Inception Securities is a security consulting firm that began in 2002 providing database performance tuning and security services. It now employs 22 full-time staff, including 4 who would focus on a new state government contract. The firm holds relevant security certifications and has won 4 major contracts in the last 4 years. The document discusses the background and specialties of Inception Securities staff that would be assigned to the project, including their project manager, network administrator, database security expert, risk manager, and procurement/compliance officer. It provides an overview of Inception's approach to security across different domains including network administration, data administration, risk management, procurement, and compliance.
2. Inception Securities
History
• Began in 2002 providing database
performance tuning and security for database
applications
• By 2006, routinely provided complete security
services (assessments, penetration tests, policy
creation, and regulatory compliance
assistance)
3. Clients in the Past
Our clients include organizations of different
sizes. Most are state and federal government
agencies that must demonstrate compliance
with specific security-related regulations.
4. Current
• New “In-State” Headquarters
• 22 full-time employees; including 4 who will
focus on providing services and products for
this new opportunity, should we be awarded
the contract
5. Resources
• All five hold Certified Information Systems
Security Professional (CISSP) certifications,
Certified Information Security Manager (CISM),
Global Information Assurance Certification
(GIAC) Security Essentials Certification (GSEC),
and other GIAC certifications
6. The Cast
• Project Manager – Dale White
• Network Administrator – Julie Newton
• Database Security – Stephen Davis
• Risk Management – Will Lopez
• Procurement/Compliance – Tara Ramchi
7. Accomplishments
• Won four major contracts in the last four years
for vulnerability assessments and penetration
tests.
9. User Domain
• Bi-monthly training on security (what to look
out for, what is allowed, password security,
etc.)
• Employees will be working with trainers
certified through Inception Securities
• Background checks for employees
• Access badges assigned to each employee
10. Workstation Domain
• Nightly virus scans performed by Symantec
• Nightly malware scans performed by
Malwarebytes
• Monthly checks for updates and patches
• All laptops will be encrypted by Symantec
• Physical security by disabling USB ports
11. LAN Domain
• Proxy settings to filter content based on
departmental needs
• Account based access
• Once a day port scanning performed by
Nessus to identify unauthorized open ports
• Departments sub-netted to separate them for
easier security control
12. LAN-WAN Domain
• Constant monitoring of the packet flow by
OmniPeek to maintain optimal network
functionality
• Once a day port scanning performed by Nmap
to identify unauthorized open ports
• Access control list (ACL) limiting the access per
department
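The daily Nessus and Nmap scans on slides 11 and 12 only identify "unauthorized" open ports if their results are compared against what each department is approved to expose. As an added example (not part of the deck), this Python script parses Nmap's grepable (-oG) output and reports open ports missing from a per-host approved baseline; the hosts, ports and scan lines are constructed for illustration.

```python
import re
from typing import Dict, List, Set, Tuple

# Per-host allowlist of approved open ports, keyed by IP. Constructed for the
# example; a real baseline would come from the department's change records.
APPROVED_PORTS: Dict[str, Set[Tuple[int, str]]] = {
    "10.10.1.5": {(22, "tcp"), (1433, "tcp")},   # database server
    "10.10.2.7": {(80, "tcp"), (443, "tcp")},    # departmental web server
}

# Constructed sample lines in Nmap's grepable (-oG) output format.
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 10.10.1.5 (db01.example.local)\tPorts: 22/open/tcp//ssh///, 1433/open/tcp//ms-sql-s///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 10.10.2.7 (web01.example.local)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (997)
Host: 10.10.3.9 ()\tPorts: 21/open/tcp//ftp///\tIgnored State: closed (999)
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)")

def parse_open_ports(grepable: str) -> Dict[str, Set[Tuple[int, str]]]:
    """Return {ip: {(port, proto), ...}} for ports Nmap reported as open."""
    found: Dict[str, Set[Tuple[int, str]]] = {}
    for line in grepable.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment and blank lines carry no host data
        ip = m.group(1)
        found.setdefault(ip, set())
        for field in line.split("\t"):
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")  # port/state/proto/owner/service/...
                if len(parts) >= 3 and parts[1] == "open":
                    found[ip].add((int(parts[0]), parts[2]))
    return found

def unauthorized_ports(grepable: str, approved=APPROVED_PORTS) -> List[Tuple[str, int, str]]:
    """Open (ip, port, proto) triples absent from the baseline; unknown hosts are reported in full."""
    findings = []
    for ip, ports in sorted(parse_open_ports(grepable).items()):
        for port, proto in sorted(ports - approved.get(ip, set())):
            findings.append((ip, port, proto))
    return findings

if __name__ == "__main__":
    for ip, port, proto in unauthorized_ports(SAMPLE_SCAN):
        print(f"UNAUTHORIZED {ip} {port}/{proto}")
```

Filtered or closed ports are ignored, so only services actually reachable on the scanned host generate a finding.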
13. WAN Domain
• Black and white lists for the DMZ. The Black
list details sites that are blocked and the
White list details the sites that are approved
• ACL detailing what individual people are
allowed to access based on job code
14. Remote Domain
• Organizational units in Active Directory
providing access to only those who need to
use it
• Virtual Private Network (VPN) client to ensure
data security
• Password requirements will be implemented
15. Application Domain
• Updates to be applied by the Application team
as they are approved and released
• Patches to be applied by the System
Administrator as they are approved and
released
• Physical security to the server room. Security
code and badge
17. Physical Security
• Data Integrity is the single most important
part of the network.
• All data will be under physical security (i.e.,
lock and key) with only specific personnel
having access.
• Notices on the Network closets will have
disclaimers about unauthorized access.
18. Active Directory
• All employees will have a unique username and password. (90 Day
Expiration on passwords)
• Passwords will require at least seven characters, one
uppercase letter and one number, and cannot match any of
your seven previous passwords
• Employees will have access to only job specific tasks.
• Access to shared folders will need to be approved by the employee's
manager.
• Provide generic accounts with tight Group Policy
19. Workstations
• All workstations will be part of a domain and will need to be added
manually with administrative privileges.
• All downloads will be conducted by the Help Desk.
• All patches will be conducted by the Desktop System Administrator.
• All administrative rights to local machines will need permission
from the CIO.
• Laptops will have full disk encryption and will need someone to
register the user for first-time use.
20. Servers
• All servers will be virtualized and have a RAID
5 setup for redundancy
• Data Center will be in a central location of the
building in a fire rated room.
• Security cameras will be installed to monitor
movement
21. Software
• All software will be tested in a controlled
environment and approved before being put into
the live environment.
• All software installations will be performed from
a shared network location, not the internet.
22. User Training
• All new employees will need to review the
user agreement policy and sign before actually
starting work.
• Mandatory annual IT security training (social
networking, phishing emails, etc.)
• Proper user training could strengthen data
integrity.
24. Identify Threats
• What is considered a threat?
1. External hacking threats
2. Personnel
3. Outdated policies
25. How often is this threat occurring
• How often the threat occurs will determine
the action to be taken.
• Determine how the security was bypassed and
what new process can be used to stop the
threat from happening again.
• Review the past year's information to
determine the trend and which action can be
taken next.
27. What to do with your assets
Cold site – Will be used to handle issues such as
unforeseen network hiccups, but planned
1. Network updates
2. Hardware failure
Warm Sites – For sections of the company that
might go down.
Hot Sites – For events far beyond human control.
28. What are your assets
Departmental heads from each department are
considered important to the business continuity
Managers who assist with the incident
Core documents and materials to maintain
business continuity.
30. What is procurement?
• “Procurement” is the overarching function that
describes the activities and processes to acquire
goods and services.
• Procurement involves the activities involved in
establishing fundamental requirements, sourcing
activities such as market research and vendor
evaluation and negotiation of contracts.
• Procurement differs from purchasing. The term
“Purchasing” refers to the process of ordering and
receiving goods and services. It is a subset of the
wider procurement process.
31. Procurement Process
• Involves 5 Steps
1. Define Business Need
Capture business requirements.
Obtain full stakeholder buy-in to any resulting plans and
timelines.
2. Develop Procurement Strategy
Agree procurement approach and timescale.
Evaluate current environment and decide on the
procurement process.
3. Supplier Evaluation & Selection
To select the right suppliers and value proposition to be
taken forward to final negotiation.
32. Procurement Process (Cont.)
4. Negotiation and Award of Contract
Complete negotiations and select best supplier.
Award contract.
5. Induction & Integration
To ensure that the supplier is fully prepared to
deliver all aspects of the contract.
To ensure that all parties are familiar with agreed
P2P policies and procedures.
To initiate the relevant performance measures and
reporting.
34. Compliancy
• Legislation and regulations are always changing. Keeping on
top of new developments can be a challenge.
• Our project team:
– Conducts mock regulatory inspections.
– Performs compliance reviews.
– Runs risk mapping projects
– Updates policies and procedures.
– Advises on the compliance issues surrounding new
products and new businesses.
– Conducts training sessions on important compliance
topics.
– Researches and reports on a variety of regulatory issues
across many jurisdictions.
35. Compliancy (Cont.)
– Accelerates licensing and compliance.
– Results in significant savings for your organization.
– Enables your organization to focus on business critical
tasks.
– Smoothes out volatility in resource demands.
– Protects your organization from penalties/fines associated
with compliance mistakes.
– We have an in-depth understanding of the security
industry and thorough knowledge of the regulations that
impact your business.
– Our services are aligned with state and local regulations to
ensure complete compliance for your organization.
36. Importance of Compliancy
• What is compliancy?
– Compliance refers to the company obeying all applicable
laws and regulations regarding how it manages the
business, its staff, and its treatment of its
consumers. The concept of compliance is to make sure that
corporations act responsibly.
• Benefits
– Avoidance of Criminal Charges and Penalties
– Building Positive Reputation
– Higher Productivity in the Company
37. Compliance Policy
• All State of Florida agencies must be compliant with this
security policy document
• Compliance with Legal Requirements (11.1)
– All State of Florida agencies must be compliant with any
State or Federal regulatory requirements which supersede
this policy document.
• Applicable Legislation (11.1.1)
– All State of Florida agencies must be compliant with any
legislation enacted by the State of Florida in regards to the
management of information resources on behalf of the
State.
38. Compliance Policy (Cont.)
• Data Protection and Privacy (11.1.2)
– All State of Florida agency data custodians must ensure that all
“Personal Information” data assets, as defined by applicable State
and/or Federal law and regulations, are protected from unauthorized
use, modification or disclosure.
• Data Breach and Disclosure (11.1.3)
– Any State of Florida agency that discovers a breach of the information
security controls set forth in this document which results in disclosure
of unencrypted “personal information” about persons to unauthorized
third parties shall provide notice of the disclosure in accordance with
TCA 47-18-2107(3)(A).
43. Closing
• It would be advantageous to the State
Government and the Department of Finance
and Administration to make sure that the
information in the databases is safe and
above other State Governments’ level of
security. By using the analysis of the NIST
framework and of COBIT, all layers of security
shall be thoroughly examined to ensure the client’s
satisfaction with the services provided by
Inception Securities.
44. Closing (cont.)
• Proven specialists in penetration testing,
vulnerability assessments, risk
management/mitigation analysis, network
systems and software hardening, and
compliance/regulation analysis
• We will ensure that the State Government and
the Department of Finance and
Administration do not suffer any unforeseen
penalty due to noncompliance.
Editor's notes
We currently do not offer services that review source code to assess security, and do not employ development security specialists.
Step 1: Define business need
Identify Business Requirement
Knowledge capture
Stakeholder consultation
Risk assessment
Scope and communication
Step 2: Develop procurement strategy
Team kick off
Market research
Define success
Agree strategy
Step 3: Supplier evaluation and selection
Develop prequal strategy
Score, filter, & notify
Develop & launch tender
Assess & filter
Step 4: Negotiation and Award of Contract
Prepare negotiation strategy
P2P design
Conduct negotiations
Finalize contract
Award
Step 5: Induction and integration
Launch supplier
Post procurement review
Continuous integration
Benefits
Avoidance of criminal charges and penalties
Example- HIPAA
(a) General penalty
(1) In general
Except as provided in subsection (b), the Secretary shall impose on any person who violates a provision of this part a penalty of not more than $100 for each such violation, except that the total amount imposed on the person for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
* * *
42 USC 1320d-6 Wrongful disclosure of individually identifiable health information
(a) Offense
A person who knowingly and in violation of this part-
(1) uses or causes to be used a unique health identifier;
(2) obtains individually identifiable health information relating to an individual; or
(3) discloses individually identifiable health information to another person,
shall be punished as provided in subsection (b).
(b) Penalties
A person described in subsection (a) shall-
(1) be fined not more than $50,000, imprisoned not more than 1 year, or both;
(2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
(3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.
Building positive reputation
The success of your business depends largely on its public image. Compliance will ensure that a company can uphold a positive image and build consumer trust. This also helps build consumer loyalty, since customers are more likely to return to a service or product from a company they identify as trustworthy.