On-Site Manager Exclusive Customer Offer

Transcription

1 On-Site Manager Exclusive Customer Offer Information Security & Compliance Subscription Programs Your Partner for a Secure Future NETWORK VULNERABILITY & THREAT MANAGEMENT PROGRAM PCI COMPLIANCE ASSESSMENT & CONSULTING PROGRAM Your Partner for a Secure Future Sword & Shield Enterprise Security, Inc.

2 PROGRAM SUMMARY Sword & Shield Enterprise Security has a long-term partnership with On-Site Manager working together to ensure On-Site Manager maintains top-notch security and continued compliance. After several years of a mutually beneficial relationship, Sword & Shield and On-Site Manager have chosen to advance their partnership to include offering your organization - a valued On- Site Manager customer - the same high quality, comprehensive, and effective information security and compliance services. These services are being bundled as packages and offered on a subscription basis. This model enables your organization to pay for the service in equal monthly installments, which provides greater budgeting flexibility, while offering lower fees compared to ordering each of the services separately. Additionally, Sword & Shield is providing an exclusive On-Site Manager customer discount. Subscribing to these programs will help your organization proactively, objectively, and consistently understand its security and compliance posture, determine how to effectively and practically remediate the gaps, and maintain a strategic approach to minimizing your organization s security and compliance risks to acceptable levels. There are two programs, one addresses network vulnerability and threat management, and the second program addresses PCI/EI3PA compliance assessments and consulting. Additionally, each program is broken into service level offerings, starting at the base level Bronze package and building up to a fully comprehensive service offering at the Platinum level. Pricing options are available based upon company size allowing you to select both your desired service level and size to match your unique company requirements. 2

3 NETWORK VULNERABILITY & THREAT MANAGEMENT PROGRAM Service Levels Service Offerings Bronze Level Silver Level Gold Level Platinum Level Annual Internal / External Network Penetration Test (NVA/PT) Quarterly Internal / External Network Vulnerability Assessment Annual Security Awareness Training Annual Social Engineering Assessment Quarterly Vulnerability Remediation Consulting Annual Web Assessment Application Assessment Managed Security Service (MSS) Pricing Options* Service Level / Company Size Small Under 100 Medium Large 501 1,000 Bronze $1,500 / month $2,000 / month $2,500 / month Silver $2,000 / month $3,000 / month $4,000 / month Gold $3,000 / month $4,500 / month $6,000 / month Platinum** $5,300/ month $6,800 / month $8,300 / month Enterprise Over 1,001 Customized Quote *Requires annual (12 month) subscription ** MSS pricing based on single location, 8x5 M-F monitoring. For multiple locations or 24x7 monitoring, please contact Sword & Shield for a customized quote. 3

4 SERVICE DESCRIPTION INTERNAL NETWORK VULNERABILITY ASSESSMENT (NVA) AND PENETRATION TEST (PT) Sword & Shield will conduct a Network Vulnerability Assessment (NVA) against your organization s internal network segments. This testing is executed from behind the protective perimeter controls of the customer network, i.e., as an authorized network device on the internal network. It is an authorized device only in the sense that the testing device is allowed to connect somewhere on the internal network. With this information, Sword & Shield will perform a vulnerability analysis to determine the true security posture of your organization s network to internal threats. The goal of penetration testing is to determine if the protective controls of a given system can be bypassed. Sword & Shield Security will attempt to penetrate the internal networks/servers through various tests, and leave non-harmful evidence of penetration or provide evidence of information. EXTERNAL NETWORK VULNERABILITY ASSESSMENT (NVA) AND PENETRATION TEST (PT) Sword & Shield will conduct an external Network Vulnerability Assessment (NVA) against your organization s network perimeter via the Internet and identify observable (exposed) vulnerabilities. With this information, Sword & Shield will perform a vulnerability analysis to determine the true security posture of your organization s network to external threats. Sword & Shield will then attempt to penetrate the external-facing networks/servers through various tests and leave non-harmful evidence of penetration. SECURITY AWARENESS TRAINING Sword and Shield will deliver live instructor-led online security awareness training to your organization s employees (end users) that covers topics including, but not limited to the following attack vectors: a) including hyperlinks and phishing campaigns b) Social engineering c) Clean and secure desk/work area policy d) The use of removable media e) Physical security, tailgating, unidentified personnel f) Malware g) Ransomware h) Viruses and other Trojans i) Phone Scams Each class will last two hours long and accommodate up to 15 students. 4

