. Suite 300,
Suite 500, Plano, Texas, 75093 Houston, Texas, 77042.
Phone:+1 214-974-9907

Washington

Tech Mahindra (Americas) Inc Tech Mahindra (Americas) Inc


6801 185th Avenue NE, 15809 Bear Creek Parkway,
Suite 100. Redmond, Suite 310 & 400, Redmond,
Washington 98052 Washington 98052

Tech Mahindra (Americas) Inc


2001 6th Avenue, Suite 300,
Seattle, Washington 98121
Australia and New Zealand

Australia

Brisbane, Queensland

Tech Mahindra Ltd.


Level 16, Office Suite No.1605,
200, Mary Street,
Brisbane – 4000,
Queensland, Australia
Phone:+61 7 30313612

Canberra, ACT

Tech Mahindra Ltd.


Office Suite No.551,
Regus Canberra City West – Tower-A,
Level 5, 7 - London Circuit,
Canberra - 2600,
Australian Capital Territory.
Phone:+61 2 6169 4150

Chatswood, NSW

Tech Mahindra Ltd.


Level 7, 465 - Victoria Avenue,
Chatswood - 2067,
New South Wales, Australia.
Phone:+61 2 84848469

Melbourne, Victoria

Tech Mahindra Ltd.


Level 8, South Tower,
459 - Collins Street,
Melbourne CBD - 3000,
Victoria, Australia.
Phone:+61 3 99342700

North Sydney, NSW

Tech Mahindra Ltd.


Level 5, 100 - Pacific Highway,
North Sydney - 2060, New South Wales,
Australia.
Phone:+61 2 84848485

Perth, Western Australia

Tech Mahindra Ltd.


Level - 3, 267 - St. George Terrace,
Perth – 6000, Western Australia.
Phone:+61 8 92116142 / +61 8 92116103

New Zealand

Auckland

Tech Mahindra Ltd.


Level-6, Southern Cross Building,
59-67 High Street,
Auckland Central - 1010, New Zealand.
Phone:+64 9 2814742
Europe

Austria

Vienna

Tech Mahindra IT-Services GmbH


Albertgasse 35
1080 Vienna

Belgium

Brussels

Tech Mahindra Ltd. Tech Mahindra Ltd.


Twin House B, 3rd Floor, Neerveld 107, Raketstraat 40, 1st Floor
1200 Brussels, Belgium. Evere - 1130 Brussels
Phone:+32 27732400 Belgium
Phone:+32 28919310

Charleroi

Tech Mahindra Ltd.


Zone Industrielle
4ieme Rue nr.33,6040 Jumet
Belgium

Bulgaria

Sofia

Tech Mahindra Limited


3 Nikola Tesla Str., 8th floor,
Sofia One, 1574, Sofia.

Czech Republic

MladaBoleslav

Tech Mahindra Ltd.


StaromestskeNamesti No.84
MladaBoleslav, Czech Republic

Ostrava(Virtual Office)

Tech Mahindra Ltd.


28, rijna 3346/91, Moravska Ostrava
702 00, Czech Republic

Denmark

Copenhagen

Tech Mahindra Ltd.


Lautrupvang 2, 1st floor
2750 Ballerup, Copenhagen
Denmark
Phone:+45 44 78 30 37

Finland

Helsinki

Tech Mahindra Ltd, branch in Finland,


Lindström – House,
Lautatarhankatu 6 B 2 floor,
00550 Helsinki.

France

Paris

Tech Mahindra Ltd.


17 Avenue George V,
75008 Paris, France.

Phone:+33 01 44 43 47 20

Toulouse

Tech Mahindra Ltd.


Bâtiment Omega,
22 boulevard Déodat de Séverac,
31170 Colomiers.
Phone:+33 05 61 15 25 10

Germany

Berlin

Tech Mahindra GmbH NL Berlin


Grossbeerenstr. 2
12107 Berlin
Phone:+49 30 700 700 69

Dresden

Tech Mahindra GmbH


WashintonStr, 16/16A
dresden, Germany

Düsseldorf

Tech Mahindra GmbH


Fritz-Vomfelde-Strasse 8
40547 Duesseldorf
Phone:+49 211 205 408 18

Hamburg

Tech Mahindra GmbH Tech Mahindra GmbH


Channel 2, EG West Christoph-Probst-Weg 1
HarburgerSchlossstrasse 24 20251 Hamburg
21079 Hamburg Phone:+49 40 370251101
Phone:+49 40 743 60652
Phone:+49 40 743 60291

Muenchen

Tech Mahindra GmbH


88 North, Riesstrasse 20
80992 Muenchen
Phone:+49 89 5422540 06

Wiesbaden

Tech Mahindra GmbH


Borsigstr. 20
65205 Wiesbaden
Phone:+49 6122 50731-0

Wolfsburg

Tech Mahindra GmbH


Alessandro-Volta-Straße 20-26
38440 Wolfsburg
Phone:+49 536 189 8606 28

Hungary

Budapest

Tech Mahindra Ltd. Tech Mahindra Ltd.


Capital Square Office Building, Capital Square Office Building
2nd Floor, Tower – V, 7th Floor, Tower – 6
76, Váci street, 76, VáciUt
HU-1133 Budapest (Hungary) HU-1133 Budapest (Hungary)

Tech Mahindra Ltd.


5th Floor, Cityzen Building – VáciUt 37
District 13 Budapest
Hungary

Ireland

Dublin

Tech Mahindra Limited


1st floor, Riverside two, 43/49 sir john rogerson's Quay
Dublin 2

Northern Ireland

Tech Mahindra Limited


7th Floor, BT Riverside Tower, 5 Lanyon Place, BT1 3B
(Belfast) Ireland
Phone +44-02890 446530 | Avaya: 450000

Waterford

Tech Mahindra Business Services Limited


Ground & 1st Floor, Block A
IDA Business & Technology Park
Waterford, Ireland
Phone:0035351599047

Italy

Milano

Tech Mahindra Ltd. Italian Branch


Via A. Brocchi - LocalitàCastelletto,
20019 Settimo Milanese (MI).
Phone:+39 0284292002

Latvia

Riga

Tech Mahindra Ltd.


RIGA, Esplanade, 2nd and 7th floor
Dzirnavuiela 57a, Riga, LV-1010

Luxembourg

Senningberg

Tech Mahindra Ltd


5, Rue Heienhaff, (2nd Floor, Wing E),
L-1736 Senningerberg, Luxembourg.

Netherlands
The Hague

Tech Mahindra Limited


Maanplein 20, Gebouw 8 [TP8]
2516 CK, Den Haag, Netherlands
Phone:+ 31 70 3047700

Norway

Oslo

Tech Mahindra Norway AS


Campus TS
Martin Lingesvei 25,
1364, Fornebu
Phone:+47 67 82 72 72

Romania

Bucharest

Tech Mahindra Ltd.


Sector 1, str general c, Budisteanunr c, 2nd district,
etaj,- 3 camera 10, 010775 Bucharesti 17, C.A Rosetti,
C I F RO 23555450 Bucharest SECTOR 2, Romania
,Romania
Phone:+44 07918714701
Phone:+ 91 9866129769

Spain

Madrid

Tech Mahindra- LCC Wireless Communication Services


Espana Juan de Mariana, No. 178
Plant 3rd 28045 Madrid
Spain

Sweden

Gothenburg

Tech Mahindra Ltd.


Sörredsbacken 20,
Göteborg – 41878.
Phone:+463159687

Stockholm

Tech Mahindra Ltd.


Waterfront Building
Klarabergsviadukten 63
SE-111 64 Stockholm, Sweden
Phone:+46 708304334

Switzerland

Basel

Tech Mahindra Ltd.


Aeschenvorstadt 71,
4051 Basel
Phone:+41 (0)612254246
Fax:+41 61 225 42 49

Geneva

Tech Mahindra Ltd.


Chemin Chateau-Bloch 11, 1219
Le Lignon
Geneva, Switzerland
Phone:+41 (0) 022 879 9570
Fax:+41 (0)22 879 9579

Zurich

Tech Mahindra Ltd.


World Trade Centre,
Leutschenbachstrasse 95
8050 Zurich.
Phone:+44 (0)44 308 37 20/21/35
Fax:+41 44 308 3500

United Kingdom (UK)

Bristol

Tech Mahindra Ltd.


Aztec West 2430/2440 The Quadrant Aztec west
Almondsbury Bristol-BS32 4AQ

Crewe

Tech Mahindra Ltd.


Metasi House, DSP House
west street Crewe Cheshire CW1 3PA

Ipswich

Tech Mahindra Ltd.


LAB, BT PLC, Room W1-06
Columba house, Adastral Park
Ipswich, IP5 3 RE

London

Tech Mahindra Ltd.


63, Queen Victoria Street, EC4N 4UA (London)
United Kingdom
Phone:+44 (0)1908 553400

Manchester

Tech Mahindra Ltd.


1st Floor Laser House
Waterfront Quay
Salford, M50 3XW
Manchester, UK
Phone:+44 (0)161873 8001, +44(0)161873 7029

Milton Keynes

Tech Mahindra Ltd.


401 Grafton Gate East, Milton Keynes MK9 1AT
United Kingdom
Phone:+44 (0)1908 553400

Norfolk

Tech Mahindra Ltd.


Office 8, HethelEngeneering Centre
ChapmanwayHethel
Norfolk-NR14 8FB
Middle East

Bahrain

Manama

Tech Mahindra Ltd.


Al Salaam Tower, 11th Floor,
Diplomatic Area, Manama
Bahrain
Phone:+973 17534057

Qatar

Doha

Tech Mahindra Ltd.


Palm Tower – B
Level 43, Suite No.4306
Majlis Al Taawon Street,
West Bay, Doha, Qatar.
PO Box. No:13279.

Saudi Arabia

Al-Khobar

Tech Mahindra Ltd. Tech Mahindra Arabia Limited,


Al Bandareyah Trading Centre, Al Hugayet Skyline Tower,
Office No. 501 12th Floor, Al Khobar 31952,
Prince Faisal Bin Fahad Street, Al- Po Box No.31671,
Khobar 31952 Kingdom Of Saudi Arabia.
Kingdom of Saudi Arabia Phone:+966 505894866
Phone:+966138824076

United Arab Emirates

Abu Dhabi

Tech Mahindra Limited


Office No.1001, 10th Floor,
Al Faraá Corporate Tower,
13 Delma Street,
Behind trans ad & commercial court,
Abu Dhabi, UAE
Phone:+971 2 4414420
Fax:+971 2 4414421

Dubai

Tech Mahindra Ltd. Tech Mahindra Limited


Dubai Airport Free Zone - 6 B, Office No-1401-1408-1409, 14th Floor,
West Wing, Office No.832 Shatha Tower, Dubai Media City
Dubai P.O.Box-30810, Dubai, UAE
Phone:+971 4 3911700 Phone:+97143911700 (Reception)
Fax:+971 4 3911713 Fax:+97143911713

Africa

Chad

Ndjamena
Tech Mahindra Ltd
Quartier Béguinage, Rue 1029, BP 324,
Ndjamena, Tchad.
Phone:+235 600-100-10

Congo(B)

Pointe-Noire

Tech Mahindra Limited


Marcel Vincent Gomes, BP 542,
Building Ex-Bata Pointe-Noire,
Republic of Congo.

