Inception Securities is a security consulting firm that began in 2002 providing database performance tuning and security services. It now employs 22 full-time staff, including 4 who would focus on a new state government contract. The firm holds relevant security certifications and has won 4 major contracts in the last 4 years. The document discusses the background and specialties of Inception Securities staff that would be assigned to the project, including their project manager, network administrator, database security expert, risk manager, and procurement/compliance officer. It provides an overview of Inception's approach to security across different domains including network administration, data administration, risk management, procurement, and compliance.

2. Inception Securities
History
• Began in 2002 providing database
performance tuning and security for database
applications
• By 2006, routinely provided complete security
service(assessments, penetration tests, policy
creation, and regulatory compliance
assistance)

3. Clients in the Past
Our clients include organizations of different
sizes. Most are state and federal government
agencies that must demonstrate compliance
with specific security-related regulations.

4. Current
• New “In-State” Headquarters
• 22 full-time employees; including 4 who will
focus on providing services and products for
this new opportunity, should we be awarded
the contract

5. Resources
• Of the five people, all hold Certified
Information Systems Security Professional
(CISSP) certifications, Certified Information
Security Manager (CISM), Global Information
Assurance Certification (GIAC), Security
Essentials Certification (GSEC), and other GIAC
certifications

6. The Cast
• Project Manager – Dale White
• Network Administrator – Julie Newton
• Database Security – Stephen Davis
• Risk Management – Will Lopez
• Procurement/Compliance – Tara Ramchi

7. Accomplishments
• Won four major contracts in the last four years
for vulnerability assessments and penetration
tests.

8. Network Administration
Julie Newton

9. User Domain
• Bi-monthly training on security (what to look
out for, what is allowed, password security,
etc.)
• Employees will be working with trainers
certified through Inception Securities
• Background checks for employees
• Access badges assigned to each employee

10. Workstation Domain
• Nightly virus scans performed by Symantec
• Nightly malware scans performed by Malware
Bytes
• Monthly checks for updates and patches
• All laptops will be encrypted by Symantec
• Physical security by disabling USB ports

11. LAN Domain
• Proxy settings to filter content based on
departmental needs
• Account based access
• Once a day port scanning performed by
Nessus to identify unauthorized open ports
• Departments sub-netted to separate them for
easier security control

12. LAN-WAN Domain
• Constant monitoring of the packet flow by
Omni-Peek to maintain optimal network
functionality
• Once a day port scanning performed by Nmap
to identify unauthorized open ports
• Access control list (ACL) limiting the access per
department

13. WAN Domain
• Black and white lists for the DMZ. The Black
list details sites that are blocked and the
White list details the sites that are approved
• ACL detailing what individual people are
allowed to access based on job code

14. Remote Domain
• Organizational units in Active Directory
providing access to only those who need to
use it
• Virtual Private Network (VPN) client to ensure
data security
• Password requirements will be implemented

15. Application Domain
• Updates to be applied by the Application team
as they are approved and released
• Patches to be applied by the System
Administrator as they are approved and
released
• Physical security to the server room. Security
code and badge

16. Data Base Administration
Stephen Davis

17. Physical Security
• Data Integrity is the single most important
part of the network.
• All data will be under physical security (i.e
Lock and Key) with only specific personal
having access.
• Notices on the Network closets will have
disclaimers about unauthorized access.

18. Active Directory
• All employees will have a unique username and password. (90 Day
Expiration on passwords)
• Password uniqueness will require at least seven characters, one
uppercase, one number and cannot be your last seven previous
passwords
• Employees will have access to only job specific tasks.
• Access to shared folders will need to be approved by the employees
manager.
• Provide generic accounts with tight Group Policy

19. Workstations
• All workstations will be a part of a domain and will need to added
manually with administrative privileges.
• All downloads will be conducted by the Help Desk.
• All patches will be conducted by the Desktop System Administrator.
• All administrative rights to local machines will need permission
from the CIO.
• Laptops will have a full disc encryption and will need someone to
register the user for first time use.

20. Servers
• All servers will be Virtualized and have a Raid
5 setup for redundancy
• Data Center will be in a central location of the
building in a fire rated room.
• Security cameras will be installed to monitor
movement

21. Software
• All software will be tested in a controlled
environment and approved before put in the
live environment.
• All software installations will be installed from
a shared network and not the internet.

22. User Training
• All new employees will need to review the
user agreement policy and sign before actually
starting work.
• Mandatory annual IT security training (social
networking, phishing emails, etc.)
• Proper user training could strengthen data
integrity.

23. Risk Management
Will Lopez

24. Identify Threats
• What is considered a threat?
1. External hacking threats
2. Personnel
3. Out dated policies

25. How often is this threat occurring
• Depending on how often the threat occurs will
determine the action to be taken.
• How the security was bypassed and what new
process can be used to stop the threat from
happening.
• By reviewing the past years information to
help determine the trend and which possible
action can be taken next.

