Outsourced CISO
If you've heard of companies outsourcing their CIO or CFO role, then you know the concept. As a business grows, the need for someone to perform the CISO role becomes more critical.
We have built many Information Security programs from the ground up and know how to drive programs at a high level. Put our experience to work for you.
C-level responsibility and accountability
Regular reporting to company leadership
High level authority to drive information security strategy
Identification and creation of core governance policies and strategies
Are customers asking you for core policies? Or do you have a specific concern (removable media such as thumb drives, for example) that you would like addressed?
We write hundreds of policies every year for our clients. We write policies that fit your business and your needs, so that you can comply with them.
External vulnerability scans with vulnerability reports and trend analysis
A partial list of activities in a typical FRSecure external vulnerability test:
Identification of vulnerabilities associated with externally/publicly available information resources under your custodial care
Verification of those vulnerabilities (confirming that each finding is real rather than a scanner false positive)
Recommendations for risk remediation
Internal vulnerability scans with vulnerability reports and trend analysis
Trend analysis compares successive scans so you can see whether findings are being fixed or piling up. A partial list of activities in a typical internal vulnerability assessment:
Identification of technical vulnerabilities associated with all internal network hosts
Verification of those vulnerabilities (confirming that each finding is real rather than a scanner false positive)
Ranking of the verified vulnerabilities so that remediation can be prioritized
Recommendations for risk remediation
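What the reporting and trend-analysis step looks like in practice, as an added example (this is not FRSecure's tooling): two scan exports of the same internal hosts are compared, findings are classified as new, persistent or fixed, and the open ones are ranked by CVSS for the remediation report. The finding records are a constructed, simplified shape and the VULN-* identifiers are hypothetical; real scanners export far richer CSV or XML, but the comparison logic is the same.

```python
"""Vulnerability scan trend analysis: compare two scan exports, rank what is
still open, and show which findings are new, fixed or persistent.

Added example (not FRSecure tooling). The finding records below are a
constructed, simplified shape; the VULN-* identifiers are hypothetical.
"""
from collections import Counter

# CVSS v3 qualitative severity bands (lower bound, label), highest first.
CVSS_BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low"))

# Constructed sample data: two scans of the same internal hosts, one quarter apart.
PREVIOUS_SCAN = [
    {"host": "10.0.1.10", "id": "VULN-0001", "cvss": 9.8, "title": "Unauthenticated RCE in file service (hypothetical)"},
    {"host": "10.0.1.10", "id": "VULN-0002", "cvss": 5.3, "title": "SMB signing not required (hypothetical)"},
    {"host": "10.0.1.20", "id": "VULN-0003", "cvss": 7.5, "title": "Outdated TLS library (hypothetical)"},
    {"host": "10.0.1.30", "id": "VULN-0004", "cvss": 3.1, "title": "Verbose service banner (hypothetical)"},
]
CURRENT_SCAN = [
    {"host": "10.0.1.10", "id": "VULN-0001", "cvss": 9.8, "title": "Unauthenticated RCE in file service (hypothetical)"},
    {"host": "10.0.1.40", "id": "VULN-0005", "cvss": 8.1, "title": "Default credentials on admin console (hypothetical)"},
    {"host": "10.0.1.30", "id": "VULN-0004", "cvss": 3.1, "title": "Verbose service banner (hypothetical)"},
]


def severity(cvss):
    """Map a CVSS base score to its qualitative band."""
    for floor, label in CVSS_BANDS:
        if cvss >= floor:
            return label
    return "Informational"


def _key(finding):
    # A finding is the same finding only if it is the same issue on the same host.
    return (finding["host"], finding["id"])


def diff_scans(previous, current):
    """Split findings into new (current only), persistent (both) and fixed (previous only)."""
    prev = {_key(f): f for f in previous}
    cur = {_key(f): f for f in current}
    return {
        "new": [f for k, f in cur.items() if k not in prev],
        "persistent": [f for k, f in cur.items() if k in prev],
        "fixed": [f for k, f in prev.items() if k not in cur],
    }


def rank(findings):
    """Highest CVSS first; host and id break ties so reports are reproducible."""
    return sorted(findings, key=lambda f: (-f["cvss"], f["host"], f["id"]))


def severity_counts(findings):
    return Counter(severity(f["cvss"]) for f in findings)


def trend(previous, current):
    """Change in open-finding count per severity band between the two scans."""
    before, after = severity_counts(previous), severity_counts(current)
    labels = [label for _, label in CVSS_BANDS] + ["Informational"]
    return {label: after[label] - before[label] for label in labels}


def remediation_plan(previous, current):
    """Open findings ranked for remediation, each marked NEW or PERSISTENT.

    A persistent finding was reported last cycle and is still open, which is
    usually a more useful signal for leadership than the raw count.
    """
    seen_before = {_key(f) for f in previous}
    open_findings = diff_scans(previous, current)
    rows = []
    for f in rank(open_findings["new"] + open_findings["persistent"]):
        status = "PERSISTENT" if _key(f) in seen_before else "NEW"
        rows.append((status, severity(f["cvss"]), f["host"], f["id"], f["title"]))
    return rows


if __name__ == "__main__":
    for row in remediation_plan(PREVIOUS_SCAN, CURRENT_SCAN):
        print(*row, sep="\t")
    print("trend by severity:", trend(PREVIOUS_SCAN, CURRENT_SCAN))
```

Keying on (host, finding id) rather than on the finding id alone matters: the same weakness fixed on one server and still present on another is one fixed and one persistent finding, not a wash.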
External penetration testing
A partial list of activities in a typical FRSecure penetration test:
Reconnaissance/Discovery
Internet searches
Google hacking (search-engine queries that surface exposed files, directories and error pages)
Social media search and discovery
Whois/Nslookup/Ipwhois
Identification of vulnerabilities associated with externally/publicly available information resources under your custodial care
Verification of those vulnerabilities
Recommendations for risk remediation
IDS configuration, tuning and monitoring
Intrusion Detection System (IDS) configuration, tuning and monitoring. An IDS that is never tuned buries the alerts that matter under false positives, and one that nobody monitors is just another log file.
If you don't currently have an IDS, we can help you identify your needs, evaluate and choose a solution, and get it configured correctly.
Establishment and chartering of IS steering committee
Are you having difficulty driving information security initiatives within your organization? An effective IS steering committee, chartered with the authority to set priorities and allocate resources, removes many of those hurdles.
Development and delivery of IS training and awareness programs
People are your single biggest risk to information. You can minimize (not eliminate) the risk people pose with a robust Training and Awareness program.
We know how to create and deliver Training & Awareness programs that fit your organization.
Here are some of the available Training & Awareness services:
Creation of training material and PowerPoint presentations
Creation of LMS material and quizzes
Creation of the IS training strategy
IS training policies
We'll even come to you to deliver IS training to your people!
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM) combines security information management (log collection, retention and reporting) with security event management (real-time correlation and alerting). A SIEM gathers the alerts and logs generated by network hardware, servers and applications into one place, so that activity spread across many systems can be analyzed together.
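The kind of cross-system correlation that distinguishes a SIEM from a single IDS sensor, as an added example that is not FRSecure's SIEM configuration: sshd log lines from three hosts are normalized and a rule fires when one source address logs in successfully shortly after repeated failures spread across those hosts. The log lines, hostnames and addresses are constructed (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges), and the threshold and time window are illustrative assumptions to be tuned against your own traffic.

```python
"""Cross-host correlation of the kind a SIEM performs, run over constructed
sshd log lines. Added example, not FRSecure's SIEM configuration; the log
lines, hostnames and source addresses below are constructed (203.0.113.0/24
and 198.51.100.0/24 are documentation ranges), and the rule thresholds are
illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOGS = """\
2024-03-01T09:00:01 web01 sshd[2101]: Failed password for admin from 203.0.113.7 port 51022 ssh2
2024-03-01T09:00:04 web01 sshd[2101]: Failed password for admin from 203.0.113.7 port 51023 ssh2
2024-03-01T09:00:07 db01 sshd[3310]: Failed password for root from 203.0.113.7 port 51024 ssh2
2024-03-01T09:00:09 db01 sshd[3310]: Failed password for invalid user backup from 203.0.113.7 port 51025 ssh2
2024-03-01T09:00:12 app01 sshd[4420]: Accepted password for admin from 203.0.113.7 port 51026 ssh2
2024-03-01T09:05:00 web01 sshd[2190]: Failed password for jdoe from 198.51.100.4 port 40001 ssh2
2024-03-01T09:30:00 web01 sshd[2250]: Accepted publickey for jdoe from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse(text):
    """Normalize raw lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real SIEM would count these so that parser drift is noticed
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def correlate(events, threshold=3, window_seconds=120):
    """Alert when a source logs in successfully shortly after repeated failures.

    Failures are counted across all hosts from the same source, which is what
    makes this a SIEM rule: each host alone sees too few failures to notice.
    """
    by_src = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        by_src[event["src"]].append(event)

    alerts = []
    for src, evs in by_src.items():
        for i, event in enumerate(evs):
            if event["outcome"] != "Accepted":
                continue
            recent_failures = [
                p for p in evs[:i]
                if p["outcome"] == "Failed"
                and (event["ts"] - p["ts"]).total_seconds() <= window_seconds
            ]
            if len(recent_failures) >= threshold:
                alerts.append({
                    "rule": "brute_force_then_success",
                    "src": src,
                    "user": event["user"],
                    "success_host": event["host"],
                    "failures": len(recent_failures),
                    "hosts_probed": sorted({p["host"] for p in recent_failures}),
                    "time": event["ts"].isoformat(),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse(SAMPLE_LOGS)):
        print(alert)
```

In the sample, no single host sees more than two failures from 203.0.113.7, and the successful login lands on a fourth host; only the collector that holds all the logs can connect them. The jdoe events (one failure, then a key-based login 25 minutes later) stay below threshold and outside the window, which is the kind of normal behaviour a tuned rule must not page on.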
Development of incident management programs
Have you had a breach? If so, there are specific things you should be doing right now to contain the incident, preserve evidence and protect yourself from litigation.
There are many breach notification laws that you need to be aware of in the event a breach occurs. Let us help.
Standardize technology builds and configuration for servers, network devices and workstations
How often do you replace workstations and servers? When you do, how do you ensure that they are configured correctly and consistently, every time?
Implement and manage change control
Do you allow changes directly to your production environment? Do you have separate test and production environments, but allow the same developers who tested the changes to promote them to production? Do you have a review process?
These are the types of questions addressed by Change Control.
Establish a vendor risk management program
Do you share sensitive information with vendors?
If so, you not only need to manage your own risks, but you also need to be concerned about how your vendors treat confidential information.
We can manage this entire process for you.
Creation of BC/DR plan
Review/Test of BC/DR plan
Business Continuity and Disaster Recovery Planning
Whether you need a BC/DR plan, or you already have one that needs testing, we can help. The wrong time to find out your existing plan is ineffective is when you need it. Don't assume BC/DR plans only address natural disasters. Often the disasters we respond to are either self-inflicted or the result of breach incidents.
Formalize user rights management
Do your users have appropriate privileges to directories, files, applications, etc?
How do you authorize new users?
How do you change privileges when users change roles or leave the company?
Formalize employee on/off boarding processes
When you hire a new employee, how do you ensure that they know about your core policies?
When you let someone go, or they leave on their own, how do you know they're not taking sensitive information with them?
Compliance management
Whether you need to comply with HIPAA, GLBA, the Red Flags Rule, FDA requirements, HITECH, or any other regulation, we can help. We take a risk-based approach to information security. That means that regardless of the regulation, if the risks have been addressed strategically, demonstrating compliance becomes largely a matter of producing the evidence.
Rather than having compliance requirements drive your program, let us help you implement a strategic, risk-based program, which will keep you ahead of the compliance curve.
Audit of user accounts, permissions, passwords, firewall configuration and system configuration
Do you have old user accounts still in your system?
Do some users have access to directories or information that they shouldn't?
Has your firewall been configured correctly?
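What the user-account and permission part of such an audit reduces to once the data is exported, as an added example (not FRSecure's audit procedure): a directory export joined with HR status is checked for departed users still enabled, accounts idle past a threshold, access beyond what the user's role entitles them to, and membership of privileged groups. The users, roles, groups and the role-to-entitlement matrix are constructed assumptions; in practice the export would come from AD or LDAP and the employment status from HR.

```python
"""Access review over a constructed directory export: stale accounts, departed
users still enabled, access beyond role, and privileged-group membership.

Added example, not FRSecure's audit procedure. Users, roles, groups and the
role-to-entitlement matrix are constructed assumptions; a real review would
pull this from the directory (e.g. an AD or LDAP export) and the HR system.
"""
from datetime import date

# Assumed matrix of what each role is entitled to; anything beyond it is a finding.
ROLE_ENTITLEMENTS = {
    "accounting": {"finance_share"},
    "engineering": {"source_repo", "build_server"},
    "helpdesk": {"ticketing", "password_reset"},
}
PRIVILEGED_GROUPS = {"Domain Admins", "Backup Operators"}

# Constructed export joined with HR status ("employed").
ACCOUNTS = [
    {"user": "asmith", "role": "accounting", "enabled": True, "employed": True,
     "last_logon": date(2024, 2, 20), "groups": set(), "access": {"finance_share"}},
    {"user": "bjones", "role": "engineering", "enabled": True, "employed": True,
     "last_logon": date(2023, 9, 1), "groups": set(), "access": {"source_repo", "finance_share"}},
    {"user": "cwu", "role": "helpdesk", "enabled": True, "employed": False,
     "last_logon": date(2024, 2, 28), "groups": {"Domain Admins"}, "access": {"ticketing", "password_reset"}},
    {"user": "svc_backup", "role": "service", "enabled": True, "employed": True,
     "last_logon": None, "groups": {"Backup Operators"}, "access": set()},
    {"user": "dlee", "role": "engineering", "enabled": False, "employed": False,
     "last_logon": date(2023, 1, 5), "groups": {"Domain Admins"}, "access": {"source_repo"}},
]


def audit(accounts, today, max_idle_days=90):
    """Return (user, issue) findings.

    Disabled accounts are not counted as stale, but a disabled account left in
    a privileged group is still a finding: re-enabling it silently restores
    admin rights.
    """
    findings = []
    for a in accounts:
        if a["enabled"] and not a["employed"]:
            findings.append((a["user"], "enabled account for a departed user"))
        if a["enabled"]:
            if a["last_logon"] is None:
                findings.append((a["user"], "enabled account that has never logged on"))
            else:
                idle = (today - a["last_logon"]).days
                if idle > max_idle_days:
                    findings.append((a["user"], f"no logon in {idle} days"))
        extra = a["access"] - ROLE_ENTITLEMENTS.get(a["role"], set())
        if extra:
            findings.append((a["user"], "access beyond role: " + ", ".join(sorted(extra))))
        privileged = a["groups"] & PRIVILEGED_GROUPS
        if privileged and not a["enabled"]:
            findings.append((a["user"], "disabled account still in " + ", ".join(sorted(privileged))))
    return findings


def privileged_members(accounts):
    """Every (user, group) pair in a privileged group, for the manager sign-off list."""
    return sorted((a["user"], g) for a in accounts for g in a["groups"] & PRIVILEGED_GROUPS)


if __name__ == "__main__":
    for user, issue in audit(ACCOUNTS, date(2024, 3, 1)):
        print(f"{user:12} {issue}")
    print("privileged:", privileged_members(ACCOUNTS))
```

Two points the sample is built to show: the departed helpdesk user is both still enabled and a Domain Admin, which is the finding the off-boarding process should have prevented, and the service account trips the "never logged on" check even though it may authenticate non-interactively, so service accounts need their own freshness signal rather than the interactive last-logon timestamp.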