Democratic Republic of Congo

Kinshasa

Tech Mahindra Ltd.


Avenue Tombalbay, Immeuble, “Le Prestige” 1er Niveau
Kinshasa Congo (DRC)
Phone:+243999967394

Ethiopia

Tech Mahindra Ltd.


Millinium building, Bole
Addis Ababa, Ethiopia
Phone:+260 976620894

Gabon

Libreville

Tech Mahindra Ltd.


1st Floor CFAO Building, Libreville
Gabon
Phone:+241 04064697

Ghana

Accra

Tech Mahindra Ltd.


83, Spintex Road
Accra
Phone:+ 233 561166161

Kenya

Nairobi

Tech Mahindra Ltd


Block B, 6th Floor, Reliable Towers,
Mogotia Road, Westlands,
Nairobi, Kenya

Malawi

Lilongwe

Tech Mahindra Ltd.


City Mall Shops 1 – 7
Michinji Round about, P.O. Box - 1666
Lilongwe
Phone:+265 994205222

Nigeria

Abeokuta
Tech Mahindra Ltd.
3rd to 6th Floor, Opic Towers, Oke–Ilewo
Abeokuta - Ogun State
Phone:+234 8066792757

Lagos

Tech Mahindra Nigeria Ltd.


Coscharis Plaza
3rd Floor, 68A, AdeolaOdeku
Victoria Island, Lagos.
Phone:+234 8066792757

Rwanda

Kigali

Tech Mahindra Ltd


Boulevard de l’Umuganda - Aurore Building – Kacyiru,
P.O. Box 1902 - Kigali – Rwanda
Phone:+250726635298

South Africa

Cape Town

Tech Mahindra Ltd.


Unit 3, 2nd Floor, Rostra House, The forum North Bank Lane
Century City 7441, Cape Town
South Africa
Phone:+27 764006133

Johannesburg

Tech Mahindra Ltd. Tech Mahindra Ltd.


10th Floor, Office Towers, 5th Street, 676 on Gallagher Cnr Old Pretoria Road
Cnr&Rivonia and James Cresent
Sandton - 2196, Johannesburg Midrand, Johannesburg-2196
South Africa
Phone:+27 11 6762800

Uganda

Kampala

Tech Mahindra Ltd.


1st Floor, NIC Building 3, Pilkington Road,
Kampala, Uganda.
Phone:+256(0)782111318

Zambia

Lusaka

Tech Mahindra Ltd. Tech Mahindra Ltd.


Petroda House, Great North Road, P.O. 2nd floor, (Middle block) Petroda Towers
Box – 30770 North Great Drive Road, Lusaka Zambia
Lusaka, Zambia
Phone:+260 976620894

*Information as provided by Tech Mahindra Limited on 20th July 2018

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Talakunchi Networks Pvt. Ltd.

1. Name & location of the empanelled Information Security Auditing Organization :

Talakunchi Networks Pvt. Ltd. ,


Mumbai

2. Carrying out Information Security Audits since : 2016

3. Capability to audit , category wise (add more if required)

 Network security audit (Y/N) : Yes


 Web-application security audit (Y/N) : Yes
 Wireless security audit (Y/N) : Yes
 Mobile Security audit (Y/N) : Yes
 IoT Security Assessment (Y/N) : Yes
 Compliance audits (ISO 27001, PCI, etc.) (Y/N) : Yes

4. Information Security Audits carried out in last 12 Months :

Govt. : NA
PSU : NA
Private : 25+
Total Nos. of Information Security Audits done : 25+

5. Number of audits in last 12 months , category-wise (Organization can add categories based on
project handled by them)

Network security audit : 20+


Web-application security audit : 20+
Wireless security audit : 3
Mobile Security audit : 10+
Compliance audits (ISO 27001, PCI, etc.) : 2

6. Technical manpower deployed for informationsecurity audits :

CISSPs : NA
BS7799 / ISO27001 LAs : 1
CISAs : 2
DISAs / ISAs : NA
Any other information security qualification : 4 CEH,
2 OSCP,
5 ECIH,
3 ECSA,
1 ECSP .net
Total Nos. of Technical Personnel : 20

7. Details of technical manpower deployed for information security audits in Government and Critical
sector organizations (attach Annexure if required)

S. Name of Duration with Experience in Qualifications


No. Employee <organization> Information related to
Security Information
security
1 Rahul Gala 2.2 Years 10.0 Years BE, OSCP,
CISA, CEH,
ECSA,
ECSP,GCIH, CEI
2 Vishal Shah 2.2 Years 10.0 Years BE, OSCP,
CISA,
CEH,GCIH,
FireEye
3 Pranjali Shah 2.2 Years 5.0 Years BE
4 Sujal Shah 2.2 Years 5.0 Years BE
5 Jay Shah 2.2 Years 4.0 Years BSc IT, ECIH
6 VidulaTendolkar 2.2 Years 2.2 Years BSc, ECSA
7 Harshil Shah 2.0 Years 2.0 Years BE, CEH

8. List of Information Security Audit Tools used (commercial/ freeware/proprietary):

Burp Suite Professional


SQLMAP
Wireshark
ZAP
Netsparker
Nikto
Web Inspect
CSRF Tester
Wapiti
Fiddler
SQL Ninja
W3af
WinHex
WebScarab
IDAPro
Drozer
MobSF
Nessus
Kali Linux
Metasploit
Nmap
Aircrack-ng
Cain & Able
JohnTheRipper
IronWasp
Nagios
Social Engineer Toolkit

9. Outsourcing of Project to External Information Security Auditors / Experts : No


( If yes, kindly provide oversight arrangement (MoU, contract etc.))

10. Whether organization has any Foreign Tie-Ups? If yes, give details : No

11. Whether organization is a subsidiary of any foreign based organization? : No


If yes, give details

12. Locations of Overseas Headquarters/Offices, if any : No

*Information as provided by Talakunchi Networks Pvt. Ltd. on 18-Jul-2018

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Trusted Info Systems Private Ltd.

1. Name & location of the empanelled Information Security Auditing Organization :

Trusted Info Systems Private Ltd.

2. Carrying out Information Security Audits since : 2002

3. Capability to audit , category wise (add more if required)

 Network security / Data Centre audit (Y/N) - incl VA-PT : Yes


 Web-application security audit / Mobile App - incl VA-PT : Yes
 Wireless security audit (Y/N) - incl VA-PT : Yes
 Compliance audits (ISO 27001, PCI, etc.) (Y/N) - incl VA-PT : Yes
 SAP - GRC Implementation, Post implementation
review & support / Audit : Yes
 ERP / SAP security audit : Yes
 Telecom Security audit : Yes
 ICS / SCADA Audit : Yes
 Security Operations Centre Review / Audit / optimisation : Yes
 Payment Gateway security audit : Yes
 Incident Life cycle management / review : Yes
 PCI / DSS review / compliance / audit : Yes
 Source Code Review / SDLC Review : Yes
 Cyber Security / Information Security - related trainings : Yes

4. Information Security Audits carried out in last 12 Months :

Govt. : 1
PSU : 2
Private : 42
Total Nos. of Information Security Audits done : 45

5. Number of audits in last 12 months , category-wise (Organization can add categories based on
project handled by them)

Network security audit : 9


Web-application security audit : 31
Wireless security audit : 5
Compliance audits (ISO 27001, PCI, etc.) : 2

6. Technical manpower deployed for information security audits :

CISSPs : -
BS7799 / ISO27001 LAs : 3
CISAs : 4
DISAs / ISAs : 1
Any other information security qualification : 3
Total Nos. of Technical Personnel : 7

7. Details of technical manpower deployed for information security audits in Government and Critical
sector organizations (attach Annexure if required)

S. No. Name of Duration with Experience in Qualifications related


Employee <organization> Information Security to Information security
1 Piyush Jain May 2002 15+ yrs CISA, ISMS-LA
2 SP Shah Singh May 2002 20+ yrs CISA, M Tech
3 Vijender Kaushik Dec 2016 15+ yrs CISA, ISMS-LA, MS
4 Virender Maini Jan 2004 14+ yrs CISA, CEH
5 Sanjay Gupta Feb 2005 11+ yrs ISA
6 Naveen Dham Dec 2016 10+ yrs ISMS-LA, PCI-DSS
7 Shiv Kumar Dec 2016 4+ yrs CCNA, B Tech
8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations etc.)
along with project value.

- NW Security audit / Web App Security audit / ERP - SAP security audit - One of the top Indian
MNC - multiple manufacturing plants in India and abroad - worldwide spread computer network with
data centre and DRS sites in India - Multiple user domains - about 15000 employees.

- SAP - GRC Access Controls Review / Audit - top Indian MNC - Pharmaceutical mfg. industry - N/W
size & complexity - 100+ servers, 600+ nodes

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

Commercial :
- Nessus
- Burp
- Acunetix
- AppScan
- Core Impact
- Net Sparker
- Web Inspect
- Nipper
- EnCase Forensics from Guidance Software
- IDEA data analytics
- Check Marx
- Immunity Canvas

Open Source / Free-ware :


- Kali Linux suite of tools
- Parrot Security suite of tools
- Black Arch suite of tools
- N-map
- Zap
- Metasploit
- Nikto
- Sqlmap
- Netcat
- OpenVas
- w3af
- Tamper data, etc. etc.

Proprietary :
- SAP-GRC SoD conflict resolution tool

10. Outsourcing of Project to External Information Security Auditors / Experts : No


( If yes, kindly provide oversight arrangement (MoU, contract etc.))

