Their story:

As a banking institution, they had been focused on security compliance for many years. Historically they had always scored well on their compliance exams, so they weren't really sure what we could do for them. They had a desire, though, to know if they were really secure, or if their focus on compliance had left them with vulnerabilities they didn't know about.

What they wanted:

They wanted to know if they were really as secure as they could be. They also wanted to stay in compliance.

What we did:

• A full information security assessment focused on General Controls, External IT Security, Internal IT Security, Physical Security and GLBA compliance
• General controls audit
• External vulnerability assessment including penetration test
• Internal vulnerability assessment
• Physical security assessment

With the help of the business we then prioritized the issues we found. Most remediation was handled internally. We wrote their new Disaster Recovery plan and helped rewrite a few policies.

The outcome:

While their technical (internal and external IT) security was very good, they had large gaps in physical security and several holes in their general controls. For example, we found serious security concerns around their server room. We also found flaws in their disaster recovery plan.

The risks to this bank were enormous, even though they were compliant. Almost anyone could have stolen most of their server hardware with remarkably little effort. If that had happened, they would have had a very difficult time recovering because their DR plan had significant flaws. They would likely have survived this type of a breach, but it's impossible to know exactly what the financial and reputational repercussions would have been.

What they had to say:

"FRSecure is a valuable asset to the team and a pleasure to work with. FRSecure posseses a depth of knowledge in information security and technology overall. Definitely recommended."