5 SOCIAL ENGINEERING ASSESSMENT Sword & Shield s social engineering assessment includes the testing methods described below. Phishing Sword & Shield Security will conduct based phishing activities targeted at your organization s employees. The analyst will work with you to create a targeted phishing message that appears to come from a trusted source. The message will be sent to employees, asking them to click a link or open an attachment. When recipients click on the link or open the attachment, they will receive a notification that they have been duped and a warning that their behavior could have resulted in downloads of spyware, Trojan horses, and/or other malware. In addition, Sword & Shield will monitor and report the assessment metrics. Baiting Sword & Shield will design a baiting exercise to test awareness of security risks associated with the use of various types of storage media. This technique employs physical media and relies on the curiosity or greed of the victim. The media is left in a public space and an employee might find it and subsequently insert the drive into a computer to satisfy their curiosity, or it could be that a Good Samaritan might find it and turn it in to the appropriate department. If the bait portable media is inserted into a victim s machine, there are various ways by which the consultant can be notified. Tailgating Sword & Shield will attempt to bypass physical security controlled access while onsite at Customer locations. Consultants will attempt to enter buildings and wander down the hallways, unescorted, looking for open offices and/or unsecured workstations. Pre-texting Sword & Shield will first identify a list of potential targets to contact. Once the targets are identified, Sword & Shield consultants will execute phone based social engineering. The technique is used to impersonate an individual who could have perceived authority or right-to-know in the mind of the target. After establishing a trust relationship with the targeted individual, consultants might ask a series of questions designed to gather key individual identifiers (like usernames, passwords, access codes) under the guise of needing to confirm the individual's identity, account, or access/authorization level. VULNERABILITY REMEDIATION CONSULTING Sword & Shield will provide vulnerability remediation consulting services to help your organization meet security best practices and EI3PA/PCI requirements. This task will include, but is not limited to, the following action items: Assist in the development of a plan / roadmap to security and compliance (Remediation Plan). 5

6 Evaluate suspected breaches and recommend corrective action (including incidents involving outside organizations) Evaluate and provide appropriate guidance regarding security systems and their corresponding equipment and software. Recommend and implement changes in security policies and practices in accordance with changes in security best practices and compliance standards. Provide recommended solutions to security problems and implement as appropriate in the most cost-effective manner. Assist in collaborating and maintain a system for ensuring that security and privacy policies are met. WEB APPLICATION ASSESSMENT Sword & Shield will conduct a security assessment of the target application(s). The objective of a security assessment is to examine the subsystems, components, and security mechanisms composing the system s infrastructure and identify weaknesses. MANAGED SECURITY SERVICE (MSS) Sword & Shield s managed security provides a hands-on, real time and active approach to defending customers networks from emerging threats, widespread malware, spyware and crimeware. Sword & Shield provides both proactive and reactive monitoring in a highly scalable platform that meets the requirements you expect in a comprehensive monitoring solution. Real time monitoring of all network activity by Sword & Shield s dedicated staff provides staff augmentation by taking the burden off the existing IT staff. Additionally, real time monitoring provides better situational awareness through our constant monitoring architecture. Our managed security solution will enable the IT manager to quickly know how the environment meets or fails to meet compliance standards such as HIPAA or PCI/EIP3A through the detailed reporting capabilities embedded in the solution. At the heart of this solution is the support team, which designs, implements and monitors the service for you. Sword & Shield has partnered with Alienvault, developers of a single console software application that provides a comprehensive solution for all the key areas. Managed Security Solutions team members include Alienvault Certified Security Engineers (ACSE) who are experts in the enterprise security field. This MSSP monitoring service requires the installation of a Security Information and Event Monitoring (SIEM) hardware device. To minimize the footprint in your environment, you have the option of installing a virtual SIEM in a VMware infrastructure at your facility. Alerting will be setup per the specifications agreed upon between your company and Sword & Shield. Customized reports will be delivered from the data captured in the console as often as needed (monthly. weekly, etc.). 6

