MCGlobalTech, 1325 G Street, NW, Suite 500, Washington, D.C. 20005. Phone: 202.355.9448. Email: info@mcglobaltech.com. www.mcglobaltech.com

An organized, enterprise-wide approach to managing your security risks that allows you to prioritize your security efforts and maximize your return on security investment.

Mission Critical Global Technology Group: Enterprise Information Security Management For Commercial Businesses

MCGlobalTech Commercial Cybersecurity Capability Statement


About MCGlobalTech

Mission Critical Global Technology Group (MCGlobalTech) is an Information Security and IT Infrastructure Management Consulting firm founded by industry leaders who combine decades of experience in industries such as finance, health care, manufacturing, insurance, education, federal, state, and local government agencies.

The Principals at MCGlobalTech have provided Information Security services to private sector industries, state, and federal government agencies for over 25 years. MCGlobalTech provides security services and solutions to solve a myriad of complex security challenges facing our clients. Through our corporate and personal work experiences and the extensive experience of our partners, MCGlobalTech delivers leading-edge, cost-effective security solutions to meet any budgetary requirements.

Our mission is to be a trusted provider of information technology services and solutions with core competencies in cybersecurity, information assurance, security engineering, risk management, and security program and project management. Our proven methodologies and scalable solutions help our clients achieve maximum return on their investment.

At MCGlobalTech, we believe that strong values create long-term relationships with our customers, employees, partners, and the communities we serve. At the heart of everything we do, our corporate values are:

• Providing customer satisfaction
• Delivering innovative solutions
• Empowering staff for success
• Maintaining technical excellence

MCGlobalTech consultants provide a number of innovative services and solutions to produce a comprehensive risk-based protection strategy to protect our clients' data and mission critical systems. By partnering with MCGlobalTech, you can be assured of a tailored security program that fits your unique business requirements instead of a cookie-cutter, canned solution. MCGlobalTech also partners with other service providers such as industry-focused corporations, technology vendors and security organizations to enhance and balance our portfolio of services.


Protecting Your Business With A Better Security Program

Why You Need a Security Program

News reports of major security breaches across government and commercial industries are a constant reminder of the threats facing organizations large and small. As business leaders, you must ensure your organization's assets are adequately protected against internal threats such as disgruntled employees and external threats such as hackers and malicious software. These assets include your mission critical data, the systems used to store, process, and transport information, and the employees that utilize and depend on these systems. To do this in a cost-effective, efficient, effective, and proactive manner, you need a strong enterprise information security management program.

A security program provides the framework for addressing security threats and establishing, implementing, and maintaining an acceptable level of risk to your organization's assets and operations as determined by executive leadership. There is no "one size fits all" in security. The scope, scale, and complexity of your security program must be driven by your organization's unique business and security needs and security tolerance level. A security program also allows you to examine your organization holistically and:

• Identify, classify, and categorize your assets that need protecting
• Identify and evaluate threats to those assets
• Identify and assess where those assets are vulnerable to evaluated threats
• Manage the resulting risks to those assets through mitigation, transference, avoidance and acceptance

   

Current State of Security Management

The reality is that all organizations are doing something with respect to security. However, without a formal security program, your organization, like many others, will continue to respond to network intrusions, data breaches, system failures, and other security incidents in an ad-hoc and reactive manner. The organization will be positioned to respond to individual incidents, thereby not spending unnecessary time, money, and other resources to address the symptoms rather than the root cause which is usually the lack of an enterprise-wide approach to "identifying and managing" your security risks that allows you to prioritize your security investments and efforts.

