CSO Services Guide - Summer 2009
www.chiefsecurityofficers.com
888-237-3899
Introduction
CSO has developed this Service Guide to assist our customers in understanding CSO’s portfolio of Security, Compliance, Business Continuity, and Forensic services. This guide is designed to provide the information needed to select the correct services for their company.

Features
• CSO always strives to offer the “best practical” solution to problems that are identified during our assessments.
• Services use web-based surveys, web-based collaboration tools, webinars, and teleconferences to reduce or eliminate travel costs.
• Most services are performed virtually to reduce or eliminate travel expenses.
• Automated delivery mechanisms allow projects to be completed quickly.
• The CSO team is personable and pleasant to deal with. We can deal with people as well as technology.
• All services are designed to be affordable for customers of all sizes.

Differentiators
• All security engineers have CISSP, CISA, and PCI QSA certifications.
• State-of-the-art forensics lab with the latest in forensics and investigative gear.
• A Senior Professional Engineer is assigned to each project.
• An experienced Project Administrator is assigned to each project.
External Vulnerability Assessment

Overview
A comprehensive examination of external network connections and Internet access points to identify security vulnerabilities, evaluate their seriousness, and communicate their risk to the customer.
• Most organizations are required to have an External Vulnerability Assessment performed per regulatory requirements.
• A quarterly External Vulnerability Assessment is considered an IT best practice.

Project Steps
• Determine the external IP addresses that are in scope.
• Run initial scans to determine the vulnerabilities that exist.
• Work with your team to remediate the deficiencies.
• Rescan your environment to confirm that the deficiencies have been resolved.

Deliverables
• Detailed report showing vulnerabilities ranked by severity, with detailed suggestions on how to remediate them.
Computer Forensics

Overview
CSO provides a wide variety of computer forensics services such as data acquisition, data recovery and evidence gathering. Each client has different needs and each case is unique. We encourage you to contact us if you have questions about how we may assist you. Our support and technical services include:
• Acquisition and analysis of running systems
• RAM analysis
• Covert acquisition and analysis
• Electronic evidence acquisition, search, filtering and consolidation of data from virtually any type of media, including hard drives, backup tapes, CD-ROM, floppy disks, Zip disks and dongles
• Cell phone data and photo acquisition
• Permanent deletion (beyond recovery) of sensitive data stored on hard drives

Deliverables
• Detailed forensic report describing the procedures used to obtain information, the criteria used to filter information, and what information was found.

• EnCase Certified Engineers
• Reduced risk of loss of original media, as evidence can be processed onsite at your facility if desired
• Expert investigators skilled at acquiring and delivering evidence from hostile and friendly environments
• Experience with all e-mail and file types, including deleted, encrypted and protected materials
• Industry best practices are followed to maintain the “chain of custody” of evidence
Security Health Check

Overview
The Security Health Check is a high-level overview of an organization’s security posture that utilizes a subset of controls from the ISO 27002 security framework. Each of the selected controls is evaluated for compliance. A risk ranking is assigned to each control based on the level of compliance. Finally, specific recommendations are made to remediate any deficiencies and lower an organization’s risk posture.

The ISO 27002 framework is an internationally accepted code of practice/standard for information security management. The standard is applicable to all types of industries of every size. It addresses a specific set of recommended controls covering information security risks as related to accessibility, confidentiality, and integrity.
• Organizations must protect information from foreseeable threats to security and data integrity, and scrutinize how they manage data with a risk analysis of their current processes.
• Organizations frequently know that they have security issues but they just don’t know where to start. The Security Health Check will highlight the areas of greatest risk and provide a remediation roadmap.
Penetration Testing

Overview
Periodic penetration testing helps a client identify security exposures in its security infrastructure and allows management to address the exposures before they become a problem.

