SecureIT :: Resources
OUR RESOURCES
Case Studies

At SecureIT, we help clients overcome the challenges of information security and its associated laws and regulations. We derive real value from implementing more efficient processes and innovative solutions. Provided below are a few examples of the ways we have helped our clients succeed.

Government Experience

Treasury: Cybersecurity Program Support

SecureIT created an IT security program spanning organization, policy, standards, training, oversight and reporting in support of sensitive and classified systems. We performed system security lifecycle management services including security planning, contingency planning, change management and continuous monitoring. Security control testing and vulnerability assessments were performed, and Plans of Action and Milestones (POA&Ms) were prepared, in support of a certification and accreditation (C&A) initiative covering over 30 systems. SecureIT developed and delivered security training courses on responsibilities, processes, standards and tools for senior executives, system owners and security professionals via an e-learning system. SecureIT supported Department-level security initiatives and participated in Department-wide security working groups to devise strategies for implementing policy and developing effective procedures. SecureIT also provided advisory and technical support to existing security program staff for program governance, execution and oversight.

Result: Improved the FISMA score from 40% to 96% within two years. Significantly reduced the number and severity of audit findings. Reduced the time and effort needed to respond to security situational assessments and data calls. Greatly improved communication across the organization, which led to the incorporation of security into all phases of the system lifecycle. Overall, CIO confidence in the security program increased, and system owners and authorizing officials were better informed.

Justice: Internal Controls / OMB A-123 Oversight

SecureIT supports the Department of Justice (DOJ) in its efforts to manage Department-wide compliance with OMB Circular A-123. Each year, the strategy is developed and communicated to the components. Key controls are selected and evaluated at the entity, component and program levels, and lessons learned from the previous year are incorporated to continually improve and optimize the process. The DOJ IT Security Standards (ITSS), NIST SP 800-53 and FISCAM are used as the basis for the control testing performed to identify weaknesses and areas where additional assessment may be required. Additionally, SecureIT works with the DOJ Cyber Security Assessment and Management (CSAM) design team and provides suggestions to improve the tool's ability to track A-123 control testing.

Result: Improved communication and coordination between the Department and component organizations, leading to better control testing and to the reuse of test results across financial, A-123 and security control testing, reducing redundancy.

Health: Cybersecurity Assessment & Remediation

SecureIT was engaged to help this federal agency identify and remediate system and application vulnerabilities as part of the annual FISMA and FISCAM audit. SecureIT evaluated controls in several areas, including but not limited to: (1) mainframe security assessments; (2) disaster recovery, continuity of operations and contingency planning; (3) security plan preparation; and (4) security for telecommunications and client/server systems. SecureIT personnel evaluated the access controls over many platforms, including LAN, WAN, telecommunications and perimeter defenses. These reviews included testing for known vulnerabilities using automated tools, as well as manual reviews of configuration reports.

Result: A more complete and accurate assessment of weaknesses and risks along with recommendations for improving security posture and compliance. Our client gained confidence that critical data and processes were identified and would be recoverable within the specified timeframes in the event of a disaster.

Defense: Data Center Security

SecureIT was engaged to identify weaknesses in systems, applications and processes as part of an assessment of Department of Defense data centers. SecureIT performed systems analysis, documentation reviews and systems testing, and developed mitigation and risk management recommendations. SecureIT evaluated controls in several areas, including but not limited to: (1) Unix and Windows security assessments; (2) access control, change control, security planning, segregation of duties and service continuity; and (3) compliance with the information assurance controls defined in Department of Defense Instruction (DoDI) 8500.2.

Result: Evidence-based confidence that security controls were properly evaluated, tested and operating as intended. Actionable information was provided to address the weaknesses found, with the associated risk expressed in terms of impact to business and mission to aid system owners and Designated Approving Authorities (DAAs) in risk-based decision making.

International Affairs: Vulnerability Assessment

SecureIT performed penetration testing at a large federal agency to support its overall risk management and security performance measurement requirements. We conducted the testing with limited prior knowledge of the agency's network, and used both automated scanning tools and manual penetration methods to detect weaknesses. The results were documented in a security report and briefed to senior agency personnel, with recommendations to mitigate the identified risks and to improve internal processes.

Result: Increased awareness of security and privacy vulnerabilities, and a prioritized remediation plan to address noted weaknesses.

Homeland Security: Cybersecurity and FISMA

SecureIT provided technical support for the creation of a security testing lab offering network, application and database vulnerability scanning and associated capabilities. SecureIT personnel performed testing and prepared reports for the Advanced Technology Division's customers. Separately, the Office of the Inspector General (OIG) engaged SecureIT to assist in conducting the annual FISMA reviews of all DHS components. SecureIT provided subject matter expertise (SME) support to the DHS audit teams in all areas of FISMA, assisted in audit planning and in determining the items to be requested and reviewed, and coordinated all communication with DHS CIO/CISO personnel. SecureIT conducted the interviews so that component personnel clearly understood what information was being sought and received credit for the work they had done.

Result: SecureIT received commendations from the OIG as well as from component CIOs and CISOs for the manner in which the FISMA review was conducted.

