1 A guide for executives Stan Stahl, Ph.D., President, Citadel Information Group Kimberly A. Pease, CISSP, Vice President, Citadel Information Group January, 2007 Copyright Citadel Information Group, Inc. All rights reserved.
2 P a g e 2 o f 22 Table of Contents Purpose of this White Paper... 3 The Information Security Management Program... 3 Information Security Management Program Objectives... 4 Evolving Requirements for an Information Security Management Program... 5 Managing the Security of Critical Information Assets... 6 Information Security Control Objectives... 6 Defense-in-Depth with Feedback... 7 The Fundamental Equation of Information Security... 8 Countermeasure Control Classes... 8 Information Security Critical Success Factors... 9 Management Control Domains Managing the Information Security Program Chief Information Security Officer (CISO) Information Security Steering Committee Information Security Responsibilities Creating an Information Security Culture Systemic Security Management: A Total Systems Perspective Evolving the Information Security Program Spiral Model SM Implementation Strategy Information Security Reference Documents Laws, Regulations, and Legal Responsibilities Information Security Governance Best Effective Information Security Practices Information Security Management Guides, Standards and Practices Technology Configuration Guides Information Crime Surveys Key Web Sites Citadel Information Group Appendix: Pro-Forma Information Security Policy Table of Contents... 21
3 P a g e 3 o f 22 Purpose of this White Paper The management of sensitive information is in a state of crisis. Over the last two years, businesses and other organizations have sent out more than 100,000,000 letters to Americans everywhere that their supposedly-private personal financial information has been lost to cybercriminals. Corporate intellectual property is every bit as much at risk... including financial information, sensitive sales and pricing information, private information of employees, key corporate strategies, proprietary processes, etc. If information has value, it is at risk. Never before has the confidentiality, availability and integrity of critical organizational information been so threatened. The threat is great and it is growing. As a result of this increasing threat, the fact that every part of the organization is vulnerable, and the underlying reality that solving the information security challenge requires senior management attention and leadership, senior executives have begun to pay increasing attention to securely managing critical information assets. The purpose of this Citadel White Paper is to provide guidance to senior executives who are charged with designing and implementing a cost-effective program to secure critical information assets. The Information Security Management Program Every organization has an information security management program. The program consists of the totality of all activities and expenditures the organization takes to protect sensitive information. The program may be formal with a specific executive tasked with management responsibility, or it may be informal with activities and expenditures spent as needed. Formal or ad hoc, proactive or reactive, effective or not, every organization manages the security of its critical information. Thus the key question is not Do you need an information security management program? The key question is How effective is your information security program.
4 P a g e 4 o f 22 Information Security Management Program Objectives The objective of an organization s Information Security Management Program is to prudently and cost-effectively manage the risk to critical organizational information assets. The risk that critical information is compromised The risk that critical information becomes unavailable The risk that critical information is changed without authorization Associated with risk is cost. Security incidents cost money. So does preventing them. The cost, for example, of a computer virus is the loss in productivity of an organization s personnel plus the time and expense for IT personnel to remove the virus and restore availability. The cost of a theft of a trade secret by a cyber-thief is the value of the trade secret. The cost of the theft of customer social security numbers is the cost of notifying customers plus any identity theft expenses provided to protect customers plus any legal expenses if there are law suits plus the loss of good will. Implementing security also has costs. Firewalls and other security technology take capital away from other uses. Information security personnel come at the expense of personnel who can directly more contribute to the bottom line. And every hour management spends in a security meeting, or personnel spend on security awareness training, is an hour that could otherwise also contribute to the bottom line. Thus the objective of any information security management program is to be like Goldilocks. Not too much. Not too little. Just right. Recalling Philip Crosby s book Quality is Free 1 and his seminal definition of the total cost of quality, one can analogously assign costs to security incidents and security prevention: Incident Recovery Costs Direct recovery costs Costs for lost productivity Fraud & embezzlement losses Intellectual property losses Legal & attorney costs Costs to value of brand Indirect community costs Security Prevention Costs Firewalls, Anti-Virus & Other Technology Security Management Costs, including executive management, IT management and security management Security Overhead Costs, including productivity loss from training, direct overhead from security controls, etc. 1 Quality is Free, Philip Crosby, Mentor Books, 1980
