Cyber Security: IMQ services for protecting products, software and infrastructure against cyber risks

Industry 4.0, smart plant engineering, the Internet of Things and the Internet of Everything have led to a major increase in IT systems’ exposure to the outside world. The attack surface has grown to the extent that it now reaches the everyday lives of all of us, and the physical dimension of attacks has been compounded by a cyber dimension whose role is beginning to predominate. Every device connected to the cloud or the internet is a potential point of attack for cyber criminals, so it is vital that both consumers and businesses take safety precautions.

IMQ’s cyber security services are continuously evolving and being upgraded to provide latest-generation support that protects businesses on an end-to-end basis:

  • Formal assessments
  • Audit with statements of conformity
  • Vulnerability Assessment & Penetration Test (VA-PT)

ICT security formal assessments

  • Formal assessment in accordance with the Common Criteria (ISO/IEC 15408): security assessment of ICT systems / products and of protection profiles, to obtain internationally recognized certification from OCSI
  • Support to organizations in defining Security Targets or Protection Profiles compliant with Common Criteria requirements

ICT security audit with statements of conformity

When formal evaluation for third-party certification against Common Criteria or against a reference standard is not possible, IMQ can support customers by providing an ICT security audit followed by a statement of conformity. In this case, the audit process is tailored to:

  • the set of ICT security requirements, established on the basis of all contractual and legislative obligations that may apply to the organisation requesting the statement, and agreed and validated by that organisation;
  • verification in accordance with a bespoke method, defined according to criteria of efficiency and effectiveness and taking account of all the applicable reference standards.

If the audit has a positive outcome, IMQ can issue a statement of conformity with the defined ICT security requirements.

Vulnerability Assessment & Penetration Test (VA-PT)

This involves providing an appropriate assessment of business impact and recovery plan recommendations, in accordance with the main standards and best practices (the list below provides examples and is not exhaustive):

  • OWASP v4 for web application analysis
  • OWASP mobile security testing guide
  • ISECOM OSSTMM 3.0 for certain security checks
  • NIST CSRC for IT security best practices

The VA-PT service is offered for numerous fields, including:

  • Industrial automation: IoT and SCADA systems
  • Automotive: security analysis of the communication interfaces exposed by the on-board computer
  • Mobile application, with reverse engineering of the code
  • Web application
  • Trust services: eIDAS/SPID/Regulated digital storage
  • Security audit of IT HW/SW products, with code review

The security audit activities can also include Phishing Assessments based on social engineering and social profiling, which try to exploit human error to carry out a cyber attack aimed, for example, at compromising access credentials and stealing private/sensitive data that should not be accessible to unauthorized parties.

Why choose IMQ services?

In the field of IT assessments, IMQ is the only Italian company that:

  • has an equipped laboratory dedicated to cybersecurity, accredited as Security Assessment Laboratory (LVS) by OCSI (civil context) and as Security Assessment Center (CE.VA.) by DIS/UCSe (military/governmental context) according to the Common Criteria (ISO/IEC 15408), the standard underlying the release by OCSI and DIS/UCSe of internationally recognized certifications;
  • has a laboratory accredited according to ISO 17025 for vulnerability assessment (VA) on the infrastructures used by Trust Service Providers;
  • is accredited by ACCREDIA as a Certification Body for management systems according to ISO 9001 (quality), ISO/IEC 27001 (information security), ISO/IEC 20000-1 (IT service management), ISO/IEC 22301 (business continuity);
  • is accredited by ACCREDIA for the certification of trust service providers pursuant to the eIDAS Regulation, of digital storage and of SPID digital identity providers.

Management system certification is the endorsement enjoyed by organisations that have chosen to equip themselves with efficient management systems and suitable skills and structures, aimed at continuous improvement. And the higher the prestige of the awarding body, the higher the value of the guarantee.

Equipped with state-of-the-art technology, our laboratories have full capability to put products through all the checks required by the major European directives and international standards.

The certifications issued by IMQ are synonymous with trust. They guarantee safety, performance, efficiency and quality standards. More than 10,000 companies have turned to IMQ to certify their products and stand out on the market.

As a notified body for the main EU directives, IMQ offers tests and CE certifications to assess the conformity of products with the requirements they must meet to be marketed on the European market.

Inspections and audits validate the conformity of electrical installations, equipment, supplies and services with the applicable technical and legislative specifications.

IMQ services add value and enhance brand image by distinguishing organisations that have invested properly in safety and quality. They are internationally recognised, managed by expert personnel and constantly updated, on the strength of IMQ’s membership of the main working groups on international standards. From the market’s point of view, IMQ services testify to the transparency and reliability of the organisations that choose them. And they cut time to market.