Commercial Experience

Financial Services: Application Security Assessments

A large financial institution sought our assistance with performing information security assessments of all key financial applications across the company. Although conducting these assessments had originally been tasked to the organization's Information Security Department, an internal audit several years earlier had found that the department had not performed them, and the gap had not been closed in the intervening time. The client therefore called on SecureIT to design a process for performing more than 100 application security assessments across the organization. This was an especially daunting task because each application had different owners, infrastructure and security models. Through disciplined project management, effective communication with application owners and an efficient strategy, we designed and executed the process more quickly than planned.

Result: By the conclusion of the engagement, resistance from certain application owners had given way to acceptance and even active support of the process. We performed the required security reviews within a compressed timeframe, and also developed a sustainable, documented process that the client could use going forward. Best of all, because we designed the process so that it could be brought back in-house by the Information Security Department, the total cost of ownership was significantly reduced.

Brokerage: IT Risk Management Program Office

A major online brokerage approached SecureIT to help it comply with the Sarbanes-Oxley Act. In the prior year, the brokerage's compliance efforts had been disjointed and expensive, with little oversight from the program management office, and were a source of frustration to personnel across the organization. To maximize the value of our services, we drew on the experience and knowledge gained working with other Fortune 500 customers. Working quickly and methodically, we organized a compliance initiative for the organization that not only resulted in SOX compliance certification but delivered much more: we stood up an IT Risk Management Program Office for the client, streamlined its compliance initiatives and ultimately reduced the overall cost of compliance.

Result: At the end of the project, the client was not only compliant with Sarbanes-Oxley and other regulations, but also benefited from a more efficient and cost-effective organization. Key factors in this success were the use of structured project management methodologies, effective project oversight, and our ability to rapidly understand the organization and identify areas where processes and functions could be made more efficient.

Application Service Provider: Comprehensive Technical Security Assessment

A major application service provider (ASP) was hosting computing environments for numerous Fortune 500 customers. Due to the sensitive nature of the systems involved, the firm needed to demonstrate to third parties that its environment was secure and well controlled, and that it could meet security requirements stricter and more detailed than those covered by a typical SAS 70 audit. So that its customers could rely on the company's services without having to perform their own audits, the organization needed a high-quality, deep-dive assessment of its security controls, and it engaged SecureIT to perform a comprehensive, highly technical security assessment of its computing environment. Our assessment included the customary procedures, such as interviews with key personnel, documentation review and external scanning for network-, host- and application-level vulnerabilities. In addition, we performed a thorough review of the security configuration of every component of the computing environment, including routers, firewalls, intrusion detection systems, host operating systems, web servers, web application servers, a directory server and the application itself. We based our review on control objectives extracted from codified best practices published by CIS, NIST, CERT/CC, vendors, ISO, ISACA and related organizations.

Result: Through our security assessment, we identified numerous security deficiencies and control gaps that the client then addressed to improve the security and integrity of its environment. To provide useful context for the deficiencies identified, our report included appropriate background information and descriptions of compensating controls. For added credibility and assurance for third-party audiences, we listed each of the hundreds of technical control objectives we reviewed and cross-referenced them to commonly used best practice standards.

Government Contractor: FISMA HIGH Solution

A company that provides outsourced services to the Federal Government received a new contract that specified a FIPS PUB 199 HIGH security impact level and the corresponding NIST SP 800-53 HIGH baseline of security controls. Previously, the company had used its internal infrastructure to support its clients' requirements; however, raising the security of that entire infrastructure to a HIGH impact level was neither desired, practical nor cost-effective. SecureIT assisted in interpreting both national and agency-specific security requirements and in developing a strategy to meet the requirements of the contract. The resulting solution leveraged the appropriate company infrastructure, incorporated existing operational and technical controls, and added a dedicated enclave designed to meet the stringent NIST SP 800-53 HIGH requirements cost-efficiently. SecureIT performed the security design, which covered technology solutions such as two-factor authentication, access control, auditing, security event and information management, encryption, security configuration baseline management, and patch and vulnerability management. SecureIT also assisted in the development of the System Security Plan, Contingency Plan and Incident Response Plan.

Result: The system design incorporated processes and technologies that the company could readily adopt into its ongoing operations and maintenance. The selected security tools and best practices were implemented to fit the project's scale and budget and the security requirements of the company and its client.

Financial Services: Internal Audit Co-Sourcing

A large financial institution's internal audit department needed to audit the firm's highly complex technologies and systems. However, its staff lacked the necessary technical skills and expertise, and traditional co-sourcing arrangements with accounting firms could provide only entry-level auditors or generalists who also lacked that expertise. The client selected SecureIT as its co-sourcing partner for IT audits. In addition to providing the extra staff needed to finish projects according to the annual audit plan, our consultants brought a combination of technical skills and breadth of experience that improved the depth and quality of the client's audits. Working as part of the internal audit project team, we took on the most technologically challenging audits, notably those in the security area, alongside the client's own auditors. The organizational knowledge of the client's audit staff, combined with our technical competence and external perspective, produced an ideal team.

Result: By partnering with SecureIT, the internal audit department was able to complete audits of technical areas and identify significant control gaps to a degree that they never had before. Because the quality and technical depth of audits has increased, the internal audit department has also strengthened its credibility and earned the professional respect of key IT personnel. An added benefit of our partnership has been the mentoring and training of internal audit staff by our consultants. Through regular interaction, internal auditors have enhanced their knowledge and expertise, and now handle a broader variety of technical matters.