5 P a g e 5 o f 22 With the above in mind, one can alternatively define the objective of an organization s Information Security Management Program as minimizing the Total Cost of Security. Evolving Requirements for an Information Security Management Program The drivers behind an organization s information security management program are the evolving landscape of laws, regulations, and competition, as well as evolving information security best effective practices. 2 Organizations that hold personal, financial or health information of others are required to adhere to various federal and state laws and regulations. These include Gramm-Leach-Bliley (personal financial information) HIPAA (electronic protected health information) Sarbanes-Oxley, Paragraph 404 FTC Safeguards Rule FTC Regulation of Unfair and Deceptive Practices CA Civil Code Breach Disclosure (non-public personal information) CA (reasonable security measures) Organizations may also have various contractual requirements for information or data security. Credit card processors, for example, must conform to the Payment Card Industry Data Security Standard. 3 As organizations come to more deeply understand the competitive value of the information stored in their computer networks and the need to make that information securely available anytime and anywhere, they discern the need for a formal information security management program to assure that information is kept confidential, available, and correct.. An Arkansas court recently held that a company was not entitled to intellectual property protection because its information security controls were not adequately strong. Thus, the 2 For an overview of these, see An Emerging Information Security Minimum Standard of Due Care, Robert Braun, Esq., Stan Stahl, Ph.D, Information Security Management Handbook, Fifth Edition, Vol 2, Auerbach, 2005 and An Emerging Information Security Minimum Standard of Due Care, Robert Braun, Esq., Stan Stahl, Ph.D, Privacy & Data Security Law Journal, March Payment Card Industry Data Security Standard, Version 1.1
6 P a g e 6 o f 22 need to protect one s trade secrets is also acting to push an organization into proactive management of its information assets. 4 As organizations have increasing needs to share information with suppliers, customers, and other business relations they are increasingly becoming concerned with the information security capabilities of these third parties. Needs for third-party assurance are also driving an industry of information security auditors. Increasing numbers of organizations are having their information security audited by thirdparties. These information security audits are often a condition of information sharing. These kinds of information security audits may also be undertaken as a means of achieving a particular security designation. Examples include the SAS-70 Type II certification, which is quickly becoming a necessity for data centers, and the PCI Certification for credit card merchants and processors. An organization s information security management program must be built upon current and emerging information security effective best-practices. As the information security industry has evolved, the industry has tended to settle on four distinct models as to what constitutes a set of effective best-practices for managing the security of information: 5, 6 ISO Specification for an Information Security Management System ISO-17799: Code of Practice for Information Security Management CISSP: Certified Information Systems Security Professional ISACA: Information Security Management Maturity Model Managing the Security of Critical Information Assets Information Security Control Objectives While the prevailing consumer perspective of information security is that it is concerned with protecting the confidentiality of sensitive information, information security actually has 16 control objectives. 4 Open Secrets: Can You Claim Your Trade Secrets Were Stolen If Your Security Was Sloppy, CSO Online, June See also GAISP: Generally Accepted Information Security Practices, under development by the ISSA. 6 These effective best-practices are described in some detail in An Emerging Information Security Minimum Standard of Due Care, Robert Braun, Esq., Stan Stahl, Ph.D, Information Security Management Handbook, Fifth Edition, Vol 2, Auerbach, 2005.
7 P a g e 7 o f 22 Confidentiality Integrity Availability Authentication Protect Detect Recover Comply These control objectives recognize that it is not enough to put all of one s security resources on protecting information. Information is under stealth attack and it is only prudent to commit resources to detecting attacks and to be sure that one can recover from attacks. And while compliance is linked to the other three columns it requires management oversight and corporate resources as well. Defense-in-Depth with Feedback Defense-in-depth means that no single vulnerability will result in the compromise of critical information; if a cyber criminal gets through one barrier, he ll soon run into another. A compromised user password might allow a cyber-criminal onto the corporate network but with defense-in-depth he still won t be able to access a server containing social security numbers. For that, he ll need to exploit another vulnerability. And even if he gets on the server, defensein-depth will keep him out of the social security database. Feedback means that management is watching the network and so is better able to protect information assets. With feedback, management would have a log entry showing the cybercriminal accessing the network and it would be alerted when the cyber-criminal started to attack the server. If the cyber-criminal found a way onto the network without a password, a robust feedback system could notify management at that point.
