Service Provider
Their story:
As a service provider to larger companies, they were getting increased security requirements from their customers. Finally, one particular bank required that they perform a SAS70 audit in order to keep their business. This bank mistakenly assumed that a SAS70 audit is the same as a security assessment or is a security rubber stamp. We educated both our client and the bank on the difference between a security assessment and a SAS70. Ultimately the bank agreed and allowed us to perform a true information security assessment for the service provider.
What they needed:
They wanted to be secure, but ultimately they wanted to be compliant with their customer's requirements. They had a decent-sized IT staff internally, but no information security personnel, so they needed someone with the knowledge to get their security program where it needed to be.
What we did:
We started with an information security assessment based on ISO27002. This allowed us to know where they stood, and also satisfied their bank customer. Our assessment was focused on 5 areas: Administrative Risk, Physical Security, External IT Vulnerabilities, Internal IT Vulnerabilities, and Application Security.
Once the assessment was done, we worked with them to prioritize the findings. They wanted us to drive the remediation effort, as well as do most of the remediation in conjunction with their IT department.
What's great about this company is that they wanted to be secure and were willing to go through the organizational changes required to get there. Ultimately, for most companies, good information security means a change to the culture of the organization. This is part of the reason why most companies struggle.
What they had to say:
"It seemed like we were being audited by customers constantly, and the questions were becoming tougher to answer. After completing an FRSecure Information Security Assessment we knew exactly where we had gaps in our systems as well as in our policies. Then, FRSecure helped us architect a sound, strategic Information Security program that eliminated those gaps, and made us as secure as possible."
