
Proposal for VAPT

Submitted to: J L Morison (India) Ltd


Document Version and Confidentiality clause

This document contains proprietary and confidential information of Cymune. No part of this document
may be reproduced, transmitted, stored in a retrieval system, nor translated into any human or
computer language, in any form or by any means, electronic, mechanical, optical, chemical, manual, or
otherwise, without the prior written permission of the owners, Cymune.

Document Control

Name of the Document: Proposal for VAPT
Client: J L Morison (India) Ltd
Date: 25th March 2022
Revision: 1.1
Author: Yassir Ansari
Doc Type: Strictly Confidential

Private and Confidential 2


Table of Contents

1 About Us
2 Cymunize Your Enterprise!
2.1 Top Goals -
2.2 What we do?
3 Statement of Work
4 Security Audit – Our Approach & Benefit
5 Methodology
6 Assumptions & Exclusions
7 Constraints
8 Customer Responsibilities
9 Investment Summary
10 Terms & Conditions



1 About Us
Cyber security has taken on a new meaning as businesses go digital. The further an enterprise moves
towards digital transformation, the larger the threat landscape it faces. The widespread use of
technology is a double-edged sword: while it has enabled businesses to do more and achieve more, it
has also brought with it a huge influx of cybercrime. For hackers, the possibilities have increased
exponentially, along with the potential rewards. Businesses need new capabilities to keep themselves
protected, and keeping in stride with the most protected security posture not only consumes an
incredible amount of their bandwidth but also poses a huge risk to their pace of innovation.

At Cymune we bridge the visible and the invisible Cyber Security gaps for businesses that aspire to
be Digital with an uncompromising approach to innovation. Our approach is to broadly assess three
main things across your “Core Domain” areas:

• Inherent Risk
• Process Maturity
• Operational Effectiveness

We understand that organisations are subject to increasing amounts of corporate and regulatory
requirements to demonstrate that they are managing and protecting their information appropriately,
whilst the threats from all quarters, including organised crime, nation-states and activists, are growing
in complexity and volume.

Understanding the Security Solutions Landscape

Evolving threats, expanding compliance risks, and resource constraints require a new approach. To
counter these cyber threats, one needs to have the hacker mind-set, and over the years we have
reached such a mind-set by acquiring extensive capabilities and experience. Our tools, processes
and people are among the best in the industry, with collective knowledge of having handled several
million incidents.

We understand the challenges our clients face every day – because many of our people have occupied
a seat on the other side of the table. We help businesses such as yours to fight against cybercrime,
protect patented data and diminish security risks. Our aim is always to help you transform your
business by removing any security hurdles with the help of our team of security experts and
technologists, operations specialists, researchers and ethical hackers.

At Cymune we improve your business operations by

• Leveraging our industry-wide experience in security
• Expertise in cutting-edge security technology
• Extensive portfolio of security services

We are the experts born out of LOCUZ - two decades of experience leading several transitions. In
these two decades we have immersed ourselves extensively in core data-centre related technologies
solving any & every Infrastructure challenge our clients have faced.

Cymunize Your Enterprise Today!



2 Cymunize Your Enterprise!
2.1 Top Goals -
We provide a layered security approach that addresses the infrastructure as a whole; deploying
multiple layers of protection reduces the risk of intrusions. Our security services comprise processes
and technologies that provide secure access to your business applications and new endpoints. Through
a controlled exercise performed by security experts, conducting Information Security and Network
Security Assessments and Audits, we can ensure your organization is immune to various threats and
vulnerabilities by taking various standards and best practices as benchmarks.

2.2 What we do?



3 Statement of Work
1. Scope of Audit Activity
• VAPT which includes 08 (Internal servers), 01 (Firewall) and 05 External IPs and 10 Desktops.
• Location Scope: Remote activity.

2. Effort Estimate & Project Plan
• It will take 7 to 8 man-days for VAPT.

4 Security Audit – Our Approach & Benefit


Vulnerability Assessment

Vulnerability Assessment tools uncover all possible network weaknesses, leaving customers
guessing as to which vulnerabilities pose real, imminent threats.

Penetration Testing

Penetration testing safely exploits vulnerabilities to eliminate "false positives" and reveal tangible
threats. Penetration test results enable IT staff to delineate critical security issues that require
immediate attention from those that pose lesser risks.