11. Whether organization has any Foreign Tie-Ups? If yes, give details : No

12. Whether organization is a subsidiary of any foreign based organization? : No


If yes, give details

13. Locations of Overseas Headquarters/Offices, if any : No

*Information as provided by <organization> on <date>

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Briskinfosec Technology and Consulting Pvt Ltd

1. Name & Location of the Empanelled Information Security Auditing Organization:

Briskinfosec Technology and Consulting Pvt Ltd


No.21,2nd Floor, Krishnamachari Rd, Tirumurthy Nagar,
Nungambakkam, Chennai, Tamil Nadu 600034

2. Carrying out Information Security Audits since : 2014

3. Capability to audit, Category wise

Network Security audit (Y/N) : Y


Web Application Security audit (Y/N) : Y
Wireless Security audit (Y/N) : Y
Physical Access Control & Security Testing (Y/N) : Y
Source Code Review (Y/N) : Y
Mobile Application Security (Y/N) : Y
Configuration Audit (Y/N) : Y
Cyber Forensics Investigation (Y/N) : Y
Penetration Testing (Y/N) : Y
Compliance Audit (ISO 27001, PCI, etc) (Y/N) : Y
RBI PSS Audits (Y/N) : Y
Information Security Awareness (Y/N) : Y
Information Security Training (Y/N) : Y
Red Teaming / Social Engineering (Y/N) : Y
Secure Network Architecture Review (Y/N) : Y
Cloud Security Audit (Y/N) : Y
Risk Assessment (Y/N) : Y
Risk Management (Y/N) : Y
Security Operations Center (SOC) Integration (Y/N) : Y
Post-Product Implementation Review (Y/N) : Y
Product Security Audit (Y/N) : Y
IOT Security Testing (Y/N) : Y
Social Engineering Services (Y/N) : Y
AI Endpoint Security (Y/N) : Y
WAF Implementation (Y/N) : Y
Virtual Security Team (Y/N) : Y
Thick Client Security Assessment (Y/N) : Y
Database Security Assessment (Y/N) : Y
API Security Assessment (Y/N) : Y
Host Level Security Assessment (Y/N) : Y
Website Security Assessment (Y/N) : Y
Security Process Review and Cybersecurity Framework (Y/N) : Y
Security Hardening and Configuration Review (Y/N) : Y

4. Information Security Audits carried out in last 12 Months:

Govt. : N/A
PSU : N/A
Private : 85 Approximately
Total Nos. Of Information Security Audits done : 150 Approximately
5. Number of audits in last 12 months, category-wise (Organization can add categories based on project
handled by them)
S.NO Security Assessment Category Quantity (Approx.)
1 Web Application Security 60
2 Infrastructure Security 40
3 Mobile App Security 35
4 Cloud Security 20
5 Security Training Assignments 80
6 Secure Development Implementation 15

7 Vulnerability Assessment and penetration Test 75

8 Wireless Security Assessment 15


Compliance Security Assessment ISO 27001, HIPAA
9 10
etc.
10 API Security Assessment 40

6. Technical manpower deployed for information security audits

CISSP : 3 Approximately
BS7799 / ISO27001 Las : 4 Approximately
CISA : 3 Approximately
Any other information security qualification : 20 Approximately
Total Nos. of Technical Personnel : 30 Approximately

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations
Experience in
Duration with Qualifications related to Information
S. No. Name of Employee Information
Briskinfosec security
Security

1 Mr.Arulselvar Thomas 4 Years 8 Years CEH, PCI:DSS, BAPT, ISO 27001

2 Mr.Lakshmi Narayanan 2.5 Years 25 Years CISSP, CISA. PMP. ISO 27001

3 Mr.Devanand Kumar 4 Months 15 Years CISSP, CISA. PMP. ISO 27001

4 Mr.DineshChelladurai 2 years 2.5 years BAPT, CEH

5 Mr.Dawood Ansar 1.7 years 3 years CEH, ECSA

6 Mr.Venkatesh 1.5 Years 3 Years CEH, BNPT

7 Mr.Dharmesh Baskaran 1.1 years 2 years CEH, ECSA

8 Mr.Mohan Balaji Venkatesh 1 year 2.5 years CEH, BISE

9 Mr.Sathish Kannan 3 Years 4 Years CEH, ECSA, ISO 27001


8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc) along with project value.

Security assessment largest Software development company to meet ISO 27001


Compliance
More than 1000+ end-points, 50+ servers and 25 Applications
Project value: approximately INR: 15 Lakhs
Security assessment for India's 3rd Largest wired Internet Service Provider
100 servers, 5 Web Applications, 8 Thick Client application and 4 Mobile Application
Project value: approximately INR: 10 Lakhs
Security assessment for 25 years old IT Consulting company
5 Web Applications, 4 Mobile Application and 4 Training
Project value: approximately INR: 10 Lakhs
Security assessment for largest private bank at east Asia
2 Core Banking Apps, Swift Apps, 15 Servers, 5 Training
Project value: approximately INR: 30 Lakhs

9. List of Information Security Audit Tools used (Commercial / Freeware / Proprietary)

S.NO. NAME DESCRIPTION


COMMERCIAL TOOLS
1 Burp Suite Pro Web Vulnerability Scanner
2 Nessus Network Vulnerability Scanner
3 Qualys Vulnerability Exploitation Tool
4 Netsparker Web Vulnerability Scanner
5 Checkmarx Source Code Review Tool
6 Nexpose Network Vulnerability Scanner
7 Acunetix Web Vulnerability Scanner
8 Web Inspect Web Vulnerability Scanner
9 Appscan Web Vulnerability Scanner
10 AlienVault OSSIM SIEM Tool
11 Nipper Configuration Audit Tool
FREEWARE TOOLS
1 Nmap Port Scanner
2 Netcat Network Utility
3 SOAP UI SOAP API Testing
4 SuperScan Port Scanner
7 Metasploit Expolit Framework
8 Kali Linux Penetration Testing OS
9 Brutus Password Bruteforcing
10 Cookie Editor Browser Addon for Cookie editor
11 Netstumbler Wireless Network Scanner / Sniffer
12 Kismet Wireless Network Scanner / Sniffer
13 SQLMap SQL Injection Testing
14 Zenmap Port Scanner, Fingerprinting
15 Frida Reverse Engineering Tool for Mobile
16 Radare2 Reverse Engineering Tool
17 Mob-SF Mobile Application Scanner
18 Wireshark Web Debugging tool
19 Fiddler Web Debugging tool
20 Nikto Web App scanner
21 Peach Python Based fuzzer framework
22 Ettercap Network Sniffing tool
23 Dex2jar Reverse Engineering Tool
24 Jd-gui Mobile application code review
25 Androguard Reverse Engineering Tool
26 Drozer Reverse Engineering Tool
27 OpenVAS Web App scanner
28 Hping3 Port Scanner
29 Snort SIEM Tool
30 Qark APK Static analysis tool
31 AndroBugs APK Static analysis tool
32 Inspeckage Android and iOS analysis tool
33 iNalyzer iOS Dynamic Analysis tool
34 IntroSPY iOS and Android Blackbox Testing
35 BadKarma Network and Web Scanner
36 Watchdog Network scanner

10. Outsourcing of project to External Information Security Auditors / Experts :No

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Crossbow Labs LLP

1. Name & location of the empanelled Information Security Auditing Organization:

Crossbow Labs LLP


146, 5th Floor, Gopal Towers, Ramaiah Street,
H.A.L II Stage, Bangalore – 560008

2. Carrying out Information Security Audits since : Nov 2014

3. Capability to audit , category wise (add more if required)

 Network security audit (Y/N) : Y


 Web-application security audit (Y/N) : Y
 Wireless security audit (Y/N) : Y
 Compliance audits (ISO 27001, PCI, etc.) (Y/N) : Y

4. Information Security Audits carried out in last 12 Months :

Govt. : 0
PSU : 0
Private : 100
Total Nos. of Information Security Audits done : 100

5. Number of audits in last 12 months , category-wise (Organization can add categories based
on project handled by them)

Network security audit : 30


Web-application security audit : 15
Wireless security audit : 15
Compliance audits (ISO 27001, PCI, etc.) : 40

6. Technical manpower deployed for informationsecurity audits :

CISSPs : 2
BS7799 / ISO27001 LAs : 5
CISAs : 2
DISAs / ISAs : 0
Any other information security qualification :
C.E.H - 4
PCI – 5
PA - 1
ECSA - 1
Total Nos. of Technical Personnel : 15

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Duration with Experience in Qualifications related


No. Employee Crossbow Information Security to Information security
Labs LLP
1 Rosan Thomas 3 Years 7 years CISSP, CISA, ISO
27001 LA & PCI QSA
2 Deepak Umapathy 3 Years 8 years ISO LA 27001 PCI QSA
3 M.K. Prasad 2 Years 5 Years C.E.H
4 Kirubakaran 1.5 years 5.5 years LA ISO 27001
Parkunan
5 Nithiyanandam 3years 4.5 C.E.H ISO 27001 LA
6 Arpit Rohela 1.7 Years 1.7 Years C.E.H, E.C.S.A
7 Sardar Salim 1.8 1.8 C.E.H SECURITY +
Shaikh
8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

Lulu International Group, U.A.E

13 Server Locations, 300 + IP addresses that includes DC, Network devices and POS locations.

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary): Nessus,


Metasploit, Exploitpack, Burpsuite, Bolt (Data finder tool), Compliance management tool.

10. Outsourcing of Project to External Information Security Auditors / Experts : No


( If yes, kindly provide oversight arrangement (MoU, contract etc.))

11. Whether organization has any Foreign Tie-Ups? If yes, give details : No

12. Whether organization is a subsidiary of any foreign based organization? : No


If yes, give details

13. Locations of Overseas Headquarters/Offices, if any : No

*Information as provided by Crossbow Labs LLP on 06th FEB 2019

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

CyRAAC Services Private Limited

1. Name & location of the empanelled Information Security Auditing Organization:

CYRAAC SERVICES PRIVATE LIMITED


BANGALORE

2. Carrying out Information Security Audits since : 2017

3. Capability to audit , category wise (add more if required)

 Network security audit (Y/N) : Y


 Web-application security audit (Y/N) : Y
 Wireless security audit (Y/N) : Y
 Compliance audits (ISO 27001, PCI, etc.) (Y/N) : Y

4. Information Security Audits carried out in last 12 Months:

Govt. : 0
PSU : 1
Private :
(Etyacol, Fincare, Samasta, ITC Infotech, Zeotap, Firstsource, DTDC,
Mphasis, Marlabs, Market Xpander, Axis Cades, Rang De, BeMore)
Total Nos. of Information Security Audits done:

5. Number of audits in last 12 months , category-wise (Organization can add categories based
on project handled by them)

Network security audit : 3


Web-application security audit : 30
Wireless security audit : 2
Compliance audits (ISO 27001, PCI, etc.) : 9

6. Technical manpower deployed for informationsecurity audits:

CISSPs : 1
BS7799 / ISO27001 LAs : 1
CISAs :
DISAs / ISAs :
Any other information security qualification :
CEH (2),
CISM (1),
CBCP (1),
PCI DSS QSA (1)
Total Nos. of Technical Personnel : 14

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Employee Duration with Experience in Qualifications related


No. <organization> Information Security to Information security

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

Allcargo Logistics – Rs 13 Lakhs


ECU Worldwide - Rs 13 Lakhs
Ernst & Young – Rs 18 Lakhs
9. List of Information Security Audit Tools used(commercial/ freeware/proprietary):

Network Security, Web Application Security, Wireless Security Audit

Tool Detail
Nessus Professional Infrastructure Scanning
Qualys Web Application Scanning
Fortify Web Inspect Web Application Scanning
Burp Suite Penetration Testing
Metasploit Penetration Testing
NMAP Infrastructure Scanning
Wireshark Infrastructure Scanning
Charles Infrastructure Scanning
Nikto Penetration Testing
SQLmap Penetration Testing

Compliance Audits

LogicGate

10. Outsourcing of Project to External Information Security Auditors / Experts : No

(If yes, kindly provide oversight arrangement (MoU, contract etc.))

