Below are examples of some of the types of clients we’ve assisted with cybersecurity and privacy compliance. As you would expect, clients are reluctant to disclose details about the security threats and privacy risks they faced. So instead, we describe the company in more generic terms, such as their industry or type of business.
The client wanted to establish a process to manage risk across six hospitals and report how well each hospital complies with specific standards to their management team. The engagement focused on inventory, identifying risks, documenting processes, and meeting compliance regulations.
We identified the organizational hierarchy and documented critical contacts for each department, including Radiology, Anesthesiology, Cardiology, and Emergency Medicine. Next, we inventoried the software used by each department and captured the business use case for each application. Our work also included reviewing all previous assessment data shared with us, and we established a baseline set of security controls.
1. Policy and procedure development and updates
2. HIPAA Assessment Report
3. Penetration Testing Report
4. Tabletop testing for Incident Response and Business Continuity
5. Third-Party Risk Register
6. Security Awareness Training
SecureFLO helped the client achieve HIPAA compliance.
The goal was to develop a risk management process for a new platform that allows sharing of vast amounts of genetic data. A government agency requires this assessment for any organization that shares sensitive information.
We developed an ongoing process to document technology built in the cloud and identify risks. We attended Agile development meetings to understand how data would be used. We got a data flow and a network flow perspective for all software written. We also developed NIST 800-53 controls across the organization.
We participated in meetings to select and deploy security technologies in the cloud. We helped develop controls for the application and audited the release management process.
Our team helped the entity document policies and procedures for strong governance of this new platform used for internal training and negotiation with government regulatory bodies to improve compliance further. We helped conduct business continuity and Incident Response tabletop testing and documented our results.
1. Policy and Procedure development
2. Training
3. NIST 800-53 Assessment and Report
4. NIST 800-171 Assessment and Report
5. FISMA Assessment and Report
6. Third-Party Risk Register
SecureFLO’s work enabled the client to gain approval for the grant they were seeking. Additionally, the client progressed from using NIST 800-53 controls to conducting NIST 800-171 assessments on an ongoing basis for the product they developed and for genetic testing.
The goal was to conduct penetration testing and a vulnerability scan of their web application and mobile app. The client also wanted to keep the SaaS platform secure by performing regular testing and remediation.
The first step was to identify and document business use cases of the platform for both internal users and customers. We reviewed the access and roles that the platform had for internal and external users. Tests were conducted to check for OWASP’s top 10 vulnerabilities.
1. Penetration Testing Report
2. Remediation suggestions
3. SSAE 18 SOC2 readiness report
4. Policy and Procedure development
5. Technology integration for Zero Trust
6. Compliance regulation testing for SSAE18 SOC2, HIPAA, 21 CFR 11
7. Security Awareness Training
8. Training on SOC2, HIPAA, and Phishing
The client learned the vulnerabilities in their web and mobile apps and the steps they need to complete to remediate those risks. The client appreciated our flexibility in retesting at no additional cost and providing a set of professional reports for their records.
The goal was to design a secure architecture for this large insurance whose employees had high volume access to retirement and brokerage accounts. We reviewed and provided recommendations on how the client can meet the compliance and security controls and communicate them to various departments, including IT, Fraud, Customer Service, Legal, and Security.
Our engagement began with interviewing stakeholders of each department and reviewing the existing business use cases. We also captured the current technology deployed and the key strategic initiatives for each department.
Designing their security architecture included implementing new technology for rapid incident response. We also assisted employees with access to very sensitive business data whose email addresses may have been compromised by hackers.
1. Security Architecture
2. Identity and Access Management review and reporting
3. Zero Trust architecture review
4. Incident Response Process review
The client learned the steps they needed to complete to achieve compliance and established security controls for critical processes in each department.
The goal was to manage and remediate vulnerabilities for all new versions of the software platforms that they sell to their commercial real estate clients.
We conducted ongoing pen testing and vulnerability scanning for various applications used by our client’s customers, who are large commercial real estate firms. Our focus was to manage risk by testing against OWASP vulnerabilities and provide remediation and a fix for any vulnerabilities.
1. Penetration testing report for Web application and Mobile Application
2. Secure Code Review
We helped the client develop a process for secure application delivery with clear and concise reporting of vulnerabilities and how to remediate them. Our client was able to provide this information to their prospective customers, which helped them increase sales and growth.
The goal was to develop a risk management practice using NIST 800-53 standards.
We inventoried all the technology used for the various solutions in the cloud, reviewed all documentation for the organization, and developed an understanding of training for internal employees. As part of the risk assessment using the NIST standards, we found and graded the risks in the environment. We provided several reports that documented risks and suggested remediations.
