Security Management entails establishing and maintaining a computer security program that works for an organization. In practice, this means developing policies and procedures that map to an established regulatory or compliance standard.
A well-structured security program meets those regulatory and compliance requirements, and it is forward-looking so that it can recognize and thwart emerging threats. A superior program includes proactive elements: continuous monitoring and checks that maintain awareness of the environment and allow policies, procedures, and technologies to be fine-tuned over time. In particular, we emphasize having robust capabilities for Incident Response and for Security Awareness and Training, as discussed below.
MRETEC can develop a comprehensive security program for your organization and assist in the evaluation of your existing security program in preparation for a security audit.
We have expertise with the following environments:
- Federal Information Security Management Act (FISMA)
- National Institute of Standards and Technology Special Publications (NIST SP 800 series)
- Federal Information Processing Standards (FIPS)
- Federal Risk and Authorization Management Program (FedRAMP) for cloud services
- Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook
Payment Card Industry (PCI)
- PCI Data Security Standard (PCI-DSS)
- ISO 27001/27002
Additionally, we can provide development in the areas of:
Business Continuity Planning (BCP)
- Based on NIST SP800-34 or FFIEC requirements
- Business Impact Analysis and Disaster Recovery Plan
Incident Response (IR)
In today’s environment, Incident Response is a vital capability for your organization. Current attack techniques and zero-day exploits can quickly defeat traditional, signature-based defenses such as anti-virus and intrusion detection systems. Crucially, industry breach studies have repeatedly reported that the typical breach goes unrecognized within the affected organization for more than six months.
We approach Incident Response with the mind-set that an incident will happen, and we ask: is the organization ready to counteract an incident or breach? In practice, the best approach is to have the technology, teams, and procedures in place today, before they are needed. We can provide your organization with IR capabilities that include:
- IR Policy
- IR Procedures
- Definition of an Incident, Severity Ranking, Awareness/Monitoring, Team Structure, Escalation Procedures, Containment, Eradication, and Reporting
- Awareness Techniques
Security Awareness & Training (AT)
A strong Security Awareness & Training program is another crucial capability for your organization. Your end users are prime targets for attackers, via phishing and other social engineering techniques, and the abundance of personal information available on the Internet makes it easy to craft a convincing spear-phishing attack against a specific individual.
End users who are aware of these methods can significantly reduce the likelihood and impact of a breach, and they also serve as additional monitoring and reporting points for your organization. We can provide Security Awareness & Training for your organization that includes:
- Awareness & Training Policy
- Awareness courses
- Social Engineering methods