11. Whether organization has any Foreign Tie-Ups? If yes, give details : No

12. Whether organization is a subsidiary of any foreign based organization : No


If yes, give details

13. Locations of Overseas Headquarters/Offices, if any : No

*Information as provided by CYRAAC SERVICES PRIVATE LIMITED on 7th Feb 2019

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Netrika Consulting India Pvt. Ltd.

1. Name & location of the empanelled Information Security Auditing Organization :

Netrika Consulting India Pvt. Ltd.

2. Carrying out Information Security Audits since : 2015

3. Capability to audit , category wise (add more if required)

 Network security audit : (Y)


 Web-application security audit : (Y)
 Wireless security audit : (Y)
 Compliance audits (ISO 27001, PCI, etc.) : (Y)

4. Information Security Audits carried out in last 12 Months :

Govt. : None
PSU : None
Private :
Delhivery Pvt Ltd , Audio Magick, Fairfax , Risq Group
Total Nos. of Information Security Audits done : 5

5. Number of audits in last 12 months , category-wise (Organization can add categories based
on project handled by them)

Network security audit : 7


Web-application security audit : 6
Wireless security audit : 6
Cyber Forensics : 3
Mobile Forensics : 1
Compliance audits (ISO 27001, PCI, etc.) : 3
6. Technical manpower deployed for information security audits :

CISSPs : none
BS7799 / ISO27001 LAs : 3
CISAs : none
DISAs / ISAs : none
Any other information security qualification :
EC Council Certified Ethical Hacker( CEH), ISO20000 , ISO 9001 2000 LA
Total Nos. of Technical Personnel : 7

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. No. Name of Employee Duration with Experience in Qualifications related to


<organization> Information Security Information security

1. Nikit Jain 6 Month 3 CEH

2. Mohnish Gehlot 1.5 Years 3 CEH

2. Vaibhav Pulekar 1.8 Years 7 CEH , ISO 27001: 2013


LA

3. Harshwardhan 1.8 Years 7 CEH , ISO 27001 : 2013


Rawat LA
4. Deepak Singhal 1 Month 10 ISO:270001 LA,
ISO:20000

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value – Delhivery Private Ltd (Implemented ISO 27001 : 2013 for their
organization, Carried our surveillance audit) , Annual Review of ISMS & Implementation of
controls for ISO 27017 (Security controls for cloud services) . Project Scope was their corporate
office in Gurgaon. Total Project value Approx – 5.5 L

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

Commercial - Burpsuite , Netsparker

Freeware -Zed Attack Proxy (ZAP), Vega, SQLMap Burpsuite OWASP SQLi

10. Outsourcing of Project to External Information Security Auditors / Experts : No


( If yes, kindly provide oversight arrangement (MoU, contract etc.))

11. Whether organization has any Foreign Tie-Ups? If yes, give details : No

12. Whether organization is a subsidiary of any foreign based organization? : No


If yes, give details

13.Locations of Overseas Headquarters/Offices, if any : Yes

Dubai
SAIF ZONE , Q1-06-141/C
PO Box – 124932
Sharjah Airport Free Zone

Singapore
Regus Vision Exchange
2 Venture Drive
Level #24-01 - #24-32
Singapore 608526
+65 87308006

Sri Lanka
32 Uswatte Road,
EtulKotte,Kotte,
Sri Lanka

*Information as provided by Netrika Consulting India Pvt. Ltd. on 07-02-2019

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

NSEIT Ltd.

1. Name & location of the empanelled Information Security Auditing Organization :

NSEIT Ltd, Trade Globe,


Ground Floor, Andheri-Kurla Road,
Andheri (E), Mumbai - 400 059.PIN 400059.

2. Carrying out Information Security Audits since : 2016

3. Capability to audit , category wise (add more if required)

 Network security audit (Y/N) : Y


 Web-application security audit (Y/N) : Y
 Wireless security audit (Y/N) : Y
 Compliance audits (ISO 27001, PCI, etc.) (Y/N) : Y
 Mobile-application security audit (Y/N) : Y

4. Information Security Audits carried out in last 12 Months :

Govt. : 3
PSU : 3
Private : 8
Total Nos. of Information Security Audits done : 100 plus

5. Number of audits in last 12 months , category-wise (Organization can add categories based
on project handled by them)

Network security audit : 10 plus


Web-application security audit : 40 plus
Wireless security audit : 2
Compliance audits (ISO 27001, PCI, etc.) : 5
Information security policy review : 4 plus

6. Technical manpower deployed for informationsecurity audits :

CISSPs :
BS7799 / ISO27001 LAs : 1
CISAs :
CEH : 4
ECSA : 1
Total Nos. of Technical Personnel : 8

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Employee Duration with Experience in Qualifications related


No. <organization> Information Security to Information security
Giriraj Jadhav 0.9 yrs 12 yrs Cambridge Certified
Linux Associate
Cambridge Certified
Security Associate
Cambridge Certified
Internet Associate

Microsoft Certified
Professional (MCP)
Khushboo Sharma 0.7 yrs 11 yrs
Mittal Amrutbhai 2.3 yrs 3 yrs
Patel
Sagar Karan 2.9 yrs 16 yrs Cambridge Certified
Security Associate
Cambridge Certified
Internet Associate
International Associate
– Association Of
Certified Fraud
Examiners
CEH – Certified Ethical
Hacker
CIW Security Analyst

International Associate
– Association Of
Certified Fraud
Examiners.
Vidula Tendolkar 0.5 yrs 3.2 yrs ECSA
Sayed Abbas Raza 0.4 yrs 1.10 yrs CEH
Sneha Kawadgave 1.1 yrs 1.1 yrs CEH
Bhavesh Patil 0.3 yrs 3 yrs CEH, ISO 27001 LA

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value. Cyber Security Architecture and Configuration review for a
payment gateway in India. 55 lacs

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

Sr Testing Environment Tool Name Commercial/


No Freeware/Proprietary
1 Web Appsec Burp Suite Professional Commercial
2 SQLmap Freeware
3 Dirbuster Freeware
4 Wireshark Freeware
5 Winhex Freeware
9 Mobile Appsec Android SDK Freeware
10 GenyMotion Freeware
11 ApkTool Freeware
12 Dex2Jar Freeware
13 JD-Gui Freeware
16 Burp Proxy Commercial
17 iOS Simulator Freeware
18 Cydia Freeware
20 iTools Freeware
22 iNalyzer Freeware
23 Androbugs Freeware
24 Network VAPT NMap Freeware
25 Nessus Commercial
27 TestSSLScan Freeware
28 SSLScan Freeware

10. Outsourcing of Project to External Information Security Auditors / Experts : No


( If yes, kindly provide oversight arrangement (MoU, contract etc.))

11. Whether organization has any Foreign Tie-Ups? If yes, give details : No

12. Whether organization is a subsidiary of any foreign based organization? : No


If yes, give details

13. Locations of Overseas Headquarters/Offices, if any : No

*Information as provided by NSEIT Ltd. on 08/02/2019

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Pyramid Cyber Security & Forensic Pvt. Ltd.

1. Name & location of the empanelled Information Security Auditing Organization:

Pyramid Cyber Security & Forensic Pvt Ltd,


FB-05, NSIC Software Technology Park Extension,
Okhla Industrial Estate,
New Delhi-110020, India

2. Carrying out Information Security Audits since : 5+ Years

3. Capability to audit, category wise (add more if required)

 Network security audit–(Y/N) : Yes


 Web-application security audit–(Y/N) : Yes
 Wireless security audit–(Y/N) : Yes
 Compliance audits (ISO 27001, GDPR, ISNP, HIPAA) : Yes
 IT Risk Assessment – (Y/N) : Yes
 Mobile Application Security Testing – (Y/N) : Yes
 Compliance audit as per Government of India
Guidelines (RBI, SEBI etc.) (Y/N) : Yes
 Incident Response (Y/N) : Yes
 Forensics Analysis (Y/N) : Yes
 Source Code Review (Y/N) : Yes
 Red Team Assessment (Y/N) : Yes
 Threat Hunting and Analysis (Y/N) : Yes

4. Information Security Audits carried out in last 12 Months:

Govt. : 1
PSU : 0
Private : 20+
Total Nos. of Information Security Audits done : 21+

5. Number of audits in last 12 months , category-wise (Organization can add categories based
on project handled by them)

Network security audit : 5


Web-application security audit : 10
Wireless security audit : 2
Mobile Application Testing : 3
Compliance audits (ISO 27001, ISNP : 5
Source Code Review : 1
RBI Security Compliance Audits : 3
Forensic Analysis : 15
Incident Response : 2

6. Technical manpower deployed for informationsecurity audits:

CISSPs : 0
BS7799 / ISO27001 LAs : 2
CISAs : 2
DISAs / ISAs : 1
Any other information security qualification:
OSCP : 2
OSWP : 1
CISM : 1
ITIL : 2
CEH : 2
Total Nos. of Technical Personnel : 20
7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Employee Duration with Experience in Qualifications related


No. <organization> Information Security to Information security
1 Dinesh Bareja 8 Years 18+ Year CISA,CISM, ITIL
2 Sunil Yadav 10 Years 20+ Years BE, ACE
3 Harpreet Singh 6 Months 6+ Years B.Tech, OSCP, OSWP
4 Deepankar Arora 1.5+ Years 3 Years OSCP
5 Praveen Sahu 4+ Years MS- Cyber Law &
Information Security,
ISO27001 & HIPAA
6 UmmelMeel 2+ Years 3+Years B.Tech, CEH, Diploma
in Cyber Law
7 Ravi Kant 9 Months 2+ Years CISA, DISA, SIX
SIGMA Green Belt, CEH
v8, ISO27001LA, ITIL,
COBIT-5
8 Salman Mehboob 5+ Years 6+ Years M.Tech, ACE, ISO
Khan 27001 LA
9 Rahul Kumar 2.5 Years 5 Years B.Tech, ACE,
ISO27001LA

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

1. Conducted Network Security & Web Security Audit for complete internet facing
infrastructure of an Oil and Energy Company in Africa.
2. Conducted Malware Incident Response along with Network Security Audit and Network
Sanitization for MFI, Kenya

9. List of Information Security Audit Tools used( commercial/ freeware/proprietary):

Freeware
1. Nmap - Port Scanner
2. Maltego - Recon
3. OWASP ZAP - Proxy
4. Nikto – Vulnerability Scanner
5. Xsser – Vulnerability Scanner
6. Dirb/Dirbuster – File/Directory Enumeration tool
7. Empire – Post Exploitation Framework
8. Koadic – Command & Control (C2)
9. DNSscan – DNS Recon
10. Metasploit Framework – Exploitation
11. OpenVAS – Vulnerability Scanner
12. BurpSuite Community Edition – Vulnerability Scanner
13. Dirsearch
14. Veil-Evasion
15. Shellter
16. Immunity Debugger
17. WinDBG
18. MobSF Mobile Security Framework
19. Hping – TCP ping utility
20. Wireshark – Network Packet Capture
21. SQLMAP – SQL Injection Exploitation tool
22. John (Johnny) – Password cracking tool
23. Hashcat – Password cracking tool
24. NetCat – Network Swiss Army Knife
25. WafW00f – WAF Evasion tool
26. SET – Social Engineering Toolkit
27. CredSniper – Phishing Exploitation tool
28. Aircrack-ng – Wireless Exploitation Toolkit
29. Fiddler – Man-In-The-Middle Proxy
30. Sys-Internal Toolkit – Windows System Analysis & Malware Detection

Commercial
31. Metasploit Pro
32. Nessus Professional
33. BurpSuite
34. Shellter Pro
35. IDA Pro
36. Nipper
37. Accessdata FTK
38. VoundIntella
39. NetSparker

Propriety
 Custom Python Exploitation Scripts
 Siege Exploit Builder

10. Outsourcing of Project to External Information Security Auditors / Experts : No


( If yes, kindly provide oversight arrangement (MoU, contract etc.))

