Security Strategy and Solutions:
Every effective security program needs a plan. SES enterprise security consultants will analyze your current security state and organizational posture and work with your representatives to draw up security plans that align with your business objectives. These plans will help you to:
- Identify gaps and opportunities within your own security program.
- Identify a clear set of objectives and milestones.
- Establish clear IT governance frameworks.
- Develop policies and procedures which are aligned to your business objectives.
- Provide training and awareness programs to communicate plans, policies and procedures to your staff.
Well-written policies and procedures that have top-down management support are the cornerstone of any good information security program. SES enterprise security analysts help you develop policies and procedures which support business objectives for all areas of security, as well as risk management plans and security programs. Industry frameworks and guidelines such as those published by the National Institute of Standards and Technology (NIST), ISO/IEC 17799 from the International Organization for Standardization (since renumbered ISO/IEC 27002) and Control Objectives for Information and related Technology (COBIT) are used as the basis for all security policy development.
We help you evaluate your security program and recommend a plan for developing, documenting and updating security policies and procedures. We also help you develop enterprise policies and information security charters that can provide the basis for establishing strong information security practices within your organization.
Enterprise security team members also assist you in developing business continuity, disaster recovery, and emergency response plans. A business impact analysis is conducted as part of the planning process. We also provide tabletop or full testing of completed plans, as well as training on administration and maintenance of the plans. We leverage our hands-on experience with industry-standard business continuity planning software, as well as templates for customizing recovery plans.
Evaluation & Assessment Services:
Enterprise Security Team professionals conduct security assessments and compliance implementations. Security assessments are conducted using Preparation Guides which outline the assessment process, the documentation that needs to be gathered and suggested contacts. Your existing policies, procedures and other security controls are assessed for compliance with security best practices or with regulatory standards such as the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA), and the Payment Card Industry Data Security Standard (PCI DSS).
We use various methodologies, including the Software Engineering Institute's (SEI) Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), NIST SP 800-30 Risk Management Guide for Information Technology Systems, as well as those developed by the Centers for Medicare and Medicaid Services (CMS).
A variety of network tools are used to assess your technical security status and vulnerabilities.
Application Security Services:
Application security is the process of developing, maintaining and purchasing software applications that an organization can trust to be secure. But while application security is easy to define, it is often difficult to achieve, since it ties in to almost every aspect of an organization's information technology infrastructure. There is no magical roadmap to achieving application security, but there are many compelling reasons for developing a good application security program in any organization.
One of the most compelling reasons for adopting a good application security program is compliance. Within the past decade, legislation has been passed at both the Federal and State level which requires some level of application security or similar compensating controls. The Federal government has passed HIPAA, GLBA and SOX. California has passed the Database Breach Notification Act (SB 1386), and 31 additional states have passed similar legislation. Canada and Europe have also passed similar legislation that affects organizations doing business in those jurisdictions. One thing all of these pieces of legislation have in common is protection of the confidential data held and used by organizations, and that means application security. Additionally, all of these pieces of legislation carry both criminal and civil penalties which can be applied when organizations fail in their due diligence.
In addition to legislation passed by governments, industries are also beginning to regulate themselves. In 2000, Visa International initiated its Cardholder Information Security Program (CISP). MasterCard followed suit with its Site Data Protection (SDP) program in 2002. Other credit card companies also began development of their own data security guidelines. In December 2004, Visa and MasterCard aligned their data security programs as the PCI DSS. In September 2006, Discover, American Express and JCB joined ranks with Visa and MasterCard to form the PCI Security Standards Council (PCI SSC). The PCI DSS includes application security and has stiff penalties for failure to comply with the standard, including losing the ability to accept credit cards as payment! Just this year, in September, the PCI SSC released version 1.1 of the DSS, which mandates application security controls consisting of either code review or application-layer firewalls beginning in July 2008.
However, the most compelling reasons for application security are the economic ones. It is estimated that a data breach costs about $1.5 million per occurrence, compared to about $2,400 per occurrence for a virus attack. In addition, the simple announcement of a data breach at a publicly traded company will cause a drop in stock price of as much as 2.1%, and the drop may be more severe once details of the data breach become known. Finally, research by The Gartner Group indicates that 85% of those individuals affected by a data breach are likely to take their business elsewhere.
Such compelling reasons make it easy to see why application security is an important issue. Application security does not just happen. It is the result of organizations deciding that they will produce, purchase, and deploy secure applications. There is no magic bullet or roadmap for achieving this goal. However, in order to sustain application security in any organization there must be, as a minimum:
- Organizational management which champions application security.
- A written information security policy developed from national standards requiring application security within the organization.
- A development methodology with adequate security checkpoints and activities such as:
  - Security awareness programs for developers, project managers and testers.
  - Application assessments.
  - Capturing security requirements.
  - Defined security activities, artifacts, and guidelines.
  - Vulnerability remediation procedures.
  - Defining and monitoring metrics.
  - Publishing operational security guidelines.
- A secure release and configuration management process.
Enterprise security team members can assist customers with their application security programs by:
- Providing application security awareness training focused on upper management, development staff, project management staff, and/or testing staff.
- Performing application assessments, including static and dynamic testing of source code as well as compiled applications.
- Capturing security requirements for application development or software purchase.
- Developing application security guidelines, policies, procedures, and plans.
Security Remediation Services:
Enterprise Security Team professionals have developed both online and classroom security awareness training materials. In addition, we can provide resources for ongoing security awareness such as posters, newsletters, etc.
Our team is poised to help you develop an ongoing security awareness training program, including automated tracking of your employees' training status for compliance. We can also assist with specialized security training for targeted audiences. We have provided specialized training to our customers in:
- Computer Incident Response Team (CIRT) organization, reporting, and responsibilities
- IT Infrastructure Library (ITIL) service-oriented practices, including:
  - Help Desk reporting and responsibilities
  - Change Management reporting and responsibilities
- Business Continuity Planning seminars
In addition to training and awareness programs, our team is also ready to provide assistance with:
- Formalizing informal policies and procedures you may be practicing, but have never fully documented.
- Researching, documenting, and assisting in the selection and implementation of information security controls.