Service Offerings - Overview


Introduction

Business information requires sustainable confidentiality (obtainable only by those authorized), integrity (accurate and viable), and availability (accessible when needed).


The needs of the business and the controls necessary to preserve these requirements are defined in the Information Security Management (ISM) process of Service Design and are enacted across Service Transition, Service Operations, and Continual Service Improvement in the Information Technology Infrastructure Library (ITIL, v3.0) framework.


Driven by business need and regulation, organizations invest in standalone security technologies, or in security functions embedded in other technology, to enforce these controls; those investments in turn require continual management and maintenance.


Important Data Breach Metrics

Sustaining the confidentiality, integrity and availability of business information is a great challenge for many organizations. Threats and vulnerabilities are numerous and ever-changing. Threats are increasingly sophisticated and dynamic, evolving to evade detection by traditional point security technologies. Vulnerabilities are often created through poor development, weak standards, improper integration and misuse.


The graphic displayed here contrasts how often attackers are able to compromise a victim in days or less (light grey, top line) with how often defenders detect compromises within that same time frame (dark grey, bottom line). In 60% of cases, attackers are able to compromise an organization within minutes.


Beyond proactively addressing vulnerabilities, organizations need to sustain a capability for rapid detection and containment to minimize losses. Failure to quickly detect threats often leads to incidents of higher exposure, broader impact and more costly recovery.

Source: Verizon 2015 Data Breach Investigations Report


Furthermore, progressive regulation and industry initiatives have levied unfunded reporting and operational processes upon many industries. Among these requirements, logs must be reviewed and recorded periodically. In many cases, log information is retained for long periods so that it is on hand for regulators and auditors.


Rapid detection, quick response, containment, log review and reporting are just a few of the things that happen within an Information Security Management System (ISMS). You have people, process and technology, combined with vision, steering and culture. Then there is the question of scope, the percentage of the security control deployment within that scope, and the quality and effectiveness of each security control. All of these have to be integrated in order for business goals and objectives to be met.


The Information Security Management System (ISMS)

Every organization needs to have an Information Security Management System (ISMS) that is well aligned with international standards and frameworks, such as:


  1. ISO 27001:2013 (ISMS Specification)

  2. ISO 27002:2013 (ISMS Control Guidance)

  3. ISO 27035:2011 (Security Event Management & Incident Response)

  4. NIST Cybersecurity Framework

  5. CIS Top 20 Critical Security Controls

  6. Payment Card Industry – Data Security Standard (PCI-DSS v3.1)

  7. ISO-20000-1:2011 (ITSM Specification)

  8. ISO-20000-2:2012 (ITSM Control Guidance)

  9. ITIL v3 (IT Infrastructure Library)


Did you know that CompuCom’s legacy work led to the development of the world's first compendium of information security controls back in the early nineteen eighties?




These controls led to the development and publishing of British Standard BS-7799, which then became ISO/IEC-17799, and today these controls have morphed into ISO/IEC-27001:2013 and ISO/IEC-27002:2013, which are the international standards that everyone turns to for specification requirements and implementation guidance on information security.



Graphic: The High-Level Information Security Management System (ISMS) Process


The ISMS implements a formalized process and activities optimized to assure the identification of business risks and the execution of steps to avoid, minimize, mitigate, or accept these risks.


CompuCom has designed the service offerings of our Professional Services Security Consulting Practice around the high-level ISMS process activities. These offerings are designed to help align our clients' ISMS with their legal, regulatory and contractual requirements, their risk management and risk appetite, and their business goals and objectives.



Want to hear more details about the security service offerings?


Andrew R. Reese


Mobile: (717) 395-3063


Links to more detail:

  1. My CV Overview

  2. Security Tips

  3. My Security Pledge

  4. Security Practice