11. Whether organization has any Foreign Tie-Ups? If yes, give details : No

12. Whether organization is a subsidiary of any foreign based organization? : No


If yes, give details

13. Locations of Overseas Headquarters/Offices, if any : No

*Information as provided by Pyramid Cyber Security & Forensic Pvt Ltd on 08-02-2019

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Wings2i IT Solutions Pvt. Ltd.

1. Name & location of the empaneled Information Security Auditing Organization:

Wings2i IT Solutions Private Limited,


No 80, 3rd Floor, BOSS SQUARE,
1st Cross, 2nd Main, BTM 2nd Stage
Bangalore, Karnataka, INDIA 560076

2. Carrying out Information Security Audits since : 2010

3. Capability to audit , category wise (add more if required)

 Network security audit (Y/N) : Y


 Web-application security audit (Y/N) : Y
 Wireless security audit (Y/N) : Y
 Compliance audits (ISO 27001, PCI, SOC2, HIPAA,etc.)(Y/N) : Y
 Cloud Platform Configuration audit : Y
 Medical device Security audit : Y
 Mobile Application Testing : Y
 PII / Data Privacy Audits : Y

4. Information Security Audits carried out in last 12 Months :

Govt. : 0
PSU : 0
Private : 180+
Total Nos. of Information Security Audits done : 180+

5. Number of audits in last 12 months , category-wise (Organization can add categories based
on project handled by them)

Network security audit : 50+


Web-application security audit : 47
Wireless security audit : 11
Compliance audits (ISO 27001, PCI, SOC2, HIPAA,etc.) : 50+
Cloud Platform configuration Audit : 3
Medical device Security audit : 1
Mobile Application Testing : 9
PII / Data Privacy Audits (GDPR/Canada/US/Australia) : 8

6. Technical manpower deployed for informationsecurity audits:

CISSPs : 1
BS7799 / ISO27001 LAs : 12
CISAs : 2
DISAs / ISAs : 0
Any other information security qualification:
(CEH , DSCI LA , CPISI etc.) : 17
Total Nos. of Technical Personnel : 17
7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Duration with Experience in Qualifications related


No. Employee Wings2i Information Security to Information
security
1 Vinod Kumar 10years 20+ Years Certified Lead Auditor
Agrasala - ISO 27001,22301,
20000, DSCI Certified
Lead Assessor for
Data Privacy, ITIL V3
Expert, ITIL4
Foundation,
2 Praveen Kumar 10 years 20+ Years Certified Lead Auditor
Reddy - ISO 27001,
22301,CISSP, CISA,
CCNA, MCSE and CCA,
DSCI Certified Lead
Assessor for Data
Privacy,ITIL V3
Foundation.
3 Reena 9.5 Years 20+ Years Certified Lead Auditor
Ramachandran - ISO 27001,
22301,ITIL V3
Foundation.
4 Rajesh V Nair 6years 12 Years CISA, CCEP, CPISI,
Certified Lead Auditor
– ISO 27001, 22301.
5 Gokul C Gopinath 1.5 Years 8 years Jncia-Junos,CE|H
Certified Lead Auditor
- ISO 27001, 22301,
CCNA CCVP .
6 A Sai Jitendra 2.5 Years 2.5 years Certified Lead Auditor
27001,22301, CDAC-
DITISS.
7 Harsh Jalan 2 Years 8+ years Certified Lead Auditor
27001, 22301, ITIL V3
Certified
8 Varun Sankaran 1 Year 6 Years Certified Lead Auditor
ISO/IEC 27001,
22301, ITIL
Foundation (V3)
9 Sumesh V .5 Years 7 Years CCVP/ CCNP,CCNA,
AFCEH.
10 Puneeth S 4 Years 4 years Certified Lead
AuditorISO
27001,22301, AWS
Solution Architect –
Associate,ITIL V3
Foundation Certified.
11 Azenio Prakash C 3 year 4 years Advanced Google
Analytics,Certified
Lead Auditor ISO
27001, 22301, ITIL V3
Foundation Certified.
12 Susmita Rani Kha 1 year 3 Years Lead Auditor 27001.
13 Gourab Sahoo 2 Years 3 Years BTech.
14 AmitrajGurram 2 Years 2 Years CCNA.
15 Ragith KR 1 Year 2 Years BTech.
16 Penjuri 1 Year 1 Year BTech.
Nagavardhan
17 Shashank 1 Year 2 Years 2 Months CEH, CertifiedLead
Awadhut AuditorISO
27001,Network
Security Professional,
Certified in Advance
Java
8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

Sl no Organization Activity Locations Project Value


&Domain

1 Major telecom ISMS Implementation, Algeria ~ 10000000


provider Maintenance, Compliance,
Network & Application
Audits

2 Major Healthcare Cyber Security (Network, Hospitals ~ 2000000


Service Provider Application, Wireless and across
in India Medical device Security Multiple
Audits) and Risk Location in
assessment India

3 Major Mobile VAS ISMS compliance Bangalore ~ 4000000


Platform provider maintenance and audits,
Since 2010 Network, Application and
wireless security Audit

4 Major BI product/ ISMS Compliance Bangalore, ~3200000


Platform provider Implementation and Audit, Pune,
Product Security Audit Mumbai,
UK, Japan,
US

5 Major Data ISMS Compliance Bangalore, ~ 4000000


Analytics service maintenance and audits, Austin
Provider Data analytics Platform
(web, Mobile), Network and
wireless security Audits,
Data privacy and SOC2
Compliance Audits, HIPAA
trainings

6 Financial printing Network, Applications, Multiple ~1000000


service provider Wireless and Device location
for Banks security Audits across
India

9. List of Information Security Audit Tools used(commercial/ freeware/proprietary):

1. Commercial

1. Nessus Pro –Network security Audit


2. Burp Suit Professional – Web Application Security Audits
3. Nipper Studio

2. Freeware
1. Nmap
2. Nikto
3. Netcat
4. Wireshark
5. Kali
6. Metasploit
7. Mozilla Firefox security Addons
8. Firewalk
9. HPing
10. HTTrack
11. OWASP ZAP
12. OWASP Mantra
13. Xenotix
14. John The Ripper
15. Paros
16. Wikto
17. Ethereal
18. Brutus
19. Rips
20. IronWasp
21. Fiddler
22. Tamper Data
23. OpenVas
24. W3af
25. Exploit Database
26. SQL Map
27. Hydra
28. Android Debug Bridge
29. AndroBugs Framework
30. Apktool
31. ByteCode Viewer
32. Drozer
33. Dex2Jar
34. Jd-Gui
35. SQLite Database Monitor
36. Pidcat

3. Proprietary
1. Own developed Scripts for XSS, OS, AWS, and Database Security Audits

10. Outsourcing of Project to External Information Security Auditors / Experts : Yes


Outsourcing of compliance audits to certified compliance auditing organizations.
Control Mechanisms:Contracts, NDA with the organization and auditing personalReview of the
audit report before submission.

11. Whether organization has any Foreign Tie-Ups? If yes, give details : Yes
Accreditation bodies like PECB, PeopleCERT, Gaming Works and
partnership with multiple organization in Middle East

12. Whether organization is a subsidiary of any foreign based organization? : No


If yes, give details

13. Locations of Overseas Headquarters/Offices, if any : No

*Information as provided by Wings2i IT Solutions Pvt Ltd on 18-Feb-2019

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Zulon Consulting

1. Name & location of the empanelled Information Security Auditing Organization:

Zulon Consulting,
2/203,Vahatuk Nagar, Amboli,
Andheri(W) Mumbai- 400058.

2. Carrying out Information Security Audits since : 2016

3. Capability to audit , category wise (add more if required)

 Network security audit : 10+


 Web-application security audit : 15+
 Wireless security audit : 5+
 Compliance audits (ISO 27001, PCI, etc.) : 4

4. Information Security Audits carried out in last 12 Months :

Govt. : 2+
PSU : 2+
Private : 30+
Total Nos. of Information Security Audits done : 40+

5. Number of audits in last 12 months , category-wise (Organization can add categories based
on project handled by them)

Details of Contact Person at


Brief Description of Auditee Organization (Name,
Sr. Category Additional Info
Work email, website URL, Mobile,
telephone)

Name: Priti Shah

Email ID: [email protected]

Audit as per RBI Organisation: PMCB


1 Pvt. PMCB
requirements
Website: www.pmcbank.com

Phone number: (022) 6780 4174


Extn: 4174

Name: Ravindra Pathar

Audit as per RBI Email ID:


2 Pvt. GPPJSB
requirements [email protected]

Organisation: GPP Bank


Website:www.gpparsikbank.com

Phone Number: 022-25456524

Name: DK Gosavi

Email ID:

[email protected]

Audit as per RBI


3 Pvt. Organisation: KJSB KJSB
requirements

Website: www.kalyanjanata.in/

Phone Number: 9322705900

Name: Pankaj Khandelwal

Email ID:
[email protected]

Audit as per PCI


4 Pvt. ISG
requirements
Organisation: ISG

Website: www.insolutionsglobal.com

Phone Number: 9820820497

Name: Vikram Idnani

Email ID: Vikram.Idnani@trent-


tata.com

Organisation: TATA Trent


Audit as per RBI
5 Pvt. Tata – Trent
requirements

Website:
www.tata.com/company/profile/Trent

Phone Number: 9920620325

Name: Sreeram GC

Audit as per ISO27001


6 Pvt. Email ID: [email protected] TATA TRUST
requirements

Organisation: TATA Trust


Website: www.tatatrusts.org

Phone Number:9962589935

Name: Rajendra Bhalerao

Organisation: National Payments


Corporation of India (NPCI)
Section 8 Audit as per PCI
7 NPCI
Company requirements
Website: https://www.npci.org.in/

