Information Security




We help organizations protect INFORMATION

The BorderHawk Team has significant experience assessing, analyzing, and designing information protection programs, especially in Critical Infrastructure environments. Our experience with State and Local Government, Financial, Healthcare, and Energy sector clients gives us a significant edge in helping our customers conserve resources on cyber security and related regulatory compliance initiatives.

Information Security Consulting * Training * Management

At any point in the Security Lifecycle, BorderHawk can be there as needed: strategic planning, policy analysis or development, controls design, solutions implementation, or even as technical project managers.

ISO 17799 / 27001 / 27002, HIPAA, NERC CIP, NISPOM, NIST, PCI, IRS Form 1075, FPLS

Services:
- Cybersecurity Analytics & Alerting
- Information Security Training
- Consulting on Information Assurance Issues
- Cyber Incident Response
- Standards Based Information Risk Assessments
- Cyber Security Testing
- Information Systems Forensics

Need More Information? Call: 404 567 6124 / Email: info@borderhawk.com

Our Security Teams are comprised of only the most senior Information Security professionals in the United States; these are hands-on professionals that have been there. Accordingly, our teams have decades of experience conducting complex security engagements in a variety of public and private sector environments.

BORDERHAWK CORPORATE OVERVIEW

Georgia Corporation as of 2008 (Sole Proprietor, 2003-2007)
http://www.borderhawk.com

Steve Akridge, Owner
Phone: 678-521-6151
Former: Chief Information Security Officer (CISO), State of Georgia; Technical Director, Defense Security Service, U.S. Dept of Defense; Chief Cryptologic Tech, Naval Security Group Command
JD, MS, CISSP, CISM, CGEIT

Mailing Address: 3330 Cobb Pkwy NW STE 17 PMB363, Acworth, GA 30101
Operational Office in Cartersville, GA

BorderHawk Values: We believe your organization's information, workforce, and supporting infrastructure are critical components to your success. Consequently, we believe that truly tested professionals with demonstrated integrity, courage, and commitment are the key to achieving your organization's goals. We are tested experts offering best-in-class solutions to resolve security and safety issues.

BorderHawk Mission Statement: To provide our clients with experienced advice and professional services involving information protection, workplace safety, employee awareness, and infrastructure management. We deliver innovative solutions that empower our clients in meeting regulatory requirements, while maintaining a competitive business infrastructure.

BORDERHAWK SERVICES

CYBERSECURITY ANALYTICS & ALERTING

BorderHawk Cybersecurity Analytics & Alerting provides ongoing awareness of information security, information technology vulnerabilities, and potential threats to support organizational risk management decisions. By monitoring certain critical computer systems within your environment and analyzing information collected via the Internet regarding your organization, the BorderHawk Team is often able to isolate potential threat indicators and extrapolate such knowledge into a proactive indication and warning process. We use a variety of cutting-edge tools to collect information, and then we employ a team of experts to analyze that data in order to reach solid conclusions about threats to your organization.

- Detect/Prevent Unauthorized Access and Insider Abuse
- Meet Regulatory Requirements
- Forensic Analysis and Correlation
- Ensure Regulatory Compliance
- Track Suspicious Behavior
- IT Troubleshooting and Network Operation

Our Cyber Threat Reports deliver both strategic and tactical perspectives regarding your organization's information security.

Client Driven, Reported As Needed:
- Focus of analysis can be changed in near real-time
- Issue can be refined for macro or micro analysis

Report products: Breaking News, Daily Situation Report, Weekly Status Report, Quarterly Trends Analysis

Knowledge delivered by such products:
- provides historical, current, and predictive views of business-related events in order to guide leadership decisions and actions
- involves computer-based techniques to gather business-related information from within your environment and publicly available sources for analysis in order to produce actionable security responses

INFORMATION SECURITY TRAINING

Virtually all Information Security Standards and Regulations require both information security awareness and information security training targeted at all users (including managers, senior executives, and contractors) on an on-going basis. "Learning is a continuum: it starts with awareness, builds to training, and evolves into education." (NIST Special Publication 800-16 Revision 1)

BorderHawk has developed a Web-based Information Security tutoring solution. Our approach delivers two options for our clients:
1) Generic (ISO 17799/27001) Information Security Awareness and Training modules, or
2) Customized (branded if desired) Information Security Awareness and Training modules based on specific corporate or regulatory requirements unique to the client or line of business, such as HIPAA, FISMA, NERC CIP, CJIS, IRS Pub 1075, Red Flags, etc.