1. NIST 800-53 Assessment Report
2. Policy and Procedure Framework
3. Security Awareness Training
Using our recommendations, our client improved its cybersecurity and privacy compliance. Our advice allowed the client to demonstrate to their prospective and existing customers that their software environment includes strong controls and well-documented risk management and remediation process.
Gain cyber breach insurance for the college/school. They needed to satisfy the basic risk criteria. The college/school did not have strong authentication using multifactor deployed on laptops for employees and/or students.
We reviewed the insurance requirements and understood the specifics of the strong authentication needs of the college/school. Our process at that point was to understand the business uses. We looked at the market for the tools available that satisfy the needs for adaptive authentication not only using a mobile phone but using the specific browsers as well.
1. Document all the requirements for deploying strong authentication.
2. Review policies that are documented for internal employees.
3. Review Child online privacy protection rule (COPPA).
4. Develop a list of tools.
5. Document a simple checklist and a committee to evaluate solutions.
6. Deploy two of the best solutions in a proof of concept mode to test and satisfy the requirements.
Tested and deployed a multi factor authentication technology in a phased manner for the college/school. This has helped them gain a cyber breach insurance and provide strong authentication to employees and students with access to internal databases and cloud environments.
Deploy a provisioning process to confirm that only college/school employees that are active are able to access the environment. The provisioning included applications and a key card access database to enter the college/school. This was deployed as requirement to manage access to applications, key card, and cameras on the college campus.
We developed an assessment to collect the current state of provisioning and reviewed the documented process. We developed an inventory of all the applications accessed by employees and students. Our next phase was to review the various use cases on onboarding/offboarding/audit of access. Our team looked at not only software but hardware provisioning as well. So students were given chromebooks or teachers/professors were given devices by the college.
Additionally, there was a database that engaged keycard access for various buildings on campus. We looked at the various privileges/roles that existed for the college/school. We looked at other technical requirements for integration including managing mobile devices.
We developed the following for the college/school:
1. Documented an updated provisioning process.
2. Developed roles /privileges for the identity management solution.
3. Identified a LDAP structure as the centralized provisioning source.
4. We looked at various technologies and short listed ones that met the technical and budgetary requirements.
5. Tested a few solutions in a proof of concept to confirm the features and functions work for the college/school.
6. Integrated key card access and cameras using SDK’s.
We were able to deploy a provisioning solution using Active Directory as the source of truth. The solution was deployed in a phased manner. We deployed roles within the college/school. We were able to manage both software and hardware provisioning. This allowed the college to save money on hardware and licensing fees for software. Additionally it improved security of data as we were able to manage access to various machines and databases. Cloud access was managed as well as key cards and cameras.
While SecureFlo is ready and able to assist you in securing your vital educational information covered by the various FERPA (Federal Education Rights and Privacy Act) initiatives, we also help to secure your most precious resource-your students and staff. Unfortunately physical security enhancements have become a necessity in today’s unpredictable world.
Recent mass shootings in educational environments over the last decade point to several critical factors in a hostile person gaining access to campus. The first is through the office area or normal entry way. Often times the assailant is a student/former student who passes through the normal entry points without raising suspicions. Hardened access points help to prevent this “ease of access” gap by ensuring that people entering/exiting the facility are visually screened. If they are suspicious or deemed to be a threat, they can safely be denied entry. Keyless/badge access control helps to secure these ingress points during non-peak hours allowing staff to enter as needed and save manpower/costs. Hardened doors prevent suspicious individuals from being able to gain entry until proper authorities can properly vet the person and ensure that there is no threat.
The second historical method of entry has been to enter campus from a perimeter location or unmonitored side door. Security fencing serves to channelize people to authorized entry points where they can be effectively screened. CCTV cameras provide watch over these areas, and enhance the overall effectiveness of the fencing. Locking perimeter building doors serves to direct people to the proper entry points, again, where screening can be conducted more effectively. Staff can have badge type swipe cards to access perimeter doors as necessary.
Effective perimeter and entry point physical security enhancements can buy critical time and allow staff and campus police to respond effectively before a disaster happens.
Similar to our approach when assisting with your cyber-security needs, SecureFLO experts will provide an assessment to scope your project and to comply with unique state and.local requirements.
Typically enhancements often include:
1. Perimeter fencing
2. Hardened and monitored access control
3. CCTV camera coverage
4. Cypher locks
5. Lighting
6. Hardened doorways and windows
Other areas to consider are mobile apps used to rapidly and silently alert staff to threats and to guide response actions.
Using our recommendations, our client improved its cybersecurity and privacy compliance. Our advice allowed the client to demonstrate to their prospective and existing customers that their software environment includes strong controls and well-documented risk management and remediation process.