27. What to do with your assets
 Cold site – Will be used to handle issues such as
unforeseen network hiccups, but planed
1. Network updates
2. Hardware failure
 Warm Sites – For sections of the company that
might go down.
 Hot Sites- For events far beyond human control.

28. What are your assets
 Departmental heads from each department are
considered important to the business continuity
 Managers that help assist with the incident
 Core documents and materials to maintain
business continuity.

29. Procurement and Compliance
Tara Ramchi

30. What is procurement?
• “Procurement” is the overarching function that
describes the activities and processes to acquire
goods and services.
• Procurement involves the activities involved in
establishing fundamental requirements, sourcing
activities such as market research and vendor
evaluation and negotiation of contracts.
• Procurement differs from purchasing. The term
“Purchasing” refers to the process of ordering and
receiving goods and services. It is a subset of the
wider procurement process.

31. Procurement Process
• Involves 5 Steps
1. Define Business Need
 Capture business requirements.
 Obtain full stakeholder buy into any resulting plans and
timelines.
2. Develop Procurement Strategy
 Agree procurement approach and timescale.
 Evaluate current environment and decide on the
procurement process.
3. Supplier Evaluation & Selection
 To select the right suppliers and value proposition to be
taken forward to final negotiation.

32. Procurement Process (Cont.)
4. Negotiation and Award of Contract
 Complete negotiations and select best supplier.
 Award contract.
5. Induction & Integration
 To ensure that the suppliers is fully prepared to
deliver all aspects of the contracts.
 To ensure that all parties are familiar with agreed
P2P policies and procedures.
 To initiate the relevant performance measures and
reporting.

33. Vendors
• Tiger Direct
• Newegg
• Lenovo
• Cisco
• Symantec

34. Compliancy
• Legislation and regulations are always changing. Keeping on
top of new developments can be a challenge.
• Our project team:
– Conducts mock regulatory inspections.
– Performs compliance reviews.
– Runs risk mapping projects
– Updates policies and procedures.
– Advises on the compliance issues surrounding new
products and new businesses.
– Conducts training sessions on important compliance
topics.
– Researches and reports on a variety of regulatory issues
across many jurisdictions.

35. Compliancy (Cont.)
– Accelerates licensing and compliance.
– Results in significant savings for your organization.
– Enables your organization to focus on business critical
tasks.
– Smoothes out volatility in resource demands.
– Protects your organization from penalties/fines associated
with compliance mistakes.
– We have an in depth understanding of the security
industry and thorough knowledge of the regulations that
impact your business.
– Our services are aligned with state and local regulations to
ensure complete compliance for your organization.

36. Importance of Compliancy
• What is compliancy?
– Compliance refers to the company obeying all of the legal
laws and regulations in regards to how they manage the
business, their staff, and their treatment towards their
consumers. The concept of compliance is to make sure that
corporations act responsibly.
• Benefits
– Avoidance of Criminal Charges and Penalties
– Building Positive Reputation
– Higher Productivity in the Company

37. Compliance Policy
• All State of Florida agencies must be compliant with this
security policy document
• Compliance with Legal Requirements (11.1)
– All State of Florida agencies must be compliant with any
State or Federal regulatory requirements which supersede
this policy document.
• Applicable Legislation (11.1.1)
– All State of Florida agencies must be compliant with any
legislation enacted by the State of Florida in regards to the
management of information resources on behalf of the
State.

38. Compliance Policy (Cont.)
• Data Protection and Privacy (11.1.2)
– All State of Florida agency data custodians must ensure that all
“Personal Information” data assets, as defined by applicable State
and/or Federal law and regulations, are protected from unauthorized
use, modification or disclosure.
• Data Breach and Disclosure (11.1.3)
– Any State of Florida agency that discovers a breach of the information
security controls set forth in this document which results in disclosure
of unencrypted “personal information” about persons to unauthorized
third parties shall provide notice of the disclosure in accordance with
TCA 47-18-2107(3)(A).

39. Closing
Presented by Dale White

40. Equipment cost
• $357,794.52
– Includes
• Desktops by Lenovo
• Think Pads
• Routers and switches
• Color Laser Printers
• Anti-virus
• Servers

41. Budget
• The presented budget for the 2014 fiscal year
is $4 million dollars.

42. Cost
• Project Manager $200,000
• Risk Management $150,000
• Database Security $200,000
• Network Administrator $120,000
• Procurement/Compliance $160,000
$730,000
$4m - $730k = $3,999,270,000

43. Closing
• It would be advantageous of the State
Government and the Department of Finance
and Administration to make sure that the
information on the databases are safe and
above other State Governments’ level of
security. By using the analysis of the NIST
framework and of COBIT, all layers of security
shall be perlustrated to ensure the client’s
satisfaction of the services provided by
Inception Securities.

44. Closing (cont.)
• Proven specialists in penetration testing,
vulnerability assessments, risk
management/mitigation analysis, network
systems and software hardening, and
compliance/regulation analysis
• We will ensure that the State Government and
the Department of Finance and
Administration does not suffer any unforeseen
penalty due to noncompliance.