
Firehawk Consulting

The following report was prepared on behalf of SwiftTech.

Thank you for giving Firehawk Consulting the opportunity to review your security posture in anticipation of performing a SOC 2 security assessment.

We hope you find the notes below helpful as you begin your journey. Please do not hesitate to contact us if you have further questions.

For SwiftTech
After review, Firehawk has noted the following areas of concern. You may wish to consider updating policy and security
controls based on your current business goals, risk management posture, and compliance considerations.

Controls
Data Storage
• VPC3 File storage supports only AES-128 encryption
• Databases in production environment are unencrypted
End User Management
• Internal Network users require a 7-character password
• Passwords never expire
• VPN access does not require MFA
Network Controls
• TLS v1.1 is used between the cloud production environment and SwiftTech’s physical location
• Application development Tiers are not logically segmented from Business Application servers
Patching and Vulnerability Management
• Development Tier servers are unpatched and contain multiple vulnerabilities
Secure Software Development
• Application code is not scanned for vulnerabilities before being published into production environment
SwiftTech: Speed, Flexibility, Success

[Network Diagram (Revision: xx/xx/xx, Confidential). Labels recovered from the figure: VPC1, VPC2, VPC3; VPN Users; Web Servers; Internet; HA 192.168.1.x; Database Servers; Log Management and Monitoring; File Storage; HA Internal Applications; Test; Dev; Backup and Analytics.]
[Data Flow Diagram (Revision: xx/xx/xx, Confidential). Columns: Inputs (Internal Users), Multi-tenant Service, Internal Processing. Labels recovered from the figure: Company Registration (Company Name, Company Contact Info); User Registration (User Information (Private), Role Assignment); Data Input (Project Details (Secret), Project Timelines, Related Documentation); Web Servers; Code; Data; HA Test; Database Servers; Backup and Analytics; Customer Acquisition and Communication; HA Processing; Internal Applications (De-identification, Analysis).]
Security Posture (1.)

SwiftTech's risk posture is risk accepting, because they are willing to take risks. In the document they state that SaaS is the best product, but they do not want to sacrifice their commitment to agile software development and failing fast. Their brand statement says speed, flexibility and success; they create their product fast.
Relevant Frameworks (2.)

1- NIST security framework.
2- Vendor risk management.
3- NIST risk management.
Audit Against Frameworks (3.)

• Change file storage encryption from AES-128 to AES-256.
• Encrypt the production databases for security reasons.
• Passwords shall be at least 8 characters in length.
• Passwords shall expire after 30 or more days.
• TLS v1.2 is secure; use it in place of TLS v1.1.
• Application tiers shall be segmented from business application servers.
• The Development Tier servers must be updated.
• Update the application code.
Governance Mechanisms for End-User Management Controls (6.)

1- Password length:
Passwords should be at least 12 characters long and must contain at least 1 or 2 upper-case letters to protect the account from attackers.

2- MFA:
More than one factor should be used in order to enable strong authentication.

3- Login attempts:
After 3 incorrect login attempts a security alarm should activate.
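The following is an added example, not part of the Firehawk report, showing how the two measurable governance mechanisms above (12-character passwords with upper-case letters, and an alarm after 3 incorrect login attempts) can be checked in code. The log line format and the user names are constructed for the example and are not SwiftTech's real log format.

```python
import re
from collections import defaultdict

# Governance thresholds taken from section 6 of the report.
MIN_PASSWORD_LENGTH = 12
MIN_UPPERCASE = 1
MAX_FAILED_LOGINS = 3


def password_meets_policy(password: str) -> bool:
    """Length >= 12 and at least one upper-case letter, as the report requires."""
    uppercase = sum(1 for c in password if c.isupper())
    return len(password) >= MIN_PASSWORD_LENGTH and uppercase >= MIN_UPPERCASE


# Constructed (hypothetical) log format: "<timestamp> auth user=<name> result=<success|failure>"
LOG_LINE = re.compile(r"^(\S+) auth user=(\S+) result=(success|failure)$")


def users_to_alarm(log_lines):
    """Return the users whose consecutive failed logins reach the threshold.

    A successful login resets that user's counter; the alarm fires once per
    user, at the moment the third consecutive failure is seen.
    """
    failures = defaultdict(int)
    alarms = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # not an authentication event
        _, user, result = m.groups()
        if result == "success":
            failures[user] = 0
            continue
        failures[user] += 1
        if failures[user] == MAX_FAILED_LOGINS:
            alarms.append(user)
    return alarms


# Constructed sample lines: 'bob' trips the alarm, 'alice' does not.
SAMPLE_LOG = [
    "2024-01-01T09:00:00Z auth user=alice result=failure",
    "2024-01-01T09:00:05Z auth user=alice result=success",
    "2024-01-01T09:01:00Z auth user=bob result=failure",
    "2024-01-01T09:01:10Z auth user=bob result=failure",
    "2024-01-01T09:01:20Z auth user=bob result=failure",
    "2024-01-01T09:01:30Z auth user=bob result=failure",
]

if __name__ == "__main__":
    print(users_to_alarm(SAMPLE_LOG))  # ['bob']
    print(password_meets_policy("correcthorsebattery"))  # False: no upper-case letter
```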
