ISO 27002:2005-Based Security Assessment:

An information technology ISO 27002:2005 security assessment is a systematic, measurable technical assessment of how an organization's security policy and procedures are employed at a specific point in time. Our security consultants work with the full knowledge of the organization, at times with considerable inside information, in order to understand the resources to be assessed.

An assessment of an information infrastructure involves testing for various vulnerabilities, reviewing the overall design of the information systems, and measuring the organization's resistance to social engineering tactics. The assessment consists of security checklists and questionnaires covering networks/LANs, firewalls, Internet access, data access, virus management, etc.

As part of the assessment, policies, procedures and enterprise systems are reviewed for compliance with current best practices, standards and regulations. Network and system infrastructures are evaluated, vulnerabilities are identified, and existing safeguards are validated using the ISO 27002:2005 framework. The results of this assessment allow the organization to identify concerns and select an appropriate level of response for its Internet-related services.

* Comprehensive review of security management controls
* Network and system access control review
* Escalation of privileges
* Change control
* Recommendations and remediation


Regulatory Compliance Audits:

Organizations are required by law to comply with a growing number of government and industry-specific regulations designed to safeguard the confidentiality, integrity, and availability of electronic data from information security breaches. Companies that do not fully comply and stay up-to-date with security regulations face serious consequences, including heavy fines and legal action. m3ip can help organizations quickly comply with information security regulations by providing practical, simple and economical solutions for:

* Public Companies - Sarbanes-Oxley (SOX) requires effective controls and processes for validating the integrity of annual financial reports.
* Financial Institutions - GLBA & NCUA require IT controls to maintain the confidentiality and privacy of consumer financial information.
* Healthcare - HIPAA regulates the security and privacy of health data, including patient records and all individually identifiable health information.
* Online Merchants - The Payment Card Industry, including MasterCard SDP and Visa CISP, mandates the protection of customer information residing with merchants, keeping it safe from hackers, viruses and other potential security risks.
* California Commerce - CA 1798.82 mandates that organizations doing business in California report any cyber security breaches that may have compromised customer information.
* Massachusetts Data Protection Regulation - MA 201 CMR 17 calls for the protection of personally identifiable information (PII).


ISO 27002:2005 Risk Management Program:

This program is based on generally recognized open standards and built on today's best security practices. m3ip will provide one year of proactive security techniques and analysis that meet today's regulatory compliance demands. We will assist you in building and maintaining a change control and patch management plan for your organization, as well as with policy review and revision.

We will help identify what you need to do immediately to comply and will assist you in setting goals for long-term compliance. We implement a complete plan for long-term security to help you evolve as regulations change. We also assist our clients in tracking changes to the plan and assessing its long-term effectiveness. This service is based on current security best-practice methodologies and is modeled on:

* Confidentiality
* Integrity
* Availability

This offering provides the following benefits to your organization:
* On-going review of your computer and network infrastructure.
* Comprehensive review of security management controls.
* Strategy for achieving compliance on a monthly basis.
* Quarterly evaluation of current best practices.
* Consistent review of logs and auditing practices.
* Build, produce and review working security policies and procedures.
* Quarterly Internal/External Vulnerability Testing and Reporting.


Risk Analysis and Assessments:

This offering provides a comprehensive risk assessment of the Information Technology area that identifies concerns with data, applications and operating systems. In addition, technology, facilities and personnel are measured and tested to rank business exposure and control risks. The analysis is an information security risk assessment that identifies and evaluates the risks that may threaten the security, confidentiality or integrity of personnel information systems, as stated in any privacy and information systems security program or policy.

Security breaches continue to make headlines. In nearly all cases, these breaches could have been prevented if proper risk management activities had been implemented per industry laws and regulations. Whether it is the Payment Card Industry Data Security Standard (PCI), Gramm-Leach-Bliley (GLBA), the Health Insurance Portability and Accountability Act (HIPAA) or local state laws and regulations, compliance with privacy rules and regulations is required, or the organization risks costly lawsuits and negative publicity that result in financial losses.

By building continual risk assessment and compliance into your operations, you can effectively mitigate the risk of data theft, reduce financial loss due to non-compliance, and lower compliance costs. Organizations need to rely on a comprehensive risk assessment to ensure that all IT areas are reviewed and/or audited commensurate with their risk.

This analysis includes:
* An inventory of all business processes and functions.
* Identification, classification and linking of all paper records, technologies and facilities to the identified business processes and functions.
* Risk assessment for business functions and processes.
* Customer information risk assessment results.
* Development of a program for periodic review of privacy controls.


Yearly Risk Management Review:

Sound security business practice requires that all Internet-facing and internal IP addresses be scanned and tested for vulnerabilities and risk. m3ip will provide an annual offering that tests your Internet-facing and internal network segments in accordance with the ISO 27002:2005 framework and current best security business practices. This offering produces reports based on the results of the testing and describes each type of vulnerability or area of concern. m3ip will detail a diagnosis of the associated issues and provide guidance on remediation or corrective measures. The report will assign a rating to the risks and vulnerabilities identified in the review process.

* Rapid7 NexPose Security Console Vulnerability & Metasploit Professional Penetration Testing
* Follow-up Exploitation of Areas of Concern
* Four quarterly external and two semi-annual internal tests
* Executive summaries provided
* Full Quarterly Reports on Findings


Security Policy Review & Development:

Our Information Security Program service offering provides our clients with a phased approach to implementing an organizational information security capability that is both business-driven and standards-based. Our methodology ensures that current industry best practices and best-of-breed solutions are used to develop a solid foundation for managing and delivering information security controls and activities within the enterprise.

* Define security standards
* Identify information assets
* Associate level of compliance
* Develop current "best business practices"
* Identify roles and responsibilities


Security Engineering:

Our consultants will develop a detailed Information Security Architecture to meet defined requirements. Based on that architecture, our Information Security Infrastructure Development team works with the client to develop information security solutions from detailed specifications using a repeatable and methodical approach. Information Security Engineering & Testing ensures that solutions have been designed and developed in a secure manner, and are implemented with detailed deployment plans in place.

* Design layers of protection
* Identify areas of weakness
* Build in redundancy


Disaster Recovery Planning & Development:

Industry experts say only six percent of businesses that suffer a catastrophic loss of data stay in business. m3ip can assist your institution in minimizing your risk so you do not become a statistic, with the following four project modules as part of a comprehensive DRP:

* Business Continuance Requirements - Meetings with key staff and division managers are used to discuss the initial understanding of the application recovery requirements and to further define business continuance requirements within each division or business function.
* Recovery Strategy Options - Upon gaining an understanding of the business continuance requirements, high-level application recovery scenarios are defined which will provide an estimated range of the costs associated with the recovery strategy options.
* Disaster Recovery Outline - The Disaster Recovery Outline is created to document the next steps required to develop the Disaster Recovery Step-by-Step Recovery Procedures document. It serves as an outline to guide you through the requirements for obtaining agreements and pricing from vendors, partners, and any other parties that could be involved in the event of a disaster, and assists in developing the actual procedures to be performed.
* Disaster Recovery Step-by-Step Recovery Procedures - Step-by-step procedure document to outline what needs to happen in the event of a disaster.


GLBA Compliance Risk Analysis & Audit:

Comprehensive FFIEC security analysis and audit. This deliverable involved the comprehensive review of both internal and external security controls, operational procedures, and policies as compared to financial and regulatory standards and best practices. This engagement resulted in the identification of a number of significant security vulnerabilities, tactical recommendations for the remediation of each, and a strategic roadmap for the client to reach GLBA compliance.

The Gramm-Leach-Bliley Act (GLBA) requires U.S. financial institutions to ensure the security and confidentiality of customer records and information. The U.S. Department of the Treasury distributed guidelines to address standards for developing and implementing safeguards to protect the security, confidentiality and integrity of customer information. The deadline for compliance was July 1, 2001. Institutions must regularly test their information security procedures and controls. GLBA guidelines give institutions some flexibility on the test frequency, based on the results of the required risk analysis and assessment.

Areas of concern and analysis were:

* Security Compliance Review Using FFIEC Scoring Methods
* Infrastructure Topology Review
* Reviews of Internal Operational Controls and Procedures
* Physical Security Assessment
* Documenting and enforcing security policies based on business objectives and management commitment
* Implementing a security management process
* Establishing security awareness training programs
* Controlling user access to sensitive information
* Building encryption modeling
* Providing security incident response and reporting procedures
* Monitoring and enforcing security policy and technical compliance


HIPAA Compliance Risk Analysis & Assessment:

This offering involves the review of both internal and external security controls to establish an overall program to control risk. HIPAA risk management includes not only risk analysis but also the management and tracking of the controls that are put in place as a result of the recommendations in the deliverable report.

The goals of the assessment were defined as:

* Inventory risks to the ePHI and medical records using industry-standard risk determination matrices based on either qualitative or quantitative analysis methods
* Identify the threats to these records and systems
* Document vulnerabilities of the systems that store and process them
* Determine safeguards for mitigating these risks
* Scope the subject of the threats
* Assign risk levels
* Enforce safeguards with policies
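The risk analysis steps above, like the inventory-classify-assess sequence in the Risk Analysis and Assessments offering, come down to a risk register: each asset is paired with a threat, a vulnerability and a safeguard, then scored either qualitatively (a likelihood-by-impact matrix) or quantitatively (single loss expectancy times annualized rate of occurrence). The following is an added illustration, not m3ip's own tooling or method: the 3x3 matrix, the asset and threat entries, and the dollar figures are all constructed for the example, and a real engagement would use the client's own scale and loss data.

```python
"""Added example: a minimal HIPAA-style risk register that scores findings
with a qualitative likelihood-by-impact matrix and a quantitative
annualized loss expectancy (ALE). All assets, threats and figures are
constructed for illustration; the 3x3 scale is an assumption."""
from dataclasses import dataclass
from typing import Dict, List

# Assumed qualitative scale. The matrix is deliberately explicit rather than
# computed from scores so reviewers can audit every cell.
LEVELS = ("Low", "Medium", "High")
RISK_MATRIX: Dict[tuple, str] = {
    ("Low", "Low"): "Low",       ("Low", "Medium"): "Low",       ("Low", "High"): "Medium",
    ("Medium", "Low"): "Low",    ("Medium", "Medium"): "Medium", ("Medium", "High"): "High",
    ("High", "Low"): "Medium",   ("High", "Medium"): "High",     ("High", "High"): "High",
}
_PRIORITY = {"High": 0, "Medium": 1, "Low": 2}


@dataclass
class Risk:
    """One register entry: asset, threat, vulnerability, rating inputs, safeguard."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str   # one of LEVELS
    impact: str       # one of LEVELS
    safeguard: str
    sle: float = 0.0  # single loss expectancy, dollars (quantitative method)
    aro: float = 0.0  # annualized rate of occurrence, events per year


def qualitative_level(likelihood: str, impact: str) -> str:
    """Look up the risk level from the matrix; reject values off the scale."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"likelihood/impact must be one of {LEVELS}")
    return RISK_MATRIX[(likelihood, impact)]


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """Quantitative rating: ALE = SLE * ARO (expected dollars lost per year)."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def rank_register(risks: List[Risk]) -> List[dict]:
    """Order entries for remediation: qualitative level first, then ALE
    (highest first), then asset name so the ordering is deterministic."""
    scored = [
        (qualitative_level(r.likelihood, r.impact),
         annualized_loss_expectancy(r.sle, r.aro), r)
        for r in risks
    ]
    scored.sort(key=lambda t: (_PRIORITY[t[0]], -t[1], t[2].asset))
    return [
        {"asset": r.asset, "threat": r.threat, "level": level,
         "ale": ale, "safeguard": r.safeguard}
        for level, ale, r in scored
    ]


# Constructed sample register (not real client data).
SAMPLE_REGISTER = [
    Risk("EHR database", "Ransomware", "Unpatched database server",
         "High", "High", "Patch cycle plus offline, tested backups", 250_000, 0.2),
    Risk("Laptops with ePHI", "Lost or stolen device", "No full-disk encryption",
         "Medium", "High", "Full-disk encryption and remote wipe", 100_000, 0.5),
    Risk("Paper records", "Unauthorized viewing", "Unlocked filing cabinet",
         "Medium", "Medium", "Locked storage and sign-out log", 20_000, 0.1),
    Risk("Backup tapes", "Theft in transit", "Unencrypted tapes",
         "Low", "High", "Encrypt tapes and use bonded courier", 150_000, 0.05),
    Risk("Fax machine", "Misdirected fax", "Manual number entry",
         "Low", "Low", "Pre-programmed numbers and cover sheet", 5_000, 0.3),
]


if __name__ == "__main__":
    for row in rank_register(SAMPLE_REGISTER):
        print(f"{row['level']:<6} ${row['ale']:>9,.0f}  {row['asset']:<18} -> {row['safeguard']}")
```

The ranked output is what the "assign risk levels" and "determine safeguards" steps feed into a remediation roadmap; the two High entries tie on ALE here, which is exactly the case where the qualitative matrix and the quantitative figure should be read together rather than one replacing the other.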


HIPAA Gap Analysis:

This engagement involves the review of both internal and external security controls to establish an overall program for identifying gaps in compliance. As part of the gap analysis engagement, the current state of policies, procedures and operations was reviewed for compliance with the Health Insurance Portability and Accountability Act (HIPAA) final Security Regulations. The result of this analysis allowed management to identify areas where gaps exist between regulatory specifications and current organizational policies and practices.

The goals of the analysis were defined as:

* Gap Analysis (Current State vs. HIPAA Security Standards)
* HIPAA Security Rule Readiness Overview
* Summary Matrix of Organizational Compliance/Gaps
* Summary Roadmap of Remediation Activities to Close Compliance Gaps
* Compilation of Raw Data, Questionnaires and Interviews