SecureIT :: Capabilities
FOR COMMERCIAL
Enterprise Security
Finding and Remediating Vulnerabilities
 
SecureIT offers a comprehensive range of services to help clients assess their threats, vulnerabilities, and risks; design and implement information security strategies and programs; and improve their information assurance capabilities through monitoring, periodic reviews, and audits.

Our information security services are based on a risk-based methodology for protecting the confidentiality, integrity, and availability of information. In addition, we strongly recommend that our clients pursue a holistic approach to information security. To support this approach, we tailor solutions to our clients' specific needs, or facilitate transformation of their information security function and capabilities.

  • CISO Advisory: Assist with implementation of the security program and guide/manage critical projects. Ensure success of internal initiatives, and regularly monitor/report to senior management.
  • Application Security & Controls Assessment: Perform detailed technical security reviews of web applications and internal ERP systems. Ensure that configuration settings are appropriate, duties are segregated, and applications are hardened against compromise.
  • Security Strategy & Governance: Define an enterprise approach for assessing, prioritizing, managing, and monitoring security risks. Achieve senior executive and Board awareness and buy-in. Establish a business-driven governance process for the information security program. Help define the security risk tolerance posture for the organization and an approach for making cost-benefit decisions with respect to accepting security risk. Define the desired end-state for security and identify gaps from the current state. Establish short- and long-term plans for achieving the end-state.
  • Security Policy and Procedure Development: Draft a suite of security policies, procedures, and standards that are customized to the specific needs and risk posture of the organization. Clarify roles and responsibilities for key security control requirements. Identify mechanisms to demonstrate compliance and measure/report violations.
  • Security Architecture: Define a strategic framework for unified and reusable security services across the enterprise. Plan, design, and deploy security-enabling tools, technologies, and services across all system layers (e.g., network, host, middleware, application, data) and across all security processes (e.g., identity management, threat management, vulnerability management). Describe how security controls integrate into the IT technical architecture.
  • Security Program Implementation: Identify the people, process, and technologies required for effective security management. Implement action plans to develop or enhance security services and processes. Assist in the deployment of security-enabling tools and technologies. Define metrics and tools to measure and report progress.
  • Network Security Engineering: Design and implement a secure network architecture. Optimize and fine-tune firewall filtering rules. Customize and fine-tune intrusion detection and prevention signatures.
  • Secure Application Architecture & Design: Identify segregation of duties requirements and design model security roles. Assess or define a development framework for designing, building, and testing secure applications. Implement and configure web application scanners. Inspect code to identify security vulnerabilities. Perform security testing of applications.
  • Business Continuity and Contingency Planning: Perform business impact assessment to identify disruption impacts and allowable outage times. Assess system redundancy, high-availability, and other preventive and avoidance controls. Assess or develop backup and recovery strategies, including offsite facilities. Assess or develop step-by-step contingency or recovery plans. Assess or perform training and testing of recovery plans to validate effectiveness.
  • Penetration Testing & Vulnerability Assessment: Scan systems with a combination of open source, commercial, and proprietary tools to identify security vulnerabilities of external-facing systems, internal networks, or both. Perform limited procedures to confirm the existence of vulnerabilities and reduce false positives. Actively exploit vulnerabilities to compromise systems and attempt to expand the attack through privilege escalation and launching attacks on other systems. Target attacks at the network and/or application layers, as well as other external access points including modems and wireless LANs. Prioritize identified vulnerabilities and provide specific remediation instructions.
  • Security Baseline Configuration Management & Compliance: Define security baselines based on published guidelines and our visibility into what actually works in industry for systems and devices at all architectural layers, including host operating systems, databases, firewalls and other network devices, web servers, web application servers, directories, etc. Customize baselines based on unique risk profile, risk tolerance, and compensating controls. Assist with deployment and configuration of automated tools to detect and measure non-compliance and configuration drift. Assess compliance with industry standard baselines or organization-specific guidelines. Manage exceptions to ensure that all noncompliant configurations are effectively remediated or assessed and documented as authorized deviations.
  • Database Security Monitoring: Configure or assess database security and access control to protect sensitive data. Assist with deployment and configuration of automated tools to detect and measure non-compliant databases and configuration drift. Deploy and operate enterprise solutions for database security monitoring and auditing.
  • Computer Forensics & Incident Response: Help organizations prepare for an incident by defining response procedures and clarifying roles and responsibilities. Investigate security breaches and other incidents to determine the extent of damage. Review system activity logs to reconstruct events and identify the root cause and source of the attack. Preserve admissible electronic evidence of the incident. Remove the root-cause security vulnerability or misconfiguration that contributed to the incident.