Information Technology Services Provided
INFORMATION SECURITY
Management is responsible for providing protection for the organization's assets. The information asset, administered in most organizations by the Information Technology Department, is as vital and vulnerable as any other asset. Have you given sufficient attention to the protection of vital company information? The Foster Group has developed a service to support management in this vital area. Our information security services are listed below:
· Risk Assessments - A Risk Assessment is an analysis of system threats and vulnerabilities to determine potential losses, based on estimated probabilities of occurrence, from identified threats. The risk assessment covers the identification of assets (hardware, software, personnel, etc.) and identification, measurement, control, and minimization of uncertain events which could threaten these assets. Specific countermeasures are identified as the means to reduce the risk of each vulnerability. The Foster Group security analyst assigns a confidence rating of effectiveness for each countermeasure, provides a cost estimate for implementation, and identifies any limitations or unusual risks associated with the use of each proposed countermeasure.
· Security Test and Evaluation Plans - Our professionals can provide services to help ensure the adequacy of existing safeguards by preparing and evaluating security test and evaluation plans that examine, analyze, test, and evaluate each countermeasure in place. We will establish countermeasures to safeguard the computer facility, the ADP data, equipment, and personnel. These countermeasures will be used to monitor the system, aid in the recovery of a crashed system, and prevent the system from being compromised.
· Manuals and Procedures Development - In the areas of physical and data security, it is critical that written policies and procedures exist to help ensure that system and user personnel have a clear understanding of their responsibilities and management's security objectives. We can provide support and expertise as follows to ensure that the required manuals and procedures outlining responsibilities and security goals are developed for the appropriate personnel:
Security Manual -- Develop, review, or enhance uniform security policies and procedures to be followed by system personnel (i.e., operations, administration, & management) and users of the system. The security manual also needs to address security scope and applicability, assign responsibilities, and reflect the short- and long-range goals of the system.
Classified Processing Procedures -- Develop, review, or enhance the stringent procedures needed to control access to classified or sensitive information on computer systems, from microcomputers to mainframes. These procedures must reflect the specific environment in which the system is operating. The Foster Group has experience writing such procedures for a variety of processing environments.
· Computer Security Surveys and Audits - The Foster Group can perform a detailed analysis of the security features already in place on a system to support the overall security posture of your data center and information systems. Surveys and audits evaluate security features in the areas of software, hardware, data, operations, procedures, communications, cryptology, emanations, local area networks, office information systems, management, personnel, administration, environmental, and other areas. A checklist is used to analyze these areas. It lists over 400 questions to be answered in assessing the overall security posture of the computer system. While this process is not used to replace the risk assessment, it establishes a baseline for proceeding. Below is a list of supporting services available for the security survey and audit process:
Microcomputer Security Analysis -- Analyze the usage and control of microcomputer resources, including portable storage devices (e.g., diskettes, CD-ROMs, zip drives, tape cartridges), modems, and laptops, and assess the attitude toward security reflected by microcomputer users.
Network Security Analysis -- Analyze the installed network architecture to evaluate security measures in place. Identify additional alternatives available for securing networks of the chosen architecture (e.g., 10BaseT, 10Base2) and operating system (e.g., Windows NT, Novell NetWare). Security considerations for networks include enumerating the vulnerabilities and identifying the means that various network security designs provide to address them.
Telecommunications Security Analysis -- Analyze the usage and control of telecommunications resources and identify security limitations in the current environment. Evaluate security provisions dealing with dial-up lines, point-to-point, satellite, fiber-optics, and other common carrier communications. Establish the operational implications and determine the effectiveness of encryption techniques either already in place or recommended for implementation.