In either case, our training is designed to provide a convenient and cost-effective approach to Information Security Awareness and Training.

Most organizations have either adopted or are moving toward a remote or off-site business model. Consequently, the opportunity to conduct collective information security awareness or training sessions has become a challenge. Our solution provides a web-based series of awareness and training modules that can be accessed via the Internet anywhere, anytime. The student simply logs in using a credit card, selects a module, and follows the on-screen prompts through the module. When the module has been completed with a passing score, an email is generated by our system informing your Human Resources organization that successful Information Security Awareness or Training has been accomplished by the student.

CONSULTING ON INFORMATION ASSURANCE ISSUES

- Security Policy
- Access Control
- Organization of Security
- Asset Management
- Human Resources Security
- Physical and Environmental Security
- Communications and Operations Management
- Info Systems Acquisition, Development and Maintenance
- Information Security Incident Management
- Business Continuity Management
- Compliance

CYBER INCIDENT RESPONSE

BorderHawk is available to help you manage all aspects of a breach, including subsequent activities. Our experts are experienced in cybercrime investigations and can be available to provide legal liaison as needed. In response to risks identified by a breach, we work with you to:
- Limit immediate incident impact to customers and partners
- Determine who initiated the incident and your options going forward
- Recover from the incident and return to operations
- Review existing policies and protocols for adequacy
- Determine how the incident occurred
- Avoid escalation and further incidents
- Help assess impact and damage
- Review adequacy of other systems' security
- Develop long-term mitigation plans
- Provide necessary training

STANDARDS BASED INFORMATION RISK ASSESSMENTS

Information Risk Assessments set the stage for establishing the Information Technology Big Picture. Our Information Risk Assessment process is built around an ISO 17799/27001 based framework, and controls are customized according to business needs: Health Insurance Portability and Accountability Act of 1996 (HIPAA), Federal Information Security Management Act of 2002 (FISMA), Financial Services - Federal Financial Institutions Examination Council (FFIEC) & Gramm-Leach-Bliley Act (GLBA), North American Electric Reliability Corporation's (NERC) Critical Infrastructure Protection (CIP), or the Payment Card Industry Data Security Standard (PCI DSS). Our inquiry will include every aspect of your organization: People, Process, and Technology.

Assessment phases:
- Preparation: Doc Request, Overview, Scoping
- Discovery: People, Processes, Technology
- Analysis: Results, Ratings, Trends
- Reporting: Draft Report, Final Report, Recommendations

The cost of a BorderHawk Information Risk Assessment is directly related to the client's needs and information security program.

OPTION 1: INFORMATION RISK PROGRAM DEVELOPMENT
Process Description: Information Risk Assessment consisting of 11 Information Security Management Controls and 132 sub-components

  Activity                       Hours
  Discovery (offsite & onsite)      60
  Analysis                          80
  Reporting                         40
  Planning                          40
  Total                            220

Option 1 Inquiries

Security Policy:
- Information Security Policy Evaluation
- Review of Information Security Policy Implementation

Organization of Security:
- Management Commitment to Information Security
- Information Security Co-ordination
- Allocation of Information Security Responsibilities
- Authorization Process for Information Processing Facilities
- Confidentiality Agreements
- Contact with Authorities
- Contact with Special Interest Groups
- Independent Review of Information Security
- Identification of Risks Related to External Parties
- Addressing Security When Dealing with Customers
- Addressing Security in Third Party Agreements