[Figure: Identify, Evaluate, Assess, Manage]


The Case For a Holistic Approach

According to HP's 2015 Cyber Threat Report, for almost half of the companies that suffered cyber attacks in 2014, the attacks were the result of unpatched software or systems. This may cause an affected company to launch an aggressive patching initiative. While applying security patches and fixes to vulnerable applications and servers is definitely needed, having unpatched systems in your network is merely a symptom of a systemic problem that could include lack of proper security oversight, policies, procedures, risk management, security architecture, employee training, etc., all of which, if properly implemented, could have contributed to preventing the breach and the resulting cost of dealing with it. Unless all of those elements are addressed, your organization will continue to ricochet from one security incident to the next. Security vendors and service providers are more than willing to sell you point solutions to deal with any subset of technical security challenges, but as business managers across industries and sectors face increasing threats and decreasing budgets, you can ill afford to continue down that path.

Factors That Affect Your Security Program

In addition to business needs and drivers, additional factors that significantly impact your organization's approach to security and privacy are laws, regulations, and industry standards. These include the Sarbanes-Oxley Act (SOX), Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act (FISMA), Payment Card Industry Data Security Standard (PCI DSS), and others, depending on your specific industry. An Enterprise Security Program takes into account your organization's compliance requirements and protects against the risks of penalties and fines due to non-compliance.

Security Program Standards and Best Practices

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) provide recommendations for information security program management (ISO/IEC 27002). Other common security frameworks include National Institute of Science and Technology (NIST), Control Objectives for Information and Related Technology (COBIT), Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the HiTRUST Common Security Framework (CSF). Regardless of which framework you employ, it must be tailored to fit your organization's business model, operations, and technology environment.

Components of an Enterprise Information Security Management Program

Regardless of industry sector or organization size, there are five components that are the foundation of any security program:

• Designated Security Leadership
Security within an organization is everyone's responsibility. However, your organization must designate a security officer or manager to lead, implement, and manage the security program. This is a requirement for most security regulations and standards, with some requiring that this role be at the executive management level. Your security leader should have the authority and support to champion the cause of security as a business driver and enabler from the boardroom to the operations floor.

• Security Policy Framework
Your security policy documents include your organization's leadership goals for managing security risk and protecting the organization's assets. Your policy framework also includes standards, procedures, and guidelines that govern the implementation of the security program across all business units and functions. The policy framework should be reviewed and updated periodically to ensure it keeps pace with the ever-changing regulatory compliance requirements, business operations, and technology landscape.

• Risk Management Framework
Your security program must continuously assess threats and vulnerabilities in order to identify, measure, and prioritize risks to the organization's assets that must be managed. Periodic enterprise risk assessments must be performed to include security penetration testing of security procedures and controls and employee security awareness and practices.

• Security Architecture and Operations
An enterprise security architecture enables your organization to implement necessary technology infrastructure that maximizes return on security investments (ROI) and minimizes risk. A layered approach to applying security controls allows you to protect your data, applications, systems and networks. Security event monitoring and response allows your organization to efficiently detect and mitigate security incidents that lead to data breaches, system downtime and network intrusions.

• Security Awareness and Training Program
A security awareness program and role-based security training are essential to educating your employees about their roles and responsibilities in helping to maintain a strong security posture. Users are often considered the "weakest link" in an organization's security controls; however, users that are trained and equipped with the tools needed to perform their duties securely are your first line of defense against security threats.

   

   


 

MCGlobalTech Enterprise Information Security Management Service

The MCGlobalTech Enterprise Information Security Management (EISM) service helps protect organizations against security threats, regulatory non-compliance, and financial losses through the effective implementation and/or enhancement of the five components of an effective security program as outlined above. Our EISM methodology leverages common security frameworks including ISO, NIST, COBIT, and COSO to measure the maturity of your current security management program. This includes a comprehensive assessment of your security policies, security organization structure, asset management, personnel security, physical and environmental security, security operations, security architecture and technology, business continuity preparedness, and security compliance.

[Figure: Security Program Components. Labels: Security Leader (a designated security officer or manager); Governance Team; Security Policy Framework (standards, procedures and guidelines); Risk Management Framework (identify, measure and prioritize risks); Security Architecture and Operations (data, applications, systems and networks); Security Awareness and Training Program (educating your employees).]


