Complete List of Services
At FRSecure, our services are designed around the building blocks necessary for an effective information security program. Every well-run information security program has fundamental, strategic elements at its core, and it is those elements that we implement and then build upon.
Contact us for more details or to request a quote.
Assessment Services
- Information security assessment
Comprised of three phases, an Information Security Assessment is an objective measurement of your information security program against a standard.
Most FRSecure assessments are based on the ISO standard and include:
- Phase 1 - Administrative and Physical Security Controls,
- Phase 2 - Network Security Assessment, and
- Phase 3 - External Penetration Testing
- Small business information security assessments
For businesses with fewer than 50 employees and a simple network architecture.
The objectives of this assessment are to:
- Assess how your company collects, receives, processes, stores, or otherwise uses sensitive information
- Identify significant risks inherent to your company's approach to information security and the structure provided in policies
- Propose cost-effective solutions to address the unacceptable risks
- Compliance assessments
Similar to an Information Security Assessment listed above, but with a different driver (compliance) and potentially a different standard.
Commonly, compliance assessments are based on HIPAA or GLBA.
- Network security assessments
Sometimes referred to as IT security assessments, network security assessments include:
- Identification of risks associated with network infrastructure design, implementation, and management
- Internal vulnerability scanning
- External vulnerability scanning and penetration testing
- Recommendations for risk remediation
- Wireless networking assessments
Does your organization use wireless networking? If so, security of that system should be a primary concern.
Assessing the security of a wireless network is a process that consists of a series of questions and checks against what is generally considered to be wireless networking security best practices.
The process includes three phases:
- Questionnaire,
- Physical Inspection, and
- Technical Testing
- SAS70/SSAE16 readiness assessments
Often organizations that will be performing a SAS70 or SSAE16 choose to perform a pre-assessment to resolve as many issues as possible before the SAS70/SSAE16 is performed.
If your organization is considering this process, we can help you:
- Understand what a SAS70 is and what it is not
- Understand the SAS70/SSAE16 process
- Discover issues that may reflect poorly in your audit
- Help you resolve issues prior to your audit
Program Development & Management Services
- Outsourced CISO
If you've heard of companies outsourcing their CIO or CFO role, then you know the concept. As businesses grow, the need for someone to perform the CISO role becomes more critical.
We have built many Information Security programs from the ground up and know how to drive programs at a high level. Put our experience to work for you.
- C-level responsibility and accountability
- Regular reporting to company leadership
- High level authority to drive information security strategy
- Identification and creation of core governance policies and strategies
Are customers asking you for core policies? Or do you have a specific concern (thumb drives for example) that you would like addressed?
We write hundreds of policies every year for our clients. We write policies that fit your business and your needs, so that you can comply with them.
Examples:
- Information Security Policy
- Personally owned equipment
- Acceptable Use
- Backup
- Social Networking
- Data Classification
- Passwords
- Removable Media
- Training and Awareness
- SIEM
- Vendor Risk Management
- And more
- External vulnerability scans with vulnerability reports and trend analysis
A partial list of activities in a typical FRSecure external vulnerability test:
- Identification of vulnerabilities associated with externally/publicly available information resources under your custodial care
- Verification of vulnerabilities associated with externally/publicly available information resources under your custodial care
- Recommendations for risk remediation
- Internal vulnerability scans with vulnerability reports and trend analysis
A partial list of activities in a typical internal vulnerability assessment:
- Identification of technical vulnerabilities associated with all internal network hosts
- Verification of all technical vulnerabilities associated with all internal network hosts
- Ranking of all technical vulnerabilities associated with all internal network hosts
- Recommendations for risk remediation
- External penetration testing
A partial list of activities in a typical FRSecure penetration test:
- Identification of vulnerabilities associated with externally/publicly available information resources under your custodial care
- Verification of vulnerabilities associated with externally/publicly available information resources under your custodial care
- Reconnaissance/Discovery
- Internet Searches
- Google Hacking
- Social Media Search and Discovery
- Whois/Nslookup/Ipwhois
- Recommendations for risk remediation
- Intrusion Detection System (IDS) configuration, tuning and monitoring
If you don't currently have an IDS, we can help you identify your needs, evaluate and choose a solution, and get it configured correctly.