8 P a g e 8 o f 22 The Fundamental Equation of Information Security 7 The following equation illustrates the inter-relationships of the four primary information security variables. Information Risk = Threats * Vulnerabilities Countermeasures As discussed above, the management objective of the information security management program is to prudently and cost-effectively manage Information Risk. Threats to information are, for example, cyber thieves, competitors, disgruntled employees, foreign agents, earthquakes, etc. Vulnerabilities are weaknesses that allow a threat to attack information. Examples include unpatched servers and workstations, inadequately managed access control, weak passwords, untrained personnel, ill-defined employee termination procedures, inadequate incident response, disaster recovery and information continuity plsnning, etc. Countermeasures are those management actions taken to lower Information Risk to acceptable levels. These include improved technology and technology management, formal policies, employee training, and formal management structures. As the equation illustrates, information security vulnerabilities increase information risk while information security countermeasures decrease risk. Successfully managing information risk, therefore, lies in knowing one s vulnerabilities and applying effective countermeasures to them. Countermeasure Control Classes The information security industry has recognized three broad countermeasure control classes: 8 Administrative Technical Physical 7 The Fundamental Equation of Information Security was developed at TRW in the mid-1980s by Frank Quigley and Stan Stahl. The equation was developed in response to the need by the Defense community for a risk characterization aligned with the need to protect information confidentiality and ensure information availability. This is analogous to the predominant information security needs of 21 st -century organizations. 8 See, for example, All-in-One CISSP Certification Exam Guide, Shon Harris, McGraw-Hill,
9 P a g e 9 o f 22 Administrative controls include policies, standards, procedures, guidelines, personnel screening, awareness training, etc. Technical controls include network logins and passwords, firewalls, audit logs encryption, antivirus and Spam filters Physical controls include door locks, cameras, environmental controls, guards, etc. An organization should implement a defense-in-depth with feedback strategy with a combination of administrative, technical and physical controls. Information Security Critical Success Factors Information security has seven Critical Success Factors which must be implemented if an organization is to meet its information security control objectives Executive Management Responsibility: Senior management has responsibility for the firm s information security program, and this program is managed in accordance with the enterprise s information security policies. 2. Information Security Policies: The enterprise has documented its management approach to security in a way that complies with its responsibilities and duties to protect information. 3. User Awareness Training & Education: Information users receive regular training and education in the enterprise s information security policies and their personal responsibilities for protecting information. 4. Computer and Network Security: IT staff and IT vendors are securely managing the technology infrastructure in a defined and documented manner that adheres to effective industry information security practices. 5. Physical and Personnel Security: The enterprise has appropriate physical access controls, guards, and surveillance systems to protect the work environment, server rooms, phone closets, and other areas containing sensitive information assets. Background investigations and other personnel management controls are in place. 6. Third-Party Information Security Assurance: The enterprise shares sensitive information with third parties only when it is assured that the 3rd-party appropriately protects that information. 7. Periodic Independent Assessment: The enterprise has an independent assessment or review of its information security program, covering both technology and management, at least annually. 9 These are identified in An Emerging Information Security Minimum Standard of Due Care, Robert Braun, Esq., Stan Stahl, Ph.D, Information Security Management Handbook, Fifth Edition, Vol 2, Auerbach, 2005.
10 P a g e 10 o f 22 Management Control Domains These seven critical success factors play themselves out across three fundamental management control domains: 1. IT Infrastructure Security: Control elements in this domain identify specific point-in-time technical information security countermeasures. Examples include the security architecture; firewall rules; technical access controls; backup status; use of encryption; virus, worm, Trojan horse prevention; current patch levels; intrusion detection capabilities; etc. 2. Secure IT Management: This control domain contains information security management controls specific to managing the Information Technology infrastructure. Control elements in this domain include documentation of IT systems, procedures, etc; management of systems development and maintenance processes, including change control; incident response and disaster recovery planning; IT staff education; IT vendor security; etc. 3. Entity Security Management: This control domain contains management controls hierarchically above and outside of the management of the Information Technology infrastructure. Control elements in this domain include the chief information security officer, information security policies, employee education and awareness training, business process security, physical security, personnel security, etc. Information Security Critical Success Factors Entity Security Management Management Structure Information Security Policies Awareness Training & Education Computer and Network Security 3rd-Party Security Physical & Personnel Periodic Risk Assessments IT Security Management IT Infrastructure Security
11 P a g e 11 o f 22 The following chart takes these 3 management control domains to the next level of detail: Information Security Critical Success Factors Executive Management Responsibility Information Security Policies User Awareness Training & Education Computer and Network Security Physical and Personnel Security Third-Party Information Security Assurance Periodic Independent Assessment IT Infrastructure Security IT Security Management Entity Security Management Security Architecture & Design Access Control Firewall Policies Server Security Workstation Security Laptop / PDA / Blackberry Security Application Security Use of Encryption Updates & Patches Malware Controls Intrusion Detection & Protection Management Responsibility Communications and Operations Management System / Procedural Documentation Vulnerability Monitoring Systems Development and Maintenance Disaster Recovery Management Incident Response Management IT Staff Education IT Vendor Security Management Structure Policies Education and Training Asset Classification Personnel Security Physical / Environmental Security Business Continuity Management Business Process Security Compliance Management Information Security Metrics Managing Security of 3rd-Parties Risk And Vulnerability Assessment Managing the Information Security Program Chief Information Security Officer (CISO) Responsibility and authority for information security matters resides with a Chief Information Security Officer (CISO). The Chief Information Security Officer (CISO) often reports to a COO, CFO or CIO. As organizations come to recognize the criticality of information to their ongoing survival, more and more often the CISO is getting his or her own seat at the executive table. Information Security Steering Committee The CISO is supported by a cross-functional Information Security Steering Committee. In order to make sure that information security leadership and management extends across the organization, Steering Committee members need to include senior representatives of marketing, sales, operations, HR, finance and IT. Formal appointment to the Information Security Steering Committee is made by the COO in consultation with the CISO.