How MCGlobalTech Helps You Protect Your Business Through Better Security

• Security Leadership
The most effective security programs are focused on supporting the overall business goals of the organization. MCGlobalTech's Security Management Subject Matter Experts bring decades of expertise leading security programs and initiatives to advise and support your leadership team to better understand the business loss potential and make pragmatic decisions about "how to invest" in making security improvements or fixes.

Our Leadership Advisory Services include:

➢ CISO/CIO Advisory Services
➢ Virtual CISO Support
➢ Enterprise Information Security Program Assessment
➢ Security Leadership Training

• Security Governance
MCGlobalTech's Security Governance and Compliance Subject Matter Experts protect your organization from the risk of hefty monetary fines, penalties, negative branding, loss of public confidence, etc. due to non-compliance with the complex maze of federal, state, and industry regulations affecting your organization. We help you create the necessary framework of policies, standards, and best practices that ensure your business and IT operations meet your regulatory requirements, industry standards, and best practices, and promote not only security and privacy but also efficiency, reflecting your organizational goals, mission, and commitment to security.

Our Security Governance and Compliance Services include:

➢ Enterprise Security Governance Document Development and Review
➢ Enterprise Security Policies Framework Development and Review
➢ Compliance Readiness Audits
➢ Operational Governance and Compliance Support

• Security Risk Management
MCGlobalTech's Security Risk Management (SRM) program incorporates industry standards, such as NIST and ISO 27001, and proven best practices from our dozens of risk assessment engagements to effectively address both technical and non-technical business security risks. Our SRM program provides our clients with a means to enhance systems security and operational performance and facilitate informed decision-making. The SRM program is a metrics-based program that identifies, quantifies, and analyzes potential risk indicators and mitigation performance throughout the operational life cycle in an iterative approach: before, during, and after. The SRM program's principal goal is to protect the client and its ability to perform its mission, not just its IT assets. Additionally, MCGlobalTech's SRM program coordinates the synchronization of potential impairment to operations with effective levels of security controls and mitigation measures. The SRM program allows for developing risk management policies, ensuring risk policy compliance, monitoring risk mitigation effectiveness, and prioritizing and managing enterprise-wide security risks to include interdependencies through a consolidated risk mitigation plan that enables effective resource utilization (funding and time sensitivity).

Our Security Risk Management Services include:

➢ Risk Management Strategy Development and Implementation
➢ Enterprise Vulnerability and Risk Assessments
➢ Technology Infrastructure Security Assessments
➢ Vulnerability Management and Penetration Testing
➢ Continuous Security Monitoring

• Security Architecture and Engineering
MCGlobalTech's Security Architects employ proven "defense-in-depth" strategies to achieve specific risk-driven security objectives across the IT enterprise through the implementation of technical security solutions. Our approach integrates security controls into the multiple business enterprise layers rather than taking a vendor-centric, siloed, whack-a-mole approach that addresses individual weaknesses as discovered. These security objectives are determined at the enterprise level as part of an overall enterprise architecture framework. A subset of these high-level objectives would include:

➢ Authentication – Identifying and verifying all users and systems
➢ Segmentation – Separating network traffic, systems, and data according to risk
➢ Access Control – Restricting access to sensitive systems and data
➢ Encryption – Protecting confidentiality of data and communications
➢ Threat Detection/Mitigation – Identifying and reacting to system and network threats

To achieve these objectives, our security engineers implement best-of-breed security solutions to protect client business data and the systems used to process, store, and transport them. An effective layered defensive posture requires that these solutions and controls be implemented at the Network, Host, Application, and Data layers. These solutions include:

➢ Packet filtering firewall with stateful inspection
➢ Application layer firewalls with payload inspection
➢ Proxy servers/appliances
➢ Network segmentation
➢ Network and Host Intrusion detection and prevention
➢ Network and Host anti-virus detection
➢ Content monitoring and filtering
➢ Mobile device management
➢ Privileged identity management
➢ Patch management
➢ Network, System, Application least privilege access controls
➢ Data and Network encryption
➢ Data integrity monitoring and loss prevention

• Security Training and Awareness
MCGlobalTech offers information security and compliance training to business leaders and staff to help them better protect their critical data and systems against the ever-evolving threat and regulatory landscape. Our training program provides custom security presentations and briefings tailored to your unique business operating environment and requirements.

