Information Security Consulting

In addition to our IT Audit services, TrustedTechPro® provides information security consulting services. These services help our clients assess, design, improve, and maintain their security posture. Our information security consulting services also help our clients comply with the increasing number of laws mandating the protection of information and information systems.

InfoSec Assessments

Risk and vulnerability assessments are both the first task and one of the repeated tasks of the security management life cycle. As an initial activity, these assessments determine the scope of security operations, identify needed improvements, and ensure least-cost, highest-benefit security operations. An effective initial risk assessment generally results in a plan of action to improve or change an activity safeguarding information resources.

Assessments are non-technical exercises to identify critical information resources and determine concerns about these resources. Assessments can be scoped to evaluate a specific organizational element or activity within an organization.

InfoSec Evaluations

Evaluations are technical in nature and focus on the security posture of existing technology. Evaluations provide an easy-to-understand view of the configuration of networks, network devices, servers, and clients. Information security evaluations can also be scoped to evaluate a specific organizational element or activity. As a repeated task, information security evaluations can help clients gauge the performance of their security program.

Security Design

Effective information security should be planned into systems at the same time that operational requirements are being developed. TrustedTechPro maintains knowledge of new and emerging technologies, helps you select from and integrate these technologies into your operations, helps you determine the appropriate security posture of these technologies, and ensures that the target security posture is maintained in the future. If you're having trouble managing your security posture effectively, these activities are likely to be the root cause.

Certification and Accreditation

Certification is an evaluation of an information system by independent persons. Accreditation is the informed decision by management to accept the risks identified in the certification process and to decide if operations of technology systems should commence or continue. General guidance regarding Certification recommends that the certifiers be organizationally independent of the team operating the targeted system. For systems that are mission critical or have a potential for significant liabilities, TrustedTechPro recommends that certifiers also be politically independent. Thus, TrustedTechPro will not certify systems we operate.

POA&M Coordination

Our experience in both IT Audit and Information Security has given us the right set of knowledge and skills to help you develop and manage Plans of Action and Milestones (POA&Ms). If you are implementing or upgrading your POA&M process, we can help review existing processes to identify gaps and improvement opportunities, define requirements, and drive development of an improved POA&M framework tailored to your business needs. We will identify options and present alternatives and recommendations for tool sets, products, or technology investments. We will leverage defined standards, policies, and industry best practices to determine requirements for program definition and to establish a framework including policies and procedures for the full life-cycle of POA&M management.

If you have a successful POA&M program but would like to outsource, we can communicate effectively to work collaboratively with diverse stakeholders including auditors, business units, and information technology and security staff to support remediation plans. We can assist with the generation of Waivers, Exceptions, POA&M closures, and Authorization packages. We can provide guidance and subject matter expertise to stakeholders to find classification, remediation plans of action, resource needs, and POA&M ownership.