Critical Infrastructure Risk Management Services (CI-RMS)
Over the last several years, a significant number of compliance requirements have emerged, making compliance a top priority in many organizations. Organizations, however, often find that implementing the new requirements is difficult and costly. Effective information security management is more than just putting out fires. Organizations must identify how they use information to meet their strategic business goals and then determine the best ways to protect those assets throughout the information security lifecycle.
Many business leaders escalate information security from an IT responsibility to a business requirement. While the priority is higher, IT budgets haven’t grown proportionately. Meanwhile, the number of vulnerabilities increases, threats are more sophisticated, and greater regulatory oversight is a fact of life.
Since its inception as SummitWatch Consulting in 1999, the leaders at Condition Zebra have worked with security vendors, analysts and the U.S. and foreign governments on topics regarding the unique issues faced when dealing with securing complex infrastructures.
CONZebra is a trusted information security advisor to organizations across a wide spectrum of industries. Tight budgets can force some organizations to implement a disjointed security strategy that doesn’t include all the criteria of an effective information security program. CONZebra’s strategic services help fill those gaps.
Our Critical Infrastructure Risk Management Services (CI-RMS) help enterprises meet increasingly complicated regulatory requirements while reducing the most common exploit-related threats, which persist even in GRC-compliant environments. Comprehensive CONZebra Health Checks evaluate network security to assess current risks and vulnerabilities, so companies maintain strong, enforceable security policies. With our Incident Response and Forensics services, enterprises can secure immediate crisis response and proactively prepare for a security emergency, while our series of Program Development Workshops strengthens the foundation of an organization’s information security brain trust.
How Condition Zebra defines “Critical Infrastructure”
Condition Zebra defines “Critical Infrastructure” as the core systems and assets (both physical and virtual) that are essential to the basic survival of an organization, nation, or region, and whose damage or destruction would have a debilitating impact on operational security, economic security, public or private health and safety, or any combination of those outcomes. Condition Zebra defines key resources as those resources that are vital to the minimal operation of the economy or government, including individual targets whose destruction would not endanger vital systems but could create a local disaster or profoundly damage the nation’s morale or confidence.
Critical Infrastructure Key Sectors
There are many ways to categorize the key sectors of a critical infrastructure, and from a national perspective much depends on the nation’s evolution in culture, organization, economics and technology. From a “least common denominator” perspective, however, the following sectors are how Condition Zebra evaluates a minimum Critical Infrastructure:
- Government (non-defense)
- Food & Agriculture
- Emergency Services
Infrastructure Security Assessment is only the first part…
CONZebra is committed to easing the pain of meeting compliance requirements, and simply assessing how your environment is working (or not) is only the first part of an effective solution for risk management. CONZebra’s experienced consultants build methodologies and direct approaches to assist each customer in meeting individual compliance requirements. Whether it’s performing the audit itself, developing security policies and procedures, or managing ongoing compliance initiatives, CONZebra’s Critical Infrastructure Risk Management Services provide assistance designed to help you meet both business and regulatory compliance objectives.
Although there are risks involved in keeping pace with today’s increasing demand for faster communications tools and more open access to information systems, there are also worthwhile benefits, including automation, reduced system management overhead, and greater access to resources.
CONZebra consultants identify weaknesses and inconsistencies in an organization’s GRC policies and frameworks, and help develop actionable recommendations to mitigate the risks the operating environment faces from external attackers, insider threats, automated worms, and network management errors.
One unique challenge facing many of our clients today, however, particularly throughout Asia, is understanding which security infrastructure measures are needed (to meet GRC requirements) and which are not. CONZebra understands the consequences of introducing new technologies that may pose additional risk to an environment, and we work with each of our clients in a unique, non-boilerplate fashion to identify what (and what not) to do.
CONZebra Critical Infrastructure Risk Management Services options include:
Secure Operational Baseline Infrastructure Assessment (SOBIA)
Many of the risks to an infrastructure (external attackers, insider threats, automated worms, network management errors, etc.) can be reduced or even prevented through effective planning, configuration and implementation of policies, technology and operational guidelines. Condition Zebra is committed to assisting each client with their respective needs pertaining to GRC and security operational policy requirements.
CONZebra’s global team of consultants designs each policy methodology to address the specific, actionable steps an organization must take to ensure compliance (without impacting performance or creating long-term dependence on outsourcing), which results in establishing or improving security integrity.
A typical Secure Operational Baseline Infrastructure Assessment (SOBIA) includes an on-site visit and physical walk-through, security architecture review, server and system configuration review, current security controls assessment and testing, GRC gap analysis and policy outline development. These processes and actions are scaled to match the size and range of influence of each client, whether a local, single-site facility or a multinational enterprise.
What SOBIA Includes:
- Physical Access Review
- Secure Infrastructure architecture review, based on selected framework (COBIT / ISO / other)
- Administrative Policy Review
- GRC-specific Policy Gap Analysis / Policy Outline Development
Secure Operational Financial Infrastructure Assessment (SOFIA)
Many of the infrastructure risks in a financial institution posed by account fraud, improper bank transactions or inappropriate payment card transfers can be eradicated through configuration programs and the implementation of effective policies.