Asset Management:
- Inventory of Assets
- Ownership of Assets
- Acceptable Use of Assets
- Classification Guidelines
- Information Labeling & Handling

Human Resources Security:
- Roles & Responsibilities
- Screening
- Terms & Conditions of Employment
- Management Responsibilities
- Information Security Awareness, Education, & Training
- Disciplinary Process
- Termination Responsibilities
- Return of Assets
- Removal of Access Rights

Physical & Environmental Security:
- Physical Security Perimeter
- Physical Entry Controls
- Securing Offices, Rooms, & Facilities
- Protecting Against External & Environmental Threats
- Working in Secure Areas
- Public Access, Delivery, & Loading Areas
- Equipment Protection
- Supporting Utilities
- Cabling Security
- Equipment Maintenance
- Security of Equipment Off-Premise
- Secure Disposal or Re-use of Equipment
- Removal of Property

Communications & Operations Management:
- Documented Operating Procedures
- Change Management
- Segregation of Duties
- Separation of Development, Test, & Operational Facilities
- Third Party Service Delivery Management
- Monitoring & Review of Third Party Services
- Managing Changes to Third Party Services
- Capacity Management
- System Acceptance
- Controls against Malicious Code
- Controls against Mobile Code
- Information Back-up
- Network Controls
- Security of Network Services
- Management of Removable Media
- Disposal of Media
- Information Handling Procedures
- Security of System Documentation
- Information Exchange Policies & Procedures
- Exchange Agreements
- Physical Media in Transit
- Electronic Messaging
- Business Information Systems
- Electronic Commerce
- On-line Transactions
- Publicly Available Information
- Audit Logging
- Monitoring System Use
- Protection of Log Information
- Administrator & Operator Logs
- Fault Logging
- Clock Synchronization

Access Control:
- Access Control Policy
- User Registration
- Privilege Management
- User Password Management
- Review of User Access Rights
- Password Use
- Unattended User Equipment
- Clear Desk & Clear Screen Policy
- Policy on Use of Network Services
- User Authentication for External Connections
- Equipment Identification in Networks
- Remote Diagnostic & Configuration Port Protection
- Segregation in Networks
- Network Connection Control
- Network Routing Controls
- Secure Log-on Procedures
- User Identification & Authentication
- Password Management System
- Use of System Utilities
- Session Time Out
- Limitation of Connection Time
- Information Access Restrictions
- Sensitive System Isolation
- Mobile Computing & Communications
- Teleworking

Info Systems Acquisition, Development & Maintenance:
- Security Requirements Analysis & Specification
- Input Data Validation
- Control of Internal Processing
- Message Integrity
- Output Data Validation
- Policy on the Use of Cryptographic Controls
- Key Management
- Control of Operational Software
- Protection of System Test Data
- Access Control to Program Source Code
- Change Control Procedures
- Technical Review of Applications after Operating System Changes
- Restrictions on Changes to Software Packages
- Information Leakage
- Outsourced Software Development
- Control of Technical Vulnerabilities

Information Security Incident Management:
- Reporting Information Security Events
- Reporting Security Weaknesses
- Information Security Incident Management Responsibilities & Procedures
- Learning From Information Security Incidents
- Collection of Evidence

Business Continuity Management:
- Including Information Security in the Business Continuity Management Process
- Business Continuity & Risk Assessment
- Developing & Implementing Continuity Plans Including Information Security
- Business Continuity Planning Framework
- Testing, Maintaining & Re-assessing Business Continuity Plans

Compliance:
- Identification of Applicable Legislation
- Intellectual Property Rights
- Protection of Organizational Records
- Data Protection & Privacy of Personal Information
- Prevention of Misuse of Information Processing Facilities
- Regulation of Cryptographic Controls
- Compliance with Security Policies & Standards
- Technical Compliance Checking
- Information Systems Audit Controls
- Protection of Information Systems Audit Tools

