Corporate and Services Overview

FRSecure Sales Deck


Page 1: FRSecure Sales Deck

Corporate and Services Overview

Page 2: FRSecure Sales Deck

• About Us

• Information Security Explained

• The Need for Information Security

• Information Security Assessment Overview

• Information Security Assessment Deliverables

• Full-Service Consulting

Presentation Topics

Page 3: FRSecure Sales Deck

• What’s in it for them?

• What’s in it for you?

• Preliminary Assessment

• Who else do we work with?

• Where can you find us?

• What’s the bottom line?

Presentation Topics (cont.)

Page 4: FRSecure Sales Deck

• Formed in 2008, FRSecure LLC is a full-service information security consulting company dedicated to information security education, awareness, application, and improvement. FRSecure helps clients understand, design, implement, and manage best-in-class information security solutions; thereby, achieving optimal value for every information security dollar spent.

• Regulatory and industry compliance is built into all of our solutions.

• Over 50 successful assessments performed in the past 18 months

About Us

Page 5: FRSecure Sales Deck

• EVAN FRANCEN, CISSP, CISM

• President

• Over 15 years as a leading information security professional and corporate leader in both private and public companies

• Well versed in governmental and industry-specific regulations, standards and guidelines including ISO/IEC 27002 (17799:2005), HIPAA, GLBA, PCI-DSS, FDA CFR Part 11, SOX and COBIT

• Active participant in numerous information security trade associations including ISACA, ISSA, and ISC2

About Us

Page 6: FRSecure Sales Deck

At FRSecure, our job is to find risks, and we’ve been helping businesses of all sizes and industries for more than 15 years. Our clients include well-known names in:

● Banking

● Insurance

● Accounting

● Health care

● Legal

● Data storage

● Mortgage

● Printing

● And more.

About Us

Page 7: FRSecure Sales Deck

Information Security Explained

Fundamentally, Information Security is:

The application of Administrative, Physical and Technical controls in an effort to protect the Confidentiality, Integrity, and Availability of Information.

“Effective information security requires the assessment and accounting for all risks to information in all of its forms throughout the enterprise. Anything less results in wasted resources and the increased likelihood of catastrophic loss.” – Evan Francen

Fundamentally, information security is NOT:

• An IT issue; it is a business issue

• Compliance-based; it is risk-based

Page 8: FRSecure Sales Deck

Information Security Explained

Administrative Control Questions

• Do you have formal information security policies? If so, do your policies adequately cover all areas of information security?

• How are your information security policies communicated to employees and relevant 3rd-parties?

• Do you have a defined review schedule for your information security policies?

• Has your organization defined a formal risk assessment methodology?

• Does your organization conduct background checks on potential employees prior to hire?

• Do you have an acceptable use policy?

• Do you have a formal information security awareness training program?

Page 9: FRSecure Sales Deck

Information Security Explained

Physical Control Questions

• Has a risk assessment of physical security been performed?

• Should your company utilize a multi-tiered approach to physical security?

• Have you developed a physical security policy?

• How are public areas in and/or around your facility monitored?

• How is roof access at your facility secured?

• Do you log the date, time of entry, and time of departure of visitors, contractors, and third-party personnel?

• How do you prevent unauthorized access to office spaces?

• How do you prevent unauthorized access to restricted areas?

• What access controls are implemented for office spaces?

Page 10: FRSecure Sales Deck

Information Security Explained

Technical Control Questions

• What are the minimum encryption key strength requirements?

• Is your network adequately segmented and controlled to prevent unauthorized access to sensitive information resources?

• What types of devices and technologies are used to control the flow of network traffic; especially between different “security zones”?

• Has your organization deployed one or more external applications?

• Which ports and services are allowed to remain enabled on network devices?

• How do you ensure that patches are consistently applied to all devices, applications, and systems?

• What types of authentication mechanisms are used to establish a wireless connection?

Page 11: FRSecure Sales Deck

Information Security Explained

In an effort to protect:

Confidentiality – Ensuring information is disclosed to, and reviewed exclusively by, intended recipients / authorized individuals

Integrity – Ensuring the accuracy and completeness of information and processing methods

Availability – Ensuring that information and associated assets are accessible, whenever necessary, by authorized individuals

The opposite of C.I.A. is D.A.D. (Disclosure, Alteration and Destruction)

Page 12: FRSecure Sales Deck

The Need for Information Security

• It’s the Law

  • Sarbanes-Oxley Act of 2002

  • Gramm–Leach–Bliley Act (GLBA)

  • FDA CFR Title 21

  • Computer Fraud and Abuse Act

  • Various state and local laws

• Protect intellectual property (IP)

