2. Presentation Topics
• About Us
• Information Security Explained
• The Need for Information Security
• Information Security Assessment Overview
• Information Security Assessment Deliverables
• Full-Service Consulting
3. Presentation Topics (cont.)
• What’s in it for them?
• What’s in it for you?
• Preliminary Assessment
• Who else do we work with?
• Where can you find us?
• What’s the bottom line?
4. About Us
• Formed in 2008, FRSecure LLC is a full-service information security consulting company dedicated to information security education, awareness, application, and improvement. FRSecure helps clients understand, design, implement, and manage best-in-class information security solutions, thereby achieving optimal value for every information security dollar spent.
• Regulatory and industry compliance is built into all of our solutions.
• Over 50 successful assessments performed in the past 18 months.
5. About Us
• EVAN FRANCEN, CISSP CISM
• President
• Over 15 years as a leading information security professional and corporate leader in both private and public companies
• Well versed in governmental and industry-specific regulations, standards and guidelines including ISO/IEC 27002 (17799:2005), HIPAA, GLBA, PCI-DSS, FDA CFR Part 11, SOX and COBIT
• Active participant in numerous information security trade associations including ISACA, ISSA, and ISC2
6. About Us
At FRSecure, our job is to find risks, and we’ve been helping businesses of all sizes and industries for more than 15 years. Our clients include well-known names in:
● Banking
● Insurance
● Accounting
● Health care
● Legal
● Data storage
● Mortgage
● Printing
● And more.
7. Information Security Explained
Fundamentally, Information Security is:
The application of Administrative, Physical and Technical controls in an effort to protect the Confidentiality, Integrity, and Availability of Information.
“Effective information security requires the assessment and accounting for all risks to information in all of its forms throughout the enterprise. Anything less results in wasted resources and the increased likelihood of catastrophic loss.” – Evan Francen
Fundamentally, information security is NOT:
• An IT issue; it is a business issue
• Compliance-based; it is risk-based
8. Information Security Explained
Administrative Control Questions
• Do you have formal information security policies? If so, do your policies adequately cover all areas of information security?
• How are your information security policies communicated to employees and relevant third parties?
• Do you have a defined review schedule for your information security policies?
• Has your organization defined a formal risk assessment methodology?
• Does your organization conduct background checks on potential employees prior to hire?
• Do you have an acceptable use policy?
• Do you have a formal information security awareness training program?
9. Information Security Explained
Physical Control Questions
• Has a risk assessment of physical security been performed?
• Should your company utilize a multi-tiered approach to physical security?
• Have you developed a physical security policy?
• How are public areas in and/or around your facility monitored?
• How is roof access at your facility secured?
• Do you log the date, time of entry, and time of departure of visitors, contractors, and third-party personnel?
• How do you prevent unauthorized access to office spaces?
• How do you prevent unauthorized access to restricted areas?
• What access controls are implemented for office spaces?
10. Information Security Explained
Technical Control Questions
• What are the minimum encryption key strength requirements?
• Is your network adequately segmented and controlled to prevent unauthorized access to sensitive information resources?
• What types of devices and technologies are used to control the flow of network traffic, especially between different “security zones”?
• Has your organization deployed one or more external applications?
• Which ports and services are allowed to remain enabled on network devices?
• How do you ensure that patches are consistently applied to all devices, applications, and systems?
• What types of authentication mechanisms are used to establish a wireless connection?
11. Information Security Explained
In an effort to protect:
Confidentiality: Ensuring information is disclosed to, and reviewed exclusively by, intended recipients / authorized individuals
Integrity: Ensuring the accuracy and completeness of information and processing methods
Availability: Ensuring that information and associated assets are accessible, whenever necessary, by authorized individuals
The opposite of C.I.A. is D.A.D. (Disclosure, Alteration and Destruction)
12. The Need for Information Security
• It’s the Law
  • Sarbanes-Oxley Act of 2002
  • Gramm–Leach–Bliley Act (GLBA)
  • FDA CFR Title 21
  • Computer Fraud and Abuse Act
  • Various state and local laws
• Protect intellectual property (IP)
• Protect Financial Data
• Protect Personally Identifiable Information (PII)
• Protect other “Confidential” Data
  • Clinical trial data
  • Safety data
  • Regulatory filings
(Breach figures shown on the slide: 94,000,000 records; 8,500,000 records; 130,000,000 records)
14. The Need for Information Security
The consequences of insufficient security
• Many times the victim is you, the individual
• Loss of competitive advantage
• Compromised customer confidence; loss of business
• Identity theft
• Embarrassing media coverage
• Equipment theft
• Service interruption
• Legal penalties
15. Information Security Assessment Overview
FRSecure performs an Enterprise Information Security Assessment to determine:
• what type of information you need to protect,
• the risks related to how you are currently using and protecting information, and
• how to best proceed in reducing risks.