OPTION 2: INFORMATION RISK GAP ANALYSIS
Process Description: Information Risk Gap Analysis consisting of 11 Information Security Management Controls and 42 sub-components

  Activity                       Hours
  Discovery (offsite & onsite)      24
  Analysis                          24
  Reporting                         16
  Total                             64

Option 2 Inquiries:
- Information Security Policy Evaluation
- Allocation of Information Security Responsibilities
- Confidentiality Agreements
- Independent Review of Information Security
- Identification of Risks Related to External Parties
- Addressing Security in Third Party Agreements
- Inventory of Assets
- Acceptable Use of Assets
- Terms & Conditions of Employment
- Information Security Awareness, Education, & Training
- Physical Security Perimeter
- Physical Entry Controls
- Securing Offices, Rooms, & Facilities
- Secure Disposal or Re-use of Equipment
- Change Management
- System Acceptance
- Controls against Malicious Code
- Information Back-up
- Security of Network Services
- Disposal of Media
- Physical Media in Transit
- Electronic Commerce
- Access Control Policy
- Password Use
- Clear Desk & Clear Screen Policy
- Segregation in Networks
- Network Routing Controls
- User Identification & Authentication
- Mobile Computing & Communications
- Teleworking
- Outsourced Software Development
- Reporting Information Security Events
- Information Security Incident Management Responsibilities & Procedures
- Collection of Evidence
- Business Continuity & Risk Assessment
- Intellectual Property Rights
- Protection of Organizational Records
- Data Protection & Privacy of Personal Information
- Prevention of Misuse of Information Processing Facilities
- Compliance with Security Policies & Standards
- Technical Compliance Checking
- Information Systems Audit Controls
- Protection of Information Systems Audit Tools

OPTION 3: INFORMATION RISK DOCUMENT REVIEW
Process Description: Analysis of the client-completed BorderHawk Information Risk Questionnaire and requested supplemental documents provided by the client
Not to exceed 24 hours expended time

Option 3 Inquiries:
The BorderHawk Information Risk Questionnaire develops a high-level overview of an organization's information security posture. Specifically, this document requests an overview of the client's business function, a preliminary list of documents describing information technology and security operations, and a brief questionnaire about security within the organization. The review process requires that documentation be provided in a digital or paper format, including:
- Information Security Policy: This document states your organization's policy and management direction as it relates to information security
- Information Security Procedures, Guidelines, & Standards: Information protection related procedures, guidelines, and standards supporting the information security policy
- Security Incident Reporting and Procedures: Procedures and forms associated with the organization's incident response plan
- System Configuration Diagrams: Technical policies, procedures and other baseline documents used by your information technology group for installation and configuration of information systems
- Change Management: Change control policy, procedures, and other documents used to initiate and/or validate changes to information systems and/or their environment
- Most Recent Information Technology Audit or Review of Controls (SAS70 or Equivalent): Assessments by external consulting organizations and associated documentation
- Software Coding Standards (if applicable): Software development and testing procedures
- Network Architecture: Network architecture diagram detailing all inbound and outbound network connections (Internet, VPN, remote access, third-party vendors, etc.)

CYBER SECURITY TESTING

BorderHawk Cyber Security Testing is a hands-on effort in which Test Operators attempt to circumvent security features of a system or network based on their understanding of the technical design and implementation. The purpose of a penetration test is to identify methods for gaining access to a system or network by using common attacker tools and techniques. Accordingly, in order to conduct a penetration test, the operator must first conduct a vulnerability assessment in order to determine exploitable targets.