• Protect Financial Data

• Protect Personally Identifiable Information (PII)

• Protect other “Confidential” Data

  • Clinical trial data

  • Safety data

  • Regulatory filings

Record counts cited on the slide: 94,000,000 records; 8,500,000 records; 130,000,000 records

Page 13: FRSecure Sales Deck

The Need for Information Security

In the news…

Page 14: FRSecure Sales Deck

The Need for Information Security

The consequences of insufficient security

• Many times the victim is you, the individual

• Loss of competitive advantage

• Compromised customer confidence; loss of business

• Identity theft

• Embarrassing media coverage

• Equipment theft

• Service interruption

• Legal penalties

Page 15: FRSecure Sales Deck

FRSecure performs an Enterprise Information Security Assessment to determine:

• what type of information you need to protect,

• the risks related to how you are currently using and protecting information;

• and how to best proceed in reducing risks.

Information Security Assessment Overview

Page 16: FRSecure Sales Deck

The FRSecure Information Security Assessment:

• Comprehensive – We review and assess all of your current physical, administrative, and technical protections.

• Standardized – Our assessment is based on and mapped to the ISO 27002 (17799:2005) international standard

• Compliant – Comprehensive enough to satisfy all major industry and regulatory requirements including GLBA, HIPAA, SOX, and various state laws

• Functional – The results from our assessment are easily understood and our recommendations are functionally sound

Information Security Assessment Overview

Page 17: FRSecure Sales Deck

How do we assess their current environment?

We walk through as many as 3000 aspects of your information security program with you during our assessment. Our questions are tailored around the specific information that you need and want to protect. We focus our questions in these main areas:

• Security Policy Management

• Corporate Security Management

• Organizational Asset Management

• Human Resource Security Management

• Physical Security Management

• Environmental Security Management

• Compliance Management

• Communications Management

• Operations Management

• Information Access Control Management

• Information Systems Security Management

• Information Security Incident Management

• Business Continuity Management

Information Security Assessment Overview

Page 18: FRSecure Sales Deck

What do you get from an FRSecure Information Security Assessment?

– Executive Summary

  • Overview of most significant risks

  • High level mitigation plans

– Technical Specification

  • Detailed documentation of all findings, including risks, risk ratings, and mitigation strategies

– Action Plan*

  • Detailed risk mitigation plan

*We don’t just tell you what’s wrong and leave you to figure out how to fix it.

Information Security Assessment Deliverables

Page 19: FRSecure Sales Deck

How do we help you implement the action plan?

We determine the areas where we can make simple, low cost changes that will improve security significantly. We then plan and coordinate the larger changes needed to fully implement the security plan.

We act as your Information Security department, if needed. We create policies and procedures, as well as help with training and corporate acceptance.

Once the Action Plan is complete, typically 6-12 months, we will do a second Assessment to show that your environment is now adequately secure.

Implementing the Action Plan

Page 20: FRSecure Sales Deck

A full accounting of FRSecure’s Services:

• Information Security Assessment

• Information Security Program Development

• Information Security Management

• Penetration Testing

• Business Continuity Planning

• Incident Response

• Training & Awareness

• Legal Expert Witness and Testimony

Full-Service Consulting

Page 21: FRSecure Sales Deck

Information Security Assessment

An independent and objective assessment of your current information security program.

We have a keen understanding of practical information security in business, not just theory and academics. FRSecure personnel average more than 10 years of direct information security experience. The reasons for conducting an information security assessment range from just wanting to know where you stand to satisfying compliance requirements. FRSecure information security assessments are specifically customized to meet (or exceed) your objectives and provide you with valuable, actionable information. Most of our information security assessments are based on the ISO 27002 international standard.

Full-Service Consulting

Page 22: FRSecure Sales Deck

Information Security Program Development

Cost-effective and customized information security program development that reduces risk and improves efficiency.

In order to maximize your information security investments, you need to take a formal, risk-based approach. FRSecure has developed cost-effective information security programs for companies of all shapes and sizes, public and private, in a variety of industries. Over the years we have gained a tremendous amount of experience, and this experience has led to principles that guide each one of our information security development projects. Most organizations know that they need to do something in regards to information security, but don’t have the expertise to implement a program themselves.

Full-Service Consulting

Page 23: FRSecure Sales Deck

Information Security Management

Leverage years of expertise without the tremendous expense that can accompany it.

An information security professional on par with those employed by FRSecure can be costly and unaffordable for many companies. After factoring in salary, benefits, bonuses, and office space, an experienced information security professional can cost as much as $180,000 annually. FRSecure saves our clients money by using our proven approach to information security management.