Our Security Training Services include:

➢ Executive Information Security Briefings
➢ Security Program Management Training
➢ Risk Management Training
➢ End User Security Awareness Training
➢ HIPAA Compliance Training
➢ PCI-DSS Compliance Training
➢ FISMA Compliance Training
➢ Security Professional Development

MCGlobalTech Security Management Service Delivery Model

Using our proven four-phased service delivery model of assessment, planning, implementation, and monitoring (APIM), we provide full EISM life-cycle support for your organization. We help you develop, implement, maintain, and improve a security program tailored to the specific needs of your organization.

Our model is flexible and customizable to meet your organization's unique security program management needs. Working with your executive leadership team allows us to help you guide investments in IT and security to more closely align with business and mission goals and priorities while increasing ROI and decreasing business risk. We do not simply focus on point solutions and services that may simply address immediate challenges. By working at the management and programmatic levels of an organization, we are able to identify weaknesses in IT infrastructure and security management that are the root cause of many of the more common IT and security problems such as service outages, failed technology investments, data breaches and regulatory compliance penalties.


   

     

 

 

Each phase of the EISM Service Delivery Model is designed around your specific organizational goals, challenges and culture. As your strategic security advisors, MCGlobalTech partners with you every step of the way.

Phase 1: Assessment
Our engagements typically begin with a full assessment of the organization's information security program and/or IT infrastructure management. This includes a review of your policies, processes, procedures, required standards, people and technologies. We assess your information security, IT infrastructure and compliance risk. Following each assessment engagement, we provide you with a detailed gap analysis that documents areas of weaknesses and recommendations for remediation.

 


Phase 2: Planning
The planning phase is especially crucial to the success of initiatives involving integrating new procedures, technologies or operational processes into your environment. Many IT and security initiatives fail due to a lack of proper planning that takes into consideration organization culture, capabilities and operational realities. We work with all stakeholders across your organization to create an efficient, operationally feasible and priorities-driven remediation and improvement plan of action based on the results of the assessment and leadership prioritization.

Phase 3: Implementation
During this phase, we manage the successful implementation of your approved plan of action to improve and mature your organization's compliance readiness, enterprise security program, and IT infrastructure management. We help develop appropriate policies, effective procedures and practices, staff and management training, and expertise and capability augmentation. Leveraging our strategic partnership network, we help drive and manage new technology integration and infrastructure migration. We help you implement business-focused, cost-effective mitigation strategies for risks identified during the assessment engagement.

Phase 4: Monitor
Our Continuous Monitoring phase includes an ongoing combination of performance monitoring, security assessments, awareness training, metrics reporting, and executive advisory services. We partner with your organization's leadership to ensure continuous improvement of IT infrastructure and security management. We help you ensure that mission critical decisions regarding your IT and security are aligned with your organizational strategic goals.

Improving Your Security Program Reduces Risks to Your Organization

A mature security program will help your organization maintain focus and mitigate organization-wide risk associated with information security. It will also help your organization identify and comply with government regulations, industry standards, and best practices associated with your business, its credibility, and any data or electronic assets it has guardianship over. Your security program will enable you to meet the security requirements of your clients and customers and your contractual obligations, while mitigating the risk of adverse legal action being levied against you or your organization. This is paramount for protecting your organization's most important IT infrastructure, data, brand, and reputation.

Contact MCGlobalTech today at info@mcglobaltech.com for a free EISM Quick Assessment to give you a high-level view of how well your organization manages security risks and implements the critical components of a security program.