This service attempts to exploit known vulnerabilities and determine whether each vulnerability can actually be exploited. Many reported vulnerabilities found during scans are false positives and do not require remediation. It is critical to determine which vulnerabilities can actually be exploited and to apply resources to remediate those deficiencies.
• Most companies are required to have an annual Penetration Test performed per regulatory requirements.
• An annual Penetration Test is considered an IT best practice.
• If a client has a security breach and they have not been performing regular Penetration Tests, the leadership’s performance in protecting the enterprise may be called into serious question.
• Clients do not want their name in the paper as a result of a security breach. An organization’s good name can be severely tarnished in the event of a security breach.
Internal Vulnerability Assessment

Overview
A comprehensive examination of internal network connections, network equipment, servers, workstations, and laptops to identify security vulnerabilities, evaluate their seriousness, and communicate their risk to the client.
• Most companies are required to have an annual Internal Vulnerability Assessment performed per regulatory requirements.
• A quarterly Internal Vulnerability Assessment is considered an IT best practice.
• If a client has a security breach and they have not been performing regular Internal Vulnerability Assessments, the leadership’s performance in protecting the enterprise may be called into serious question.
• Clients do not want their name in the paper as a result of a security breach. An organization’s good name can be severely tarnished in the event of a security breach.
• Companies have been put out of business as a result of a security breach.
Wireless Security Assessment

Overview
CSO utilizes wireless equipment and tools to locate and assess wireless network security and to identify rogue access points. Wireless technologies do not have the physical access restrictions used in traditional wired environments. Fewer restrictions make it possible for someone in the lobby, the parking lot, or across the street to have access to a network carrying sensitive financial or corporate data, personnel or customer information, competitive data or trade secrets.
• Most companies are required to have regular Wireless Security Assessments performed per regulatory requirements.
• A quarterly Wireless Security Assessment is considered an IT best practice.
• If a client has a security breach and they have not been performing regular Wireless Security Assessments, the leadership’s performance in protecting the enterprise may be called into serious question.
• Clients do not want their name in the paper as a result of a security breach. An organization’s good name can be severely tarnished in the event of a security breach.
Web Application Assessment

Overview
Similar to a penetration test, this service targets a specific web application and examines application-level controls. The review assesses the ability of an attacker to manipulate or compromise the target application and possibly gain access to back-end systems. The review consists of interviews, assessment of documentation, limited review of code, examination of connections to back-end systems, and actual testing of the application using appropriate software tools.
• Web applications are constantly under attack and many store sensitive data.
• Most companies are required to have regular web application scanning as a regulatory requirement.
• Weaknesses in web application security can allow a network to be compromised or data to be stolen, even though strong external security is in place.
• A quarterly Web Application Scan is considered an IT best practice.
• If a client has a security breach and they have not been performing regular Web Application Scans, the leadership’s performance in protecting the enterprise may be called into serious question.
Database Vulnerability Assessment

Overview
Database applications can pose a significant risk to an organization due to security vulnerabilities. Proactively securing enterprise applications by discovering, assessing, and protecting databases against rapidly changing security threats helps reduce that risk. CSO gives organizations the confidence to extend business with customers, partners and suppliers across networks and the Internet.
• Database applications within the client’s infrastructure pose a significant risk due to security vulnerabilities and the critical nature of the data stored.
• Database administrators usually have the highest level of access within an organization. It is important to monitor this access and identify areas where access rights can be tightened.
• A large number of security breaches are internal, where data is extracted from databases that don’t have adequate security controls.
HIPAA

Overview
The HIPAA Security Rule specifically focuses on the safeguarding of electronic Protected Health Information (ePHI). All HIPAA covered entities must comply with the Security Rule.

This assessment specifically focuses on protecting the confidentiality, integrity, and availability of ePHI, as defined in the Security Rule. The ePHI that a covered entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. In general, the requirements, standards, and implementation specifications of the Security Rule apply to the following covered entities:
• Covered Healthcare Providers: any provider of medical or other health services, or supplies, who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard.
• Health Plans: any individual or group plan that provides or pays the cost of medical care (e.g., a health insurance issuer and the Medicare and Medicaid programs).
• Healthcare Clearinghouses: a public or private entity that processes another entity’s healthcare transactions from a standard format to a nonstandard format, or vice versa.
• Medicare Prescription Drug Card Sponsors: a nongovernmental entity that offers an endorsed discount drug program under the Medicare Modernization Act.
GLBA

Overview
The Financial Services Modernization Act, or the Gramm-Leach-Bliley Act (GLBA), allowed commercial and investment banks to consolidate. GLBA included rules to govern the collection, disclosure, and protection of consumers’ nonpublic personal information (NPPI) and personally identifiable information (PII).