Security Audit Services can help you with:

1. Finding configuration errors
2. Identifying and patching application loopholes in server code or scripts
3. Expert advice on data that could have been exposed due to past errors
4. Testing for known vulnerabilities
5. Reducing the risk and enticement to attack
6. Advice on fixes and future security plans

| | VULNERABILITY ASSESSMENT | PENETRATION TESTING |
|---|---|---|
| Testing Scope | Scans for all potential network vulnerabilities. | Identifies vulnerabilities and determines if they can actually be exploited. |
| Vulnerability Relevance | Categorizes vulnerabilities based on standardized, theoretical information - not customized to the tested network. | Tests vulnerabilities on specific network resources, enabling prioritization of remediation efforts. |
| Usefulness of Test Results | Provides false positives, identifying vulnerabilities that cannot be exploited. | Exploits vulnerabilities, identifying only those that pose actual threats to network resources. |
| Network Connection Testing | Does not address connections between network components. | Exploits trust relationships between network components to demonstrate actual attack paths. |
| Remediation Assistance | Delivers long lists of vulnerabilities, limiting remediation options to widespread patching. | Assesses the potential risks of specific vulnerabilities, allowing users to patch only what is necessary and to test the effectiveness of patches and other mitigation strategies, such as intrusion prevention. |
| Testing of Other Security Investments | Does not simulate attacks to test IDS, IPS or other security technologies. | Launches real-world attacks to determine if other security investments are functioning properly. |
| Security Risk Assessment | Only identifies missing patches, making it impossible to truly assess security risks. | Safely mimics the actions of hackers and worms, providing risk evaluations based on tangible network threats. |

5 Methodology
The VAPT Methodology described here incorporates the best security testing practices of the industry,
conforming to Information Security compliance standards and Locuz's commitment to ensure the highest
possible confidentiality. The methodology used to perform this test allows for systematic checking
for known vulnerabilities and pursuit of potential security risks.

VAPT Process Flow

Vulnerability Assessment Methodology



Penetration Testing Methodology

6 Assumptions & Exclusions


Cymune has assumed the following about this service quotation:
• Customer has provided all the relevant information to Cymune in the context of this project.
• Customer’s IT infrastructure associated with this project does not currently have any known
problems or issues.
• Customer has copies of valid licenses for the software and / or applications that need to be
installed, applicable to this quotation. Customer will provide the necessary hardware, connectors,
cables, media, etc. required for the service.
• All pricing is based on work being completed during business hours. If a requirement exists for
these services to be delivered outside of business hours, please notify your account
representative, who will arrange for the proposal / rates to be amended. The Cymune definition
of business hours is Monday to Friday, 9am to 6pm, excluding national and state-based public
holidays.
• Cymune reserves the right to re-price the service should quantity or scope change.
• Hardware & Software procurement are not a part of the scope.
• Time required by the customer to provide & process the documents, arrange equipment, procure
items and arrange interviews will not be a part of the estimated project timelines.
• Any other locations not explicitly defined in the geographical scope would be out of scope.

Cymune has excluded the following from this service quotation:

• Any additional hardware or software configuration not listed in this document.
• Modification of the customer’s application software.
• Development of custom solutions including scripting if not mentioned in the scope above.
• Upgrading of any existing firmware or applications not listed in this document.
• Application or Operating System compatibility testing.
• Routing of interconnect cabling through walls, ceilings, or between rooms.
If Customer requires Cymune to provide any of these excluded services, the project schedule and cost
may be affected. If the project has commenced, this will be managed through the project change
request (CR) process and your approval will be sought for any additional charges prior to the
implementation of any changes.

7 Constraints
Cymune has identified the following constraints for this service quotation:

• The project cannot begin until Cymune has a purchase order for the project.
• Limited environment knowledge.

8 Customer Responsibilities
Cymune has identified the following customer responsibilities for this service quotation:
• To provide a single point of contact as well as backup contact for reporting any problems during
service.
• Customer will provide the appropriate accesses to their premises, systems, processes & policies.
• Provide access to the Customer’s systems and networks as necessary to perform the services
during normal business hours, or at mutually agreed timeframes.
• Customer will arrange for downtimes as required
• Ensure all environment and operational requirements are met prior to implementation.
• Verify the equipment location (work site) is prepared to perform the engagement services.
• Provide basic configuration information for network and authentication requirements.
• Provide installed and tested power, network, and telephone connections.
• The completion of any required tasks contained in this proposal within the timeframes allocated.



9 Investment Summary

| S# | Particulars | Total Amount |
|---|---|---|
| 1 | VAPT for one-time activity (Remotely) | INR 1,30,000 |

10 Terms & Conditions

1. All prices are in INR and the price quoted is exclusive of GST @ 18% or as applicable at the time
of billing.
2. Payment Terms: 100% advance along with PO.
3. Order to be placed on: Cymune Cybersecurity Services PVT Limited, 4th Floor, 401, Krishe
Sapphire, Main Road, Madhapur, Hyderabad TG 500081
4. The offer is valid until 27 March 2022.
5. Provisioning of services timeline would be at least 1-2 weeks from the date of PO.
6. Note:
   a. Above activity will be done remotely only.
   b. We cannot perform VAPT for desktops and laptops if they are in different networks.
7. Confidentiality - We agree that we will hold in strict confidence all the information obtained
during our fieldwork on this assignment and will not disclose such information to others or use
such information except in connection with the performance of the services agreed in this
proposal.

Submitted by: Yassir Ansari


Cymune Cyber Security Services Pvt. Ltd.