16. Information Security Assessment Overview
The FRSecure Information Security Assessment:
• Comprehensive – We review and assess all of your current physical, administrative, and technical protections.
• Standardized – Our assessment is based on and mapped to the ISO 27002 (17799:2005) international standard.
• Compliant – Comprehensive enough to satisfy all major industry and regulatory requirements including GLBA, HIPAA, SOX, and various state laws.
• Functional – The results from our assessment are easily understood and our recommendations are functionally sound.
17. Information Security Assessment Overview
How do we assess their current environment?
We walk through as many as 3000 aspects of your information security program with you during our assessment. Our questions are tailored around the specific information that you need and want to protect. We focus our questions in these main areas:
• Security Policy Management
• Corporate Security Management
• Organizational Asset Management
• Human Resource Security Management
• Physical Security Management
• Environmental Security Management
• Compliance Management
• Communications Management
• Operations Management
• Information Access Control Management
• Information Systems Security Management
• Information Security Incident Management
• Business Continuity Management
18. Information Security Assessment Deliverables
What do you get from an FRSecure Information Security Assessment?
– Executive Summary
  • Overview of most significant risks
  • High level mitigation plans
– Technical Specification
  • Detailed documentation of all findings, including risks, risk ratings, and mitigation strategies
– Action Plan*
  • Detailed risk mitigation plan
*We don’t just tell you what’s wrong and leave you to figure out how to fix it.
19. Implementing the Action Plan
How do we help you implement the action plan?
We determine the areas where we can make simple, low cost changes that will improve security significantly. We then plan and coordinate the larger changes needed to fully implement the security plan.
We act as your Information Security department, if needed. We create policies and procedures, as well as help with training and corporate acceptance.
Once the Action Plan is complete, typically 6-12 months, we will do a second Assessment to show that your environment is now adequately secure.
20. Full-Service Consulting
A full accounting of FRSecure’s Services:
• Information Security Assessment
• Information Security Program Development
• Information Security Management
• Penetration Testing
• Business Continuity Planning
• Incident Response
• Training & Awareness
• Legal Expert Witness and Testimony
21. Full-Service Consulting: Information Security Assessment
An independent and objective assessment of your current information security program.
We have a keen understanding of practical information security in business, not just theory and academics. FRSecure personnel average more than 10 years of direct information security experience. The reasons for conducting an information security assessment range from just wanting to know where you stand, to satisfying compliance requirements. FRSecure information security assessments are specifically customized to meet (or exceed) your objectives and provide you with valuable, actionable information. Most of our information security assessments are based on the ISO 27002 international standard.
22. Full-Service Consulting: Information Security Program Development
Cost-effective and customized information security program development that reduces risk and improves efficiency.
In order to maximize your information security investments, you need to take a formal, risk-based approach. FRSecure has developed cost-effective information security programs for companies of all shapes and sizes, public and private, in a variety of industries. Over the years we have gained a tremendous amount of experience, and this experience has led to principles that guide each one of our information security development projects. Most organizations know that they need to do something about information security, but don’t have the expertise to implement a program themselves.
23. Full-Service Consulting: Information Security Management
Leverage years of expertise without the tremendous expense that can accompany it.
An information security professional on par with those employed by FRSecure can be costly and unaffordable for many companies. After factoring in salary, benefits, bonuses, and office space, an experienced information security professional can cost as much as $180,000 annually. FRSecure saves our clients money by using our proven approach to information security management.