Phone: 7045958873

6. Technical manpower deployed for informationsecurity audits :

CISSPs : 2
BS7799 / ISO27001 LAs : 6
CISAs : 2
DISAs / ISAs : 1
Any other information security qualification :
PCI QSA, CRISC, CEH, OSCP
Total Nos. of Technical Personnel : 15

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

Experience
Duration with
S. in Qualifications related to
Name of Employee Zulon
No. Information Information security
Consulting
Security
1 Anshuman Dubey 16-Aug 7 ISO27001LA, ITIL.
ISO 27001 LA, ITIL
2 Hamza Qureshi 16-May 4 Foundation
3 Sharon Saldanha 16-Sep 4 CEH, CND, ESCA, CHFI

CCNA, Advance Diploma in


4 Niraj Yewlekar 16-Jan 8 Computer Hardware & Web
Technology

5 Devdutta Gawade 16-Feb 8 ISMS LA

ISO 27001 LA, ITIL, MCSE,


6 Xavier M.S 16-Jan 18
CISSP, GDPR Foundation

7 Murali Krishnan 17-Jan 4 ISO27001LA, ITIL.


8 Bhagyashree Mulgund 16-Aug 6 ISO27001
9 Narendra Sahoo 16-Jan 25 CISSP, CISA, ISMS LA, CRISC
10 Sayed Asad 16-Dec 4 CEH

CEH, Post Graduate Diploma


11 Sneha Desai 16-Feb 4 in IT Infrastructure, Sys-tem
and Security (PD-DITISS)
8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

Projects Volume Complexity Locations


InSolutions Global – Into card printing, card Payment processor to Mumbai, Pune, Delhi
Compliance processing, payment some of the largest and Bangalore
Management application development – banks and merchants
We support end to end in India
compliance
PMCB – Compliance End to end compliance One of the largest 100 locations across
Management Co—operative bank Maharashtra
GPPJSB – Compliance End to end compliance One of the largest Co- 75 locations across
Management operative bank Maharashtra

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary):

1. Rapid7 NeXpose
2. IBM Rational AppScan.
3. NESSUS.
4. GFI Languard.
5. Acunetix WVS.
6. QualysGuard.
7. BurpSuite.
8. MetaPacktPublishingoit.
9. Nikto.
10. Wikto.
11. BackTrack Security Distro.
12. Paros Proxy.
13. Nmap.
14. Exploits DB from “astalavista”, “packetstormsecurity”, “exploitdb” etc.
15. Google Hack DataBase.
16. Inhouse customized Scripts.
17. Zero Day Scripts / Exploits.
18. Other Tools (As when required by the type of work).

10. Outsourcing of Project to External Information Security Auditors / Experts : No


( If yes, kindly provide oversight arrangement (MoU, contract etc.))

11. Whether organization has any Foreign Tie-Ups? If yes, give details : No

12. Whether organization is a subsidiary of any foreign based organization? : No


If yes, give details

13. Locations of Overseas Headquarters/Offices, if any : No

*Information as provided by Zulon Consulting on 18th February 2019.

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

AQM Technologies Pvt Ltd

1. Name & location of the empanelled Information Security Auditing Organization:

AQM Technologies Pvt Ltd.


Mumbai, India

2. Carrying out Information Security Audits since: 2001


(erstwhile AUDITime Information Systems Ltd.)

3. Capability to audit, category wise (add more if required)


Network security audit (Y/N): Y
Web-application security audit (Y/N): Y
Wireless security audit (Y/N): Y
Compliance audits (ISO 27001, PCI, etc.) (Y/N): Y
Cyber Security & CSOC Audits Y
Cloud & DC, DR, BCM (ISO 22301) Audits Y
Source Code Reviews Y
IT Application / ERP Audits Y
IT Security & Infrastructure Audits Y
Vulnerability Assessments & Pen Testing (Mobile/WebApps) Y
Third Party / Outsourcing / Vendor Audits Y
Functional Audits (BFSI/CBS/ Treasury / GL/ Recon) Audits Y
SWIFT / ATMs/ Switch/ API/ Payment Gateway Audits Y
Data Migration & Pre / Post Implementation Audits Y
IT M&A / Due Diligence Audits Y
Concurrent / Continuous Audits – DC, Application, Privileged Access
Y
Audits
Assurance of IT Audits Y

4. Information Security Audits carried out in last 12 Months:

Govt.:<number of>: 33
PSU:<number of>: 23
Private:<number of>: 48
Total Nos. of Information Security Audits done: 104

5. Number of audits in last 12 months, category-wise (Organization can add categories based
on project handled by them)
Network security audit: 14
Web-application security audit: 57
Wireless security audit: 01
Compliance audits (ISO 27001, PCI, etc.): 16
Mobile/API PT: 06
Data Migration Audit: 03
Cloud Security Audit 01
AUA KUA Audit 02
ITCR AUDIT 09
Software Licensing 01
Source Code Reviews 02
Special / other Audits 07
Concurrent Audit 18
TOTAL 137
6. Technical manpower deployed for informationsecurity audits:
CISSPs: 0
BS7799 / ISO27001 LAs: 5
CISAs: 6
DISAs / ISAs: 0
Any other information security qualification:
CISM,CISE, CCNA,CND CISC, CDAC (PG-DITISS),MSC
forensic science, Diploma in Cyber Law, CEH,CDAC
(ITSS),Networking, Win Ad & Linux, CHFI, ECSA,Internet
crime investigation.
Total Nos. of Technical Personnel: 23

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)
Experience in Qualifications related
Sr. Duration with
Name of Employee Information to Information
no. AQM
Security security
1 Madhav Bhadra 18 Years 18 Years CA,CISA, CISM
2 Ritesh Kotecha 12.5 Years 12.5 Years CA, CISA
3 Dhruti Patel 15 Years 15 Years CISA, ISO 2000
CISA, CISM, ISO 27001
4 Rasika Manoj Patil 3 Years 3 Years
LA
Sanjay Jitendra CISA, PG DCM, ITIL, ISO
5 2.5Years 18 Years
Parikh 27001 LA
CISE, CCNA, CEH,
6 Pravin Kumar Singh 2 Years 4.5Years
CYVECTOR
7 Pratik M Chotaliya 2 Years 2.6 Years ECSA, CEH, CND CISC
8 Shekhar Bhatnagar 2 Years 15+ Years MCSE, CCNA, CEH
9 Ruchika Agrawal 2 Years 2 Years CDAC (PG-DITISS)
Gaurav Kumar
10 1 Year 2.9 Years ISO 27001 LA
Naradmuni Pandey
MSC forensic science,
ISO 27001 LA, CCNA,
Kiran Prakash Joshi 1 Year 1 Year
CEH, LINUX
11 Administration
CEH v9, Cyber Law, ISO
12 Nimesh S Kacha 1 Year 1 Year
27001 LA
Mahesh Vaman
1 Year 1 Year CDAC (ITSS)
13 Harkulkar
Akash Bharat
14 1 Year 1 Year CDAC (ITSS)
Chavan
Chaitanya Santosh
1 Year 1 Year CDAC (ITSS)
15 Anant
16 Ashish Kumar Saini 3 Years 3 Years CDAC (ITSS)
17 Smita Sharma 1 Year 1 Year CDAC (ITSS), CEH v10
CEH, Internet Crime
18 Vrushali P. Shirke 1 Year < 2Years
investigation
CDAC (ITSS),
Sanjay Kumar Verma 2 Years < 3Years Networking, Win Ad &
19 Linux Admin
CEH, CHFI, ECSA, ISO
Ankit Sunil Sharma < 1 Year < 1 Year
20 27001 LA
21 Devender Tinwal < 1 Year < 1 Year CISA
Durgesh
22 < 1 Year < 1 Year CDAC (ITSS), CEH v10
PratapraoBadgujar
23 KajolMogra < 1 Year < 1 Year MSC forensic science

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.
1. State level APEX &DCCBs (Single Tender)
1. Apex Bank – 1 No.
2. DCC Banks – 19 Nos.
2. Total Branches : 620 Branches
3. Scope of audits:
1. Application Audits (HO level)
2. Application Audits (Branches)
3. IT Control Review Audits
4. Network & Security Audits
5. Data Migration Audits
6. Risk Assessments
4. Project Value: ~ INR 17.7 million

9. List of Information Security Audit Tools used(commercial/ freeware/proprietary):

Tool Name Purpose


Acunetix Web Application VA
Burpsuite Web App, Mobile App, API VAPT,
SoapUI API VAPT
IBM Appscan Source Code Review & Web App PT
Nessus Server VA, Network VA, Cloud VA
Python scripts (proprietary) Server/Network/Web application VAPT
Logcat Mobile Application VAPT

Other Tools
Mobile application VAPT, Web Application VAPT, Server VAPT,
Kali Linux
Network + WiFI VAPT.
JD-GUI / DEX2JAR/
Mobile Application VAPT
APKTOOL/ Drozer/ MOBSF
POSTMAN Web services and API Testing automated tool
WireShark Network protocol analyzer

Ettercap network sniffing / intercepting / logger for ethernet LANs

OWASP Zed Attack Proxy/


Web application security scanning
SQLMap/ Iron Wasp/ Nikto
SSL Qualys server lab SSL Scanner

Internet security services checks/ assessment (eg: anti-fraud


NetCraft / NMAP
and anti-phishing services and PCI scanning, Port scanning)

Metasploit Framework /
Exploit code development framework for Pentesting
Netcat
EchoMirage Thick Client VA & PT

10. Outsourcing of Project to External Information Security Auditors / Experts: No


If yes, kindly provide oversight arrangement (MoU, contract etc.))

11. Whether organization has any Foreign Tie-Ups? If yes, give details: No

12. Whether organization is a subsidiary of any foreign based organization? No


If yes, give details

13. Locations of Overseas Headquarters/Offices, if any: No

*Information as provided by AQM Technologies Pvt Ltd.On31st July 2019.