12 P a g e 12 o f 22 Information Security Responsibilities Everyone in an organization has a role to play in securing the organizations critical information assets. The following table provides an overview of these responsibilities. Functional Role Chief Executive Officer Chief Information Security Officer & Steering Committee Managers & Staff IT Organization Security Responsibilities Oversees and is accountable for overall security capacity Provide leadership Establish policies Coordinate implementation Responsible for risk and vulnerability assessment Implement policies & procedures Be aware Be vigilant Report vulnerabilities & attempted breaches Secure the IT infrastructure Securely manage IT Respond to incidents, breaches & disasters Increase knowledge, skills and capabilities Creating an Information Security Culture The effectiveness of an information security program ultimately depends upon the behavior of people. Behavior, in turn, depends upon what people know, how they feel, and what their instincts tell them to do. While information security policies, an awareness training program and the other required information security practices can define, regulate and impart information security knowledge these rarely have significant impact on people s feelings about their responsibility for securing information, or their deeper security instincts. The result is often a gap between the dictates of information security policy and the behaviors of our people. Until and unless we affect how people feel about the need to secure information... until and unless our people develop good information security instincts the gap between the dictates of information security policy and the behaviors of people will persist.
13 P a g e 13 o f 22 It is the role of culture to close this gap. 10 Systemic Security Management: A Total Systems Perspective A new conceptual framework for information security has recently been developed at USC s Institute for Critical Information Infrastructure Protection in collaboration with the American Center for Strategic Transformation. The framework provides a robust model for information security cultural change. It does this, in part, by extending the more traditional 3-node people, process, technology linear framework through which information security is traditionally considered to a dynamic non-linear framework that includes organizational design and strategy. The addition of the organizational design and strategy node to the classical 3-node framework introduces a powerful leverage point for proactive information security culture change. The framework also introduces three dynamic tensions linking organizational design and strategy to people, process, and technology: culture, governance, and architecture. Taken in its totality, this new framework identifies 10 leverage points for information security evolution: four nodes and six tensions. Nodes: Organizational Design / Strategy People Technology Processes Tensions: Human Factors Culture Governance Architecture Enabling & Support Emergence It is through the creative management of these ten leverage points that the management can evolve its desired proactive information security capability. 10 Organizational Culture and Leadership, 2nd Edition, Edgar H. Schein, Jossey-Bass, 1992, defines the culture of an organization as a pattern of shared basic assumptions that the group learned as it solved its problems of external adaptation and internal integration, that has worked well enough to be considered valid and, therefore, to be taught to new members as the correct way to perceive, think, and feel in relation to those problems.
14 P a g e 14 o f 22 Evolving the Information Security Program Spiral Model SM Implementation Strategy While auditors, Boards, and the CEO may want senior management to snap its fingers and voila, security is arrived, the real world insists otherwise. As the industry has learned, information security is an ongoing process of balancing evolving threats and vulnerabilities with cost-effective countermeasures so as to keep residual risk at acceptable levels. In this way, information security program management is like other performance improvement challenges and is, therefore, amenable to the same strategies as have proven effective in other performance improvement domains. Every formal performance improvement programs is based on a performance improvement methodology, along the lines of, for example Deming s famous Plan-Do-Check-Act methodology for improving manufacturing systems. A similar model, better suited to the continuous improvement of systems of management than is Deming s, is Citadel s proprietary Spiral Model SM. 11 The Spiral Model is a powerful easy-to-use methodology for evolving performance systems, including information security management systems. The Spiral Model supports continual learning and the application of that learning to the information security needs of the organization. And it does so in real-time, at the moment of need, supporting what Fritz Dressler has called evolution on the fly. The Spiral Model has its origins in three earlier performance methodologies. One is the famous Plan-Do-Check-Act method taught by Deming. A second is the OODA cycle observe, orient, do, act that emerged in fighter pilot studies in the 1950s. The third is a systems development methodology developed at TRW. Like the Spiral Model, all embrace the fundamental arrow of purposeful evolution: Action, Feedback, Synthesis. There are four basic steps to the Spiral Model: Assess the situation Decide what to do to improve the situation Plan the improvement project Implement the improvement plan 11 Spiral Model is a proprietary methodology of Citadel Information Group, Inc.
