Independent Information Security Consultant

Links

ITIL

TickIT

SOX

HIPAA

CMS

GLB

FDA

NIST

Bundesamt für Sicherheit in der Informationstechnik

NERC Security

CIS

DRI

ARS

ISO/IEC TR 13335

NSA IAM

ISC2

Common Criteria

ISECOM

Unofficial Wireless Security

DISA SRR

Cobit

ISO 17799

NSA IEM

ISACA

Rainbow Series 

Security News Portal 

Homeland Security News 

SNP Page 2

SANS

Stupid Security

NANO

ISSA 

We provide a wide range of information security services. Our approach is to work closely with the customer to provide standard and customized solutions.

We are vendor independent and we leverage existing controls into the solution.

Services Provided:

Colin Frahm MA, CISSP, CISA, NSA (IAM/IEM)

Phone 615-390-3991

cfrahm@secureconsultant.com

Bringing Order to Chaos: An Example

The Situation: We are called by Company X because they had a major security incident and they don’t want it to happen again. Company X has anywhere from 100 to 20,000 employees, many of whom are spread out over different sites, with multiple home offices. The company has not been focused on security, and there are often valuable employees such as PhDs whose practices put the organization at risk and who don’t want to follow security practices. When we ask for the policies and procedures, we receive a three-page document about how “thou shall not go to porn sites”. On site we find desktop antivirus that is not configured properly, unpatched systems, and no security configurations. They have no user account management, open shares everywhere, and no security operations organization beyond a technical firewall person.

The Solution: When we leave, they have a security management program. It includes a daily run book (checksheet) of security activities that involves everyone within the organization and was developed by the organization for itself. They will have activities that they need to address immediately, and activities that build in more security over time as the security practices mature and are integrated into the organization. They will have a general 5-year implementation plan to improve their security technologies, information classification, secure configuration builds, and deployment programs. They will have a long-term plan to implement a layered network of securely configured gateways. They will have a plan to retire old security technologies and to proactively test and budget for new ones. They will have an incident management system that they use for security and technology decision making from the CTO level up to the board of directors.