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

Bharat Electronics Limited

1. Name & location of the empanelled Information Security Auditing Organization :

BHARAT ELECTRONICS LIMITED


Registered &Corporate Office
Outer Ring Road, Nagavara
Bengaluru – 560045, Karnataka

Representing all its 9 units at Bengaluru, Ghaziabad, Pune, Machlipatnam, Chennai,


Panchkula, Navi Mumbai, Kotdwara, Hyderabad and 2 Central Research Laboratories
at Bangalore and Ghaziabad.
2. Carrying out Information Security Audits since : August 2015

3. Capability to audit, category wise (add more if required)


 Network security audit (Y/N) : Yes
 Web-application security audit (Y/N) : Yes
 Wireless security audit (Y/N) : No
 Compliance audits (ISO 27001, PCI, etc.) (Y/N) : Yes
Gap analysis w.r.t ISO 27001
 Secure SDLC Review (Y/N) : Yes
 Secure Code Review (Y/N) : Yes

4. Information Security Audits carried out in last 12 Months :


Govt. : <number of> - Nil-
PSU : <number of>Infrastructure VAPT for BEL Units – 4;
Application VAPT for the defence customers – 11,
ISO 27001 Compliance audits for BEL Units –2
Private : <number of> -Nil-
Total Nos. of Information Security Audits done: -17-

5. Number of audits in last 12 months, category-wise (Organization can add categories based on
project handled by them)
Network security audit: <number of> -4-
Web-application security audit: <number of> -11-
Thick-client application security audit : <number of> -5-
Wireless security audit:<number of> -Nil-
Compliance audits (ISO 27001, PCI, etc.,):<number of> -2-
6. Technical manpower deployed for informationsecurity audits :
CISSPs : <number of> -Nil-
BS7799 / ISO27001 LAs : <number of> -10-
CISAs : <number of> -Nil-
DISAs / ISAs : <number of> -Nil-
Any other information security qualification:
M.Tech (Information Security) :<number of> -2-
M.Tech (Cyber Security) : <number of> -2-
M.Tech (Cyber Law & Information Security) : <number of> -1-
NPT :<number of> -2-
CEH:<number of> -4-
CCNSP :<number of> -2-
CHFI :<number of> -1-
ACE :<number of> -1-
Total Nos. of Technical Personnel : 21
7. Details of technical manpower deployed for information security audits in Government and Critical
sector organizations (attach Annexure if required)

Duration
Experience in
Sl. with Qualifications related to
Name of Employee Information
No. <BEL> in Information security
Years Security (in Years)
M.Tech (Information
1. Kunal Mohan Sadalkar 8 7
Security)
M.Tech (Information
2. Neeraj Kumar 5 7 Security), CHFI V8, ACE
3. Jagan Mohan Rao B 20 8 PMP, Trained on CISSP
PMP, ISMS LA, CCNSP,
4. Shylaja K 20 15 Trained on CCISO & CISSP
M.Tech (Software
5. Bhagya Lakshmi A N 15 4 Systems), PMP, ISMS LA,
NPT, Trained on CISSP
M.Tech (Cyber Security),
6. Poornima M 10 2
CEH
7. Swathi M D 9 4 CEH
8. Antony Benedict Raja G 9 5 CEH
9. Tarun Jain 9 5 Trained on CISSP
10. Deepak D 7 3 NPT, CEH
M.Tech (Software
11. AnushreePriyadarshini 4 1
Engineering), CEH
12. Akshatha S 0.7 0.7 -
M.Tech (Cyber Security),
13. SandeepGadhvi 0.7 1
ISMS LA
M.Tech (Cyber Law &
14. Viplav 0.7 0.5
Information Security)
15. Vaman A Naik 33 5 ISMS LA
16. Praveen Kumar H T 18 13 ISMS LA, CCNSP
17. Madhavi M 15 2 PMP, ISMS LA
18. Mrityunjaya P Hegde 9 3 PMP, ISMS LA
19. Srinivas T 26 8 ISMS LA
20. DeeprajShukla 10 4 ISMS LA
21. Padmapriya T 8 1 PMP, ISMS LA

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations etc.)
along with project value.
Information Systems Infrastructure Audit of BEL-IS Ghaziabad comprising of Antivirus Server,
DC, ADC, Radius, WSUS, Nagios, BEL_Sampark-Intranet Mail server,Web applications,
Switches/Routers and Firewall for both Intranet and Internetwork.
9. List of Information Security Audit Tools used (commercial/ freeware/proprietary):

Freeware Commercial Proprietary


Wireshark/ TCPDump Ettercap Dsniff Nessus NSAT
Kali Linux Ferret Lynis Nexpose Scripts
Nmap/ Zenmap Hamster NSLookup Metasploit Pro
Sqlmap IP scanner Netcat Burpsuite
Nikto Yersinia OmegaDB Acunetix
Hydra Ethereal OpenZap HP WebInspect
John the Ripper Echo Mirage OpenVAS HP Fortify
Putty WebScarab Hping IBM Appscan
Whois Tor’s Hammer Fiddler Maxpatrol
Scapy W3af SSLTest Codenomicon
Pyloris Sparta HTTPMaster beSTORM
LOIC Directory Buster Curl IDAPro
CSRF Tester SMTP Ping WireEdit
Ollydbg Hash-Identifier Process Hacker
MBSA Cisco Auditor Armitage
TestSSLServer SysInternals Open SSL
Suite
Python / Powershell Cain and Abel Browser Plugins
Scripts

10. Outsourcing of Project to External Information Security Auditors / Experts : Yes/No


( If yes, kindly provide oversight arrangement (MoU, contract etc.)
11. Whether organization has any Foreign Tie-Ups? If yes, give details : Yes/No
12. Whether organization is a subsidiary of any foreign based organization? : Yes/ No
If yes, give details
13. Locations of Overseas Headquarters/Offices, if any : Yes/No

New York Singapore Srilanka


Bharat Electronics Limited Bharat Electronics Limited Bharat Electronics Limited
53, Hilton Avenue 06-01, PSL Industrial No. 385, 1st Floor
Garden City Building Landmark Building, Galle
New York – 11530, USA 156, Maopherson Road Road
Singapore – 348 528 Colombo – 03, Srilanka
Oman Myanmar Vietnam
Bharat Electronics Limited Bharat Electronics Limited Bharat Electronics Limited
No. 0402Z214, 2nd Floor No. 53, The Strand Square 10th Floor, TNR Power
Building No.4 Level 2, Unit #. 209, Strand Hanoi
Knowledge Oasis Muscat (KOM) Road Vietnam
PO Box 200, Postal Code 123, PabedanTsp, Yangaon,
AI Rusayl, Sultanate of Oman Myanmar

*Information as provided by <BHARAT ELECTRONICS LIMITED> on <08.08.2019>

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

HKIT Security Solutions

1. Name & location of the empanelled Information Security Auditing Organization :

HKIT Security Solutions

2. Carrying out Information Security Audits since : 2012

3. Capability to audit , category wise (add more if required)


 Network security audit : (Y)
 Web-application security audit : (Y)
 Wireless security audit : (Y)
 Compliance audits (ISO 27001, PCI, etc.) : (Y)

4. Information Security Audits carried out in last 12 Months :

Govt. : 5
PSU : 25
Private : 20
Total Nos. of Information Security Audits done : 50

5. Number of audits in last 12 months, category-wise (Organization can add categories based
on project handled by them)

Network security audit : 20


Web-application security audit : <25
Wireless security audit : 5
Compliance audits (ISO 27001, PCI, etc.) : 5

6. Technical manpower deployed for informationsecurity audits :

CISSPs : 4
BS7799 / ISO27001 LAs : 10
CISAs : 5
DISAs / ISAs : 5
Any other information security qualification :
PhD (info Sec), GDPR, CSA-STAR, Certified Forensic Detectives, PIMS
Total Nos. of Technical Personnel : 24

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Employee Duration with Experience in Qualifications related


No. <organization> Information Security to Information security
1 Dr. Harsha HKIT Security 12 Years PhD (Info Sec), GDPR,
Solutions LA, CSA-STAR, PIMS,
2 Ms. Gayathri HKIT Security 8 Years ISO LA, Certified Cyber
Solutions Security Expert,
Certified Forensic
Detective
3 Mr. Snehil HKIT Security 8 years CCNA, Certified SANS
Solutions Cyber Security , PET

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

 Sify Pan India Cyber Security Audit


 Hathway Cyber Security Audit Pan India
 Bosch (APAC) Cyber Security Audit (VAPT)
 Delhi Indira Gandhi International Airports (T1, T2, T3)
 Mumbai International Airports (T1, T2,T3)
 SIT (5000 Nodes Infra) Cyber Security and Network Security Assessments
 Aadhaar Enrollment Application (KA)
 MRPL Mangalore (Oil & Gas)

9. List of Information Security Audit Tools used (commercial/ freeware/proprietary):

Scanners: Qualysguard, Nmap, Nessus, Acunetix , Burpsuite Pro


Sniffers: Wireshark, Ettercap, Win Dump, Tcpdump, dsniff, network-miner.
Packet crafting: Nemesis, Scapy
Password Crackers: Ophcrack, Brutus, Cain n Abel, L0pht crack, Hydra
Others: Burp, Paros, Achilles, Firewalk, Fragroute, httptunnel, snmpwalk, Netcat, Fport,
WebGoat, BinText, PmDump, PwDump, HTTPrint, WinHTTrack, Sam Spade, WEPCrack,
Kismet,
Reverse Engineering: gdb, Ollydbg, Filemon, Regmon, TCPmon, BinText, Java
Decompiler, flare, flasm.
Exploitation: Metasploit Framework, custom exploits

Methodologies: OSSTMM, OWASP, NSA Security guidelines, OCTAVE.

10. Outsourcing of Project to External Information Security Auditors / Experts : No


( If yes, kindly provide oversight arrangement (MoU, contract etc.))

11. Whether organization has any Foreign Tie-Ups? If yes, give details : No

12. Whether organization is a subsidiary of any foreign based organization? : No


If yes, give details

13. Locations of Overseas Headquarters/Offices, if any : No

*Information as provided by HKIT Security Solutions on 29th July 2019

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

IBM India Private Limited


1. Name & location of the empanelled Information Security Auditing Organization:
IBM India Pvt. Ltd
No.12, Subramanya Arcade, Bannerghatta Road,
Bangalore, Karnataka - 560029, India

2. Carrying out Information Security Audits since : 2000

3. Capability to audit, category wise (add more if required)

 Network security audit (Y/N) - Yes


 Web-application security audit (Y/N) - Yes
 Wireless security audit (Y/N) - Yes
 Compliance audits (ISO 27001, PCI, etc.) - Yes

4. Information Security Audits carried out in last 12 Months:

Govt. : 0
PSU : 0
Private : 3*
* We have some more projects, as we are under NDA, we cannot furnish at this
moment
Total Nos. of Information Security Audits done : 15+

5. Number of audits in last 12 months, category-wise (Organization can add categories based
on project handled by them)

Network security audit : 10


Web-application security audit : 4
Wireless security audit : 1
Compliance audits (ISO 27001, PCI, etc.) : 0

6. Technical manpower deployed for informationsecurity audits:

CISSPs : 6
BS7799 / ISO27001 LAs : 6
CISAs : 0
DISAs / ISAs : 0
Any other information security qualification : 350+
Total Nos. of Technical Personnel : India 500+
and Global 8000+

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

Experience in
S. Duration with Qualifications related to
Name of Employee Information
No. <organization> Information security
Security
1 Mreetyunjaya Daas 3 Years 9 Months 10 + Years CEH
2 DevdattaMulgund 1 Year 10 Months 7+ Years CISSP
3 Ravindra Singh Rathore 1 Year 8 Months 5+ Years CEH
4 SanketBhogale 1 Year 9 Months 10+ Years CISSP
5 Ankit Tripathi 1 Year 8 Months 4+ Years

1. CEH
6 Mohit Jain 4 Months 10 + Years 2. ISO 27001-2013
3. ECSA

7 Saurabh Kumar 1 Year 8 Months 5+ Years CEH


8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

Vulnerability Management for one of the largest Telco Network Operator in India

Project:

Vulnerability management for one of the largest Telco network operator (Client) in India with
approximately 160 million customers.IBM as an IT security service provider manages the
security Assessment and Vulnerability management lifecycle for Client Applications and Network
infrastructure components.