15 P a g e 15 o f 22 The Spiral Model is illustrated in the following diagram. Decide Information Security Improvement Objectives Information Security Requirements & Expectations Assess Current Information Security Capabilities and Needs Plan Information Security Improvement Implementation Information Security Management System Continuous Improvement Implement Information Security Improvement Plan Critical to the use of the Spiral Model is to properly scope each cycle s assessment. An absolutely complete information security risk and vulnerability assessment would look at every component of a company s security program down to a level akin to counting paper clips. It would be a top-to-bottom assessment of the complete organizational security profile and it would look deeper than any cyber criminal might, far beyond the value of the information in need of protection. Obviously, this level of assessment would be a waste of time and a waste of money. In order to properly scope the information security risk and vulnerability assessment it is important to consider the assessment in the broader context of an organization s ongoing need to improve its information security risk profile. Using this chart, one scopes an information security risk and vulnerability assessment as follows: Identify information security requirements and expectations. Map these requirements and expectations against the seven critical success factors and three management control domains. This provides the total context for the organization s information security management program. It also establishes the total extent of the information security risk and vulnerability assessment. Considering organizational budget, information security requirements, and the current knowledge of your security profile, identify the specific components to be assessed during the current Spiral. This can be a complete assessment, a component assessment, or even a sub-component (assess compliance with customer requirements, assess the business
16 P a g e 16 o f 22 continuity plan, etc). Also identify the depth to which these components are to be assessed. 12 There are two complementary strategies for scoping a formal assessment Top-Down Strategy: The available budget is spread somewhat equally across all assessment components. The depth of the assessment is then determined by the available budget Bottom-Up Strategy: In this strategy a particular component as assessed as deeply as available budget allows What makes both of these strategies work is the knowledge that an assessment is just one step of an ongoing management process to effectively secure the organization s critical information assets. As the Spiral Model illustrates, one will have ongoing opportunities to increase the breadth and the depth of subsequent information security assessments. Information Security Reference Documents Laws, Regulations, and Legal Responsibilities Federal Laws & Regulations 1. Office of Comptroller, Privacy of Consumer Financial Information, 12CFR Federal Trade Commission, Standards for Safeguarding Customer Information, 16CFR14 3. HIPAA, 45 CFR Parts 160 and , August 14, 2002, February 2003, and April 17, Sarbanes-Oxley, Paragraph 404 California Civil Code 6. Breach Disclosure Law (CA-1386), CA Civil Code Reasonable Security Procedures and Practices, CA Civil Code California Business Privacy Handbook, Other Legal 9. An Emerging Information Security Minimum Standard of Due Care, Robert Braun, Esq., Stan Stahl, Ph.D, Handbook of Information Security, Auerbach, This step is based on the principle that one eats an elephant one bite at a time.
17 P a g e 17 o f An Emerging Information Security Minimum Standard of Due Care, Robert Braun, Esq., Stan Stahl, Ph.D, Privacy and Data Security Law Journal, March Open Secrets: Can You Claim Your Trade Secrets Were Stolen If Your Security Was Sloppy, CSO Online, June 2004 Information Security Governance 12. Information Security Governance: Guidance for Boards of Directors and Executive Management, Information Systems Audit & Control Foundation, ISACA, Securing Cyberspace - Business Roundtable's Framework for the Future, Information Security Governance, National Cybersecurity Partnership, 2004 Best Effective Information Security Practices 15. Specification for an Information Security Management System, ISO-27001: Information Technology Code of Practice for Information Security Management, International Standards Organization, ISO-17799, Information Security Management Systems Specification with Guidance for Use, BS : Generally-Accepted Information Security Principles (GAISP), Version 3.0 (Draft), The Information Systems Security Association, Payment Card Industry Data Security Standard, Version 1.1 Information Security Management Guides, Standards and Practices 20. National Institute of Standards & Technology, Information Security Handbook: A Guide for Managers (Draft), SP National Institute of Standards & Technology, Guide to Intrusion Detection and Prevention (IDP) Systems, SP National Institute of Standards & Technology, Guide to Computer Security Log Management, SP National Institute of Standards & Technology, Guide to Integrating Forensic Techniques into Incident Response SP National Institute of Standards & Technology, Guide to Malware Incident Prevention and Handling, SP National Institute of Standards & Technology, Security Considerations in the Information System Development Life Cycle, SP800-64
18 P a g e 18 o f National Institute of Standards & Technology, Computer Security Incident Handling Guide, SP National Institute of Standards & Technology, Security Considerations for Voice Over IP, SP National Institute of Standards & Technology, Building an Information Technology Security Awareness and Training Program, SP National Institute of Standards & Technology, Security Guide for Interconnecting Information Technology Systems, SP Others available, as well; see NIST web site Technology Configuration Guides 31. Windows Server 2003 Security Guide, NSA, April 26, Others available, as well; see NSA web site Information Crime Surveys CSI/FBI Computer Crime and Security Survey Key Web Sites 34. CERT Coordination Center / Carnegie Mellon University: 35. National Institute of Standards and Technolgy (NIST) Computer Security Resource Center: 36. SANS Institute: 37. National Security Agency (NSA) Information Assurance Program: 38. Information Systems Security Association LA Chapter: 39. Citadel Information Group:
19 P a g e 19 o f 22 Citadel Information Group Citadel Information Group is an Information Security Management Services firm headquartered in Los Angeles, CA. Our objective is to provide clients with a full-range of information security management services, whether to act as their information security department or to augment their existing information security infrastructure. The firm was founded in 2002 by Dr. Stan Stahl and Ms. Kimberly Pease, CISSP. Dr. Stahl s information security career began in 1980 when he assisted NORAD secure a database management system to distinguish space objects from enemy nuclear missiles. Over the course of his career Dr. Stahl has provided information security support to the White House, Strategic Air Command, NASA and other government agencies. Dr Stahl serves as President of the Los Angeles Chapter of the Information Systems Security Association. Ms. Pease is a former Chief Information Officer for a mid-sized printing company. Her CIO responsibilities included managing day-to-day tactical IT operations and for aligning IT with the strategic focus of the company. Her achievements include leading the company s ISO 9002 and ISO initiatives, achieving corporate-wide technology standardization, and ensuring Y2K compliance. Ms. Pease has achieved designation as a Certified Information Systems Security Professional. She serves as Education Director of the Los Angeles Chapter of the Information Systems Security Association. Citadel Information Group designs and implements information security management programs to meet client needs for effective information security risk management. The scope of our services extends from the firewall to the Board Room. Citadel s services include information security risk and vulnerability assessments, penetration testing, policy development, business continuity & disaster recovery (BCP/DR), incident response, IT management support, 3 rd -party security management, technology hardening, ediscovery & forensics, awareness training security governance, and creating an information security aware culture. Our clients come from a wide range of industries, including financial services; healthcare; law, accounting & other professional services; manufacturing, distribution & logistics; ebusiness, media, retail, government and education. We are proud to count several not-for-profits among our clients, believing in the importance of serving this traditionally under-served community. The firm has built a strong reputation in the community based on the high quality of our services and our excellent customer service.
