Page 1 of 5
AUTHENTIC INTELLIGENCE
DATA SECURITY ASSESSMENT SERVICE
RATIONALE
• The overwhelming number of inside-out vulnerabilities on most corporate networks requires a risk-driven cost/benefit approach to prioritize and address them.
• It is far more important to have insight and control over what leaves your network than over what comes in.
• Many vulnerabilities are easily fixed without extensive effort once they are identified.
• Regulatory policy as well as asset exposure drives priorities and must be recognized and accounted for based on organizational profile.
• Other vulnerabilities need to be evaluated in terms of multiple mitigation approaches, including a third-party service or product, an in-house solution, or acceptable use policy changes. Decisions need to be made based on the time and cost to implement relative to the security risks.
• Point-in-time assessment is valuable, but ongoing assessment is needed as assets, risks, and policies all change rapidly.
APPROACH
• Address the 3 areas of security described by the International Information Systems Security Certification Consortium (ISC2)[i]: Confidentiality, Integrity, and Availability (CIA).
• Iterative approach based on a cycle of identification, assessment, analysis, and strategy formulation.
• Matrix of risks across 8 key areas affecting inside-out security:
  o Databases
  o Files
  o Servers
  o Environments
  o Applications
  o Client devices
  o Account Management
  o Personnel and Training
• These areas are identified, assessed, analyzed, and targeted for remediation in regard to policies, vulnerabilities, and potential controls, including monitoring and prevention strategies.
EVALUATION OF COMPONENTS BY AREA
Columns: Confidentiality, Integrity, Availability (items for each area are listed in column order).

Databases
• Sensitive content identified & encrypted
• Role-based access control
• Unnecessary data exposure
• Row-level auditing
• Row/column-level ownership enforcement
• Data distribution latencies, synchronization, & conflict resolution
• Resource governance
• Port exposure
• Security delegation
• Backup aligned to business
• Q/A environment
• Staging & rollback
• Recoverability testing
• High availability strategy

Files
• Exposure of sensitive business information
• Exposure of sensitive credential information
• Folder & file level permissions
• Change tracking
• Workflow controls
• Delegation of content control & change approval
• Backup aligned to business needs
• Recoverability testing
• High availability strategy

Servers
• Remote access controls
• Content-oriented access controls
• Role-based permissions
• O/S patch levels
• O/S vulnerabilities
• Use of least privilege for service accounts (LUA)
• Port exposure
• Backup aligned to business
• Recoverability testing
• High availability strategy
• Template-based imaging

Environments
• Credential protection
• Secure transport (SSL)
• Protective content barriers
• Sensitive content detection with automated obfuscation
• Non-repudiation with source credential tracking
• Adequate Q/A environment
• Staging & rollback
• PKI governance
• Installation/configuration automation
• Complete environment snapshot capability

Applications
• Best practices for endpoints, credential storage, & key management
• Audit trails
• Non-repudiation across tiers
• Least privileged application account
• Security patch strategy
• Automated deployment
• Scalability support including failover & load balancing capabilities
• Port exposure profile and DoS risks

Client Devices
• Organizational security policy enforcement
• Multi-factor authentication enforcement
• Encryption policy
• Non-repudiation for all services utilized from device
• Server-level auditing
• Policies/procedures for lost or stolen devices
• Server-based backup automation

Account Management & Personnel Management
• Role-based
• Least-user privilege needed
• Delegation infrastructure
• Auditing
• Delegation based on business structure
• Group membership
• Shared responsibilities
• Role-based training
PROCESS
IDENTIFY
• Personnel: interview individuals as well as groups. Obtain key information in an anonymous, non-threatening fashion to promote accuracy of the assessment. Interview across all groups: IT infrastructure, developers, database administrators, users, network administrators, and policy makers. Ensure appropriate containership (granting privileges to groups and roles rather than to individual users), delegated security management, and sufficient policies for password/multi-factor authentication. Verify that the necessary security training is in place based on individual and group roles.
• Databases: identify over-privileged accounts, unpatched or vulnerable instances, unencrypted sensitive information, unsecured partitions of data, whether horizontal (by row) or vertical (by column), lack of adequate auditing, lack of instance protection (non-use of a resource governor or other controls to limit denial of service), status of the high-availability implementation, and backup and recovery controls.
• File systems: over-privileged users, exposed credentials, sensitive content, lack of adequate access control lists, and file change tracking.
• Servers: over-privileged service accounts, unsecured pathways between servers and environments (e.g., a database server exposed directly to clients instead of only to a gateway application server), and backup and recovery controls.
• Applications: lack of best practices in the areas of encryption, auditing, role-based security, high availability, adequate test and development environments, code configuration management, Q/A process, and use of secure coding techniques.
• Client devices: multi-factor authentication, over-privileged accounts for services on devices, and password and encryption protections.
• Environments: controls on moving information between environments; adequate/realistic testing, staging, disaster recovery testing, and development environments; and separation of environments.
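The database checks in the IDENTIFY step above can be started from one read-only inventory script. The T-SQL below is an added example written for this page, not the assessment service's own tooling; it assumes Microsoft SQL Server (the platform named elsewhere on the page) and a login with VIEW SERVER STATE plus read access to msdb, and it only reads catalog views, so it changes nothing on the instance. Each query maps to one item in the Databases bullet: over-privileged accounts, patch level, unencrypted databases, auditing, resource governor, port exposure, high-availability status, backup currency, and row-level partitioning enforcement.

```sql
-- Added example (not from the original page): read-only SQL Server inventory
-- for the "Databases" items of the IDENTIFY step. Assumes SQL Server 2016 or
-- later for sys.security_policies; the remaining queries work on 2012 or later.

-- 1. Over-privileged accounts: members of the most powerful fixed server roles.
SELECT r.name AS server_role, m.name AS member_name, m.type_desc, m.is_disabled
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'securityadmin', 'serveradmin')
ORDER BY r.name, m.name;

-- 2. Patch level: compare these values against the vendor's current build list
--    for this release (ProductUpdateLevel may be NULL on older builds).
SELECT SERVERPROPERTY('ProductVersion')     AS product_version,
       SERVERPROPERTY('ProductLevel')       AS product_level,
       SERVERPROPERTY('ProductUpdateLevel') AS product_update_level,
       SERVERPROPERTY('Edition')            AS edition;

-- 3. Unencrypted data at rest: user databases without Transparent Data Encryption.
SELECT name AS database_name, is_encrypted
FROM sys.databases
WHERE database_id > 4 AND is_encrypted = 0;

-- 4. Auditing: server audits that exist and whether each is actually enabled.
SELECT name AS audit_name, type_desc AS audit_target, is_state_enabled
FROM sys.server_audits;

-- 5. Instance protection against denial of service: Resource Governor state.
SELECT is_enabled AS resource_governor_enabled, classifier_function_id
FROM sys.resource_governor_configuration;

-- 6. Port exposure: the address and TCP port this session arrived on
--    (cross-check against firewall rules; a non-default port is not a control).
SELECT local_net_address, local_tcp_port
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;

-- 7. High-availability status: is Always On enabled on this instance?
SELECT SERVERPROPERTY('IsHadrEnabled') AS hadr_enabled;

-- 8. Backup and recovery controls: last full backup per user database,
--    oldest first, so databases with no backup at all (NULL) sort to the top.
SELECT d.name AS database_name,
       d.recovery_model_desc,
       MAX(b.backup_finish_date) AS last_full_backup
FROM sys.databases d
LEFT JOIN msdb.dbo.backupset b
       ON b.database_name = d.name AND b.type = 'D'
WHERE d.database_id > 4
GROUP BY d.name, d.recovery_model_desc
ORDER BY last_full_backup;

-- 9. Horizontal (row-level) partition enforcement: row-level security policies
--    defined in the current database, and whether each is enabled.
SELECT name AS policy_name, is_enabled, is_schema_bound
FROM sys.security_policies;
```

Run it once per instance and keep the result sets with the engagement record; the rows from queries 1, 3, 4 and 8 feed directly into the Confidentiality, Integrity and Availability columns of the matrix on the preceding page.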
ASSESS
• Enumerate all of the above in regard to vulnerabilities found and rate the risks based on policies relevant to the organization.
ANALYZE
• Analyze all areas to rate risks and costs to mitigate, with scoring in ranked, point, and dollar fashion.
STRATEGIZE
• Define potential remediation and integration strategies, including a high-level project plan for integrating multiple solutions that may have dependencies.
• Prioritize and identify mitigation options.
REPORT
• Implement a Microsoft™[ii] Power BI dashboard, or help deploy the dashboard to an internal Microsoft SharePoint site.
• Provide a comprehensive, detailed report of all findings along with recommended strategies.
DELIVERABLES
• Matrix reports by CIA across each area, with sub-items for the various tasks and the grades, potential costs due to risks, and costs to mitigate.
• Implement a Power BI interface with a gateway to auto-update from the customer's assets, through scripts that search for and identify the various types of assets operating on the network. For some asset types, such as people and environments, along with policies and strategies, a web interface will be provided as well as a drop-file location for comma-delimited files to upload into the system.
COSTS AND DELIVERY OPTIONS
Service costs: $35,000 - $50,000 depending on organizational size, performed over a 3 - 5 week period. The offering is customizable and may be performed on an hourly basis, with rates varying from $150.00 to $250.00 per hour depending on the particular components desired. Customers that choose a level of service which meets the $35,000 minimum will be provided an automated process for the Power BI system to automatically update asset information based on the corporate assets. The customer may also choose deployment of an in-house SharePoint infrastructure for Power View to achieve similar capability using Microsoft Power View without Power BI. In that case the quick insights and guided question/answer features are not provided. The organization will receive free patches and upgrades to the assessment software implemented. Follow-on work may be contracted to resolve specific security areas.
[Figure: Microsoft Power BI security assessment example]
OTHER SERVICES
In addition to the data security assessment service, we offer the following additional services on a fixed-price or hourly basis. Hourly rates vary from $150.00 to $250.00 depending on the level of expertise, duration of engagement, and travel requirements/expenses.
• Operational Efficiency Data Audit: focuses on the data flows within an organization, including the physical and technical constraints that result in inefficiencies. Provides identification of choke points, inside data security vulnerabilities, inadequate audit controls, data quality issues, concurrency and consistency problems, and inadequate analytic support, along with recommendations for resolution.
• Custom Training: Microsoft Certified training delivered in a mentorship venue that works around staff availability to help individuals improve job performance and acquire job-related credentials. Training is provided in most areas related to the Microsoft data platform, including Azure, Hyper-V, and SQL Server, as well as introductory topics in data science.
• Chief Technology Officer contract consulting: act as a CTO advisor, particularly well suited to technology startups that have an inadequate budget for a full-time CTO or require short-term assistance to verify their vision and define a technological approach aligned to business goals.
• DBA Supercharge service: delivered by a Microsoft Certified Master with 20 years' experience in SQL Server to rapidly resolve performance issues; automate instance and database management, backup, recovery, and tuning; and provide advanced skills mentoring to ensure customer database self-sufficiency.
• 24 x 7 Database support: allows outsourcing database administration on a monthly basis with a retainer to resolve issues, while also implementing automated database processes to ensure adequate database backup, recovery, and optimal performance.
WHY AUTHENTIC INTELLIGENCE?
Authentic Intelligence is uniquely equipped with the expertise and experience to address the entire spectrum of enterprise data systems. Our staff hold a wide variety of Microsoft and industry-standard certifications and distinctions. The company founder holds a Ph.D. in the area of frameworks for automated problem solving. Our technical credentials include Microsoft SQL Server Master, .NET Developer, System Engineer, and Microsoft Certified Trainer certifications, and industry-standard CISSP and CompTIA certifications, with individuals having over 30 years' experience. We are a Microsoft BizSpark partner with practical experience in the Microsoft platform as well as VMware ESXi, including vCenter. We host several servers in a secure co-location facility operating on a 10GbE network, running high-speed storage supporting nested virtualization to enable rapid sandboxing, custom training, large-scale lab testing, and complex software development ventures.
Our focus is on automation. In all of our services, we utilize authentic intelligence™ over artificial intelligence, and machine solving™ over machine learning, to provide a framework for system automation which enables continuous improvement based on feedback. We have great confidence in our ability to solve your challenges and are willing to work with smaller firms or startup firms that cannot make large commitments. Once an NDA is in place, but even before agreement for paid services, we will come onsite and work with the customer to establish a value proposition and gain the trust and confidence of the customer to move forward.
[i] ISC2 is a registered trademark of the International Information Systems Security Certification Consortium. www.isc2.com
[ii] Microsoft and its associated products (Power BI, SharePoint, and SQL Server) are registered trademarks of Microsoft Corporation.

More Related Content

What's hot

Advanced Authorization for SAP Global Deployments Part III of III
Advanced Authorization for SAP Global Deployments Part III of IIIAdvanced Authorization for SAP Global Deployments Part III of III
Advanced Authorization for SAP Global Deployments Part III of III
NextLabs, Inc.
 
Unit 5
Unit 5Unit 5
The App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST ToolThe App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST Tool
Checkmarx
 
Aricent Highly Automated Vulnerability Assessment Orchestration Containers (H...
Aricent Highly Automated Vulnerability Assessment Orchestration Containers (H...Aricent Highly Automated Vulnerability Assessment Orchestration Containers (H...
Aricent Highly Automated Vulnerability Assessment Orchestration Containers (H...
Aricent
 
Enterprise Risk Management Solutions
Enterprise Risk Management SolutionsEnterprise Risk Management Solutions
Enterprise Risk Management Solutions
LexComply
 
OmniNet MDS HIPPA Compliance Info
OmniNet MDS HIPPA Compliance InfoOmniNet MDS HIPPA Compliance Info
OmniNet MDS HIPPA Compliance Info
Jonathan Eubanks
 
Cybersecurity Capability Maturity Model (C2M2)
Cybersecurity Capability Maturity Model (C2M2)Cybersecurity Capability Maturity Model (C2M2)
Cybersecurity Capability Maturity Model (C2M2)
Maganathin Veeraragaloo
 
5 Shades of Analytics - Presentation Version - Distributable Version
5 Shades of Analytics - Presentation Version - Distributable Version5 Shades of Analytics - Presentation Version - Distributable Version
5 Shades of Analytics - Presentation Version - Distributable VersionMichael Josephs
 
M. Josephs - Reaching for the Clouds - Final for Distribution
M. Josephs - Reaching for the Clouds - Final for DistributionM. Josephs - Reaching for the Clouds - Final for Distribution
M. Josephs - Reaching for the Clouds - Final for DistributionMichael Josephs
 
Fisma FedRAMP Drupal
Fisma FedRAMP DrupalFisma FedRAMP Drupal
Fisma FedRAMP Drupal
Mike Lemire
 
TroubleTicketing - product presentation
TroubleTicketing - product presentationTroubleTicketing - product presentation
TroubleTicketing - product presentation
pwal
 
Risk Management: From a spreadsheet to a cloud-based solution
Risk Management: From a spreadsheet to a cloud-based solutionRisk Management: From a spreadsheet to a cloud-based solution
Risk Management: From a spreadsheet to a cloud-based solution
maduracamms
 
Compliance in Virtualized Environments
Compliance in Virtualized EnvironmentsCompliance in Virtualized Environments
Compliance in Virtualized Environments
Seccuris Inc.
 
Cloud Auditing
Cloud AuditingCloud Auditing
Cloud Auditing
Jonathan Sinclair
 
Supplier security assessment questionnaire
Supplier security assessment questionnaireSupplier security assessment questionnaire
Supplier security assessment questionnaire
Priyanka Aash
 
Viera HR and IT Resume (2)
Viera HR and IT Resume (2)Viera HR and IT Resume (2)
Viera HR and IT Resume (2)EJaz VI
 
SAP Cloud security overview 2.0
SAP Cloud security overview 2.0SAP Cloud security overview 2.0
SAP Cloud security overview 2.0Rasmi Swain
 
Achieving a 21 CFR Part 11 Compliant eTMF
Achieving a 21 CFR Part 11 Compliant eTMFAchieving a 21 CFR Part 11 Compliant eTMF
Achieving a 21 CFR Part 11 Compliant eTMFpaulkfenton
 

What's hot (20)

Advanced Authorization for SAP Global Deployments Part III of III
Advanced Authorization for SAP Global Deployments Part III of IIIAdvanced Authorization for SAP Global Deployments Part III of III
Advanced Authorization for SAP Global Deployments Part III of III
 
Unit 5
Unit 5Unit 5
Unit 5
 
The App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST ToolThe App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST Tool
 
Aricent Highly Automated Vulnerability Assessment Orchestration Containers (H...
Aricent Highly Automated Vulnerability Assessment Orchestration Containers (H...Aricent Highly Automated Vulnerability Assessment Orchestration Containers (H...
Aricent Highly Automated Vulnerability Assessment Orchestration Containers (H...
 
Enterprise Risk Management Solutions
Enterprise Risk Management SolutionsEnterprise Risk Management Solutions
Enterprise Risk Management Solutions
 
OmniNet MDS HIPPA Compliance Info
OmniNet MDS HIPPA Compliance InfoOmniNet MDS HIPPA Compliance Info
OmniNet MDS HIPPA Compliance Info
 
Cybersecurity Capability Maturity Model (C2M2)
Cybersecurity Capability Maturity Model (C2M2)Cybersecurity Capability Maturity Model (C2M2)
Cybersecurity Capability Maturity Model (C2M2)
 
Unit5
Unit5Unit5
Unit5
 
5 Shades of Analytics - Presentation Version - Distributable Version
5 Shades of Analytics - Presentation Version - Distributable Version5 Shades of Analytics - Presentation Version - Distributable Version
5 Shades of Analytics - Presentation Version - Distributable Version
 
SABSA Implementation(Part III)_ver1-0
SABSA Implementation(Part III)_ver1-0SABSA Implementation(Part III)_ver1-0
SABSA Implementation(Part III)_ver1-0
 
M. Josephs - Reaching for the Clouds - Final for Distribution
M. Josephs - Reaching for the Clouds - Final for DistributionM. Josephs - Reaching for the Clouds - Final for Distribution
M. Josephs - Reaching for the Clouds - Final for Distribution
 
Fisma FedRAMP Drupal
Fisma FedRAMP DrupalFisma FedRAMP Drupal
Fisma FedRAMP Drupal
 
TroubleTicketing - product presentation
TroubleTicketing - product presentationTroubleTicketing - product presentation
TroubleTicketing - product presentation
 
Risk Management: From a spreadsheet to a cloud-based solution
Risk Management: From a spreadsheet to a cloud-based solutionRisk Management: From a spreadsheet to a cloud-based solution
Risk Management: From a spreadsheet to a cloud-based solution
 
Compliance in Virtualized Environments
Compliance in Virtualized EnvironmentsCompliance in Virtualized Environments
Compliance in Virtualized Environments
 
Cloud Auditing
Cloud AuditingCloud Auditing
Cloud Auditing
 
Supplier security assessment questionnaire
Supplier security assessment questionnaireSupplier security assessment questionnaire
Supplier security assessment questionnaire
 
Viera HR and IT Resume (2)
Viera HR and IT Resume (2)Viera HR and IT Resume (2)
Viera HR and IT Resume (2)
 
SAP Cloud security overview 2.0
SAP Cloud security overview 2.0SAP Cloud security overview 2.0
SAP Cloud security overview 2.0
 
Achieving a 21 CFR Part 11 Compliant eTMF
Achieving a 21 CFR Part 11 Compliant eTMFAchieving a 21 CFR Part 11 Compliant eTMF
Achieving a 21 CFR Part 11 Compliant eTMF
 

Similar to Data Security Service Offering-v3

Silicon Valley IDSA Meetup October 2018
Silicon Valley IDSA Meetup October 2018 Silicon Valley IDSA Meetup October 2018
Silicon Valley IDSA Meetup October 2018
Identity Defined Security Alliance
 
Lunch and Learn: June 29, 2010
Lunch and Learn: June 29, 2010Lunch and Learn: June 29, 2010
Lunch and Learn: June 29, 2010
prevalentnetworks
 
Security architecture best practices for saas applications
Security architecture best practices for saas applicationsSecurity architecture best practices for saas applications
Security architecture best practices for saas applications
kanimozhin
 
Microsoft Office 365 Security and Compliance Updates
Microsoft Office 365 Security and Compliance UpdatesMicrosoft Office 365 Security and Compliance Updates
Microsoft Office 365 Security and Compliance Updates
David J Rosenthal
 
TrustedAgent FedRAMP Security Authorization
TrustedAgent FedRAMP Security AuthorizationTrustedAgent FedRAMP Security Authorization
TrustedAgent FedRAMP Security Authorization
Tuan Phan
 
talk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptxtalk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptx
TrongMinhHoang1
 
IDSA at Denver IAM Meetup
IDSA at Denver IAM MeetupIDSA at Denver IAM Meetup
IDSA at Denver IAM Meetup
Identity Defined Security Alliance
 
Presentation: To an efficient tool for securing the card data on the Cloud: C...
Presentation: To an efficient tool for securing the card data on the Cloud: C...Presentation: To an efficient tool for securing the card data on the Cloud: C...
Presentation: To an efficient tool for securing the card data on the Cloud: C...
Hassan EL ALLOUSSI
 
Emerging IT Trends and Innovation Concepts.pptx
Emerging IT Trends and Innovation Concepts.pptxEmerging IT Trends and Innovation Concepts.pptx
Emerging IT Trends and Innovation Concepts.pptx
Roshni814224
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
AWS User Group Bengaluru
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
AWS User Group Bengaluru
 
The Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA IDThe Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA ID
Eryk Budi Pratama
 
CISO_Mind_Map_and_Vulnerability_Management_Maturity_Model_1643375178.pdf
CISO_Mind_Map_and_Vulnerability_Management_Maturity_Model_1643375178.pdfCISO_Mind_Map_and_Vulnerability_Management_Maturity_Model_1643375178.pdf
CISO_Mind_Map_and_Vulnerability_Management_Maturity_Model_1643375178.pdf
SidneyGiovanniSimas1
 
Cloud computingsec p3
Cloud computingsec p3Cloud computingsec p3
Cloud computingsec p3
Cesar Schmitzhaus
 
Security Architecture Best Practices for SaaS Applications
Security Architecture Best Practices for SaaS ApplicationsSecurity Architecture Best Practices for SaaS Applications
Security Architecture Best Practices for SaaS Applications
Techcello
 
Security and Compliance
Security and ComplianceSecurity and Compliance
Security and Compliance
run_frictionless
 
Sso security&business tool_2018_issa_infosecsummit_grant_reveal_final
Sso security&business tool_2018_issa_infosecsummit_grant_reveal_finalSso security&business tool_2018_issa_infosecsummit_grant_reveal_final
Sso security&business tool_2018_issa_infosecsummit_grant_reveal_final
Grant Reveal
 
Carl Binder Resume Myrtle Beach address 1-24-17
Carl Binder Resume Myrtle Beach address 1-24-17Carl Binder Resume Myrtle Beach address 1-24-17
Carl Binder Resume Myrtle Beach address 1-24-17Carl Binder
 
CISSP Cheatsheet.pdf
CISSP Cheatsheet.pdfCISSP Cheatsheet.pdf
CISSP Cheatsheet.pdf
shyedshahriar
 
The Information Office
The Information OfficeThe Information Office
The Information Office
Mahesh Patwardhan
 

Similar to Data Security Service Offering-v3 (20)

Silicon Valley IDSA Meetup October 2018
Silicon Valley IDSA Meetup October 2018 Silicon Valley IDSA Meetup October 2018
Silicon Valley IDSA Meetup October 2018
 
Lunch and Learn: June 29, 2010
Lunch and Learn: June 29, 2010Lunch and Learn: June 29, 2010
Lunch and Learn: June 29, 2010
 
Security architecture best practices for saas applications
Security architecture best practices for saas applicationsSecurity architecture best practices for saas applications
Security architecture best practices for saas applications
 
Microsoft Office 365 Security and Compliance Updates
Microsoft Office 365 Security and Compliance UpdatesMicrosoft Office 365 Security and Compliance Updates
Microsoft Office 365 Security and Compliance Updates
 
TrustedAgent FedRAMP Security Authorization
TrustedAgent FedRAMP Security AuthorizationTrustedAgent FedRAMP Security Authorization
TrustedAgent FedRAMP Security Authorization
 
talk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptxtalk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptx
 
IDSA at Denver IAM Meetup
IDSA at Denver IAM MeetupIDSA at Denver IAM Meetup
IDSA at Denver IAM Meetup
 
Presentation: To an efficient tool for securing the card data on the Cloud: C...
Presentation: To an efficient tool for securing the card data on the Cloud: C...Presentation: To an efficient tool for securing the card data on the Cloud: C...
Presentation: To an efficient tool for securing the card data on the Cloud: C...
 
Emerging IT Trends and Innovation Concepts.pptx
Emerging IT Trends and Innovation Concepts.pptxEmerging IT Trends and Innovation Concepts.pptx
Emerging IT Trends and Innovation Concepts.pptx
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
The Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA IDThe Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA ID
 
CISO_Mind_Map_and_Vulnerability_Management_Maturity_Model_1643375178.pdf
CISO_Mind_Map_and_Vulnerability_Management_Maturity_Model_1643375178.pdfCISO_Mind_Map_and_Vulnerability_Management_Maturity_Model_1643375178.pdf
CISO_Mind_Map_and_Vulnerability_Management_Maturity_Model_1643375178.pdf
 
Cloud computingsec p3
Cloud computingsec p3Cloud computingsec p3
Cloud computingsec p3
 
Security Architecture Best Practices for SaaS Applications
Security Architecture Best Practices for SaaS ApplicationsSecurity Architecture Best Practices for SaaS Applications
Security Architecture Best Practices for SaaS Applications
 
Security and Compliance
Security and ComplianceSecurity and Compliance
Security and Compliance
 
Sso security&business tool_2018_issa_infosecsummit_grant_reveal_final
Sso security&business tool_2018_issa_infosecsummit_grant_reveal_finalSso security&business tool_2018_issa_infosecsummit_grant_reveal_final
Sso security&business tool_2018_issa_infosecsummit_grant_reveal_final
 
Carl Binder Resume Myrtle Beach address 1-24-17
Carl Binder Resume Myrtle Beach address 1-24-17Carl Binder Resume Myrtle Beach address 1-24-17
Carl Binder Resume Myrtle Beach address 1-24-17
 
CISSP Cheatsheet.pdf
CISSP Cheatsheet.pdfCISSP Cheatsheet.pdf
CISSP Cheatsheet.pdf
 
The Information Office
The Information OfficeThe Information Office
The Information Office
 

Data Security Service Offering-v3

  • 1. Page 1 of 5 AUTHENTIC INTELLIGENCE DATA SECURITY ASSESSMENT SERVICE RATIONALE  Overwhelming number of inside-out vulnerabilities on most corporate networks requires a risk driven cost/benefits approach to prioritize and attack.  Far more important to have insight and control on what leaves your network than what comes in  Many vulnerabilities are easily fixed without extensive effort once they are identified.  Regulatory policy as well as asset exposure drives priorities and must be recognized and accounted for based on organizational profile.  Other vulnerabilities need to be evaluated in terms of multiple mitigation approaches including third- party service or product, in-house, acceptable use policy changes. Decisions need to be made based on time and cost implement relative to the security risks.  Point-in-time assessment is valuable, but ongoing assessment is needed as assets, risks, and policies all change rapidly. APPROACH  Address the 3 areas of security described by the International Information Systems Security Certification Consortium (ISC2 )i – Confidentiality, Integrity, and Availability (CIA).  Iterative approach based on a cycle of identification, assessment, analysis, and strategy formulation.  Matrix of risks across 8 keys areas affecting with inside-out security: o Databases o Files o Servers o Environments o Applications o Client devices o Account Management o Personnel and Training  These areas are identified, assessed, analyzed, and targeted for remediation in regard to policies, vulnerabilities, and potential controls including monitoring and prevention strategies.
  • 2. Page 2 of 5 EVALUATION OF COMPONENTS BY AREA Confidentiality Integrity Availability Databases  Sensitive content Identified & encrypted  Role-based access control  Unnecessary data exposure  Row level auditing  Row/Column level ownership enforcement  Data distribution latencies, synchronization, & conflict resolution  Resource governance  Port exposure  Security delegation  Backup aligned to business  Q/A environment  Staging & rollback  Recoverability testing  High availability strategy Files  Exposure of sensitive business information  Exposure of sensitive credential information  Folder & file level permissions  Change tracking  Workflow controls  Delegation of content control & change approval  Backup aligned to business needs  Recoverability testing  High availability strategy Servers  Remote access controls  Content-oriented access controls  Role-based permissions  O/S Patch levels  O/S vulnerabilities  Use of least privilege for service accounts (LUA)  Port exposure  Backup aligned to business  Recoverability testing  High availability strategy  Template-based Imaging Environments  Credential protection  Secure transport (SSL)  Protective content barriers  Sensitive content detection with automated obfuscation  Non-repudiation with source credential tracking  Adequate Q/A environment  Staging & rollback  PKI governance  Installation/configuration automation  Complete environment snapshot capability Applications  Best practices for endpoints, credential storage, & key management  Audit trails  Non-repudiation across tiers  Least privileged application account  Security patch strategy  Automated deployment  Scalability support including failover & load balancing capabilities  Port exposure profile and DoS risks Client Devices  Organizational Security policy enforcement  Multi-factor authentication enforcement  Encryption policy  Non-repudiation for all services utilized from device  Server-level 
auditing  Policies/Procedures for lost or stolen devices  Server-based backup automation Account Management & Personnel Management  Role-based  Least-user privilege needed  Delegation infrastructure  Auditing  Delegation based on business structure  Group membership  Shared responsibilities  Role-based training
  • 3. Page 3 of 5 PROCESS IDENTIFY  Personnel: interview individuals as well as groups. Obtain key information in an anonymous non- threatening fashion to promote accuracy for the assessment. Interview across all groups: IT Infrastructure, developers, database administrators, users, network administrators, and policy makers. Ensure appropriate containership (granting privileges to individual groups and roles rather than users, delegated security management, and sufficient policies for password/multi-factor authentication. Verify that the necessary security training is in place based on individual and group roles.  Databases: Identify over-privileged accounts, unpatched or vulnerable instances, sensitive information unencrypted, unsecured partitions of data whether horizontal (by row) or vertical (by column), lack of adequate auditing, lack of instance protection (non-use of resource governor or other controls to limit denial of service), status of high-availability implementation, backup and recovery controls  File systems: Over privileged users, exposed credentials, sensitive content, lack of adequate access control lists, file change tracking  Servers: Over-privileged service accounts, unsecured pathways between servers and environments (i.e. database server exposed directly to clients instead of only to a gateway application server), backup and recovery controls  Applications: Lack of best practices in areas of encryption, auditing, role-based security, high-availability, adequate test and development environments, code configuration management, q/a process, use of secure coding techniques  Client devices: Multi-factor authentication, over-privileged accounts for services on devices, password and encryption protections  Environments: Controls on moving information between environments, adequate/realistic testing, staging, disaster recovery testing, and development environments, separation of environments. 
ASSESS  Enumerate all of the above in regard to vulnerabilities found and rate the risks based on policies relevant to organization. ANALYZE  Analyze all areas to rate risks, costs to mitigate with scoring in ranked, point, and dollar fashion. STRATEGIZE  Define potential remediation and integration strategies including high level project plan for integrating multiple solutions that may have dependencies.  Prioritize and identify mitigation options REPORT  Implement Microsoft™ ii Power BI Dashboard or help deploy dashboard to an internal Microsoft SharePoint site  Provide a comprehensive detailed report for all of the findings along with recommendation strategies
Page 4 of 5
DELIVERABLES
 Matrix reports by CIA across each area, with sub-items for the various tasks and their grades, potential costs due to risks, and costs to mitigate.
 Implement a Power BI interface with a gateway that auto-updates from the customer's assets, using scripts that search for and identify the various types of assets operating on the network. For asset types such as people and environments, along with policies and strategies, a web interface will be provided as well as a drop-file location for comma-delimited files to upload into the system.
COSTS AND DELIVERY OPTIONS
Service costs: $35,000 - $50,000 depending on organizational size, performed over a 3 to 5 week period. The offering is customizable and may be performed on an hourly basis, with rates varying from $150.00 to $250.00 per hour depending on the particular components desired. Customers that choose a level of service which meets the $35,000 minimum will be provided an automated process for the Power BI system to update asset information automatically from the corporate assets. The customer may also choose deployment of an in-house SharePoint infrastructure for Power View to achieve similar capability using Microsoft Power View without Power BI; in that case the quick insights and guided question-and-answer features are not provided. The organization will receive free patches and upgrades to the assessment software implemented. Follow-on work may be contracted to resolve specific security areas.
MICROSOFT POWER BI SECURITY ASSESSMENT EXAMPLE
Page 5 of 5
OTHER SERVICES
In addition to the data security assessment service, we offer the following additional services on a fixed-price or hourly basis. Hourly rates vary from $150.00 to $250.00 depending on the level of expertise, duration of engagement, and travel requirements and expenses.
 Operational Efficiency Data Audit: focuses on the data flows within an organization, including the physical and technical constraints that result in inefficiencies. Provides identification of choke points, inside data security vulnerabilities, inadequate audit controls, data quality issues, concurrency and consistency problems, and inadequate analytic support, along with recommendations for resolution.
 Custom Training: Microsoft Certified training delivered in a mentorship venue that works around staff availability to help individuals improve job performance and acquire job-related credentials. Training is provided in most areas of the Microsoft data and platform stack, including Azure, Hyper-V, and SQL Server, as well as introductory topics in data science.
 Chief Technology Officer contract consulting: act as a CTO advisor, particularly well suited to technology startups that lack the budget for a full-time CTO or need short-term assistance to verify their vision and define a technological approach aligned to business goals.
 DBA Supercharge service: delivered by a Microsoft Certified Master with 20 years' experience in SQL Server to rapidly resolve performance issues, automate instance and database management (backup, recovery, and tuning), and provide advanced skills mentoring to ensure customer database self-sufficiency.
 24 x 7 Database support: allows outsourcing of database administration on a monthly basis, with a retainer to resolve issues while also implementing automated database processes to ensure adequate backup, recovery, and optimal performance.
WHY AUTHENTIC INTELLIGENCE?
Authentic Intelligence is uniquely equipped with the expertise and experience to address the entire spectrum of enterprise data systems. Our staff hold a wide variety of Microsoft and industry-standard certifications and distinctions. The company founder holds a Ph.D. in the area of frameworks for automated problem solving. Our technical credentials include Microsoft Certified Master (SQL Server), .NET Developer, System Engineer, and Microsoft Certified Trainer certifications, as well as industry-standard CISSP and CompTIA certifications, with individuals having over 30 years' experience. We are a Microsoft BizSpark partner with practical experience in the Microsoft platform as well as VMware ESXi including vCenter. We host several servers in a secure co-location facility operating on a 10GbE network, running high-speed storage supporting nested virtualization to enable rapid sandboxing, custom training, large-scale lab testing, and complex software development ventures. Our focus is on automation. In all of our services, we utilize authentic intelligence™ over artificial intelligence, and machine solving™ over machine learning, to provide a framework for system automation that enables continuous improvement based on feedback. We have great confidence in our ability to solve your challenges and are willing to work with smaller firms or startups that cannot make large commitments. Once an NDA is in place, and even before agreement for paid services, we will come onsite and work with the customer to establish a value proposition and gain the trust and confidence needed to move forward.
i ISC2 is a registered trademark of the International Information Systems Security Certification Consortium. www.isc2.com
ii Microsoft and its associated products (Power BI, SharePoint, and SQL Server) are registered trademarks of Microsoft Corporation.