PAYMENT CARD INDUSTRY (PCI) ASSESSMENTS | VULNERABILITY ASSESSMENTS | INSIDER THREAT | COMPLIANCE AND SECURITY CONTROL ASSESSMENTS | RISK ASSESSMENTS | APPLICATION ASSESSMENTS | 3RD PARTY ASSESSMENTS | CURRENT-STATE/FUTURE-STATE | EMERGING TECHNOLOGIES
JANUS has been assisting organizations with cybersecurity and compliance testing and assessments since 1988. We are a vendor-neutral company that is well known and respected for our objectivity, on-time delivery, flexibility, and excellence in service. For close to three decades we have advised many of the most widely recognized government agencies, commercial enterprises, and not-for-profits helping them fulfill their assessment needs.
We use carefully thought-through methodologies for the many types of assessments in demand today. Our clients comment regularly about the high quality of our results, our flexibility in dealing with their needs, and our goal of making our customers’ lives as issue free as we can. We also focus intensely on emerging technologies to further the changing security IT needs of our clients.
Examples of several of the types of assessments often requested include the following:
Payment Card Industry (PCI) Assessments
PCI requirements are very strict and require skilled assessments, as well as remediation experts to guide you through the regulations. Preparing for PCI certification can be a daunting and time-consuming task. Organizations that do not undertake preparatory work often do poorly and fail the actual audit process. JANUS can assist you by looking at all aspects of your credit card processing environment in advance of an audit to get you ready and by helping you remediate deficiencies that would lead to a failing grade and no certification. Our staff is expert on the requirements as well as technology and processes that meet the PCI Council’s regulatory requirements for any level of PCI compliance or in meeting your quarterly ASV scanning obligations. We have assisted many organizations with PCI projects and we can become your “one-stop” vendor to achieve PCI compliance by easing your management needs and taking over the time-consuming tasks inherent with complying with the PCI directive.
Understanding specific vulnerabilities and problems that might allow someone to compromise your systems is a rapidly growing need in today’s computing environment. While your own staff may run scans, conduct in-house tests, and perform assessments, there is no equal to having an objective 3rd party examine the current state of your security implementation. JANUS employs full-time senior level personnel who are experienced consulting specialists to examine your systems, applications, and networks for what are often highly subtle exposures. JANUS’ well-developed methodology, derived from nearly three decades of experience, provides detailed results that both management and technical staff can understand and provides a path to remediation based on your priorities.
Insider threat attacks have become one of the most prevalent attack vectors, and it’s estimated that in excess of 50% of all attacks come from within. These threats are comprised of 3 general categories: Malicious Intent, Unintended Negligence, and User Error. Any one of these can seriously impact your daily operations, and create problems with clients, end users, brand reputation, and government authorities.
Malicious Intent typically is a result of angry or terminated employees. Most organizations do not actually know if they have angry employees, but the odds are that someone in your enterprise feels slighted or overlooked. Employee theft of intellectual property and sensitive internal data present a clear and present danger of how employees will strike when disgruntled, leaving and/or gathering information for potential future use. To make matters worse, terminated employees are often inadvertently left with access to systems and data that should have been disabled.
Unintended Negligence can occur when creating new systems and applications. Implementing an application without sufficient security controls in place is one of the most common ways for business to inadvertently open access into an organization’s data. A lack of understanding or clear requirements for secure design practices, coupled with carelessness or an imperfect implementation of Agile software development methodologies can lead to unintended data access and control weaknesses. System misconfigurations, poor patch management and the use of default accounts and passwords by system and network administrators can also lead to unintended exposure.
User Error represents a high percentage of insider threats. Many successful data exfiltration incidents are the result of external attackers preying on internal users to unwittingly provide them with access to sensitive information through email phishing schemes. Some of these types of attacks, such as spear phishing, are targeted towards a specific individual, organization or business with the intent to steal data. Miscreants may also attempt to install malware on a targeted user’s computer. Another error often made by insiders is the sending of controlled data to unintended recipients through email, electronic or hardcopy media.
JANUS can help you address insider threat concerns by creating an Insider Threat Program (ITP) for your enterprise. This comprehensive program deters, detects, and mitigates actions by insiders who may represent a threat to your enterprise. Our program methodology first and foremost ensures that access controls are adequate for specific personnel or roles. It also prevents insiders from accessing data that they shouldn’t, stops escalation of privileges without authorization, defeats insertion of thumb drives and other types of mass storage devices, locks down physical workstations, and looks at other activities germane to your specific environment. JANUS will scope out a program of identification and assessment that clearly defines what type of weaknesses exist and where those vulnerabilities are. We will then work with you and your team to define and enable controls over each of the identified areas, and help you create policies and procedures that won’t cripple your daily operations.