20 P a g e 20 o f 22 Here s what some of our satisfied clients have to say about us: Thanks for helping us pass our challenging and extensive Payment Card Industry information security audit. Your information security management services perfectly augmented our own. This let us get through the audit efficiently and cost-effectively. Mark Goldin, Chief Information Officer & EVP Operations, Green Dot Corporation. Having used you as RBZ's information security team, I know that when we refer a client to you, you'll make us look good. You have an amazing ability to discover information security weaknesses where others aren't even looking. Tom Schulte, Managing Partner, RBZ, LLP. Citadel Information Group represents high integrity, an exceptional skill set, and a dedication to my organization. Citadel has repeatedly stepped up to meet the challenges we have presented them with, and even when difficult, they have risen to the occasion. David Lam, Director of IT, Stephen S. Wise Temple. Citadel has helped ECF strengthen our IT network and secure our clients' confidential information. The result is not just better security but also a greater ability to effectively meet our mission to serve people with developmental disabilities, less money spent on IT, and a better night's sleep for me. Scott Bowling, Psy D., President & CEO, Exceptional Children's Foundation Thanks so much for everything. I TRULY enjoyed working with all of you. You threw me a lifesaver and pulled me in when I was surrounded by sharks. I ll never forget that. Donna Nakawaki, CFO, Rem Eyewear
A guide for executives Stan Stahl, Ph.D., President, Citadel Information Group Kimberly A. Pease, CISSP, Vice President, Citadel Information Group Copyright 2008. Citadel Information Group, Inc. All rights
Seven Requirements for Successfully Implementing and Standards A guide for executives Stan Stahl, Ph.D., President, Citadel Information Group Kimberly A. Pease, CISSP, Vice President, Citadel Information
Financial Implications of Cybercrime Meeting the Information Security Management Challenge in the Cyber-Age Southern California Association for Financial Professionals February 14, 2014 Stan Stahl, Ph.D.
Breaching Bad: New Cyber Security Risks & Regulations Affecting Suppliers At All Tiers Securing the Infrastructure April 2015 Stan Stahl, Ph.D. President Citadel Information Group Phone: 323.428.0441 Stan@Citadel-Information.com
Meeting the Information Security Management Challenge in the Cyber-Age November 2015 David Lam, CISSP, CPP Vice-President Citadel Information Group Copyright 2015. Citadel Information Group. All Rights
Analyzing Security for Retailers An analysis of what retailers can do to improve their network security Clone Systems Business Security Intelligence Properly Secure Every Business Network Executive Summary
Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction
Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity
a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring
Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security
Italy EY s Global Information Security Survey 2013 EY s Global Information Security Survey 2013 This year s survey our 16th edition captures the responses of 1,909 C-suite and senior level IT and information
January IIA / ISACA Joint Meeting Pre-meeting Cybersecurity Update for Internal Auditors Matt Wilson, Risk Assurance Director Introduction and agenda Themes from The Global State of Information Security
A Database Security Management White Paper: Securing the Information Business Relies On November 2004 IPLocks, Inc. 441-A W. Trimble Road, San Jose, CA 95131 USA A Database Security Management White Paper:
LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable
State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES
Meeting the Information Security Management Challenge in the Cyber-Age April 29. 2015 Stan Stahl, Ph.D. President Citadel Information Group Phone: 323.428.0441 Stan@Citadel-Information.com www.citadel-information.com
Domain 5 Information Security Governance and Risk Management Security Frameworks CobiT (Control Objectives for Information and related Technology), developed by Information Systems Audit and Control Association
ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES Leonard Levy PricewaterhouseCoopers LLP Session ID: SEC-W03 Session Classification: Intermediate Agenda The opportunity Assuming
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
How-To Guide: Cyber Security Content Provided by Who needs cyber security? Businesses that have, use, or support computers, smartphones, email, websites, social media, or cloudbased services. Businesses
INFORMATION SECURITY FOR YOUR AGENCY Presenter: Chad Knutson Secure Banking Solutions, LLC CONTACT INFORMATION Dr. Kevin Streff Professor at Dakota State University Director - National Center for the Protection
EVOLUTION OF CYBERSECURITY Click to edit Master title style IDENTIFYING BEST PRACTICES PHILIP DIEKHOFF, IT RISK SERVICES TECHNOLOGY THE DARK SIDE AGENDA Defining cybersecurity Assessing your cybersecurity
Belmont Savings Bank Are there Hackers at the gate? 2013 Wolf & Company, P.C. MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2013 Wolf & Company, P.C. About Wolf & Company, P.C.
Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government
Florida Department of Management Services Division of State Purchasing Table of Contents Introduction... 1 About GEARS... 2 1. Pre-Incident Services... 3 1.1 Incident Response Agreements... 3 1.2 Assessments
IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225
MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...
CYBER SECURITY MANAGEMENT: THE NEW C-SUITE RESPONSIBILITY 8 Critical Factors for Managing Productivity and Performance in 2013 April 19, 2013 Stan Stahl, Ph.D. President Citadel Information Group Phone:
(Company Name) SECURITY AWARENESS PROGRAM INFORMATION, PHYSICAL AND PERSONAL SECURITY Company Policies Security Awareness Program Purposes Integrate Define Feedback Activities Elicit Implement Employees
Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,
Technology Help Desk 412 624-HELP  technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided
Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity
Information Security Awareness Training Presenter: William F. Slater, III M.S., MBA, PMP, CISSP, CISA, ISO 27002 1 Agenda Why are we doing this? Objectives What is Information Security? What is Information
SECURITY Risk & Compliance s V1 8/2010 Risk & Compliances s Risk & compliance services Summary Summary Trace3 offers a full and complete line of security assessment services designed to help you minimize
Information Security Policy Steve R. Hutchens, CISSP EDS, Global Leader, Homeland Security Agenda Security Architecture Threats and Vulnerabilities Design Considerations Information Security Policy Current
Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information
plantemoran.com Data Security and Privacy What School Personnel Administrators Need to know Tomorrow s Headline Let s hope not District posts confidential data online (Tech News, May 18, 2007) In one of
ISACA Houston: Grounding Security & Compliance Where The Data Lives Mark R. Trinidad Product Manager firstname.lastname@example.org March 19, 2009 Agenda Understanding the Risk Changing threat landscape The target
Department of Management Services Request for Information Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services September 3, 2015 Submitted By: Carlos Henley
Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Process Solutions (HPS) June 4, Industrial Cyber Security Industrial Cyber Security is the leading provider of cyber security
JOB ANNOUNCEMENT Chief Security Officer, Cheniere Energy, Inc. Position Overview The Vice President and Chief Security Risk Officer (CSRO) reports to the Chairman, Chief Executive Officer and President
Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services email@example.com April 23, 2012 Overview Technology
An audit sets the baseline. Restricting The next steps Authenticating help prevent, Tracking detect, and User Access? respond. It is rare for a few days to pass without news of a security breach affecting
7 th Annual Information Security Summit The Executive Forum Information Security Management Overview June 4, 2015 Copyright 2015. Citadel Information Group. All Rights Reserved. 2 Establishing Leadership.
