Security-rich Environment

The popularity of the Internet, combined with the power of network computing, is driving companies to focus on security and privacy. SSG security specialists can help you understand information technology and review your e-business security vulnerabilities. Our specialists work with you to plan, design, construct and operate a security-rich environment for your online applications and transactions. We assess your current security systems -- strengths and vulnerabilities -- then develop a custom architecture to protect both you and your customers.

A total security plan includes many elements of the following categories:

Security and Privacy Assessments & Planning

  • Analyze your current security controls and propose recommendations for improvement
  • Help you better understand security and privacy requirements in the context of your current and future business plans

Security and Privacy Architecture & Design

  • Address your security requirements by providing policies, standards and management architecture principles to guide organizational security decisions
  • Help you implement your policies and standards by defining formal security processes and designing specific secure solutions

Security and Privacy Implementation

  • Assist you in selecting security products and services that best fit your business needs
  • Provide services that help you implement your chosen technology solutions with the management processes that ensure they fit your current and strategic business needs

Security and Privacy Management

  • Help enterprises by continually monitoring perimeter security defenses against threats from external attackers
  • Provide resources for outsourcing security aspects of your IT operation

Assessments & Planning

Our assessment and planning services range from developing an overview of your organizational issues to assessing specific components, such as network applications, systems and the Internet. Since security involves all parts of your business, we also go beyond the electronic and network concerns and include physical site security. The bottom line is that after our assessments, you'll know the relative strengths and weaknesses in your environment.

Application Security Assessment

Are you planning to launch new applications that will allow your customers on the Internet to access their private information stored on your production systems? Are you confident that they have been designed and implemented properly to contain the necessary security functions to protect your customers' information and your business? Will the technology and processes of your infrastructure be stressed to the point where they will not be sufficient to protect your production systems and information when these new applications are rolled out?

With SSG's Application Security Assessment, you will get the added confidence of a comprehensive, independent review. SSG's security consultants will conduct an in-depth, end-to-end review of your business application: the application's architecture, design and function; its development and maintenance processes; and its operational processes and technology components, including the platform it runs on, the networking services used, and any database or operating platform services used.

SSG security consultants will conduct interviews with key managers and staff members responsible for the development, maintenance, deployment, and operations related to the application. Processes and technology will be reviewed to ensure that key application security dependencies are met. New security-relevant code in the application and supporting infrastructure services will be reviewed for common errors that can compromise the integrity of your production environment when the application is deployed.

Range of Services

  • Meetings with members of the application development teams to understand the overall application architecture, design and related development processes
  • Reviews of the application's business security requirements, architecture specifications, functional specifications and test plans
  • Analysis of selected application code for common security vulnerabilities related to implementation
  • Analysis of the operating system platform, database, network, and legacy system security services used by the application for new security vulnerabilities
  • Validation of any security dependencies that the application has on components and processes in your existing infrastructure
  • Reviews of the application and associated processes with respect to your organization's security policies and standards
  • A detailed final report describing the strengths and weaknesses found, conclusions and recommended actions, and a summary recommendation about the "production readiness" of the application

Information Asset Profile

Do you have an overall view of your organization's information assets in terms of the protection they require for your business to succeed? Can you:

  • Identify your organization's critical assets?
  • Identify their owners and custodians?
  • Determine who depends on these assets and how they are used across your organization?
  • Classify the security requirements for protecting these assets consistent with your business needs?
  • Relate these security requirements to your organization's key business issues?

With SSG's Information Asset Profile, you will receive an inventory of your critical information assets that summarizes their security requirements in relationship to your key business issues. This includes ownership of information, classification of information and prioritization of requirements. The deliverable can serve as a communication vehicle between the business functions and the information systems organization because it will explain the requirements for confidentiality, integrity and availability of your critical business information. It can be the starting point for an information architecture and can help establish the business need for maintaining and improving information security controls.

SSG security consultants will conduct interviews with key business and IT managers in your organization to understand what your critical business assets are and the nature and severity of any security risks and exposures to those assets. The risks examined are:

  • Confidentiality - the impact to the business if critical information gets into the wrong hands
  • Integrity - the impact to the business if the wrong information is used to make decisions
  • Availability - the impact to the business if critical information is not available for use when needed

The final deliverable can be used as a "control book" that highlights which information requires protection, what kind of security is important for the business use of that information, who has ownership responsibility, and how and where the information is primarily used. This enables an information security program to be tailored to provide the right types of controls and mechanisms for the most critical information to the business.

Range of Services

  • A comprehensive review of your organization's information assets, their relevance to your key business issues, security threats and requirements, ownership and use
  • A final document in the form of an Information Asset Inventory including a profile for each asset (one per page) containing its description, location, owner, users and usage, availability impacts, confidentiality impacts, and integrity impacts

External Intrusion Test

External Intrusion Test and Analysis identifies security weaknesses and strengths of the client's systems and networks as they appear from outside the client's security perimeter, usually from the Internet. The goal of External Intrusion Test and Analysis is to demonstrate the existence or absence of known vulnerabilities that could be exploited by an external attacker.

Service Methodology

SSG's skilled security professionals perform test, analysis, scan and attack procedures from the Internet against contracted client locations. All activities are conducted during client-specified times over a predetermined evaluation period.

To achieve the External Intrusion Test and Analysis goal, SSG security professionals:

  • Gather externally accessible configuration information
  • Scan client external network gateways to identify services and topology
  • Scan client Internet servers for ports and services vulnerable to attack
  • Attempt intrusion of vulnerable internal systems

SSG uses an intrusion methodology that mimics the process used by hackers to gain access to information and systems at the client's site. The methodology combines state-of-the-art testing techniques with unique security expertise to provide the client with an independent assessment of its security posture. SSG security professionals use a set of evaluation tools - public domain, commercial and "home built" - to gather vulnerability information. Intrusion attempts are then performed using proprietary testing techniques. All known network-based attacks are employed in this process. Testing of the client's Internet connection is conducted from an external site.

SSG offers this service as a standard product only for Class C networks. Contact SSG for information on Class B network testing.

Intrusion testing requires appropriate legal releases and waivers from the client. SSG is committed to minimizing disruptions and avoiding damage to client systems. In no case will SSG perform any actions prohibited by law.
Client Deliverables

SSG will deliver an External Intrusion Test and Analysis Report that contains an executive security overview, a list of vulnerabilities, recommendations for risk mitigation, and a log of intrusion data obtained. The report will be delivered in bound hard copy and in electronic form on diskette in Microsoft Word compatible format.

Client Benefits

The External Intrusion Test & Analysis allows the client to anticipate external attacks that might cause security breaches and to proactively reduce risks to its information, systems, and networks. This proactive approach will improve the security of the client's networked resources, and help avoid the significant costs and uncertainties of dealing with external attacks and security breaches. The External Intrusion Test & Analysis can provide solutions for improving or implementing business over the Internet. A client will be able to conduct e-business and e-commerce operations with increased confidence in its ability to protect valuable data, resources, and reputation.


Internal Intrusion Test

Internal Intrusion Test and Analysis identifies security weaknesses and strengths of the client's systems and networks as they appear to internal users operating within the client's security perimeter. The goal of Internal Intrusion Test and Analysis is to demonstrate the existence or absence of known vulnerabilities that could be exploited by authorized internal users.

The Internal Intrusion Test and Analysis mimics an attack on the internal network by a disgruntled employee or an authorized visitor having standard access privileges. Internal intrusion testing is typically done on location at the client offices, but alternative arrangements can be made.

Service Methodology

SSG professionals will, with the cooperation of their client point-of-contact, masquerade as an authorized internal user of the client networks, usually as a trusted visitor or contractor. Using laptops, SSG professionals perform test, analysis, scan and attack procedures on the internal network and its hosts, especially the servers. All activities are conducted during client-specified times, over a predetermined evaluation period.

To achieve the Internal Intrusion Test and Analysis goal, SSG professionals:

  • Scan client internal servers to identify hosts, services and network configuration
  • Scan client internal servers for vulnerable ports and services
  • Monitor network traffic for sensitive user data (e.g., user passwords)
  • Attempt intrusion of internal systems

The Internal Intrusion Test service uses much of the same methodology and employs many of the same tools as the external intrusion test to evaluate the current security of corporate internal networks. Internal intrusion focuses on:

  • Server operating system and application vulnerabilities
  • Protocol and network infrastructure vulnerabilities
  • Excessive or inappropriate user privileges
  • Internal controls and procedures
  • Internal "intra-walls" separating sub-networks

Special attention is paid to configuration errors or old software versions with widely known vulnerabilities.

Client Deliverables

SSG will deliver an Internal Intrusion Test and Analysis Report that contains an executive security overview, a list of vulnerabilities, recommendations for risk mitigation, and a log of intrusion data obtained. The report will be delivered in bound hard copy and in electronic form on diskette in Microsoft Word compatible format.

Client Benefits

The Internal Intrusion Test & Analysis allows the client to anticipate internal attacks that might cause security breaches and to proactively reduce risks to its information, systems, and networks. This proactive approach will improve the security of the client's networked resources, and help avoid the significant costs and uncertainties of dealing with internal attacks and security breaches. The Internal Intrusion Test & Analysis can provide solutions for improving or implementing business over the Internet. A client will be able to conduct e-business and e-commerce operations with increased confidence in its ability to protect valuable data, resources, and reputation.

Ethical Hacking

How do you find out what hackers can get into before they've tried? SSG's "ethical hackers" can simulate a real intruder's attacks, but in a controlled, safe way for you. And they'll tell you what they find and how you can fix it to keep them out.

When you provide a service to users over the Internet, such as a database linked to your webserver, you expose your organization to new risks. Every service opens a new path between the Internet and your organization. These paths to your organization's network and data can be exploited by "hackers". Your organization can be embarrassed or interrupted in the best cases, and can lose customers and money in the worst.

SSG can help your organization to minimize the risk of a hacker causing damage to your network by performing a range of intrusion tests using the same techniques known to be used by the most common hackers.

Range of Services

  • Review of your overall network design to determine how effectively it isolates untrusted outside networks from your internal, trusted networks and systems
  • Test designed to exercise all components within the scope of the project in an attempt to gain unauthorized access to your internal network from three perspectives: a low-level solitary hacker, a small team of competent hackers, and an expert team of highly motivated hackers
  • A report describing the strengths and weaknesses found in the various intrusion test scenarios with recommendations for immediate and long-term improvements

Firewall Audit and Reconfiguration

Firewall Audit and Reconfiguration examines the organization's existing firewall and its configuration to ascertain whether the firewall is effectively enforcing the client's information security policy.

Service Methodology

SSG is a leader in firewall product implementation. This service leverages SSG's years of experience and expertise in firewall implementation to provide a quality firewall evaluation.

SSG's personnel will perform an exhaustive evaluation of existing client firewalls. This evaluation will include:

  • Current architecture of Internet connection
  • Firewall operating system version and patch levels
  • Firewall configuration and controls on Internet traffic
  • Internet services passing through the firewall
  • Internet services blocked by the firewall
  • Access control list configuration (if present)
  • Remote connection support
  • Administrative procedures

The service is performed onsite at the client location.

Client Deliverables

An informal report will present the evaluation results and their impact on existing information security policies. The report will recommend changes in the client's firewall architecture, configuration, and operating procedures that will improve the security of the firewall and its operation. The security professionals will advise and assist the client's firewall administrator in implementing these changes.

SSG will deliver a brief written report summarizing the firewall evaluation and recommendations. The report will be delivered in bound hard copy and in electronic form on diskette in Microsoft Word or compatible format.

Client Benefits

The Firewall Audit and Reconfiguration service allows the client to use the expertise of an experienced security professional to ensure that its firewall is configured correctly to enforce the organization's information security policy. This will ensure that the client's firewall and associated systems balance security with business objectives, providing the required Internet services while operating at optimal efficiency. The Firewall Audit and Reconfiguration allows the client to use the Internet in the conduct of its business operations with increased confidence in its ability to protect its valuable data, resources, and reputation.

Security Health Check

Do you have an overall view of how effectively your security plan is working? Are the right IT security controls in place to protect the information that is critical to your business? Controls must cover all aspects of your business, including mechanisms used by hardware and software systems, networks, databases and human resource systems. SSG's Security Health Check review will identify both strengths and weaknesses in your organization's IT security controls. When you are aware of the business exposures resulting from inadequate security controls, you can begin to implement improved controls and also establish the processes that are required to ensure that the controls are effective.

SSG security consultants will conduct interviews with key managers and staff members in your organization to understand what security controls are in place in the following ten management areas: policy, organization, personnel, physical controls, asset classification and control, system access control, network and computer management, business continuity, application development and maintenance, and compliance.

This controls assessment, at any given location, is designed to take approximately two weeks to assess more than seventy-five management controls within the above ten areas. The breadth of the assessment can be corporate-wide, site by site, or for individual business units within your organization. Whatever scope you select, the results will provide you with business oriented recommendations for meeting your organization's security objectives with a repeatable assessment methodology.

Range of Services

  • A review of your organization's IT security controls across the ten management areas:
    • Policy
    • Organization
    • Personnel
    • Physical controls
    • Asset classification and control
    • System access control
    • Network and computer management
    • Business continuity
    • Application development and maintenance
    • Compliance
  • An analysis of the information gathered against a standards-based model of "best practices" for commercial environments
  • A final report of the strengths and weaknesses found, along with recommendations for actions that could improve your security program and reduce risks to an acceptable level

Internet Security Assessment

How do you find out what hackers can get into before they've tried? SSG's "ethical hackers" can simulate a real intruder's attacks, but in a controlled, safe way for you. And they'll tell you what they find and how you can fix it to keep them out. This assessment is comprehensive: it covers not only the intruder's view of the system but also examines the configuration and management of the systems, factors that could lead to new exposures in the future. This assessment will be custom designed to cover whatever system platforms, network connections, software and databases comprise your IT facilities.

When you provide a service to users over the Internet, such as a database linked to your webserver, you expose your organization to new risks. Every service opens a new path between the Internet and your organization. These paths to your organization's network and data can be exploited by "hackers". Your organization can be embarrassed or interrupted in the best cases, and can lose customers and money in the worst.

SSG can help your organization to minimize the risk of a hacker causing damage to your network. This service gives you a comprehensive review of your Internet solution, on both a technical level and a management level. The technology review, consisting of multiple "intrusion tests" and configuration analysis, gives you a thorough understanding of the strengths and weaknesses of your Internet solution. The management review consists of interviews with administrators and management, and of reviews of security documentation. This provides you with insight into how your organization is prepared to handle the security of the solution over time.

Range of Services

  • Review of your overall network design to determine how effectively it isolates untrusted outside networks from your internal, trusted networks and systems
  • Review of the security design of your selected platforms (routers, firewalls, web servers, application servers, etc.) to determine if any functions provided by them could cause undesirable security exposures
  • Test designed to exercise all components within the scope of the project in an attempt to gain unauthorized access to your internal network from three perspectives:
    • A low-level solitary hacker
    • A small team of competent hackers
    • An expert team of highly motivated hackers
  • Comprehensive review of the security management controls for the included components covering:
    • Policy
    • Organization
    • Personnel
    • Asset classification and control
    • Physical security
    • Access control
    • Network and computer management
    • Business continuity
    • System development and maintenance
    • Compliance
  • Report describing the strengths and weaknesses found in all of the above activities with recommendations for short and long term improvements

Network Security Assessment

With all the news devoted to threats and incidents perpetrated by remote hackers abusing the Internet, the security of your internal trusted networks may not have been given all the attention it deserves. Properly implemented network security controls, both management processes and technology, are needed to thwart intentional attacks, to minimize unintentional mistakes by trusted insiders and to prevent unnecessary exposure of your valuable information assets.

SSG's Network Security Assessment focuses on the security controls implemented for your internal, trusted networks. The assessment will be custom designed to cover whatever system platforms, routers, bridges, switches, or other network components provide the security within your organization.

The technology review component consists of "intrusion tests" and configuration analysis to give you a thorough understanding of the strengths and weaknesses of your internal network components. The management review component consists of interviews with administrators and management and reviews of documented security policies, standards and processes. This provides you with insight into how your organization is prepared to handle the security of your trusted networks over time against potential threats from insiders or outsiders who get through your external security controls.

Range of Services

  • Review of your overall network design to determine how effectively it isolates untrusted outside networks from your internal, trusted networks and systems
  • Review of your internal network design to determine how it effectively isolates insiders based on their business function and need to access your organization's valuable information assets
  • Review of the security design of your selected internal network security components (routers, remote access servers, bridges, etc.) to determine if any functions provided by them could cause undesirable security exposures
  • Test designed to exercise the security components within the scope of the project in an attempt to gain unauthorized access to portions of your internal trusted network from the perspectives of a trusted insider or an outsider who has penetrated your external defenses
  • Comprehensive review of the security management controls for the included components covering:
    • Policy
    • Organization
    • Personnel
    • Asset classification and control
    • Physical security
    • Access control
    • Network and computer management
    • Business continuity
    • System development and maintenance
    • Compliance
  • Report describing the strengths and weaknesses found in all of the above activities with recommendations for short- and long-term improvements

Security Process Assessment

Do you have confidence that your security processes are as efficient and effective as you would like? Are the right IT security processes in place to protect the information that is critical to your business? Management processes and technology, working together, must cover all aspects of your business, including mechanisms used by hardware and software systems, networks, databases and human resource systems. SSG's Security Process Assessment will identify both strengths and weaknesses in your organization's IT security processes. When you are aware of the business exposures resulting from ineffective and inefficient security processes, you can begin to implement the changes that will provide the level of protection your business needs.

Compared to SSG's Security Health Check offering, this activity goes into sufficient depth to verify that each control selected has the right processes in place to implement the control. The review will be conducted against an agreed, predefined information security standard or code of practice using interviews with appropriate staff within the organization. SSG's security consultants will also verify the accuracy of the answers given by reviewing the actual processes and related documentation. This is done by inspecting examples of process deliverables or outputs provided by the individuals who are responsible for executing the processes being reviewed.

This controls assessment, at any given location, is designed to take four to six weeks depending on the number of processes selected from among more than seventy-five management controls contained in SSG's methodology. The breadth of the assessment can be corporate-wide, site by site, or for individual business units within your organization. Whatever scope you select, the results will provide you with business oriented recommendations for meeting your organization's security objectives with a repeatable assessment methodology.

Range of Services

  • Review of your organization's IT security processes and related documentation selected from the following ten management areas:
    • Policy
    • Organization
    • Personnel
    • Asset classification and control
    • Physical security
    • Access control
    • Network and computer management
    • Business continuity
    • System development and maintenance
    • Compliance
  • Analysis of the information from interviews with key managers and process owners against SSG's standards-based model
  • Final report of the strengths and weaknesses found with business-oriented recommendations for process changes that could improve the efficiency and effectiveness of your organization's security program

Privacy Strategy and Implementation

The proper handling of personal information is a rapidly increasing and important concern of individuals and governments. While conducting business with customers, suppliers and other entities, you may be having an impact on their privacy by the way that you handle personal information as part of your business transaction process.

SSG's Privacy Strategy and Implementation service will help you become aware of the privacy implications for your business as well as plan and execute responsible practices that meet or exceed emerging worldwide standards for managing personal information. We actively team with the people in your company who are responsible for handling customer and employee personal information. SSG privacy consultants will help you develop a combination of activities that will promote a high level of awareness and responsibility in making decisions concerning the initial and subsequent uses of sensitive data.

The anticipated time frame for carrying out the activities in this offering is approximately 2-3 months.

Range of Services

  • Construction of an Information Asset Profile which identifies the confidentiality, integrity and availability requirements of the key information assets within the company and flags those which have privacy implications
  • Preparation of a Privacy Data Profile which further explores targeted privacy data assets and compares them specifically against privacy requirements
  • Preparation of an Information Privacy Decision report that examines the likely company-wide impact on processes and systems of specific privacy solution recommendations. SSG's analysis tools may be used to expedite this process
  • Assistance with the creation or revision of your company's information privacy policies patterned after effective information privacy principles. This includes policies posted on Internet Web sites
  • Analysis of existing privacy processes within the company with recommendations to promote adherence to new company policies and practices

Phone Line Scanning

Phone Line Scanning identifies undocumented or uncontrolled modems connecting client computers directly to the external telephone network. These phone lines and modems are important because they may represent security holes in the organization's security perimeter.

Large organizations employ hundreds of dial-up lines for voice communication with customers, clients, suppliers and employees. As corporations computerize more of their activities, external phone lines and modems are used with increasing frequency to link internal computers with external computing resources. These external phone links, while useful, often represent an undocumented back door into the corporate information network.

Service Methodology

SSG scans all of the client's external phone lines by automatically dialing every known client phone number and checking for modem responses. When a modem is detected, the consultant attempts to establish a connection, identify the type of system present, and then gather information relating to exploitation of the detected system. In instances where a serious deficiency in security or unrestricted network access is detected, the consultant will inform the client contact immediately.

Please note this service can only be offered where permitted by law.

Client Deliverables

SSG will deliver an Analysis Report that contains an executive security overview, identification of undocumented dial-up entry points, and an assessment of the vulnerabilities of each entry point identified. The report will be delivered in bound hard copy and in electronic form on diskette in Microsoft Word compatible format.

Client Benefits

A Phone Line Scan helps the client identify and eliminate inappropriate computer or modem entry points to its internal systems and networks. The resulting tighter control over phone-line-based entry points will increase the client's control over its information systems perimeter, and may even help reduce telephone service costs. A Phone Line Scan will help the client improve its information perimeter controls, thus reducing risk and allowing it to conduct its business operations with increased confidence in its ability to protect valuable data, resources, and reputation.

Site Security Assessment


For maximum protection, your information security controls rely on physical security controls that may or may not be within your organization's management control. SSG's Site Security Assessment provides you with an in-depth review of the site security controls and processes used at your site or throughout your enterprise. This review will be conducted against your corporation's security standards, established SSG procedures and guidelines and a standards-based "best practices" baseline. Social engineering infiltration testing can also be included. The goal is to help you achieve a secure working environment for employees and other persons working at or visiting your facilities and to help you establish processes to ensure the protection of intellectual assets and protection of all site facilities.

In order to ensure a consistent assessment which can be used repeatedly to measure changes over time, the consultants will use as their model both SSG's own internal site security standards and a standards-based "best practices" model. The review is designed to take approximately two weeks for a typical location and will determine if:

  • Procedures have been implemented to ensure a secure business environment for all employees and other persons working in your facilities,
  • Emergency plans covering anticipated emergencies and catastrophes have been established, and plans adequately address the protection of people and assets,
  • Procedures have been implemented to report and analyze security incidents, bring them to closure, and prevent reoccurrence,
  • Effective management processes exist to protect proprietary information and assets from unauthorized disclosure, modification or misappropriation, and
  • Processes are in place to provide management with a validation that the security controls within the scope of this engagement are operating effectively.

Range of Services


  • Review of your organization's IT site security processes and related documentation in the following areas:
    • Physical security
    • Emergency planning
    • Incident management
    • Contract management
    • Information protection
  • Analysis of the information from interviews with key managers and process owners against your corporation's standards, SSG's own internal standards and a standards-based model of "best practices"
  • Final report detailing observations and recommendations made during the review, and a management presentation outlining identified strengths and weaknesses relating to site security processes and procedural compliance

System Security Assessment


As your IT infrastructure has changed and grown to meet the needs of your organization, chances are the responsibilities for security management of each system platform have been distributed to personnel who may not be full-time security professionals. In addition, your organization is probably dependent on a variety of sophisticated, add-on "middleware" components such as comprehensive office solutions from Lotus™ or Microsoft®, database servers, file and print servers, and application servers. These components typically require security management actions that are independent of the operating system platforms on which they operate.

SSG's System Security Assessment can help you identify vulnerabilities on your key internal operating system platforms (such as UNIX®, Windows NT™, etc.) and most core "middleware" components (such as Microsoft Exchange™, Lotus Notes®, DB2, CICS, MQSeries, Sybase, DCE, NetWare, CORBA, Tivoli™, etc.). Both technology and management controls are reviewed.

The technology review assesses each component's mechanisms for identification and authentication, access control, confidentiality, integrity, non-repudiation, audit and alert in the context of your organization's documented policies, standards and processes. The management review consists of interviews with administrators and management and reviews of documented security policies, standards and processes related to the components included in the scope of the review.

This provides you with insight into how well your organization is prepared to handle the security responsibilities of your infrastructure over time, against potential threats from insiders or from outsiders who get through your external security controls.

Range of Services


  • Review of the configuration files for each operating system and middleware component within the scope of the project to determine how each effectively allows authorized users access based on your security policy and prevents and detects unauthorized access attempts at all times
  • Comprehensive review of the security management controls for the included components covering:
    • Policy
    • Organization
    • Personnel
    • Asset classification and control
    • Physical security
    • Access control
    • Network and computer management
    • Business continuity
    • System development and maintenance
    • Compliance
  • Report describing the strengths and weaknesses found in all of the above activities with recommendations for short and long term improvements
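
As an added example of the configuration-file review described above (example code written for this page, not SSG's assessment tooling): an audit of a UNIX passwd(5) file against a small account policy, checking that access is granted only as the policy allows. The policy values, the rule wording and the sample passwd entries are all assumptions constructed for the example; a real review checks the policy and standards the client has actually documented.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Policy holds the account rules the review is performed against.
// These are assumed values for the example, not SSG's standards.
type Policy struct {
	SystemUIDMax  int             // UIDs at or below this belong to service/system accounts
	NoLoginShells map[string]bool // shells that deny interactive login
}

// Finding is one deviation from the policy, tied to the passwd line it came from.
type Finding struct {
	Line int
	User string
	Rule string
}

// auditPasswd reviews passwd(5)-format text against pol and returns every
// deviation found, in file order.
func auditPasswd(text string, pol Policy) []Finding {
	var findings []Finding
	firstOwner := map[int]string{} // uid -> first account seen with that uid
	for i, line := range strings.Split(strings.TrimSpace(text), "\n") {
		n := i + 1
		f := strings.Split(line, ":")
		if len(f) != 7 {
			findings = append(findings, Finding{n, line, "malformed entry: expected 7 colon-separated fields"})
			continue
		}
		user, pw, shell := f[0], f[1], f[6]
		uid, err := strconv.Atoi(f[2])
		if err != nil {
			findings = append(findings, Finding{n, user, "non-numeric UID"})
			continue
		}
		// An empty second field means no password at all; "x" or "!" means shadowed/locked.
		if pw == "" {
			findings = append(findings, Finding{n, user, "empty password field: no password required to log in"})
		}
		// Any UID 0 account is a full superuser, whatever it is named.
		if uid == 0 && user != "root" {
			findings = append(findings, Finding{n, user, "additional UID 0 account: full superuser rights"})
		}
		// Two accounts with one UID are indistinguishable to the kernel and in audit records.
		if uid != 0 {
			if other, seen := firstOwner[uid]; seen {
				findings = append(findings, Finding{n, user, fmt.Sprintf("UID %d shared with %s; audit trail cannot distinguish them", uid, other)})
			} else {
				firstOwner[uid] = user
			}
		}
		// Service accounts should not be usable for interactive login.
		if uid > 0 && uid <= pol.SystemUIDMax && !pol.NoLoginShells[shell] {
			findings = append(findings, Finding{n, user, "system account with interactive login shell " + shell})
		}
	}
	return findings
}

// defaultPolicy returns the assumed policy used by the example.
func defaultPolicy() Policy {
	return Policy{
		SystemUIDMax:  999,
		NoLoginShells: map[string]bool{"/usr/sbin/nologin": true, "/sbin/nologin": true, "/bin/false": true},
	}
}

// samplePasswd is a constructed /etc/passwd, not captured from a real system.
const samplePasswd = `root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:0:34:backup:/var/backups:/bin/sh
ftp::14:50:FTP User:/srv/ftp:/bin/sh
www:x:33:33:www-data:/var/www:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1000:1001:Bob:/home/bob:/bin/bash
corrupt:line`

func main() {
	for _, f := range auditPasswd(samplePasswd, defaultPolicy()) {
		fmt.Printf("line %d %-14s %s\n", f.Line, f.User, f.Rule)
	}
}
```

Each finding names the line, the account and the rule violated, which is the form the report needs: the reviewer can trace every weakness back to a specific configuration entry and the policy statement it contradicts.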

Architecture & Design

The development of the correct security and privacy environment is one of the most important investments a business will make. Our consultants and security architects will work with you to create the policies, standards and procedures that form the foundation for trusted e-business, as well as the security architecture and design specifications that best fit your requirements. Whether the focus is on secure solutions or on creating an enterprise-wide security approach, our services team will bring the most experienced and capable resources together to design and deliver the solution that best fits your requirements.

Security Process Development


Security policies and standards require clear, concise, well defined security processes to make them effective. SSG's experienced security specialists will help you define and document the processes which enable your security objectives to be realized. The processes will be developed based on your organization's predefined information security standards or a standards-based code of practice.

You may select the particular processes you want SSG to address or, alternatively, you may elect to have SSG first perform a comprehensive Security Process Assessment to help prioritize the areas your organization should focus on first for maximum benefit. The following are examples of security processes that can be customized for your organization as part of this offering:

  • Roles and responsibilities of security staff members
  • Classification and protection of information media
  • Employee awareness programs
  • Incident reporting and response
  • Enterprise-wide anti-virus measures
  • User and password management
  • Management self-assessment programs

In order to develop processes that meet your business objectives and can be implemented easily within your organization, SSG security consultants will first review and assess the security processes you have selected at one or more locations using an IT Process Model and a standards-based model of "best practices". The assessment will identify both the strengths and weaknesses in the processes as they are currently implemented. Using this information, SSG will define and formally document new processes that will meet your business needs for efficiency, effectiveness and adaptability by using a formal process management methodology.

Range of Services


  • Review of your organization's security policy, relevant standards and documentation for the selected processes
  • Assessment of your current processes (within the selected scope) in terms of effectiveness, efficiency and adaptability using an IT Process Model and a standards-based model of "best practices"
  • Formal process definitions using SSG's business process methodology. Each process definition will include the following information:
    • Purpose
    • Intended audience
    • Owner
    • Version number
    • Approval date
    • Revision history
    • Revision process
    • Process flow diagram
    • Supplier responsibilities
    • Customer responsibilities
    • Tasks
    • Quality controls

Internet Security Architecture


SSG's Internet Security Architecture is a project in which our security consultants analyze your organization's business and IT strategies to understand the objectives you hope to achieve via the Internet and provide security architecture principles that you can use to ensure your organization's assets are not compromised.

As your organization expands its services to take advantage of the global reach of the Internet, new security controls, both management processes and technology, will need to be deployed and securely managed. The global reach of the Internet can provide your organization with access to current customers, partners and suppliers or open new markets. However, it could also allow global access to your organization's private network. SSG's Internet Security Architecture deliverable will provide you with a comprehensive, standards-based framework for managing your organization's Internet security controls consistent with your business objectives.

Range of Services


  • Review of your organization's Internet business strategy and related security requirements
  • Review of your organization's IT strategy, current security concerns, and future security requirements as they relate to your Internet business strategy
  • Review and analysis of your organization's current security policy, standards and management processes against the needs of your organization's Internet business and IT strategies
  • Customized security architecture document which sets forth the security principles that will enable your organization to meet its security objectives as business needs change. The document will prescribe management controls related to:
    • Policy
    • Organization
    • Personnel
    • Asset classification and control
    • Physical security
    • System access controls
    • Network and computer management
    • Application development and maintenance
    • Business continuity
    • Compliance.
    In addition, the document will prescribe technology controls related to:
    • Identification and authentication
    • Access control
    • Confidentiality
    • Integrity
    • Non-repudiation
    • Security management

Security Policy Definition


Although information assets are specific to your business functions and business strategies, they may be grouped into broad categories such as those that need contractual and legislative compliance, those needing virus prevention, those critical to business recovery following security compromises, etc. SSG's Security Policy Definition offering investigates the requirements for information security and the associated priorities, and then creates a custom security policy that clearly demonstrates management's commitment to an enterprise security program.

SSG security consultants will team with your staff to develop a detailed work plan, and will continue working with them to ensure that all work performed satisfies your organization's needs. To ensure the policy developed during this activity meets your business needs and can be realistically implemented, SSG refers to its own internal corporate security program elements (e.g. corporate instructions and standards) together with "best practices" selected from industry standards for commercial environments, in areas such as:

  • Organization
  • Personnel
  • Physical controls
  • Asset classification and control
  • Network and computer management
  • Business continuity
  • Application development
  • Compliance

Based on information gathered from interviews with your key business and IT managers, SSG consultants will develop a corporate security policy that will contain, at a minimum:

  • Definition of information security with a clear statement of management's intentions
  • Explanation of specific security requirements, including:
    • Compliance with legislative and contractual requirements
    • Security education, virus prevention and detection, and business continuity planning
  • A definition of general and specific roles and responsibilities for the various aspects of your information security program
  • An explanation of the requirement and process for reporting suspected security incidents
  • The process, including roles and responsibilities, for maintaining the policy document

Range of Services


  • Review of your organization's business strategy and related security requirements
  • Review of your organization's IT strategy, current security concerns, and future security requirements
  • Review and analysis of your organization's current security policy and standards against the needs of your organization's business and IT strategies
  • Customized security policy document which will prescribe management's direction to guide your organization in meeting your corporation's security objectives according to its business needs

Secure Solution Design


When you provide a service to your employees, suppliers, partners or customers over the internet, you add new security risks to your organization. Even simple services, such as internet e-mail or publishing company information on a web server, potentially open new paths between the internet and your company's critical information and systems.

As the services you provide become more critical to your business, you might be more concerned that some "hacker" will cause disruption to your production systems or that your organization could be embarrassed. If critical information, such as financial data or product safety information, is altered by an unauthorized person, your organization could possibly be held responsible for damages. By integrating security into your e-business solutions from the start, you can minimize these risks and their potential effects.

With this offering, your team will work with experienced SSG Security Consultants to design a secure e-business solution that addresses your business needs in one or more of the following areas:

  • Simple Access
  • External Publishing
  • Private Publishing
  • Production Access
  • E-commerce
  • Collaboration
  • Hosting

SSG's comprehensive methodology will help you:

  • Understand the types of threats you might face,
  • Identify the resulting security requirements that are consistent with your organization's policies and standards,
  • Document the technology and process components you will need to implement to meet these requirements, and
  • Develop plans to implement your secure e-business solution

Range of Services


  • Review of your solution objectives and a categorization of the types of internet activities you plan to implement
  • Detailed review of your existing security policies and standards with respect to the new activities you plan to implement
  • Mapping of the security functions your organization requires to protect each activity based on your existing policies and standards
  • Identification of the solution scenarios that make up each activity and the functions and components for your security requirements
  • Customized document that describes:
    • Solution objectives, its security technology and process requirements
    • Recommended policy and standards changes
    • The solution architecture including diagrams and information flows
    • The function of each security component in the solution design
    • Estimate of the tasks, schedule, skills and resources required to implement and deploy the security components of your e-business solution

Security Standards Definition


The successful implementation of a security program relies on several factors, in addition to security technology, working together:

  • a clear demonstration of management's commitment, as documented in a corporate security policy;
  • security architecture principles that are consistent with the organization's business and IT strategies and are the basis for making business-oriented security decisions throughout the enterprise;
  • standards that promote consistent and effective implementations that adhere to corporate policy and security architecture; and
  • processes that enable efficient, effective and adaptable day-to-day operations.

SSG's Security Standards Definition offering investigates the requirements for information security and the associated priorities, and then creates custom security standards to serve as the cornerstones that direct the day-to-day operations of your security program.

SSG security consultants will team with your staff to develop a detailed work plan, and will continue working with them to ensure that all work performed satisfies your organization's needs. To ensure the standards developed during this activity meet your business needs and can be realistically implemented, SSG uses its own internal security standards together with "best practices" selected from industry standards for commercial environments, in areas such as organization, personnel, physical controls, asset classification and control, network and computer management, business continuity, and compliance.

Based on information gathered from interviews with your key business and IT managers, SSG consultants will use your existing security program documentation (policy, architecture, standards, guidelines, processes, etc.) as the base to customize a set of standards that will be appropriate for the business needs of your organization.

Range of Services


  • Review of your organization's business strategy and related security requirements
  • Review of your organization's IT strategy, current security concerns, and future security requirements
  • Review and analysis of your organization's current security policy and standards against the needs of your organization's business and IT strategies
  • Customized security standards documents which will serve to guide your organization in meeting its security objectives according to business needs. Each standard will contain sufficient information, according to your organization's existing format and level of detail, so that processes can be developed to meet the standards in day to day operations

Implementation

Implementing and integrating Security and Privacy solutions can be complex and resource intensive. SSG provides implementation services to help you minimize the costs of training new resources and re-missioning valuable skills. Our skilled services practitioners help you identify the best technology solutions, build prototypes, and perform the integration and test activities required to bring solutions securely online in your business. Our consultants and integration specialists have broad experience installing and integrating products from numerous security vendors, and a proven track record of successful engagements.

Public Key Infrastructure


Public Key Infrastructure (PKI) is the term generally used to describe the mechanisms, entities, policies, and relationships that are employed to retrieve cryptographic keys and to reliably associate public cryptographic keys with their owners. SSG professionals have a very high level of familiarity with the body of knowledge encompassed by these issues, as well as the related cryptography and encryption technologies used to effectively support them. They have the expertise to provide leadership to their clients in achieving the revenue potential and cost reductions these represent.

Service Methodology

  • Survey customer requirements and environment
  • Recommend a PKI architecture, policies, and procedures
  • Recommend PKI products
  • Provide a PKI implementation plan

Client Deliverables

  • PKI policies and procedures
  • PKI product recommendations
  • PKI implementation plan

Client Benefits

  • PKI supports VPN key management
  • PKI supports electronic commerce applications
  • PKI supports vendor / customer EDI

Security Product Selection


With the number of new security solutions being announced on a daily basis, the "right" solution for your needs depends on a wide variety of factors that go beyond traditional product functions and features. And, the initial product cost is usually the least significant variable in the total cost of solving a complex security problem. SSG's Security Product Selection offering systematically develops the total requirements that are important to your organization and analyzes them against available industry solutions in order to recommend the technical solutions that best fit the needs of your business, for the short and long term.

The successful implementation of complex security technology such as firewalls, single sign-on solutions, centralized security management products, and cryptographic services requires a thorough understanding of your business, technology and process requirements to help ensure that your selection will meet your expectations for efficiency, effectiveness and adaptability.

SSG security consultants will gather and prioritize your requirements, survey the market for the three products that meet the highest priority needs, and analyze the strengths and weaknesses of each possible choice relative to your particular needs. The process typically takes four to eight weeks. The range of requirement areas that are analyzed include:

  • Operational functions and services
  • Security officer functions
  • Security management functions
  • Performance
  • Ease of use
  • Flexibility and extensibility
  • Standards
  • Constraints
  • Vendor support
  • Terms and conditions

For firewall selections, there is an additional set of specific requirements that is typically considered.

In preparation for the selection process, you might elect to have SSG perform a high level Security Health Check or a more detailed Security Process Assessment to ensure the new technology will solve the business problem you want to address and that the controls needed to support the new technology can be put in place.

Range of Services


  • Interviews with key managers and process owners to detail and prioritize the business, technology and process requirements related to the product area under consideration
  • Survey of the market to select the three products that best meet your highest priority requirements
  • Detailed analysis of the top choices to determine the advantages and disadvantages of each, including alternatives to fill any unmet requirements
  • Final report presenting findings, conclusions and recommendations including resource, skill, process and organizational implications required for successful deployment of the technology

Virtual Private Networks


A Virtual Private Network (VPN) is a business-critical networking system that enables an organization to securely and reliably communicate with its offices, business partners, customers, and employees (both local and remote). It uses cryptography to provide a private channel between two or more closed, private networks using an insecure public network as its carrier. A VPN offers significant cost savings over multiple dedicated private communications links. More importantly, VPN technology enables new strategic initiatives and relationships, improved communications with key customers, and business reinvention - quickly, easily, and cost effectively. SSG professionals have an in-depth knowledge of the various components of a safe, yet effective VPN. This knowledge and experience supports client efforts to design, develop, and deploy VPNs to enable the dramatic improvements that are possible.

Included in this body of knowledge and experience would be:

  • Access Control
  • Architecture
  • Auditing
  • Authentication
  • Encryption
  • Key management
  • Scalability
  • Security models
  • Standards
  • Systems management
  • Third party IT governance
  • Trust relationships
  • User experience

Management

As your organization implements new e-business solutions, SSG Security and Privacy Services will help you understand the costs necessary to run and maintain your security investment. SSG provides a group of managed services to accommodate your needs. With these services, SSG partners with you to continually assess your exposure and provide the appropriate level of security on an ongoing basis.

Emergency Response Service


SSG's Emergency Response Service is designed to assist enterprises in establishing the right level of security and reliability to support e-business expansion. Whether it's protection from hackers, viruses, or internet intrusions, Emergency Response Service can provide you with sound yet cost-effective solutions to secure your business. Drawing on over 20 years of experience, the Emergency Response Service security team, combined with our ongoing, industry defining research, can help you reduce the security threats that exist today and in the future.