Key information privacy rules in GLBA include Financial Privacy, Pretexting, and Safeguards Protection. The Financial Privacy Rule requires firms to establish a privacy agreement with their customers concerning the protection of the customer’s NPPI (e.g., a consumer’s name, address, social security number, account number, status as a customer, credit history, etc.).

The Pretexting Rule pushes institutions to guard against pretexting or “social engineering” breaches, such as impersonating authorized persons or phishing. The Safeguards Rule requires financial institutions to create a written information security plan describing how the company protects current and former client NPPI.

Benefits
Financial institutions must put in place a policy to protect consumer information from foreseeable threats to security and data integrity, and scrutinize how they manage private data with a risk analysis of their current processes. Noncompliance can lead to fines of up to $100,000 per violation and imprisonment.
FISMA

Overview
The Federal Information Security Management Act of 2002, also known as Title III of the E-Government Act of 2002, regulates federal information security. FISMA establishes greater management responsibility for information security as well as providing for significant oversight by the legislative branch.

Deliverables
CSO offers the following services to assist government agencies with compliance to FISMA information security standards:
• Implementation of plans to reduce the risk to the government’s information assets.
• Design and creation of managed services for tracking and reporting.
• Assistance with understanding evolving FISMA law and compliance requirements.
• Assistance with the creation of an annual report to the OMB and Congress on compliance with FISMA requirements.
• The creation and maintenance of the FISMA-required inventory of major systems.

Benefits
Development of an agency-wide, efficient and measurable security program.
PCI

Overview
CSO has been certified by the PCI Security Standards Council as a Qualified Security Assessor to perform PCI-DSS and PA-DSS assessments. CSO is also an Approved Scanning Vendor (ASV). These certifications allow CSO to assist clients in all aspects of PCI compliance.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment.

Benefits
PCI-DSS applies to all organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data.
PA-DSS

Overview
CSO has been certified by the PCI Security Standards Council as a Qualified Security Assessor to perform PA-DSS assessments. These certifications allow CSO to assist clients in all aspects of PCI compliance. PA-DSS is the Council-managed program to help software vendors and others develop secure payment applications.

The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine down to the merchant.

Furthermore, the bank will also most likely either terminate relationships or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business.
ISO 27002 Assessment

Overview
The ISO 27002 Security Assessment is a professional security assessment that utilizes the ISO 27002 control framework. This assessment focuses on security (and overlapping privacy) policies, procedures, physical access controls, technical access controls and internet/intranet controls. The assessment provides management with an opinion of what areas the organization may need to focus resources on to reduce its current level of risk. This service can be customized to address areas of risk relevant to PCI, HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley, FISMA, and FERPA. The ISO 27002 framework is an internationally accepted code of practice/standard for information security management. The standard is applicable to all types of industries of every size.

Benefits
Organizations must protect information from foreseeable threats to security and data integrity, and scrutinize how they manage data with a risk analysis of their current processes.
RI3PA
Business Impact Analysis

Overview
The Business Impact Analysis (BIA) will identify and quantify the potential financial and business impacts of an interruption, providing the data required for an organization’s continuity strategy and plan. Through web-based surveys and in-person interviews CSO assesses the organization’s business applications—from supply chain management to enterprise resource planning systems and everything in between. Applications are then prioritized according to business requirements and the criticality of each mission.

Most clients are required to have a disaster recovery plan as a regulatory requirement. It is very difficult to write a disaster recovery plan without first performing a BIA. IT organizations typically struggle to obtain funding and executive support for disaster recovery planning. The BIA creates a business case that can be used to obtain the necessary funding and business sponsorship.
Recoverability Health Check

Overview
The Recoverability Health Check measures the ability of a business to meet the recovery objectives for its crucial business processes and applications. Our consultants help identify weaknesses in the current IT recovery environment, identify specific requirements that enable recovery from an unforeseen business disruption, and recommend steps to help resume operations quickly and accurately.

Recoverability today depends on complex relationships between multiple system-specific backup and recovery processes. Experience has shown that few companies can meet their expected recovery objectives. Without a process for continually reassessing backup and recovery processes against changes in business and IT systems, companies may find that what worked six months ago no longer provides adequate protection.