Full-Service Consulting

Page 24: FRSecure Sales Deck

Penetration Testing

An active evaluation or assessment of your information security controls.

You have taken the time and spent the money in an effort to protect your information assets, but how secure are you? How effective are your controls? The only true way to be sure that your controls are effectively protecting your information assets is to test them. Expert engineers who understand current, real-world threats conduct our penetration testing services. Before we start any penetration test, we take the time to understand your goals and objectives and then customize an approach to maximize your value.


Full-Service Consulting

Page 25: FRSecure Sales Deck

Business Continuity Planning

Planning that keeps your business in business if bad things happen.

The wrong time to find out that your business continuity plan is ineffective is when you have to use it. Good business continuity planning keeps your business up and running through interruptions of any kind: power failures, IT system crashes, natural disasters, supply chain problems and more. FRSecure business continuity planning has helped our clients avoid disaster when disaster strikes.

Full-Service Consulting

Page 26: FRSecure Sales Deck

Incident Response

Professional assistance in helping you respond appropriately to an information security incident.

Any good information security professional will tell you that it is impossible to stop all threats to your information security assets. Realized threats must be detected promptly and responded to systematically. A poor incident response can be more costly than the incident alone. FRSecure has responded to hundreds of incidents, which has led to minimized financial impact, improved processes, and thorough investigations leading to civil and/or criminal prosecutions.


Full-Service Consulting

Page 27: FRSecure Sales Deck

Training & Awareness

Effective training and awareness programs proven to improve employee compliance with your requirements.

Another fact: people present the most significant risks to your company’s information assets. Poor information security practices are a common cause of breaches. One of the best investments you can make in regards to information security is in the area of employee training and awareness. FRSecure has developed and delivered over a thousand hours of information security training for our clients.

Full-Service Consulting

Page 28: FRSecure Sales Deck

Legal Expert Witness and Testimony

Making a case is difficult enough, but making a case without the right expertise is nearly impossible.

We are not lawyers, but we help lawyers understand information security related matters and decipher the facts involved in their cases. We help lawyers win cases for their clients.


Full-Service Consulting

Page 29: FRSecure Sales Deck

• Have you done a SAS70 or are you being asked to perform one?

• Are you in a regulated industry?

• Has a valued client ever asked you to answer an information security questionnaire?

• Do you have a formal information security program?

• Do you have problems getting executives or employees to buy into your information security ideas, changes, or programs?

• Do you have regular training for employees regarding securing information?

• Do you already know that there are holes, but you don’t know what to do about them?

• What percentage of your time is spent on information security? What should it be?

• What information security challenges do you currently face?

• How would you announce a sensitive information breach to the public?

• How confident are you that your data protection is what it should be?

Good Questions to Ask

Page 30: FRSecure Sales Deck

Experts that act as their Information Security Department or CSO (Chief Security Officer)

Signoff on regulatory compliance issues

Signoff on client required security audits

Ability to add additional sales channels

Competitor differentiation

Knowledge that they’re doing everything they can to protect their business.

What’s in it for them?

Page 31: FRSecure Sales Deck

Revenue Sharing

• 10% of all realized revenue will be paid as a commission for all revenue generated within 1 year of the original SOW.

• This commission will be paid as 1099 income for any business you refer us.

Sub Contracting

We can also be included in a project as a sub contractor. In this case, we will quote you our cost, and you can mark up as appropriate.

What’s in it for you?

Page 32: FRSecure Sales Deck

We offer a free Preliminary Assessment to any prospective client. A Preliminary Assessment includes a short questionnaire and a 30 minute phone conference with one of our experts.

The goal of this Preliminary Assessment is to find out if there is information that needs to be protected, as well as establishing credibility within their organization.

Preliminary Assessment

Page 33: FRSecure Sales Deck

In order to help our clients address specific needs that are outside of FRSecure’s core business, we have established partnerships with respected organizations that we are pleased to work with and refer to.

Who else do we work with?

With more to come!

Page 34: FRSecure Sales Deck

FRSecure is actively participating online through our Web site, blog, and social media sites.

• Web: http://www.frsecure.com

• Blog: http://www.breachblog.com

• Facebook: http://www.facebook.com/frsecure

• Twitter: http://www.twitter.com/frsecure

• LinkedIn: http://www.linkedin.com/company/frsecure-llc

Coming soon – Redesigned blog and podcasts

Where can you find us?

Page 35: FRSecure Sales Deck

FRSecure is the best solution for you to assess your information security needs, address those needs and partner with you for the future.

Questions? Contact Us – [email protected] or http://www.frsecure.com

It’s not just protecting your information. It’s protecting your business.

What is the bottom line?