Data Flow Analysis

Security Management Partners will follow the path of information through the client's business, in paper and electronic formats, throughout its life cycle and work to determine the existence and accuracy of data classification.

Employing interviews and observations, SMP will assess the controls in place to protect information, taking into account best practices and applicable regulations, and make recommendations to improve security and meet business requirements.

Digital Forensics & Investigative Services

Using investigative protocols derived from law enforcement standards, SMP works with you to retrieve evidence properly and to analyze data so that it can be used as evidence in a court of law.

The need to protect customer and company data has become increasingly important. Maintaining reputation and avoiding costly legal battles are just two critical concerns. Today, organizations must not only identify and stop improper use of information and systems; they are often challenged to investigate further to obtain digital evidence. Such investigations demand specialized skills that often exceed in-house expertise.

Security Management Partners provides the forensic expertise necessary to appropriately collect and examine key electronic evidence. Our forensic consultants apply disciplined investigative techniques to identify the source, contain it, and gather the related evidence. We help you react quickly, effectively, and in an orderly, consistent manner.

Digital Forensics

Using leading digital forensic tools, the SMP team works to provide the most comprehensive analysis available. After assessing an individual client's needs and the situation at hand, we use our technology and expertise to identify relevant data and acquire forensic copies of it, preserving the original environment so that the evidence remains admissible. Once SMP has located the data source relevant to the situation, our team analyzes the information collected to confirm or rule out the suspected breach and provides support through any subsequent legal proceedings. SMP's digital forensic work can be combined with any of our other services to meet additional client needs.

The SMP Solution

SMP's forensic services include the identification, acquisition and subsequent examination of key pieces of electronic data. Our investigators proceed in a manner that gives you and your legal team evidence able to withstand challenges, in any legal proceeding, to the methodology used in its preservation, collection, analysis, and presentation.

SMP keeps a careful record of each step taken in an investigation. Every detailed investigation is accompanied by an extensive report supporting the evidence we uncover and the conclusions we draw from it. We can supply this report and its evidence addenda in a variety of formats to suit the client's needs. SMP's previous investigations at financial institutions, hospitals and corporations have involved:

  • Evidence/data acquisition, preservation, recovery, analysis, and reporting
  • Intellectual property theft
  • Computer misuse
  • Corporate policy violation
  • Embezzlement
  • Harassment
  • System intrusion and compromise
  • Encrypted, deleted, and hidden files recovery
  • Illicit pornography
  • Confidential information leakage
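The acquisition and preservation steps described above (hash the original, copy it, confirm the copy matches, and log every action taken on the item) in working form. This is an added example, not SMP's tooling or procedure: the JSON-lines custody log and its field names, the item identifier, the examiner name and the sample evidence file are all this example's own constructions.

```python
"""Hash-verified evidence acquisition with a chain-of-custody log.

Added example (not SMP's tooling). Assumes the evidence item is a single
file; the JSON-lines log format and its field names are this example's own.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def file_digests(path, chunk_size=1 << 20):
    """Return SHA-256 and MD5 hex digests of a file, read in chunks."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return {"sha256": sha256.hexdigest(), "md5": md5.hexdigest()}


class CustodyLog:
    """Append-only record of every action taken on an evidence item."""

    def __init__(self, log_path):
        self.log_path = log_path

    def record(self, item_id, action, actor, digests, note=""):
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "item": item_id,
            "action": action,
            "actor": actor,
            "sha256": digests["sha256"],
            "md5": digests["md5"],
            "note": note,
        }
        with open(self.log_path, "a") as fh:
            fh.write(json.dumps(entry) + "\n")
        return entry

    def entries(self):
        if not os.path.exists(self.log_path):
            return []
        with open(self.log_path) as fh:
            return [json.loads(line) for line in fh if line.strip()]


def acquire(source, image_path, item_id, actor, log):
    """Copy the evidence file and prove the copy matches the original.

    The source is hashed before copying and the copy afterwards; the copy is
    accepted only when both digests agree, so a bad copy is caught now rather
    than when the evidence is challenged.
    """
    before = file_digests(source)
    log.record(item_id, "hash-source", actor, before, note=source)
    shutil.copyfile(source, image_path)
    after = file_digests(image_path)
    if after != before:
        raise RuntimeError("image does not match source; acquisition failed")
    log.record(item_id, "acquire", actor, after, note=image_path)
    return after


def verify(image_path, item_id, actor, log):
    """Re-hash the working copy and compare it with the acquisition digest."""
    acquired = [e for e in log.entries()
                if e["item"] == item_id and e["action"] == "acquire"]
    if not acquired:
        raise LookupError(f"no acquisition record for {item_id}")
    current = file_digests(image_path)
    ok = current["sha256"] == acquired[-1]["sha256"]
    log.record(item_id, "verify", actor, current,
               note="match" if ok else "MISMATCH")
    return ok


def demo():
    """Acquire a constructed evidence file, verify it, then detect tampering."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "mailbox.pst")   # constructed sample evidence
    image = os.path.join(workdir, "mailbox.pst.img")
    log = CustodyLog(os.path.join(workdir, "custody.jsonl"))
    with open(source, "wb") as fh:
        fh.write(b"From: alice@example.com\nSubject: Q3 forecast\n" * 1000)

    acquire(source, image, "ITEM-001", "examiner", log)
    intact = verify(image, "ITEM-001", "examiner", log)      # True

    # Overwrite the first byte of the working copy; the next verify must fail.
    with open(image, "r+b") as fh:
        fh.write(b"X")
    tampered = verify(image, "ITEM-001", "examiner", log)    # False
    return intact, tampered, log.entries()
```

Two digests are recorded because opposing experts may ask for either; the comparison that matters is SHA-256. The log is append-only on purpose: a verification that fails is recorded as a MISMATCH entry rather than overwriting the acquisition record, so the history of what was checked, by whom and when, survives.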


    Disaster Recovery Planning & Audit

    As FEMA says in its Ready.gov guidance on IT disaster recovery planning, “Businesses large and small create and manage large volumes of electronic information or data. Much of that data is important. Some data is vital to the survival and continued operation of the business. The impact of data loss or corruption from hardware failure, human error, hacking or malware could be significant. A plan for data backup and restoration of electronic information is essential.

    An information technology disaster recovery plan (IT DRP) should be developed in conjunction with the business continuity plan. Priorities and recovery time objectives for information technology should be developed during the business impact analysis. Technology recovery strategies should be developed to restore hardware, applications and data in time to meet the needs of the business recovery.”

    The SMP Solution

    To better prepare clients should disaster strike, the SMP team offers audits and assessments that guide recovery planning and execution. Examining regulations, best practices and the effectiveness of existing plans, SMP uses the audit findings to help clients develop and maintain plans that ensure preparedness and a working incident response.

    HITECH & HIPAA Security Rule Assessment

    The basic purpose of the Health Insurance Portability and Accountability Act’s (HIPAA) Security Rule is to protect the confidentiality, integrity, and availability of electronic protected health information (EPHI) when it is stored, maintained, or transmitted.

    The final HIPAA Security Rule requires each covered entity to assess its own security needs and risks and then devise, implement, and maintain appropriate measures as business decisions. Each entity must balance its resources and business requirements against the risks to EPHI. The growing number of state and federal regulations, including MA 201 CMR 17, the Red Flag Rules, and the HITECH Act, has added even greater complexity to these decisions.

    The SMP Solution

    Information security plays a major role in compliance. SMP recommends that a covered entity or business associate begin with an EPHI Infrastructure Assessment that allows us to gather information about your entity’s information management and technology baselines and the controls related to information security.

    The intent of an EPHI Infrastructure Assessment is to develop a preliminary summary of your organization's information systems and its use of electronic information (including EPHI), and to understand the relationship of your organization's IT security posture, both present and future, to your business needs. Through interviews, direct observation, and review of documents, SMP establishes the organization's current state of compliance with the regulation. This is followed by further tests (listed below) to confirm that the reported controls are in place and working correctly.

    As part of SMP’s deliverable, we identify gaps and detail risks to information assets. Our report establishes a baseline against which progress towards HIPAA and all regulatory compliance can be measured. It assists in prioritizing and setting realistic targets, and it recommends steps to reduce each risk.

    Additional testing may include:

    • Internal Assessment
    • External Assessment
    • Wireless Assessment
    • Application Assessment
    • Regulatory Compliance Review including HIPAA, HIPAA2, MA 201 CMR 17, Red Flag Rules, HITECH Act

    HIPAA Assessment in Action

    Read a case study showing how Security Management Partners and Cape Cod Healthcare partnered in a HIPAA Assessment to develop a preliminary summary of the organization's information systems, use of electronic information (including EPHI) and current and future security posture vis-à-vis its business needs.

    Incident Response

    Organizations must react to potential information security breaches quickly and in an orderly manner. Disciplined investigative techniques are necessary to determine if a breach has occurred, to contain the breach, to identify its source, to gather evidence, and to offer recommendations to improve systems and practices.

    The SMP Solution

    A security breach requires a planned organizational response. Security Management Partners incident response experts will:

    • Help your company develop incident response plans, including definitions of what constitutes an incident and what the proper response is
    • Minimize damage
    • Identify and preserve the chain of custody for evidence from what may be a crime scene
    • Investigate the root causes of a computer incident
    • Help you plan and train staff and, in the event of a breach, respond, recover and package data for civil or criminal redress

    Incident Response Retainer Program

    SMP offers organizations a retainer contract that allows the client to accrue hours each month that can be applied when an incident occurs. At the end of the contract, if the client hasn’t used all of the hours stipulated in the contract those hours are considered “banked.” The client has an additional 12 months to apply those hours to any of SMP’s other IT audit and assessment services. Learn more about this program.

    IT Risk Assessment

    State and federal mandates require your organization to protect against unauthorized access or use of customer information that could result in substantial harm or inconvenience to any customer. As such, you must not only consider risk to the business entity, but also risk to your non-public customer information.

    In general, an IT risk assessment must be sufficient in scope to:

    • Discover reasonably identifiable threats from within and outside an institution’s operations that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems
    • Discover reasonably foreseeable threats due to the disposal of customer information
    • Examine the existing security controls to evaluate their sufficiency and identify any weaknesses which could put customer information at risk

    IT risk assessment is the process used to identify and understand risks to the confidentiality, integrity, and availability of information and information systems.

    The SMP IT Risk Assessment Methodology identifies the value and sensitivity of information and system components and then balances that knowledge with the exposure from threats and vulnerabilities.

    An IT Risk Assessment provides a foundation for the remainder of the security process by guiding the selection and implementation of security controls and the timing and nature of testing those controls. Testing results provide evidence as to whether or not the selected controls are achieving their intended purpose; and testing results can also be used to validate the basis for accepting risks.

    SMP’s IT Security Risk Assessment methodology includes three phases:

    Gather Information. The first step in the process of identifying and understanding risk requires the analysis of a wide range of information relevant to the particular institution’s risk environment. Information gathering generally includes:

    • Reviewing system asset inventory to identify where data resides and is transmitted
    • Determining threats to those assets
    • Identifying organizational vulnerabilities
    • Identifying technical vulnerabilities
    • Reviewing current controls and processes (logical and physical)
    • Mapping controls to regulatory requirements (GLBA, for example)
    • Ensuring there is a program to review and update this process

    Analyze Information. This second step requires an analysis of all information gathered and includes:

    • Identifying and measuring threats (threat scenarios) to the system and to the data it processes, stores, and transmits
    • Estimating the likelihood of each threat occurring
    • Cross-referencing vulnerabilities against current controls to identify where controls are adequate and where they are lacking
    • Ranking data and system components by their sensitivity and importance to the organization's operations, taking into account the potential harm to customers from unauthorized access to or disclosure of customer non-public personal information

    Prioritize Responses. The final step in the process generally includes:

    • Ranking the outcome and probabilities from the various threat scenarios produced in the analysis phase
    • Flagging threats that will be mitigated and those whose risk will be accepted
    • Creating a deliverable with findings and recommendations for improvement of any identified weaknesses
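    The three phases above reduced to a small risk-register calculation: assets, threats, vulnerabilities and controls are gathered, each scenario's residual risk is computed from likelihood, sensitivity and control effectiveness, and the scenarios are ranked and flagged for mitigation or acceptance, with a control-to-requirement mapping to expose gaps. This is an added example, not SMP's methodology or a tool it uses: the 1-to-5 likelihood and sensitivity scales, the control-effectiveness factor, the acceptance threshold, the requirement tags and the sample data (a hypothetical small financial institution) are all this example's own assumptions.

```python
"""Risk register: gather assets, threats and controls; analyze likelihood and
impact against controls; prioritize and flag mitigate vs. accept.

Added example, not SMP's methodology. The scales, weights, threshold,
requirement tags and sample data below are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    sensitivity: int            # 1 (public) .. 5 (customer non-public personal information)
    regulations: tuple = ()     # regulations that apply to this asset, e.g. ("GLBA",)


@dataclass
class Control:
    name: str
    effectiveness: float        # 0.0 (absent or ineffective) .. 1.0 (fully mitigates)
    requirements: tuple = ()    # regulatory requirement tags this control satisfies


@dataclass
class ThreatScenario:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int             # 1 .. 5, chance the threat exploits the vulnerability
    controls: list = field(default_factory=list)

    def inherent_risk(self):
        # Impact is driven by the asset's sensitivity, likelihood by the threat.
        return self.likelihood * self.asset.sensitivity

    def residual_risk(self):
        # Each control independently removes a share of the remaining risk.
        remaining = 1.0
        for c in self.controls:
            remaining *= 1.0 - c.effectiveness
        return round(self.inherent_risk() * remaining, 2)


def prioritize(scenarios, accept_below=5.0):
    """Phase 3: rank scenarios by residual risk and flag mitigate or accept."""
    ranked = sorted(scenarios, key=lambda s: s.residual_risk(), reverse=True)
    return [
        {
            "asset": s.asset.name,
            "threat": s.threat,
            "vulnerability": s.vulnerability,
            "inherent": s.inherent_risk(),
            "residual": s.residual_risk(),
            "decision": "accept" if s.residual_risk() < accept_below else "mitigate",
            # Controls listed for the scenario but too weak to rely on.
            "weak_controls": [c.name for c in s.controls if c.effectiveness < 0.5],
        }
        for s in ranked
    ]


def unmapped_requirements(scenarios, required):
    """Phase 1 control mapping: requirements that no in-scope control satisfies."""
    covered = {r for s in scenarios for c in s.controls for r in c.requirements}
    return sorted(set(required) - covered)


def sample_register():
    """Constructed sample data for a hypothetical small financial institution."""
    customer_db = Asset("customer account database", 5, ("GLBA",))
    laptops = Asset("loan officer laptops", 4, ("GLBA",))
    web_server = Asset("public marketing site", 1)

    encryption = Control("full-disk encryption", 0.9, ("encryption",))
    access_review = Control("quarterly access review", 0.6, ("access controls",))
    logging = Control("privileged activity logging", 0.5, ("monitoring",))
    patching = Control("monthly patching", 0.6)
    validation = Control("input validation", 0.0)   # claimed in policy, absent in practice

    return [
        ThreatScenario(customer_db, "external attacker", "SQL injection in online banking", 4, [validation]),
        ThreatScenario(customer_db, "insider", "excess privileges", 3, [access_review, logging]),
        ThreatScenario(laptops, "theft", "lost or stolen laptop", 4, [encryption]),
        ThreatScenario(web_server, "defacement", "unpatched CMS", 3, [patching]),
    ]
```

    On the sample data the SQL injection scenario ranks first (inherent 20, no effective control, flagged mitigate), the insider scenario is accepted at a residual of 3.0 once the access review and logging are credited, and the mapping step reports that no in-scope control addresses the "disposal" or "training" tags, which is exactly the kind of gap the deliverable should call out. The multiplicative treatment of controls is a simplification; a real register would also weigh detection versus prevention and whether a control has actually been tested.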

    Specific to application risk assessments, SMP evaluates the existing security posture of applications and systems that represent potential areas of compliance concern. We evaluate the existing process for accuracy and completeness and report our findings.


    Massachusetts/MA 201 CMR 17 Privacy Laws

    Beginning in March 2010, every business that carries personal information about a Massachusetts resident is required to adhere to the requirements listed in 201 CMR 17. For many organizations, navigating these new standards and ensuring compliance is quite challenging. Newer regulations require companies to:

    • Identify who can access information
    • Complete training for individuals responsible for the ongoing management
    • Establish a comprehensive security program with a set of written policies
    • Determine if a gap exists through interview, observation and policy review as well as establish remediation recourse

    Beyond regulatory compliance, organizations that identify the strengths and weaknesses of their information security management systems protect their business from an increasing number of threats while protecting their reputation and brand. Using our assessment methodology, Security Management Partners can help your organization navigate the Massachusetts data protection regulation 201 CMR 17 to prevent security breaches and identity theft.

    Security Management Partners provides support in policy creation and risk assessments, while system, firewall and network testing helps your organization reduce the risk of financial and legal ramifications from violating 201 CMR 17 requirements and strengthens your overall information security. In addition, SMP provides remediation recommendations that help organizations better manage their security initiatives and remain in compliance with today's evolving compliance rules.

    Methodology

    • Analyze data flow
    • Assess risk of personally identifiable information
    • Analyze inventory of personally identifiable information
    • Verify current information security management system
    • Assess existing policies and policy enforcement
    • Assess employee training
    • Assess and verify access to personal information
    • Assess hardware, software, antivirus and firewall management
    • Assess secure access controls
    • Assess annual audit plan for ongoing monitoring and review
    • Assess encryption of all personally identifiable information in mobile files and folders and on removable storage
    • Assess disaster recovery and business continuity plans
    • Review vendors to ensure third-party compliance
    • Assess physical access to records controls
    • Recommend remediation to address any gaps

    MA 201 CMR 17 Consulting in Action

    Read about how SMP guided Genzyme Corporation's compliance efforts with Massachusetts Regulation 201 CMR 17.


    Meaningful Use Stage 1 & 2 Risk Assessment

    The United States federal government released its criteria for the meaningful use of electronic health records (EHRs) on July 13, 2010. According to the provisions of the Healthcare Information Technology for Economic and Clinical Health Act (HITECH), healthcare organizations that have achieved meaningful use will be eligible for their share of the $20 billion-plus government-offered financial incentives based on how well eligible professionals ‘use’ certified EHR technology to meet fifteen core and five (out of ten) discretionary objectives. Risk assessment is one of the fifteen core mandatory requirements. Those who have failed to achieve these standards by 2015 may be penalized.

    Three Stages of Meaningful Use

    The three stages of meaningful use under the CMS EHR incentive program will roll out over the course of the next five years:

    • Stage 1 (2011 and 2012) sets the baseline for electronic data capture and information sharing. This stage includes a 90-day attestation reporting period. As reported in Government Technology, hospitals must begin their 90-day attestation period no later than July 3 and physicians by Oct. 1.  The reporting period is 90 days as long as it is the first payment year for that particular provider—whether that year is 2011, 2012, 2013, or even 2014.
    • Stage 2 (2013 & 2014): “On September 4, 2012, CMS published a final rule that specifies the Stage 2 criteria that eligible professionals (EPs), eligible hospitals, and critical access hospitals (CAHs) must meet in order to continue to participate in the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs. All providers must achieve meaningful use under the Stage 1 criteria before moving to Stage 2.”
    • Stage 3 (expected to be implemented in 2015) will continue to expand on this baseline and be developed through future rulemaking  

    Certified EHR Technology

    Further, “to get an incentive payment, you must use an EHR that is certified specifically for the EHR Incentive Programs. Certified EHR technology gives assurance to purchasers and other users that an EHR system or module offers the necessary technological capability, functionality, and security to help them meet the meaningful use criteria. Certification also helps providers and patients be confident that the electronic health IT products and systems they use are secure, can maintain data confidentially, and can work with other systems to share information.”

    The SMP Solution

    SMP’s meaningful use risk assessment will help your healthcare organization comply with the requirements under 45 CFR 164.308(a)(1) and identify security vulnerabilities as part of your risk management process so that you may confidently apply for meaningful use funds and reap the financial benefits of compliance.

    Meaningful Use Risk Assessment in Action

    Learn how Monadnock Community Hospital partnered with SMP to implement a four-pronged risk analysis so that they could apply for meaningful use incentives and feel confident about their compliance with regulatory standards. 

    Notice: Information for this page was collected and quoted from the US Department of Health & Human Services (HHS), Centers for Medicare & Medicaid Services (CMS) website. For more information, please reference the CMS website.

    Network Security Assessments

    External Assessment - Vulnerability assessment and/or penetration testing performed from an outsider's perspective (usually across the internet) to identify publicly accessible vulnerabilities and determine what information is available to attackers.

    Internal Assessment - Performed from inside the network to determine how much information an employee or contractor can acquire without detection.

    Wireless Assessment - Assesses the security of an authorized wireless network while identifying rogue access points, mapping an area's wireless activity and highlighting signal leakage. 

    Mobile Application Security Assessment - Evaluates the overall mobile infrastructure, testing the security of mobile devices (iPhone, Android, tablets, etc.) and their applications to determine their susceptibility to data breaches as well as any gaps between current policies, procedures and best known practices.

    Dial-Up Assessment - Identifies unauthorized modems that could allow remote access and tests known modems for security weaknesses.

    Web Application Security Assessment - In-depth probing that fully exercises access controls to find configuration deficiencies and security vulnerabilities. Common web application vulnerabilities include SQL injection, cross-site scripting, request forgery, directory traversal, buffer overflows and remote file inclusion in PHP applications.

    Social Engineering Assessment - Uses pretexting, impersonation, and covert access attempts to test the strength of existing policies, staff training, and technical controls. A physical security review identifies areas of security risk around and within the facility and examines the processes for gaining physical access to restricted locations.


    Operational Assessments

    IT General Controls & Risk Audits - Identifies relevant systems and processes, determines the effectiveness of existing controls and practices, and comments on quality of risk management and aggregate risk.

    IT Risk Assessment - In-depth evaluation of the existing risk management process to determine if it is adequate to protect business assets and complies with regulatory requirements.

    Security Policy and Procedure Review - Verifies policies are comprehensive and/or identifies areas requiring improvement, reveals gaps between operational controls and those mandated by existing policies. Examples of policies we review: 

    • Vendor Management
    • Facility/Physical Security
    • Network Configuration and Security Measures
    • Incident Response
    • IT Acquisition
    • Disaster Recovery—Business Continuity Planning
    • Information Security Training/User Education/Awareness Training
    • Mobile Computing

    Architectural and Firewall Review - Examines network topology, rulebases and device configuration along with first-hand observation and direct questioning of existing controls to determine adequacy.

    Payment Card Industry (PCI) QSA Services 

    Whether you are a level one or level four retailer, financial institution, hospital, restaurant, hotel, e-merchant, or using a third party payment provider, if your organization accepts, acquires, transmits, processes, or stores data that contains payment card information, you MUST protect the confidentiality, integrity, and privacy of that data according to the requirements of PCI Data Security Standard (PCI DSS). Members, merchants, and service providers who do not adhere to the PCI DSS are at risk of losing processing privileges or significant fines (up to $500,000) for each incident. The requirements for merchants vary, based on the number of payment card transactions processed per year.

    The SMP Solution

    Security Management Partners is one of a select group of organizations certified as a Qualified Security Assessor (QSA) by the Payment Card Industry Security Standards Council. A PCI engagement with SMP helps ensure that your organization achieves compliance with the PCI Data Security Standard (PCI DSS) through assessment, prevention, detection and remediation and, where required, validation via a written Report on Compliance (ROC) detailing your company's information and network security controls.

    The PCI Certification Engagement 

    Security Management Partners’ PCI engagement focuses on assessment, remediation, and certification of our client’s information assets and network security. Our comprehensive team approach aligns your business units with your technology needs according to the PCI Security Audit and Reporting Procedures. Each card brand has a few unique requirements of their own for compliance.

    Here is a brief overview of the key steps included in the SMP PCI certification engagement process:

    1. Scope and define project plan
    2. Sampling
    3. Conduct gap analysis
    4. Verify controls
    5. Complete report (either ROC or assist with SAQ)

    Policy Development

    Working to understand business needs and requirements, SMP will develop or update policy based on best practices, industry standards and regulations.

    These are just a few examples of the policies SMP can develop or update:

    • Vendor Management
    • Facility/Physical Security
    • Network Configuration and Security Measures
    • Incident Response
    • IT Acquisition
    • Disaster Recovery-Business Continuity Planning
    • Information Security Training/User Education/Awareness Training
    • Mobile Computing