INFORMATION S ECURI T Y

Transcription

1 INFORMATION S ECURI T Y T U R N KEY IN FORM ATION SECU RITY SO L U TION S A G L O B A L R I S K M A N A G E M E N T C O M P A N Y

2 PRESENCE PROWESS PARTNERSHIP PERFORMANCE Effective IT security requires competence in several areas: vulnerability testing, security policies and architecture, technology planning and training, and regulatory security compliance. By the first quarter of 2005, enterprises that don't enforce security policies during network login will experience 200 percent more network downtime than those that do. (Source Gartner) The Steele Foundation is a leader in providing turnkey information security solutions. Through our consulting services and integrated delivery systems, we help our clients minimize the threats to their information systems and communication networks. In today s economy, information is your organization s greatest asset. It must be protected from unauthorized access, denial of service, breach of confidentiality, loss of data integrity, etc. Your organization must be prepared to protect, detect and respond to today s cyber attacks. So where should you begin? A more comprehensive risk assessment takes a snapshot of your organization s vulnerabilities from a physical security, IT security, document security and personnel security perspective. Steele uses proprietary techniques, based on industry standards (ISO-17799), as well as the most reliable, up-to-date automated security assessment tools, to generate security profiles of essential information systems. VULNERABILITY TESTING The Steele Foundation's Vulnerability Testing Service starts with an in-depth technical review of your most critical and sensitive information systems. This service has been designed to help identify network perimeter vulnerabilities that may be used to gain access to networks and systems that process, store, or transmit information. This service includes planning, testing, and analysis centered around transport, protocol, application, and remote access areas. The Vulnerability Testing Service is a precursor to a Penetration Test, which measures a company s real-world vulnerabilities and responsiveness to security attacks. Penetration Testing uses the information gathered during the vulnerability scan to attempt to exploit subsets of the vulnerabilities found and to demonstrate how unauthorized access could be achieved. After analyzing the Vulnerability and Penetration Test results, Steele recommends prioritized, cost-effective corrective measures and security safeguards. This recommendation report serves as the blueprint to help prioritize budget, resources, product selection, and implementation plans. The analysis also establishes a baseline against which security solutions are measured. There are a number of technical assessments that can be provided. Some of these are: Network (LAN) Assessments Host / Operating System Assessments External Penetration Analysis Firewall and Router Assessments Wireless Network (802.11b) Assessments Workstation Assessments War Dialing Modem Assessments Application Assessments training ISO-BASED SECURITY RISK ASSESSMENT The ISO-based Security Assessment provides a more comprehensive view of the client s overall security. This evaluation covers all aspects of security using questionnaires, interviews, physical security walk-thru, documentation review, network architecture topology reviews, external port scans, vulnerability scans and penetration testing. After Steele security experts carefully analyze this information, a written report is created, and a second meeting is held to discuss the report, any client security concerns, and to finalize the comprehensive security plan. INFORMATION SECURITY POLICY Planning and Development The Security Policy Planning & Development service provides businesses with a standard Best Practices Security Policy template. The service identifies, recommends, and implements appropriate security policy and policy-specified safeguards to help protect your information assets. Additionally, a security professional will tailor a standard security policy to meet specific business needs. If the organization currently has an information security policy, this service will include a review of the existing policy and will make recommendations to bring the current policy up to an industry Best Practices level. The process begins with an interview between the security consultant and your organization. Following the interview, the client will be provided with a draft written policy. This draft security policy covers three major areas: Logical, Managerial and Physical.

3 T E CHNO L OGY P LANNING The Technology Planning Services assist clients in selecting the proper security solution from a broad range of product offerings. Steele security consultants provide on-site consulting services to help a client select and design a robust security solution. Steele offers Technology Planning Services for the following security safeguards: Firewall Design Two-Factor Authentication Intrusion Detection System PKI / LDAP / X.500 Virus Protection Physical Security Content / URL Filtering Biometrics Encryption RADIUS / TACACS Servers INF ORMATIO N SE CURI TY TRAINING PROG RAMS Steele offers security training for every audience, from your front-line employees to the IT department and upper management. Our security training services focus on the following areas: Awareness Training The Information security policy is the cornerstone of any enterprise security solution, but if end users don t know about the policy, or are not up to speed on its components, then the policy serves no purpose. Your Information security policy is the blueprint for acceptable system use and your people need awareness training to understand this and their role in your security policy. This training program focuses on: Comprehensive explanations of system use The reasons why you must protect your information assets The types of threats, including social engineering The penalties for non-compliance IT Security Training As you know, your IT staff are the linchpin for ensuring that your network runs smoothly, and now more than ever, your IT people need a thorough understanding of how IT security works. That s why Steele s IT Security Training Service offers a variety of Information Technology-oriented training options. Steele educates, informs, reinforces and guides your IT personnel in planning, designing, and implementing best security practices. Our approach to training includes real-world instructions and tools to help prevent the misuse of hardware, software, and processes that could result in compromised security. forensic SECURE AR CHITECTURE DE S I GN The Steele design team can help your organization design a secure network infrastructure. Through the use of firewalls, intrusion detection systems, strong authentication mechanisms, VPNs, etc., your organization can achieve a higher level of security, but the proper placement, configuration and interoperability of the various devices and appliances is essential. Other key areas to consider are content/url filtering, high-availability or redundant solutions, VLANS, centralized logging servers, secure subnet segmentation, router controls, dial-up access, etc. Steele has a team of professionals with proven experience in each of these areas. All of our personnel have the credentials and product certifications on each of the technologies that they deploy. In addition to design, configuration and implementation, our security professionals can train your staff in all areas of secure architecture design. C O MPUTER INCI D E NT R E S P O N S E TEAM (CIRT) The Steele Computer Incident Response Team (CIRT) has the experience and knowledge to respond to today s network intrusions and adverse computer events. Steele provides expert guidance in the area of detection, containment, internal reporting, external disclosure, and investigation. Computer crime investigation and computer forensics are esoteric fields, and few individuals or corporations have the depth of experience as The Steele Foundation's Computer Incident Response Team. E N T E R P R I S E R I S K M A N A G E M E N T S O L U T I O N S

