Information Security Assessment and Planning
Information Security is no longer an option, it is an absolute requirement. For some businesses and industries, Information Security standards and metrics are even mandated by the Federal Government. Regulations like Sarbanes-Oxley and HIPAA have added new and increasingly complex dimensions to compliance for public and private companies alike. Conducting periodic independent security assessments has become a business best practice and should remain at the top of your priority list.
Plus Consulting leverages world-class methodologies to deliver Information Security solutions that give you peace of mind.
Organizations usually do not realize they have an information security problem until after a breach occurs, when it is already too late. The only way to stay one step ahead of the bad guys, whoever they are, is to identify the current state of security in your organization by performing an industry-standard risk analysis. Plus Consulting recommends use of the Operationally Critical Threat, Asset, and Vulnerability Evaluation℠ (OCTAVE®) methodology developed by the Carnegie Mellon Software Engineering Institute.
Using a phased approach, the OCTAVE Method examines organizational and technology issues to assemble a comprehensive picture of the information security needs of your organization. Plus Consulting has extensive experience performing these evaluations and we have had great success using this method to develop complete security protection strategies for our clients.
Using the following process, we will evaluate your current-state environment, identify vulnerabilities and risks associated with your business-critical applications, and make recommendations on implementing a protection strategy to mitigate these risks and vulnerabilities.
- Create Threat Profiles: During this initial step of the organizational evaluation, we will work with your key staff members to identify important information assets, their threats and their unique security requirements. Deliverable: Threat Profile Worksheets for Identified Assets
- Identify Infrastructure Vulnerabilities: Key operational components of the information technology infrastructure are identified based on the information gathered during the creation of threat profiles and then examined for weaknesses (technology vulnerabilities) that can lead to unauthorized action. Deliverable: Asset Profile Workbooks
- Evaluate Selected Components: The selected infrastructure components for each critical asset are evaluated for technological vulnerabilities. The analysis team will run the evaluation tools, analyze the results, and build summaries for each critical asset. Deliverable: Breakdown of Technology Vulnerabilities in the Asset Profile Workbook
- Conduct Risk Analysis: The analysis team reviews all of the information gathered to date and builds the risk profiles for each critical asset. The risk profiles are extensions of the threat profiles, adding a qualitative measure of the impact to the organization for each of the possible threat outcomes. Deliverable: Risk Trees and Qualitative Measures Recorded in the Asset Profile Workbook
- Develop Protection Strategy: The information generated by the organizational and infrastructure evaluations is analyzed to identify risks to the organization and to evaluate those risks based on their impact on the organization's mission. In addition, a protection strategy for the organization and mitigation plans addressing the highest-priority risks are developed. Deliverable: Complete Protection Strategies and Mitigation Plans for each identified asset
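The risk-analysis and protection-strategy steps above turn a threat profile into a risk profile by attaching a qualitative impact to each threat outcome and then ranking the results so the mitigation plans address the highest-priority risks first. The following Python is an added illustration of that workflow, not Plus Consulting's or the SEI's own tooling. It assumes the four outcome categories of an OCTAVE threat tree (disclosure, modification, loss, interruption) and a three-level qualitative scale; the assets, likelihoods and impacts are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: OCTAVE threat trees branch on these four outcome categories.
OUTCOMES = ("disclosure", "modification", "loss", "interruption")

# Qualitative scale mapped to ordinal values so profiles can be ranked.
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class ThreatProfile:
    """Output of the 'Create Threat Profiles' step for one critical asset."""
    asset: str
    requirements: Dict[str, str]   # security requirement -> importance (low/medium/high)
    likelihood: Dict[str, str]     # threat outcome -> qualitative likelihood


@dataclass(frozen=True)
class Risk:
    """One branch of an asset's risk tree: an outcome with impact and likelihood."""
    asset: str
    outcome: str
    impact: str
    likelihood: str
    score: int


def _level(value: str, what: str, asset: str) -> int:
    """Validate a qualitative rating; an unknown rating means the workbook is inconsistent."""
    v = value.lower()
    if v not in SCALE:
        raise ValueError(f"{asset}: {what} rating '{value}' is not low/medium/high")
    return SCALE[v]


def build_risk_profile(profile: ThreatProfile, impact: Dict[str, str]) -> List[Risk]:
    """Extend a threat profile into a risk profile: every possible outcome must
    have both a likelihood (from the threat profile) and a recorded impact.
    A missing entry is treated as an incomplete workbook, not as 'no risk'."""
    risks = []
    for outcome in OUTCOMES:
        if outcome not in impact:
            raise ValueError(f"{profile.asset}: no impact recorded for '{outcome}'")
        if outcome not in profile.likelihood:
            raise ValueError(f"{profile.asset}: no likelihood recorded for '{outcome}'")
        imp = _level(impact[outcome], "impact", profile.asset)
        lik = _level(profile.likelihood[outcome], "likelihood", profile.asset)
        risks.append(Risk(profile.asset, outcome,
                          impact[outcome].lower(), profile.likelihood[outcome].lower(),
                          imp * lik))
    return risks


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Rank risks for the protection strategy: highest score first, then highest
    impact, then a stable name order so the output is reproducible."""
    return sorted(risks, key=lambda r: (-r.score, -SCALE[r.impact], r.asset, r.outcome))


def protection_priorities(profiles: List[ThreatProfile],
                          impacts: Dict[str, Dict[str, str]],
                          top_n: int = 3) -> List[Tuple[str, str, int]]:
    """Return the top-N (asset, outcome, score) entries that mitigation plans should address."""
    all_risks: List[Risk] = []
    for tp in profiles:
        all_risks.extend(build_risk_profile(tp, impacts[tp.asset]))
    return [(r.asset, r.outcome, r.score) for r in prioritize(all_risks)[:top_n]]


# Constructed sample data standing in for the threat profile worksheets.
SAMPLE_PROFILES = [
    ThreatProfile("customer-db",
                  {"confidentiality": "high", "availability": "medium"},
                  {"disclosure": "medium", "modification": "low",
                   "loss": "low", "interruption": "medium"}),
    ThreatProfile("public-website",
                  {"integrity": "high", "availability": "high"},
                  {"disclosure": "low", "modification": "medium",
                   "loss": "low", "interruption": "high"}),
]

# Constructed qualitative impact measures from the risk-analysis step.
SAMPLE_IMPACTS = {
    "customer-db": {"disclosure": "high", "modification": "high",
                    "loss": "high", "interruption": "medium"},
    "public-website": {"disclosure": "low", "modification": "high",
                       "loss": "medium", "interruption": "medium"},
}

if __name__ == "__main__":
    for asset, outcome, score in protection_priorities(SAMPLE_PROFILES, SAMPLE_IMPACTS):
        print(f"{score:>2}  {asset:<15} {outcome}")
```

The product of impact and likelihood is one simple way to order qualitative ratings; the point is that the ranking is derived from the recorded threat and impact measures rather than from intuition, and that an outcome with no recorded rating halts the analysis instead of silently dropping out of the risk tree.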
Contact us for more information on protecting your information assets.