Contact us today to learn how a JANUS insider threat program can assist you by anticipating issues, addressing dangerous or damaging conditions, and mitigating vulnerabilities prior to an incident.
Compliance and Security Control Assessments
Developing and maintaining an effective regulatory compliance program has never been more complicated or more critical. Every regulation such as HIPAA, IRS, FERPA, ISO, NERC, NIST, and PCI has its own special set of requirements and specific assessments. Failure to properly meet them can result in civil penalties for your organization and even possible criminal repercussions for your senior management team.
Enterprise risk assessments examine your environment from the perspective of how much risk your current technical implementation and businesses processes introduce into your daily operations. Regulators recognize the value of an enterprise risk approach, and see it as a requirement for a well-controlled organization and most compliance requirements such as HIPAA, Sarbanes-Oxley, PCI, NIST, FFIEC, and NERC CIP require periodic assessments. JANUS staff understands the various types of threats that may be prevalent, what the probabilities are that those threats may actually impact your business, and what the outcomes might be to your operations if they occurred. We help you understand how to mitigate and/or remediate so that your risk profile fits your business risk tolerance and your business objectives.
Application assessments are an often overlooked aspect of cybersecurity. It is important to remember that applications are designed and written by programmers who often have not learned how to code securely, or do not think about security. Security has not been a mainstream element of what they do; they are programmers, not security experts. In other cases, older applications were written long before security was a major concern and the result is that these applications may be broadly subject to exploitation. Unfortunately for most organizations, newer applications can also suffer from constantly changing coding issues that leave them vulnerable to attack. To complicate matters more, users are often forced to rely on the word of the software developer. Developers rarely discuss the security of their code, even when pressed to do so. JANUS understands application security and can work with you to assess the cyber-hygiene of your applications, their strength and weaknesses, and if they can withstand today’s enormous security pressures from attackers. Using advanced methods, client applications are tested to applicable standards and best practices.
Conducting an application security assessment gives you a realistic view of how secure your application is or isn’t. Testing your applications allows you time to think carefully about what type of remediation you might want to implement, rather than being rushed into a quick solution as the result of an incident or loss.
3rd Party Assessments
You know your IT security is strong, but what about your 3rd party partners? How good is their security? Some of the largest data breaches to-date (think Target, AT&T, Cal State U.) have been as a direct result of 3rd parties. Today, partners are increasingly demanding that you prove that the security of you and your partner’s environments is not only sufficient, but meets best practices and compliance requirements. Many organizations are demanding independent 3rd party assessments to prove that you can be a trusted partner. Successfully passing an independent 3rd party information security assessment confirms quality of your infrastructure and data controls. JANUS can assist you in reaching those goals as well as compliance with HIPAA, PCI, FISMA, SSAE16 SOC 1 or SOC 2, or any other standards and regulations to which you are subject. We can also help you verify the security of 3rd party applications in your partner environments or the Cloud, as well as hardware deployments. JANUS has worked with a wide range of clients providing 3rd party risk assessments that focus on all the leading standards in the world, or simply leading practices, and providing clear, detailed results on the state of the controls as well as what remediation tasks will improve them, if needed. We can also assist you to set up and manage a program that examines your vendors on a regular basis and ranks them in order of their security and compliance quotients, thus allowing you to know who is serious about protecting you and your business, and who may not be.
How well does your IT organization respond to today’s changing needs? In most organizations, IT evolves through a series of incremental changes driven less by a strategic vision and more often by the requirements of near term projects, daily operations, and available skills. Mature IT organizations are often resistant to strategic change when it disrupts the familiar order which may be protected by entrenched interests. Even if the change is for the best; it is often viewed as too difficult, and therefore undoable. Current State/Future State Assessments overcomes these barriers by providing an independent and objective assessment of how your IT organization operates compared with industry specific leading practices. JANUS meets with your executive team to review how your IT environment operates, pointing out opportunities for new revenue, potential cost savings and enhanced Return on Investment (ROI) in addition to improvements in the technology itself and needed security measures. We also analyze the challenges your organization is likely to face over the next few years’ and how your IT organization can evolve in ways that are cost justified, and that can be realistically implemented to meet your organization’s strategic requirements.
As your organization prepares to embrace new and emerging technologies you also need to consider the security implications of those technologies on your infrastructure, people, and data. New concepts are often not appropriately secure since their developers are usually focused on bringing the technology to market. Security in many cases is an afterthought, or not properly implemented due to a lack of knowledge and expertise. JANUS subject matter experts focus on how emerging technology affects your enterprise through Cloud services, web applications, mobile accessibility, Internet of Things, and any other new technology. We are available to assist you by determining what security issues may exist within these environments before they can have a potentially negative effect on daily business operations and your overall business.