Security Strategy and Solutions:
Every effective security program needs a plan. SES can help you create one.
SES enterprise security consultants will analyze your current security state and organizational posture and work with your representatives to develop security plans that align with your business objectives across all areas of security, along with risk management plans and security programs. These plans will help you to:
- Identify gaps and opportunities within your own security program
- Identify a clear set of objectives and milestones
- Establish clear IT governance frameworks
- Develop policies and procedures that are aligned with your business objectives
- Provide training and awareness programs to communicate plans, policies and procedures to your staff
Well-written policies and procedures that have top-down management support are the cornerstone of any good information security program. Industry frameworks and guidelines such as those of the National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27002:2013, and Control Objectives for Information and Related Technology (COBIT) are used as the basis for all security policy and procedure development.
We help you evaluate your security program and recommend a plan for developing, documenting and updating security policies and procedures. We also help you develop enterprise policies and information security charters that can provide the basis for establishing strong information security practices within your organization.
Enterprise security team members also assist you in developing business continuity, disaster recovery, and emergency response plans. A business impact analysis is conducted as part of the planning process. We also provide tabletop and/or full testing of completed plans as well as training on administration and maintenance of the plans. We leverage our hands-on experience with industry standard business continuity planning software applications as well as templates for customizing recovery plans.
Evaluation & Assessment Services:
Enterprise Security Team professionals conduct security assessments and compliance implementations. Security assessments are conducted using Preparation Guides that outline the assessment process, the documentation that needs to be gathered, and suggested contacts. Your existing policies, procedures and other security controls are assessed for compliance with security best practices or with regulatory standards such as the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA), and the Payment Card Industry Data Security Standard (PCI DSS).
We use various methodologies including Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), NIST SP 800-30 Risk Management Guide for Information Technology Systems, as well as those developed by the Centers for Medicare and Medicaid Services (CMS).
A variety of network tools are used to assess your technical security status and vulnerabilities.
Application Security Services:
Would you put an application into production with vulnerabilities?
Application security does not just happen. It is the result of organizations deciding that they will produce, purchase, and deploy secure applications. There is no magic bullet or roadmap for achieving this goal. However, to sustain application security in any organization there must be, at a minimum:
- Organizational management that champions application security.
- A written information security policy, developed from national standards, requiring application security within the organization.
- A development methodology with adequate security checkpoints and activities, such as:
  - Security awareness programs for developers, project managers and testers.
  - Application assessments.
  - Capturing security requirements.
  - Defined security activities, artifacts, and guidelines.
  - Vulnerability remediation procedures.
  - Defining and monitoring metrics.
  - Publishing operational security guidelines.
  - A secure release and configuration management process.
Enterprise security team members can assist customers with their application security programs by providing:
- Application security awareness training focused on upper management, development staff, project management staff, and/or testing staff.
- Application assessments, including static and dynamic testing of source code as well as compiled applications.
- Capture of security requirements for application development or software purchase.
- Development of application security guidelines, policies, procedures, and plans.
Security Remediation Services:
Our team is poised to help you develop an ongoing security awareness training program, including automated tracking of your employees' training status for compliance. We can also assist with specialized security training for targeted audiences. We have provided specialized training to our customers in:
- Computer Incident Response Team (CIRT) organization, reporting, and responsibilities
- IT Infrastructure Library (ITIL) service-oriented practices, including:
  - Help Desk reporting and responsibilities
  - Change Management reporting and responsibilities
- Business Continuity Planning seminars
In addition to training and awareness programs, our team is also ready to provide assistance with:
- Formalizing informal policies and procedures you may be practicing but have never fully documented.
- Researching, documenting, and assisting in the selection and implementation of information security controls.
We also provide resources for ongoing security awareness, such as posters and newsletters.