- Establishment and chartering of IS steering committee
Are you having difficulty driving information security initiatives within your organization? Establishing an effective IS steering committee can eliminate those hurdles.
- Development and delivery of IS training and awareness programs
People are your single biggest risk to information. You can minimize (not eliminate) the risk people pose by having a robust Training and Awareness program.
We know how to create and deliver Training & Awareness programs that fit your organization.
Here are some of the available Training & Awareness services:
- Creation of training material and PowerPoint presentations
- Creation of LMS material and quizzes
- Creation of the IS training strategy
- IS training policies
- We'll even come to you to deliver IS training to your people!
- Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM) is a combination of information management and event management. SIEM provides real-time analysis of security alerts generated by network hardware and applications.
- Development of incident management programs
Have you had a breach? If so, there are specific things you should be doing right now to confine the issue and protect yourself from litigation.
There are many laws that you need to be aware of in the event a breach occurs. Let us help.
- Standardize technology builds and configuration for servers, network devices and workstations
How often do you replace workstations and servers? When you do, how do you ensure that they are configured correctly?
- Implement and manage change control
Do you allow changes directly to your production environment? Do you have separate test and production environments, but allow the same developers who tested the changes to promote them to production? Do you have a review process?
These are the types of questions addressed by Change Control.
- Establish a vendor risk management program
Do you share sensitive information with vendors?
If so, you not only need to manage your own risks, but you also need to be concerned about how your vendors treat confidential information.
We can manage this entire process for you.
- Creation of BC/DR plan
Business Continuity and Disaster Recovery Planning
Whether you need a BC/DR plan, or you already have one that needs testing, we can help. The wrong time to find out your existing plan is ineffective is when you need it. Don't assume BC/DR plans only address natural disasters. Often the disasters we respond to are either self-inflicted or the result of breach incidents.
- Review/Test of BC/DR plan
- Formalize user rights management
- Do your users have appropriate privileges to directories, files, applications, etc.?
- How do you authorize new users?
- How do you change privileges when users change roles or leave the company?
- Formalize employee on/off boarding processes
When you hire a new employee, how do you ensure that they know about your core policies?
When you let someone go, or they leave on their own, how do you know they're not taking sensitive information with them?
- Compliance management
Whether you need to comply with HIPAA, GLBA, Red Flags Rules, the FDA, HITECH, or any other regulatory body, we can help. We take a risk-based approach to information security. That means that regardless of the regulatory body, if we've addressed risks strategically, compliance becomes a non-issue.
Rather than having compliance requirements drive your program, let us help you implement a strategic, risk-based program, which will keep you ahead of the compliance curve.
- Audits
Do you have old user accounts still in your system? Do some users have access to directories or information that they shouldn't? Has your firewall been configured correctly?
We audit:
- User accounts
- Permissions
- Passwords
- Firewall configuration
- System configuration
Advisory support
Included with all of our plans:
- Access to security team
We want to be your information security resource, so we're here when you need us. We don't bill for phone calls or emails because we want you to call us when you have questions.
- Executive level updates
We can, and regularly do, deliver program updates to executive teams or Boards of Directors. Having executive level buy-in to your information security program is critical to the success of the program.
- Interface with regulators or customers regarding information security
Do you have customers and/or regulators that are asking about your information security program? We can help. We know how to represent your company and your IS program in those conversations. We know how to push back appropriately, and we know how to interpret what they are really asking, and why.
Don't simply assume you have to do everything a customer or regulator asks. Often there are other solutions that fit better for your program, yet still satisfy the requirements.
Over and over again, we see companies waste money on information security simply because they take a reactive approach rather than a strategic approach. Usually this happens because a regulator or customer gives them a list of requirements.
- Information security guidance
We have built many information security programs from the ground up and we know what a strategic program looks like. Rather than learning through trial and error (and the unnecessary expense that goes with it), let us help you build your program the right way the first time.
- Where applicable, guidance on compliance with PCI, HIPAA, GLBA and Customer requirements