PAYMENT CARD INDUSTRY (PCI) ASSESSMENTS | VULNERABILITY ASSESSMENTS | COMPLIANCE AND SECURITY CONTROL ASSESSMENTS | RISK ASSESSMENTS | PENETRATION TESTS | APPLICATION ASSESSMENTS | 3RD PARTY ASSESSMENTS | CURRENT-STATE/FUTURE-STATE | EMERGING TECHNOLOGIES
JANUS has been assisting organizations with information security needs since 1988. We are a vendor neutral company that is well known and respected for our objectivity, on-time delivery, flexibility, and excellence in service. For close to three decades we have advised many of the most widely recognized government agencies, commercial enterprises, and not-for-profits helping them fulfill their assessment needs.
We use carefully thought-through methodologies for the many types of assessments in demand today. Our clients comment regularly about the high quality of our results, our flexibility in dealing with their needs, and our goal of making our customers’ lives as issue free as we can. We also focus intensely on emerging technologies to further the changing security IT needs of our clients.
Examples of several of the types of assessments often requested include the following:
Payment Card Industry (PCI) Assessments
PCI requirements are very strict and require both skilled assessment and remediation experts to guide you through the regulations. Preparing for PCI certification can be a daunting and time-consuming task. Organizations that do not undertake preparatory work often do poorly and fail the actual audit process. JANUS can assist you by looking at all aspects of your credit card processing environment in advance of an audit to get you ready, and by helping you remediate deficiencies that would lead to a failing grade and no certification. Our staff are experts in the requirements, as well as in the technology and processes, that meet the PCI Council’s regulatory requirements for any level of PCI compliance, and in meeting your quarterly ASV scanning obligations. We have assisted many organizations with PCI projects, and we can become your “one-stop” vendor for achieving PCI compliance by easing your management needs and taking over the time-consuming tasks inherent in complying with the PCI directive.
Vulnerability Assessments
Understanding the specific vulnerabilities and problems that might allow someone to compromise your systems is a rapidly growing need in today’s computing environment. While your own staff may run scans and conduct in-house tests, there is no equal to having an objective 3rd party examine the current state of your security implementation. JANUS employs full-time, senior-level personnel who are experienced consulting specialists to examine your systems, applications, and networks for what are often highly subtle exposures. JANUS’ well-developed methodology, derived from nearly three decades of experience, provides detailed results that both management and technical staff can understand, and provides a path to remediation based on your priorities.
Compliance and Security Control Assessments
Developing and maintaining an effective regulatory compliance program has never been more complicated or more critical. Every regulation, such as HIPAA, IRS, FERPA, ISO, NERC, NIST, and PCI, has its own special set of requirements, and failure to properly meet them can result in civil penalties for your organization and even possible criminal repercussions for your senior management team.
Risk Assessments
Enterprise risk assessments examine your environment from the perspective of how much risk your current technical implementation and business processes introduce into your daily operations. Regulators recognize the value of an enterprise risk approach and see it as a requirement for a well-controlled organization; most compliance regimes, such as HIPAA, Sarbanes-Oxley, PCI, NIST, FFIEC, and NERC CIP, require periodic assessments. JANUS staff understand the various types of threats that may be prevalent, the probabilities that those threats may actually impact your business, and the outcomes your operations might face if they occurred. We help you understand how to mitigate and/or remediate so that your risk profile fits your business risk tolerance and your business objectives.
Penetration Tests
Performing a penetration test of some or all of the components of your network helps you focus on what security exposures someone can cause, either from the Internet or as a user who is able to circumvent his/her intended access to reach confidential information. JANUS will help you determine the specific types of problems that exist so you can better understand what types of remediation you need to undertake. Internal and external testing are specialty areas at JANUS, and testing incorporates a variety of tools that JANUS carefully manages as technology advances. JANUS has also developed a set of proprietary tools, and these are used in conjunction with industry-standard tools to yield maximum results for your specific infrastructure and applications. Once a possible exposure is identified, manual analysis is performed to provide you with a dual-pronged approach designed to yield a high level of accuracy, detail, and insight into the security issues of your environment. Manual exploitation also helps minimize false positives that your staff would otherwise need to investigate.
