Security Posture Assessment

Cyber Readiness Assessment, Enterprise Risk Assessment, Commercial Compliance Support and Security Authorization Support

Validate Cyber Readiness

To enable risk-based decision making, an organization needs to understand the value of its assets and be able to assess its security posture at both the individual-system and the enterprise level. Assessment results must be framed in an organizationally relevant context so that the impact of each finding can be measured accurately. For example, asset value or criticality can be derived from business impact analysis data developed as part of an overall Continuity of Operations Planning (COOP) program. Vulnerability scan data should first be validated to eliminate false positives, then combined with configuration audit results and application security assessment results. The combined results should then be modeled against the security architecture so that risk is quantified according to asset criticality, actual network reachability of the affected service, and other environmental considerations rather than scanner severity alone.
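As an added illustration of the correlation step described above (this is not SecureForce's tooling or code), the following Python ranks findings from a vulnerability scan, a configuration audit and an application assessment by a contextual risk score. Unvalidated findings are excluded as possible false positives, each remaining finding is scaled by the asset's BIA-derived criticality and by how reachable the affected service actually is in the architecture, and findings on assets missing from the inventory are surfaced separately rather than scored blindly. The four-level criticality scale, the exposure weights and all sample assets and findings are assumptions constructed for the example.

```python
"""Contextual risk scoring for assessment findings.

Added illustration of the correlation step, not SecureForce's tooling.
Weights, scales and all sample data are constructed for the example.
"""
from dataclasses import dataclass
from typing import Iterable

# Asset criticality as a BIA/COOP program might rate it (assumed four-level
# scale, expressed as a percentage of maximum business impact).
CRITICALITY_WEIGHT = {"low": 25, "moderate": 50, "high": 75, "critical": 100}

# Likelihood modifier for how reachable the affected service really is, judged
# from the security architecture rather than the scanner's vantage point
# (assumed values).
EXPOSURE_WEIGHT = {"internet": 100, "internal": 60, "segmented": 30, "isolated": 10}


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: str  # key into CRITICALITY_WEIGHT
    exposure: str     # key into EXPOSURE_WEIGHT


@dataclass(frozen=True)
class Finding:
    asset: str
    source: str       # "vuln_scan", "config_audit" or "appsec"
    title: str
    severity: float   # CVSS-style base score, 0.0 to 10.0
    validated: bool   # True only once an analyst has ruled out a false positive


def contextual_risk(finding: Finding, asset: Asset) -> float:
    """Severity scaled by asset criticality and actual exposure; stays on a 0-10 scale."""
    c = CRITICALITY_WEIGHT[asset.criticality]
    e = EXPOSURE_WEIGHT[asset.exposure]
    return finding.severity * c * e / 10_000


def prioritize(findings: Iterable[Finding], assets: dict[str, Asset]):
    """Return (ranked, orphans).

    ranked:  validated findings on known assets, highest contextual risk first.
    orphans: validated findings whose asset is not in the inventory; their impact
             cannot be framed, so they are returned for inventory follow-up
             instead of being silently scored or dropped.
    Unvalidated findings (possible false positives) are excluded from both.
    """
    ranked, orphans = [], []
    for f in findings:
        if not f.validated:
            continue
        asset = assets.get(f.asset)
        if asset is None:
            orphans.append(f)
            continue
        ranked.append((contextual_risk(f, asset), f))
    ranked.sort(key=lambda pair: pair[0], reverse=True)
    return ranked, orphans


# Constructed sample inventory and findings from three assessment sources.
ASSETS = {a.name: a for a in [
    Asset("web-prod", "critical", "internet"),
    Asset("hr-db", "high", "segmented"),
    Asset("dev-jumpbox", "low", "isolated"),
]}

FINDINGS = [
    Finding("web-prod", "appsec", "SQL injection in login form", 9.8, True),
    Finding("web-prod", "vuln_scan", "TLS 1.0 enabled", 6.5, True),
    Finding("web-prod", "vuln_scan", "Outdated Apache banner", 7.5, False),  # false positive
    Finding("hr-db", "config_audit", "Default administrator password", 9.0, True),
    Finding("dev-jumpbox", "vuln_scan", "Unauthenticated remote code execution", 9.8, True),
    Finding("legacy-printer", "vuln_scan", "SNMP public community string", 5.0, True),
]

if __name__ == "__main__":
    ranked, orphans = prioritize(FINDINGS, ASSETS)
    for score, f in ranked:
        print(f"{score:5.2f}  {f.asset:12} [{f.source}] {f.title}")
    for f in orphans:
        print(f"  n/a  {f.asset:12} not in inventory: {f.title}")
```

Run stand-alone, the 9.8 remote code execution on the isolated, low-criticality jump box ranks below a 6.5 TLS 1.0 finding on the internet-facing production web server, which is the reordering that raw scanner output cannot produce. The weights are the organization's risk-tolerance decisions and belong with the risk owners, not the assessors; the code only makes them explicit and repeatable.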

At SecureForce we believe context is key: raw assessment results have little value on their own without analysis of their probable impact and validation of their applicability to the environment. Our assessment approach uses tooling to automate the collection and correlation of assessment results, coupled with consistent and repeatable workflows driven by electronic surveys for manual control testing and the assessment of non-technical controls.


Cyber Readiness Assessment

From host-based to network-based assessments, from external to internal vantage points, and from applications and databases to all flavors of operating systems, SecureForce security engineers have significant experience performing security assessments across all components of an enterprise. Assessments we perform include:

  • Configuration auditing
  • Database security assessment
  • Network vulnerability assessment
  • Penetration testing
  • Software code audit
  • Social engineering
  • Web application security assessment
  • Wireless network security assessment
  • Voice communications assessment (including analog and VoIP)

The success and effectiveness of our Cyber Readiness Assessment offering is achieved through rigorous internal training and testing along with establishment and automation of consistent and repeatable processes based upon industry standard methodologies, including those listed below:

  • National Security Agency Information Security Assessment Methodology (IAM)
  • National Security Agency Information Security Evaluation Methodology (IEM)
  • NIST SP 800-30, Risk Management Guide for Information Technology Systems
  • NIST SP 800-37 Rev 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
  • NIST SP 800-39, Managing Information Security Risk
  • NIST SP 800-53A Rev 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans
  • NIST SP 800-115, Technical Guide to Information Security Testing and Assessment
  • Open Source Security Testing Methodology Manual (OSSTMM)
  • Open Web Application Security Project (OWASP) Testing Guide
  • Penetration Testing Execution Standard (PTES)


FISMA Security Authorization Support

With experience stemming from years of active duty military service as Information System Security Managers (ISSMs), many of our engineers have been supporting Security Authorization efforts (formerly Certification and Accreditation) for well over a decade. SecureForce has supported all aspects of the Security Authorization process including performing certification testing and risk assessments, complete package development, as well as package validation and submission across an agency. From System Security Plans to DIACAP Implementation Plans and from Security Assessment Reports to DIACAP Scorecards, we have developed complete sets of artifacts for the NIST and DoD Security Authorization processes. We have also developed supporting documentation for both classified and unclassified connection approval processes, Interconnection Security Agreements (ISAs) with other agencies, as well as artifacts supporting FISMA reporting and Capital Planning Investment Control (CPIC) requirements.


We have supported the transition of our DoD clients from the DoD Information Technology Security Certification and Accreditation Process (DITSCAP) to the Defense Information Assurance Certification and Accreditation Process (DIACAP), including the development of a four-day DIACAP training class. We have supported our Federal Civilian clients from the days of system-specific self-assessment checklists under NIST SP 800-26 to the current Security Authorization and enterprise risk management processes built upon the NIST RMF. As a result, we are confident that SecureForce can support our clients' Security Authorization needs regardless of when we are brought into the process.


Commercial Compliance Support

At SecureForce, we are of the mindset that compliance should be the byproduct of a mature and effective security program built upon enterprise risk management and proactive continuous monitoring. Our goal is to assist the organization with framing its own risk tolerance, identifying and implementing a balanced and appropriate control framework that reduces residual risk to a level within the organizational risk tolerance, and supporting the preparation for external audits. As part of our support, we typically perform pre-assessments prior to an external audit to identify gaps and determine appropriate remediation activities to ensure the organization is adequately prepared. We have supported the development of security programs to meet regulatory compliance requirements, including:

  • SSAE 16
  • Sarbanes-Oxley (SOX)
  • Gramm-Leach-Bliley Act (GLBA)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Federal Financial Institutions Examination Council (FFIEC)
  • International Organization for Standardization (ISO) 27002
  • Health Information Technology for Economic and Clinical Health Act (HITECH Act)

SecureForce has also supported several commercial vendors looking to sell products and services to the U.S. Federal Government. As an example, prior to the creation of the Federal Risk and Authorization Management Program (FedRAMP), SecureForce performed a gap analysis of a cloud-based offering from a Software-as-a-Service (SaaS) vendor and supported the design and implementation of an enhanced security architecture that would satisfy FISMA requirements. We implemented a security program built upon PCI DSS and National Institute of Standards and Technology (NIST) Risk Management Framework requirements. With our extensive Government experience, we facilitated discussion between the commercial vendor and the government to ensure requirements and constraints were clearly understood and that any controls with shared responsibility between the two parties were identified and agreed upon up front. We performed extensive testing to validate the implementation of security controls and developed a Security Authorization package for the vendor to provide to the government in order to demonstrate full compliance.