7 PCI/EI3PA COMPLIANCE PROGRAM Service Levels Service Levels are based upon the PCI Merchant Level. For the PCI/EI3PA compliance assessment and consulting subscription, the following services are offered: PCI/EI3PA assessment and Report on Compliance (ROC) fulfilment PCI Self-Assessment Questionnaire (SAQ) consulting and / or fulfilment Pricing Options PCI Merchant Level / Company Size Small Under 100 Medium Large 501 1,000 Enterprise Over 1,001 Level 1 or 2 $2,000 / month $2,500 / month $3,000 / month Customized Quote Level 3 or 4 $500 / month $1,000 / month $2,000 / month Requires annual (12 month) subscription Price does not include the related services described below. RELATED SERVICES FOR PCI COMPLIANCE Sword & Shield will provide a customized quote for these services as necessary: External Network Vulnerability Assessment / Penetration Testing Internal Network Vulnerability Assessment / Penetration Testing Web Application Security Assessment External Approved Scanning Vendor (ASV) scanning Managed Security Services o Logging o Internal Scanning o Monitoring o File integrity monitoring ADDITIONAL RELATED SERVICES AVAILABLE PCI Security Policy package PCI Awareness Training package PCI Secure Coding training package 7

8 SERVICE DESCRIPTION As a PCI Qualified Security Assessor (QSA), Sword & Shield has been assisting merchants with PCI compliance since the early days of the PCI Council s Data Security Standard (DSS) requirements. We can help you plan, analyze, track and monitor your PCI compliance program, which reduces your costs, saves you time and limits your frustration. Our Qualified Security Assessors (QSA) will assist you in determining the appropriate level of these requirements and guide you through the assessment process until compliance is achieved. PCI ASSESSMENT AND REPORT ON COMPLIANCE A Sword & Shield Qualified Security Assessor (QSA) will perform a detailed assessment based upon PCI DSS requirements, creating a Report on Compliance (ROC) and Attestation of Compliance (AOC) at the completion of the audit. The ROC and AOC can be provided to the acquiring banks and other stakeholders once completed. EI3PA REPORT ON COMPLIANCE A Sword & Shield Qualified Security Assessor (QSA) will review the results from the previously completed PCI assessment based upon PCI DSS requirements in your environment and create a Report on Compliance (ROC) based on that data. This ROC and an Attestation of Compliance (AOC) will be provided to you when complete. You may then provide the ROC and/or AOC to acquiring banks or other stakeholders. PCI CONSULTING / SAQ FULFILLMENT SUPPORT Sword & Shield will provide general PCI-related consulting to your organization. At the beginning of the consulting engagement, Sword & Shield will designate a PCI QSA as the lead on the project. The QSA is the single point of accountability for this project to answer questions, attend meetings and conference calls, and other similar activities. The QSA will establish contact with your organization s point of contact, and will perform tasks including but not limited to: Provide advice and consulting related to undergoing a PCI self-assessment. Assist your organization in reaching business decisions with respect to PCI and helping to determine the PCI scope that you must comply with based on these business decisions. Provide practical advice on controls and remediation guidance that may help your organization achieve PCI compliance in a more cost-effective and secure manner. Assist your organization with the process of completing an SAQ. 8

9 INTRODUCING SWORD & SHIELD Security Is Our Core Business Protecting critical data since 1997, Sword & Shield Enterprise Security, Inc. is the premier holistic information security provider. With solutions designed to meet the needs of a dynamic security and compliance landscape, we deliver evaluation, remediation, and ongoing monitoring and management to ensure you maintain the most comprehensive security posture possible. Headquartered in Knoxville, TN, our consultants are available to assist clients in all aspects of the security and compliance lifecycle, from information security testing to compliance assessments in PCI, HIPAA and more. Sword & Shield Enterprise Security was founded in 1997 with a single focus to provide outstanding services to our clients partnering with them to protect their critical data. At Sword & Shield security is our core business, concentrating on information security, compliance, and managed services. This enables us to deliver the services and solutions that provide maximum protection for business sensitive information. Sword & Shield consultants strive to align our service offerings with your business objectives. We will never try to sell you a service just because we offer that service, and we will always try to encourage you to purchase the solution that is in direct support of your primary business goals. Sword & Shield consultants work toward and achieve industry certifications appropriate to the work they perform (CISSP, CISA, QSA, etc.), providing you with assurance that they know what they are doing. As your business evolves, needs arise that are out of your comfort zone or core competency. Instead of spending money on a quick-fix that may not resolve the underlying issues, enlist the help of a top information security consulting firm. Sword & Shield has the experience and the expertise to tackle any security or compliance situation, either long or short-term. Contact Information Sword & Shield Enterprise Security, Inc Centerpoint Blvd, Suite 150 Knoxville, TN Main Line: Toll-free: secureme@swordshield.com 9