SECURING YOUR SMALL BUSINESS Principles of information security and risk management The challenge Information is one of the most valuable assets of any organization public or private, large or small and
Providing Information Peace of Mind to Business and the Notfor-Profit Community CYBER SECURITY CHALLENGES AND SOLUTIONS AN EXECUTIVE BRIEFING Long Beach CalCPA Discussion Group December 21, 2011 Stan Stahl,
INCIDENT RESPONSE CHECKLIST The purpose of this checklist is to provide clients of Kivu Consulting, Inc. with guidance in the initial stages of an actual or possible data breach. Clients are encouraged
Cyber Security and Information Assurance Controls Prevention and Reaction 1 About Enterprise Risk Management Capabilities Cyber Security Risk Management Information Assurance Strategic Governance Regulatory
Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS AT STATE MEDICAID AGENCIES Inquiries
DATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH Andy Watson Grant Thornton LLP. All rights reserved. CYBERSECURITY 2 SURVEY OF CHIEF AUDIT EXECUTIVES (CAEs) GRANT THORNTON'S 2014 CAE SURVEY Data privacy and
System Security Plan University of Texas Health Science Center School of Public Health Note: This is simply a template for a NIH System Security Plan. You will need to complete, or add content, to many
North American Electric Reliability Corporation (NERC) Cyber Security Standard Symantec Managed Security Services Support for CIP Compliance Overviewview The North American Electric Reliability Corporation
Applying LT Auditor+ to Address Regulatory Compliance Issues An Executive White Paper By BLUE LANCE, Inc. BLUE LANCE INC. www.bluelance.com 713.255.4800 firstname.lastname@example.org In today s business environments,
Utica College Information Security Plan Author: James Farr (Information Security Officer) Version: 1.0 November 1 2012 Contents Introduction... 3 Scope... 3 Information Security Organization... 4 Roles
Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data
RSA SecurID Authentication in Action: Securing Privileged User Access RSA SecurID solutions not only protect enterprises against access by outsiders, but also secure resources from internal threats The
WRITTEN TESTIMONY BEFORE THE SENATE COMMITTEE ON COMMERCE, SCIENCE, & TRANSPORTATION HEARING ON PROTECTING PERSONAL CONSUMER INFORMATION FROM CYBER ATTACKS AND DATA BREACHES MARCH 26, 2014 2:30 PM TESTIMONY
Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES HIPAA COMPLIANCE Achieving HIPAA Compliance with Security Professional Services The Health Insurance
PCI DSS COMPLIANCE DATA AND PROTECTION EagleHeaps FROM CONTENTS Overview... 2 The Basics of PCI DSS... 2 PCI DSS Compliance... 4 The Solution Provider Role (and Accountability).... 4 Concerns and Opportunities
This story appeared on Information Management Journal at http://www.entrepreneur.com/tradejournals/article/print/189486076.html Nov-Dec, 2008 How to create a security culture in your organization: a recent
www.pwc.com Developing National Frameworks & Engaging the Private Sector Focus on Information/Cyber Security Risk Management American Red Cross Disaster Preparedness Summit Chicago, IL September 19, 2012
Think like an MBA not a CISSP Embracing University Culture to Achieve Security Initiatives' Matt Malone Security Services Director 512-650-0179 Matt.Malone@SLAITconsulting.com Goals Security is a business
Network Assessment White Paper Information Security -- Network Assessment Disclaimer This is one of a series of articles detailing information security procedures as followed by the INFOSEC group of Computer
Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge
Server Protection Policy 1 1. Rationale 1.1. Compliance with this policy will help protect the privacy and integrity of data created by and relating to all users of UNH IT resources, and improve the availability
ESG Brief Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst Abstract: APTs first came on the scene in 2010, creating a wave
Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 Do you have a member of your organization with dedicated information security duties? 2
Managing internet security GOOD PRACTICE GUIDE Contents About internet security 2 What are the key components of an internet system? 3 Assessing internet security 4 Internet security check list 5 Further
Stepping Through the Info Security Program Jennifer Bayuk, CISA, CISM Infosec Program How to: compose an InfoSec Program cement a relationship between InfoSec program and IT Governance design roles and
Cyber Security and Privacy Services Working in partnership with you to protect your organisation from cyber security threats and data theft 2 Cyber Security and Privacy Services What drives your security
I. Title A. Name: Information Systems Security Incident Response Policy B. Number: 20070103-secincidentresp C. Author(s): David Millar (ISC Information Security) and Lauren Steinfeld (Chief Privacy Officer)
An Overview of Information Security Frameworks Presented to TIF September 25, 2013 What is a framework? A framework helps define an approach to implementing, maintaining, monitoring, and improving information
Cybersecurity Best Practices in Mortgage Banking Article by Jim Deitch Cybersecurity Best Practices in Mortgage Banking BY JIM DEITCH Jim Deitch Recent high-profile cyberattacks have clearly demonstrated
Valdosta Technical College Information Security 4.4.2 VTC Information Security Description: The Gramm-Leach-Bliley Act requires financial institutions as defined by the Federal Trade Commision to protect
Educa&onal Event Spring 2015 Cyber Security - Implications for Records Managers Art Ehuan Risk to Corporate Information The protection of mission dependent intellectual property, or proprietary data critical
Find What Matters Information Technology Risk Management Control What Counts The Cyber-Security Discussion Series for Federal Government security experts... by Carson Associates your bridge to better IT
Nine Steps to Smart Security for Small Businesses by David Lacey Co-Founder, Jericho Forum Courtesy of TABLE OF CONTENTS INTRODUCTION... 1 WHY SHOULD I BOTHER?... 1 AREN T FIREWALLS AND ANTI-VIRUS ENOUGH?...
Effective IT Risk Management for Small Businesses A Small Business Gets Some Lessons in IT Risk Management Although large and publicly traded companies often get the most attention, small, private, entrepreneurial
The American Hospital Association s Center for Healthcare Governance 2015 Fall Symposium Adopting a Cybersecurity Framework for Governance and Risk Management Jim Giordano Vice Chairman & Chair of Finance