External Network Assessment
- Targets: Internet-facing systems and devices
- Attack Parameters: May include both automated and manual attacks; will usually NOT include exploitation of any identified vulnerabilities; password cracking usually in the scope
- Restrictions: Attack(s) usually limited to non-business hours
- Time to Complete: Dependent on target size according to Internet Protocol (IP) addresses

Internal Network Assessment
- Targets: Internal network devices, not limited to domain controllers, infrastructure services (WINS/DHCP/DNS), servers, workstations, printers and network devices. Optional: Configuration review of the firewall and internal
- Attack Parameters: Unobtrusive system vulnerability scans may occur during business hours; Caution: potential for interruption of critical business systems
- Restrictions: Internal network assessment will be conducted on-site; will not include mainframe systems

- May include both automated and manual attacks, but will not usually include exploitation of any identified vulnerabilities; password cracking is usually in the scope
- Time to Complete: Dependent on target size according to internal Internet Protocol (IP) addresses

Wireless Assessment
- Targets: Organization, Campus, Specific Building, or Facility
- Attack Parameters: May occur during business hours for unobtrusive scans; rogue wireless device detection, penetration testing, and password cracking usually in the scope
- Restrictions: Wireless security risk assessment usually limited to 802.11 technologies
- Time to Complete: Dependent on target size according to internal Internet Protocol (IP) addresses

Social Engineering
Attempt to bypass security controls in order to gain access to sensitive areas or information
- Targets: Individual, Organization, Campus, Specific Building, or Facility
- Attack Parameters: May include physical access, telephone, and email/phishing
- Restrictions: Attack may be performed any time
- Time to Complete: Dependent on target size and client needs

Application Pen Test
- Targets: Web-based production application, Internet-facing IP address
- Attack Parameters: May include both automated and manual attacks; may include attempts to gain access through social engineering
- Restrictions: Will usually not include exploitation of any identified vulnerabilities; password cracking is usually in the scope; will not include a code review
- Time to Complete: Dependent on target size and client needs

INFORMATION SYSTEMS FORENSICS

In association with our forensic partners, BorderHawk can be available to assist with all facets of computer evidence extraction, preservation, analysis, and presentation. Depending on the situation, we are prepared to assist with:
- Digital evidence acquisition, search, filter, and consolidation from virtually any type of media, from mobile hand-held devices through fixed plant servers and cloud repositories
- Depositions, expert witness testimony, helping achieve optimal balance in legal and technical strategies
- Special Master Duties (E-Discovery & Information System Forensics)
- Analyzing and exposing flaws with interpretation of electronic evidence and results gleaned from other digital forensic analysis efforts

BORDERHAWK SAMPLE ENGAGEMENTS

Client: Large Financial Institution
Engagement: Information Risk Assessments of over sixty-five third party/vendor companies located throughout the US and Canada (business verticals include financial, insurance, health, technology, printing, courier, software, receivables, non-profits, legal, and data brokers)
Standards: ISO/IEC 17799; FFIEC

Clients: Oil Pipeline Company (Northwest); State Dept of Revenue, Tax Division (Northwest); State Legislative Services Division (Midwest); State Dept of Blind Services (Southeast)
Engagement: Information Security Program Development; Custom Training
Standards: ISO/IEC 17799/27001/27002 Code of Practice for Information Security Management, NIST SP 800-18 Guide for Developing Security Plans for Federal Information Systems and IRS Publication 1075; API-1164

Clients: State Department of Corrections (Southeast); City (Electric Utility) (Southeast); City Employees Retirement System (Northeast); Non Profit (Law Enforcement Related) (Southeast)
Engagement: Cyber Security Testing; penetration testing, technical vulnerability assessment, and controls analysis
Standards: ISO/IEC 17799; NERC CIP 5 & 7

Clients: Medical Device Company (Southeast); Insurance Company (Southeast); Hospital Company (Southeast); State Dept of Labor (Northwest); Pharmaceutical Company (Southwest); State Dept of Health and Social Services (Northwest); State Dept of Human Resources (Southeast)
Engagement: Information Security Program Assessment
Standards: Federal Parent Locator Service, HIPAA; ISO/IEC 17799

Clients: Retail Company (Northeast); Non Profit (Technology Provider) (Southeast); Financial Service Company (Global)
Engagement: Information Security Incident Analysis; incident response to potential cyber crime or other malicious activity specifically targeting client networks or sensitive data