CSO will conduct an evaluation of the client’s IT Recovery Program by reviewing previous internal and external assessments, recovery program technology and architecture plans, recovery program budgetary information and strategic plans, and through participation in sessions and interviews.
Recovery Strategy Development

Overview
The Recovery Strategy Development (RSD) will build on the findings from the Business Impact Analysis and produce a cost/benefit analysis of recovery strategy alternatives. The objective is to identify several recovery solutions with their associated costs and Recovery Time and Recovery Point Objectives. From these solutions, the client can select the strategy that it plans to pursue by balancing the costs of the recovery alternatives against their Recovery Time and Recovery Point Objectives.

Most clients are required to have a disaster recovery plan implemented and tested as a regulatory and/or fiduciary requirement. The RSD continues the work of the BIA to create a detailed cost/benefit analysis of alternative recovery strategies.

This service will review and analyze the client’s current documentation and information sources related to its environment and its disaster recovery requirements. The review will include the current recovery strategy, capabilities and requirements, and the current technical environment.
Disaster Recovery Plan

Overview
The Disaster Recovery Plan is a comprehensive guideline for managing a disaster which affects the IT environment, based on a selected recovery strategy. The objective of the Disaster Recovery Plan is to document a consistent, thorough and tested set of tasks, which are then assigned to specific teams within the organization who respond to a disaster situation.

Most clients are required to have a disaster recovery plan as a regulatory requirement. Organizations can incur losses in the hundreds of thousands and even millions of dollars for each hour of downtime.
BCP Plan Preparation

Overview
Business continuity planning (BCP) is the creation and validation of a practiced logistical plan for how an organization will recover and restore partially or completely interrupted critical business processes within a predetermined time after a disaster or extended disruption. This logistical plan is called a Business Continuity Plan.

The Business Continuity Plan addresses the recovery of business processes and personnel regardless of whether they have a dependency on information technology for their operation. The recovery of IT resources is addressed in a Disaster Recovery Plan.

Most clients are required to have a Business Continuity Plan as a regulatory requirement. Organizations can incur losses in the hundreds of thousands and even millions of dollars for each hour of downtime. 40% of all businesses that suffer a disaster and have no Business Continuity Plan never reopen. An organization may have an IT Disaster Recovery Plan, but without a Business Continuity Plan they will not know the documented steps to recover critical business processes. An organization needs both an IT Disaster Recovery Plan and a Business Continuity Plan.
Simple BCP

Overview
Simple BCP is a web-hosted application that supports Disaster Recovery and Business Continuity Planning for small and medium-sized companies. CSO uses Simple BCP internally to deliver its portfolio of business continuity services to clients.

Clients find the generation of plans to be a painful process because they have no easy-to-use tools. A large number of clients maintain their disaster recovery and business continuity plans in Microsoft Word. This is an onerous task that results in most organizations having outdated plans.

Other business continuity packages on the market are difficult to use and expensive. You almost have to have a PhD in other vendors’ software to get it to run! There wasn’t a good choice for small and medium-sized companies, so what did we do? We wrote our own software! Simple BCP is a very easy to use, yet powerful tool for managing Disaster Recovery and Business Continuity Plans. Simple BCP was designed to have only one menu level, and therefore
About CSO

Chief Security Officers, LLC (CSO) is a national organization with corporate headquarters located in Scottsdale, AZ. CSO is in the business of helping customers manage their risks through effective security, compliance, business continuity, and computer forensic programs.

The CSO Team
CSO’s staff includes dedicated Security Engineers, Forensics Engineers, and Business Continuity professionals who specialize in analyzing complex technology environments. CSO’s professionals are subject matter experts across the breadth of infrastructures which comprise today’s multi-vendor environments.

Project Approach
CSO services are well positioned to provide customers with an unparalleled set of skills to design, implement, and manage efficient security and continuity programs. Our consultants can facilitate the process of identifying security and business continuity risks and their remediation, leading to cost-effective strategies to mitigate those risks and streamline efforts.

In addition, CSO offers a broad spectrum of additional support options that include assessing current recovery capabilities, writing technical recovery scripts and plans, redesigning recovery networks, developing high availability solutions and out-tasking specific recovery staff functions. CSO offers our customers a complete range of Security, Compliance, and Business Continuity services through an experienced management team. Highlights include:
• Over 25 years of Security, Compliance, and Business Continuity experience.
• Security, Compliance, and Business Continuity engagements completed around the world.