24. Full-Service Consulting: Penetration Testing
An active evaluation or assessment of your information security controls.
You have taken the time and spent the money in an effort to protect your information assets, but how secure are you? How effective are your controls? The only true way to be sure that your controls are effectively protecting your information assets is to test them. Expert engineers who understand current, real-world threats conduct our penetration testing services. Before we start any penetration test, we take the time to understand your goals and objectives and then customize an approach to maximize your value.
25. Full-Service Consulting: Business Continuity Planning
Planning that keeps your business in business if bad things happen.
The wrong time to find out that your business continuity plan is ineffective is when you have to use it. Good business continuity planning keeps your business up and running through interruptions of any kind: power failures, IT system crashes, natural disasters, supply chain problems and more. FRSecure business continuity planning has helped our clients avoid disaster when disaster strikes.
26. Full-Service Consulting: Incident Response
Professional assistance in helping you respond appropriately to an information security incident.
Any good information security professional will tell you that it is impossible to stop all threats to your information security assets. Realized threats must be detected promptly and responded to systematically. A poor incident response can be more costly than the incident alone. FRSecure has responded to hundreds of incidents, which has led to minimized financial impact, improved processes, and thorough investigations leading to civil and/or criminal prosecutions.
27. Full-Service Consulting: Training & Awareness
Effective training and awareness programs proven to improve employee compliance with your requirements.
Another fact: people present the most significant risks to your company’s information assets. Poor information security practices are a common cause of breaches. One of the best investments you can make in information security is in the area of employee training and awareness. FRSecure has developed and delivered over a thousand hours of information security training for our clients.
28. Full-Service Consulting: Legal Expert Witness and Testimony
Making a case is difficult enough, but making a case without the right expertise is nearly impossible.
We are not lawyers, but we help lawyers understand information security related matters and decipher the facts involved in their cases. We help lawyers win cases for their clients.
29. Good Questions to Ask
• Have you done a SAS70 or are you being asked to perform one?
• Are you in a regulated industry?
• Has a valued client ever asked you to answer an information security questionnaire?
• Do you have a formal information security program?
• Do you have problems getting executives or employees to buy into your information security ideas, changes, or programs?
• Do you have regular training for employees regarding securing information?
• Do you already know that there are holes, but you don’t know what to do about them?
• What percentage of your time is spent on information security? What should it be?
• What information security challenges do you currently face?
• How would you announce a sensitive information breach to the public?
• How confident are you that your data protection is what it should be?
30. What’s in it for them?
• Experts that act as their Information Security Department or CSO (Chief Security Officer)
• Signoff on regulatory compliance issues
• Signoff on client required security audits
• Ability to add additional sales channels
• Competitor differentiation
• Knowledge that they’re doing everything they can to protect their business.
31. What’s in it for you?
Revenue Sharing
• 10% of all realized revenue will be paid as a commission for all revenue generated within 1 year of the original SOW.
• This commission will be paid as 1099 income for any business you refer to us.
Subcontracting
We can also be included in a project as a subcontractor. In this case, we will quote you our cost, and you can mark up as appropriate.
32. Preliminary Assessment
We offer a free Preliminary Assessment to any prospective client. A Preliminary Assessment includes a short questionnaire and a 30 minute phone conference with one of our experts.
The goal of this Preliminary Assessment is to find out if there is information that needs to be protected, as well as establishing credibility within their organization.
33. Who else do we work with?
In order to help our clients address specific needs that are outside of FRSecure’s core business, we have established partnerships with respected organizations that we are pleased to work with and refer to.
With more to come!
34. Where can you find us?
FRSecure is actively participating online through our Web site, blog, and social media sites.
• Web: http://www.frsecure.com
• Blog: http://www.breachblog.com
• Facebook: http://www.facebook.com/frsecure
• Twitter: http://www.twitter.com/frsecure
• LinkedIn: http://www.linkedin.com/company/frsecure-llc
Coming soon – Redesigned blog and podcasts
35. What is the bottom line?
FRSecure is the best solution for you to assess your information security needs, address those needs and partner with you for the future.
Questions?
Contact Us – info@frsecure.com or http://www.frsecure.com
It’s not just protecting your information.
It’s protecting your business.