4 compliance REGULATORY COMPLIANCE SOLUTIONS The consequences of less-than-perfect IT security are more serious than ever before. The havoc wreaked worldwide by the Nimda, SQL Slammer and MSBlast worms, as well as a constant stream of viruses, confirm the need to build better defenses against cyberattacks. Legislative and regulatory initiatives including the U.S. Public Company Accounting Reform and Investor Protection Act of 2002 (also known as Sarbanes-Oxley), the U.S. Graham-Leach-Bliley Financial Services Modernization Act, the Healthcare Information Portability and Accountability Act and the European Data Privacy Directive demand better execution in the areas of security and privacy process definition and reporting. They also raise the legal and financial stakes for enterprises that fail to meet their standards. The Steele Foundation s Information Security consulting services has been helping organizations protect their valuable information assets in all industries for many years. Supporting our clients efforts to achieve Sarbanes-Oxley, GLB, HIPAA, FISM, and EUDPD compliance, is a natural extension of our services. Sarbanes-Oxley The U.S. Public Company Accounting Reform and Investor Protection Act of 2002 (Sarbanes-Oxley) makes a public company's senior management and advisors individually accountable for the accuracy of its financial performance reporting (Sarbanes-Oxley does not affect private companies). From an IT security perspective, companies must demonstrate the integrity of the systems and applications used to generate financial reports. An aspect of demonstrating integrity is the presence of user, system and application resource-access controls, as well as processes to monitor and correct lapses in these controls. Gramm-Leach-Bliley (GLB) The Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (GLBA) requires that financial institutions ensure the security and confidentiality of customer personal information against "reasonably foreseeable" internal or external threats. From an IT security perspective, companies must implement a process that assesses and monitors the threat environment, as well as tools and policies to counter threats. Healthcare Insurance Portability and Accountability Act (HIPAA) The U.S. Healthcare Information Portability and Accountability Act (HIPAA) specifies that healthcare and insurance organizations must have procedures to prevent, detect, contain and correct security violations, as well as procedures to regularly review records of information system activity. Federal Information Security Management Act (FISM) The Federal Information Security Management Act (FISM) requires federal agencies to develop, document and implement agency wide programs to secure data and information systems that support agency operations and assets, including those managed by other agencies or contractors. European Union Data Protection Directive The European Union Data Protection Directive specifies that "personal data" must have "appropriate security." The United Kingdom's Information Commissioner will accept BS accreditation as evidence of "appropriate security." Without accreditation, an organization likely would have to show broad compliance with ISO/IEC recommendations. IT Security Capabilities for Regulatory Compliance Many regulations don't specify what companies must do to achieve compliance. Therefore, companies can't buy a product that directly provides an organization with the ability to demonstrate compliance. The Steele Foundation can perform a base set of IT security administration and operations assessments to build a cost-effective security report ( gap analysis ) tailored to your company s unique environment. Steele consultants assess the current security exposure as well as design and implement security policies, processes, procedures and countermeasures, to mitigate the looming threats. For more information about The Steele Foundation s Information Security consulting practice, please contact our corporate headquarters at (415) or via our website:

5 I N F O R M A T I O N S E C U R I T Y The Steele Foundation has developed its own proprietary Information Security Lifecycle methodology in support of its Professional Security Services. Steele s Information Security brings a unique set of skills and experience to ensure that its clients receive the most comprehensive, cost-effective information security services available. As an end-to-end information security solutions provider, we offer clients a full breadth of products and services including: Information Security Consulting and Technology Planning Information Security Assessments and Audits Information Security Policy Review and Development Information Security Training and Awareness Programs Secure Architecture Design Security Products Implementation and Integration Computer Incident Response Team (CIRT) w/24 Hour Rapid Response Capabilities Investigative and Forensic Services Regulatory Compliance Solutions The Steele Foundation is developing proactive measures and positive ideas to lead corporations into a safer and more secure tomorrow. Please call for more information or visit our web site:

6