Service Offerings:

1. External Penetration Testing: 150 IP's, Frequency: Half Yearly


2. Internal Penetration Testing: 1500 IP's, Frequency: Half Yearly
3. Application Penetration Testing : 48 URL's, Frequency: Half Yearly
4. Internal Vulnerability Assessment: 11000 IP's, Frequency: Half Yearly

Key Activities:

1. Perform bi-annual Application Security Assessment on all client applications


2. Perform application security assessment of new applications before production
deployment
3. Perform Network Penetration testing and Vulnerability assessment of defined
network assets
4. Track and govern the closure of issues within defined timeframe. Guide the
development and network team for closure

Highlights:

1. Project team performed review of current set-up and validated the scope for
Security Assessment activities. It included Applications and network infrastructure
assets
2. Defined the periodicity or recurring activities and scope of non-periodic ad-hoc
activities
3. Performed security assessment of applications and network assets in scope.
4. Delivered the report to relevant recipients including development team and client
security team
5. Document and track the status of issues. Govern the application team for closure of
issues in defined timeframe. Conducted meetings and knowledge transfer sessions
with development team to guide them for issue closure
6. Re-test the closure of issues and certify them for go ahead

9. List of Information Security Audit Tools used(commercial/ freeware/proprietary):

Freeware : 14
Commercial : 4
Proprietary : 5
Total Nos. of Audit Tools : 23
Freeware:
1. Metasploit: Penetration Testing Framework
2. NMAP : Port scanner
3. RAT : Router and firewall benchmarking
4. Wireshark - Protocol analyzer
5. MBSA : Windows security assessment
6. Nikto : Web Applications security
7. SNMPWalk : Router and network management
8. CAIN &Able : Traffic sniffing and Password cracking
9. Brutus : Password cracking
10. JohntheRipper : Password cracking
11. W3AF: Application auditing framework
12. Maltego: Intelligence and forensics application.
13. Unicornscan: Port Scanner and Information gathering.
14. Aircrack
Commercial:
1. Nessus : Network Vulnerability Assessment
2. IBM Appscan : Web Systems & Applications security
3. BurpsuiteProfessional : Web Systems & Applications security
4. Nipper Studio : Network Device Configuration Review

Proprietary Tools:
1. Windows server Security assessment scripts
2. Unix/Linux/AIX server security assessment scripts
3. Oracle security assessment scripts
4. MSSQL security assessment scripts
5. ASP and Java Scripts : Web application assessment

10. Outsourcing of Project to External Information Security Auditors / Experts : No


( If yes, kindly provide oversight arrangement (MoU, contract etc.))

11. Whether organization has any Foreign Tie-Ups? If yes, give details : No

12. Whether organization is a subsidiary of any foreign based organization? : Yes


If yes, give details

IBM Corporate Office Address: IBM Corporation, 1 New Orchard Road, Armonk, New York
10504-1722, United States

13. Locations of Overseas Headquarters/Offices, if any : Yes

IBM Corporate Office Address: IBM Corporation, 1 New Orchard Road, Armonk, New York
10504-1722, United States

*Information as provided by IBM India Pvt. Ltd on 2-August-2019

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

ProgIST Solutions LLP

1. Name & location of the empanelled Information Security Auditing Organization :

ProgIST Solutions LLP,


102, B3 Wing, Rosa Gardenia, Kasarvadavli, Ghodbunder Road,
Behind HyperCity, Thane – West, 400615

2. Carrying out Information Security Audits since : May 2017

3. Capability to audit , category wise (add more if required)

 Network security audit


 Web-application security audit
 Wireless security audit
 Compliance audits (ISO 27001, PCI, etc.)
 Information security policy revi=ew and assessment against best security
practices
 Information Security Testing
 Process Security Testing
 Internet Technology Security Testing
 Communications Security Testing
 Application security testing
 Wireless Security Testing
 Physical Access Controls & Security Testing
 Network Security Testing
 Software Vulnerability Assessment
 Penetration Testing

4. Information Security Audits carried out in last 12 Months :

Govt. : 0
PSU : 0
Private : 20+
Total Nos. of Information Security Audits done : 20+

5. Number of audits in last 12 months , category-wise (Organization can add categories based
on project handled by them)

Network security audit : 4+


Web-application security audit : 50+
Wireless security audit : 1
Compliance audits (ISO 27001, PCI, etc.) : 3

6. Technical manpower deployed for informationsecurity audits :

CISSPs : 1
BS7799 / ISO27001 LAs : 3
CISAs : 1
Any other information security qualification:
CEH : 8
CISE :
CHFI : 1
CIPR : 1
C-CTIA : 2
C-ATPA : 2
ECSA : 1
Total Nos. of Technical Personnel : 20+
7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required)

S. Name of Employee Duration with Experience in Qualifications related


No. <organization> Information to Information
Security security
Ashlesha Bhagat CCNA, Certified Cyber
Threat Intelligence
Analyst, Certified APT
Dec 2017 3.2 years Analyst
Suman Sinha July 2018 2.5 years CEH, CND
BinalKathiriya Feb 2017 1.6 years CEH, CND
Deepak Bhatt Sept 2017 1.10 years CEH
Suraj Mulik Sept 2017 7.5 years CISE
Jagdish Sahu

CISP, ISMS – Lead


Implementer
Sept 2018 6 years Professional
BharadwajaMaringanti Feb 2018 6+ years CEH, CCNA
Gurpreet Sandhu Jun 2018 3+ years CHFI, CIPR, CEH
Chaithanya Rao May 2017 11+ years CEH, CISSP
Bhavin Bhansali July 2017 21 years CISA
Mohit Kalmetar CISEH, BSI PCI DSS
Implementation
Sept 2017 3.5 years Training
SadichhaSapkal Certified Cyber Threat
Intelligence Analyst,
July 2017 6.5 years Certified APT Analyst.
Savio Fernandes Oct 2017 10.8 years ECSA, CEH
Ronak Bhojani Jan 2018 1.5 years CEH, CISC, CPFA
SiddheshRane July 2018 0.5+ years ISMS Lead Auditor

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations
etc.) along with project value.

Project Volume Complexity Location Project Value

Banking Application Core Channel Critical internet Mumbai XX,XX,XXX


Banking facing application

DDOS Simulation Drill 1 GBPS Critical network Mumbai XX,XX,XXX

HR portal VAPT 6 roles and 20 Critical HR Mumbai X,XX,XXX


review modules application

Vendor Risk 50 Critical vendors India XX,XX,XXX


assessment servicing customer
data

9. List of Information Security Audit Tools used (commercial/ freeware/proprietary):

NMAP, BURSUITE, NESSUS, RAPID7 NEXPOSE, METASPLOIT, SQLMAP, KALI LINUX, SIFT
WORKSTATTION, ENCASE, FTK, W3AF, ACUNETIX, NETSPARKER, WIRESHARK, RAINBOW
TABLES, AIRCRACK-NG, NETCAT, SCUBA DB VA SCANNER, ELK, ONAPSIS, REDLINE, IDA,
SNORT, CAIN & ABLE, ZAP, TCPDUMP, CANVAS, SET KIT, SQLNINJA, BeEF, SYSINTERNALS,
OPENVAS, NAGIOS, ETTERCAP, MALTEGO.

10. Outsourcing of Project to External Information Security Auditors / Experts : No


( If yes, kindly provide oversight arrangement (MoU, contract etc.))

11. Whether organization has any Foreign Tie-Ups? If yes, give details : No

12. Whether organization is a subsidiary of any foreign based organization? : No


If yes, give details
13. Locations of Overseas Headquarters/Offices, if any : No

*Information as provided by ProgIST Solutions LLP on 06/August/2019

Back
Snapshot of skills and competence of CERT-In empanelled
Information Security Auditing Organisation

XYSec Labs Private Limited

1. Name & location of the empanelled Information Security Auditing Organization :

Xysec Labs Private Limited (Appknox),


Location - Bangalore, India

2. Carrying out Information Security Audits since : 2014

3. Capability to audit, category wise (add more if required)

 Network security audit : (Y)


 Web-application security audit : (Y)
 Wireless security audit : (N)
 Compliance audits (ISO 27001, PCI, etc.) : (N)

4. Information Security Audits carried out in the last 12 Months:

Govt. : 10
PSU : 45
Private : 320
Total Nos. of Information Security Audits done : 260

5. Number of audits in the last 12 months, category-wise (Organization can add categories
based on project handled by them)

Network security audit : NA


Web-application security audit : 80
Wireless security audit : NA
Compliance audits (ISO 27001, PCI, etc.) : NA

6. Technical manpower deployed for information security audits :

CISSPs : 2
BS7799 / ISO27001 LAs : 0
CISAs : 2
DISAs / ISAs : 0
Any other information security qualification : -
Total Nos. of Technical Personnel : 9

7. Details of technical manpower deployed for information security audits in Government and
Critical sector organizations (attach Annexure if required) - NOT APPLICABLE FOR US.

S. Name of Employee Duration with Experience in Qualifications related to


No. <organizatio Information Security Information security
n>

8. Specify Largest Project handled in terms of scope (in terms of volume, complexity, locations,
etc.) along with project value.
Unilever Mobile Application Security Testing
550 Mobile Applications VAPT.
Project Value - 1.5 Crore INR.
Location - Unilever Industries. Tower A. The Business Precinct. Prestige Shantiniketan,
Bangalore, India.

9. List of Information Security Audit Tools used ( commercial/ freeware/proprietary): Appknox


(proprietary), Burp Suite(commercial), Open-source Tools: nmap, radamsa, metasploit, ILspy,
Dnspy, Frida
10. Outsourcing of Project to External Information Security Auditors / Experts : No
( If yes, kindly provide oversight arrangement (MoU, contract etc.))

11. Whether organization has any Foreign Tie-Ups? If yes, give details : Yes

12. Whether organization is a subsidiary of any foreign based organization? : Yes


If yes, give details
Subsidiary of Singapore Registered company - Xysec Labs Pte Ltd. Complete Management Team
sits and works out of Bangalore, India.

13. Locations of Overseas Headquarters/Offices, if any : Yes,


Singapore is Headquarter.

*Information as provided by Xysec Labs Private Limited on 29th July 2019

Back

-Top-

You might also like