Application Assessments
Applications are designed and written by programmers who often have not learned how to code securely, or do not think about security. Security has not been a mainstream element of what they do; they are programmers, not security experts. In other cases, older applications were written long before security was a major concern, and the result is that these applications may be broadly subject to exploitation. Unfortunately for most organizations, newer applications can also suffer from constantly changing coding issues that leave them vulnerable to attack. To complicate matters further, users are often forced to rely on the word of the software developer. Developers rarely discuss the security of their code, even when pressed to do so. JANUS understands application security and can work with you to assess the cyber-hygiene of your applications, their strengths and weaknesses, and whether they can withstand today’s enormous security pressures from attackers. Using advanced methods, client applications are tested against applicable standards and best practices.
Conducting an application security assessment gives you a realistic view of how secure your application is or isn’t. Testing your applications allows you time to think carefully about what type of remediation you might want to implement, rather than being rushed into a quick solution as the result of an incident or loss.
3rd Party Assessments
You know your IT security is strong, but what about your 3rd party partners? How good is their security? Some of the largest data breaches to date (think Target, AT&T, Cal State U.) have been a direct result of 3rd parties. Today, partners are increasingly demanding that you prove that the security of your and your partners’ environments is not only sufficient, but meets best practices and compliance requirements. Many organizations are demanding proof that you have successfully passed an independent 3rd party information security assessment that has determined the quality of your infrastructure and data controls. JANUS can assist you in reaching those goals, as well as in complying with HIPAA, PCI, FISMA, SSAE16 SOC 1 or SOC 2, or any other standards and regulations to which you are subject. We can also help you verify the security of 3rd party applications in your partner environments or the Cloud, as well as hardware deployments. JANUS has worked with a wide range of clients, providing 3rd party risk assessments that focus on all the leading standards in the world, or simply on leading practices, and providing clear, detailed results on the state of the controls as well as what remediation tasks will improve them, if needed. We can also assist you in setting up and managing a program that examines your vendors on a regular basis and ranks them in order of their security and compliance quotients, thus allowing you to know who is serious about protecting you and your business, and who may not be.
Current-State/Future-State Assessments
How well does your IT organization respond to today’s changing needs? In most organizations, IT evolves through a series of incremental changes driven less by a strategic vision and more often by the requirements of near-term projects, daily operations, and available skills. Mature IT organizations are often resistant to strategic change when it disrupts the familiar order, which may be protected by entrenched interests. Even if the change is for the best, it is often viewed as too difficult, and therefore undoable. A Current-State/Future-State Assessment overcomes these barriers by providing an independent and objective assessment of how your IT organization operates compared with industry-specific leading practices. JANUS meets with your executive team to review how your IT environment operates, pointing out opportunities for new revenue, potential cost savings, and enhanced Return on Investment (ROI), in addition to improvements in the technology itself and needed security measures. We also analyze the challenges your organization is likely to face over the next few years and how your IT organization can evolve in ways that are cost-justified and that can be realistically implemented to meet your organization’s strategic requirements.
Emerging Technologies
As your organization prepares to embrace new and emerging technologies, you also need to consider the security implications of those technologies for your infrastructure, people, and data. New concepts are often not appropriately secured, since their developers are usually focused on bringing the technology to market. Security in many cases is an afterthought, or is not properly implemented due to a lack of knowledge and expertise. JANUS subject matter experts focus on how emerging technology affects your enterprise through Cloud services, web applications, mobile accessibility, the Internet of Things, and any other new technology. We are available to assist you by determining what security issues may exist within these environments before they can have a negative effect on daily business operations and your overall business.