This service is aimed at organizations that treat PCI DSS compliance mandates as a business driver. The resulting assessment from this engagement provides a gap analysis of how the client is postured for a PCI DSS audit, or to become certified as “Compliant.”
Condition Zebra’s Secure Operational Financial Infrastructure Assessment Service breaks down the complex effort of financial-sector risk management and compliance for SOX, J-SOX and related GRC mandates and frameworks through a seven-step process that implements components from the COBIT Framework.
What SOFIA Includes:
- Physical Access review
- Security Network Framework Review
- Cardholder administrative and processing review
- Vulnerability Management Assessment
- Access Control Review
- Network Infrastructure Monitoring
- Web Application Assessment (optional)
These processes and actions are scaled to match the size and range of influence of each client, whether a local, single-site facility or a multinational enterprise.
Critical Policy Configuration Analysis & Revision (CPCAR)
Condition Zebra’s CPCAR Services provide organizations with a detailed review of their current operational policies to ensure consistency and continuity throughout the enterprise, while also ensuring alignment with potentially divergent policy mandates and frameworks.
What CPCAR Includes:
- Principle Investigation of Policy & Gap Analysis (based on multiple mandates needed)
- Operational Infrastructure Review
- Stakeholder Briefings & Policy indoctrination
- GRC/Standards Cross-evaluation & Standards Correlation
- Post-delivery Analysis & Implementation
System-wide Configuration Analysis & Testing (S-CAT)
Organizations are often faced with the dilemma of how to obtain a fully relational and detailed review of where risks may exist within their system configurations, and of how their security overlays interact to address those risks. Evaluating configuration details within the operational sectors of a critical infrastructure (firewalls, routers, access privileges, etc.), S-CAT services include accessing and evaluating what are often referred to as “high risk” server application implementations and configurations, such as Microsoft SQL Server and IIS.
This service not only tests configuration settings against Common Vulnerabilities and Exposures (CVE) data; our clients also get the benefit of learning what the best recognized industry standards of operation are with respect to each component within the network.
Evaluating the “state” of present security checks and session settings also reveals exposure to session hijacking attacks, and is part of the overall objective of S-CAT Services, which is to identify, reveal, isolate and mitigate vulnerabilities and the potential for loss of accessibility and productivity.
What S-CAT Includes:
- Technology & network diagram review
- Security Policy consistency Analysis (across multiple frameworks and mandates)
- Firewall access & configuration review (based on ISO 27001 standards)
- Network integrity inspection
- Web application security analysis & report
Critical Infrastructure Risk Management & Contingency Planning Services (RisCon)
The term Critical Infrastructure came into use during the mid-1990s. The meteoric increase in cyber communications linked the infrastructures that were vital to the defense and economy of the United States (the initiator of this term and methodology), as well as those of its allies and business and economic partners worldwide.
A fundamental mission of any critical infrastructure is to protect and ensure the consistent operation of the assets and essential resources protected by each respective sector. This CONZebra service focuses on policy consistency and criteria-based evaluations, to ensure each sector of an organizational or national “Critical Infrastructure” maintains continuity and productivity while addressing and reducing risk at all levels.
CONZebra has been involved in critical infrastructure protection for more than 30 years (including participating in the establishment of the United States Department of Homeland Security), and can help government agencies, as well as organizations throughout the international business sector, develop pragmatic and manageable processes for assessing, authoring and implementing cross-sector critical infrastructure security policies.
What RisCon Includes:
- Physical access review
- Secure Infrastructure architecture review, based on selected framework (COBIT / ISO / other)
- Infrastructure Sector Assessment
- Customer-designated GRC/Framework-based infrastructure alignment
Bring-your-own-device Baseline Parameters (BYOD-BP)
Your network has now extended beyond your control!
Organizations large and small are working diligently to assess and manage the risk associated with mobile device computing. Mobile access to information (both public and proprietary) through laptops, cell phones, tablets and other personal devices is now becoming mainstream at all levels within organizations. People cannot “un-learn” how to efficiently conduct business in an increasingly mobile world.
“Consumerization” of information is now becoming mainstream at all levels within organizations, and using mobile devices as a principal means of communicating and transacting business is the new “normal” for most growing businesses and for consumers alike.
The dilemma of how much these devices are used, and to what extent they access important (and sensitive) data, is not clearly defined by the status quo; it is left to an ad-hoc process and often ignored altogether. Desktop virtualization is a rapidly growing trend across all business sectors; nevertheless, fewer security issues have been reported (internally) with BYOD devices than with corporate devices.
Why? Possibly because people take better care of their own property.
Condition Zebra can help keep track of secure content while helping organizations develop comprehensive usage policies. CONZebra offers one of the most comprehensive strategies for addressing this growing risk concern for organizations. Based on the COBIT framework, this Baseline service provides a common set of procedures that form a foundation on which any organization may establish criteria for BYOD.
What BYOD-BP Includes:
- Assessing risk exposure levels to sensitive documents
- Identifying responsibility pathways
- Defining virtualization parameters for operation
- Coordinating “Acceptable Usage” policies
- Establishing “Ethical Use” guidelines
- Identifying key applications for BYOD use
Contact CONZebra now to discover how our Critical Infrastructure Solutions can help your business!