Information Assurance

Information Assurance Metrics Program

CSRS-Corp services guide your organization through the development, selection, and implementation of an Information Assurance metrics program. Our Information Assurance metrics program solutions provide a number of organizational and financial benefits. Major benefits include increasing accountability for information security performance; improving the effectiveness of information security activities; demonstrating compliance with laws, rules, and regulations; and providing quantifiable inputs for resource allocation decisions. Our approach identifies the adequacy of in-place security controls, policies, and procedures and indicates the effectiveness of the security controls applied to information systems and the supporting information security programs. By establishing a relationship between the information system and program security activities under your organization's purview and its mission, we help you demonstrate the value of information security to senior leadership, and we also help senior management decide where to invest additional information security resources, identify and evaluate non-productive security controls, and prioritize security controls for continuous monitoring. Our measures can realistically be obtained and are useful for performance improvement. In the end, our results facilitate decision making, improve performance, and increase accountability through the collection, analysis, and reporting of relevant performance-related data, providing a way to tie the implementation, efficiency, and effectiveness of information system and program security controls to an agency's success in achieving its mission.

System Risk Assessments

In this digital era, as organizations use automated information technology systems to process their information in support of their missions, risk management plays a critical role in protecting an organization's information assets, and therefore its mission, from IT-related risk. At CSRS-Corp, we have been developing comprehensive strategies to manage the risk portfolios of companies across the country. Through our proactive and dynamic approach and unparalleled expertise in risk management, we can help your organization:

  • Develop an effective risk management program containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within Information Technology systems.

  • Develop customized alternative risk programs tailored to your organization's specific needs, as well as help maximize your organization's current risk management programs to increase profits while better managing IT-related mission risks.

  • Determine the extent of the potential threats and the risks associated with an Information Technology system throughout its deployment life cycle, and help your organization identify appropriate controls for reducing or eliminating risk during the risk mitigation process.

Information Assurance Awareness, Training, and Education Program

People are one of the weakest links in attempts to secure systems and networks. The “people factor” - not technology - is the key to providing an adequate and appropriate level of security. If people are the key but are also a weak link, more and better attention must be paid to this asset. At CSRS-Corp, we understand that a robust, enterprise-wide awareness and training program is paramount to ensuring that people understand their Information Technology security responsibilities and organizational policies, and know how to properly use and protect the Information Technology resources entrusted to them.

CSRS-Corp Information Assurance Awareness, Training, and Education Program services are provided in a life-cycle approach; that is, we guide your organization in designing, developing, implementing, and maintaining an Information Assurance awareness, training, and education program tailored to your specific needs. Depending on the size and geographic dispersion of the organization, its defined organizational roles and responsibilities, and its budget allocations and authority, we offer your organization three different models for building and maintaining a comprehensive awareness, training, and education program:

  • Model 1:  Centralized policy, strategy, and implementation

  • Model 2:  Centralized policy, strategy, and distributed implementation

  • Model 3:  Centralized policy, distributed strategy, and implementation

Certification and Accreditation

CSRS-Corp has the breadth and depth of experience, as well as an established track record, in assisting federal agencies to meet their certification and accreditation (C&A) requirements. Through systematic processes and procedures, CSRS-Corp defines the activities, general tasks, and management structure needed to certify and accredit your automated information systems – all while maintaining the required, robust Information Assurance posture throughout the system's life cycle. Our solutions are cost-effective, timely, and compliant with the applicable federal certification and accreditation requirements. Our certification and accreditation solutions support Federal Information Security Management Act (FISMA) compliance and utilize processes such as:

  • National Information Assurance Certification and Accreditation Process (NIACAP)

  • Department of Defense Information Assurance Certification and Accreditation Process (DIACAP)

  • National Institute of Standards and Technology (NIST) Special Publication SP 800-37

  • Intelligence Community Directive (ICD) 503.

Information Systems Administration Services

CSRS-Corp information systems administration services include:

  • System Administration

  • Database Administration

  • Network Administration

  • Security Administration

  • Web Administration

  • Help Desk Administration

System Administration

Our system administrators maintain major multi-user computer systems, including local area networks as well as mainframe systems. Typical services usually include:

  • Adding and configuring new workstations

  • Setting up user accounts

  • Installing system-wide software

  • Performing procedures to prevent, detect, and correct the spread of viruses

  • Allocating mass storage space, etc.

Database Administration

Our database administrators maintain database structures and systems and are responsible for the integrity of the data and the efficiency and performance of the system. Typical services usually include:

  • Specifying the physical (computer-oriented) data definition

  • Changing the physical data definition to improve performance

  • Selecting and implementing data definition to improve performance

  • Selecting and implementing database optimization tools

  • Testing and evaluating programmer and optimization tools

  • Answering programmer queries and educating programmers in the database structures

  • Monitoring database usage, collecting performance statistics, and tuning the database

  • Defining and initiating backup and recovery procedures, etc.

Network Administration

Our network administrators maintain key network infrastructure such as switches, routers, and firewalls and diagnose problems with these devices or with the behavior of network-attached computers. Our experts are experienced in the technical and administrative control of local area, wide area, and wireless networks. Typical services usually include:

  • Ensuring that transmission links are functioning correctly

  • Ensuring that backups of the systems are occurring

  • Ensuring that software and hardware purchases are authorized and installed properly, etc.

Security Administration

Our security administrators are specialists in ensuring that users comply with the corporate security policy and that controls are adequate to prevent unauthorized access to company assets (including data, programs, and equipment). Typical services usually include:

  • Maintaining access rules to data and other IT resources

  • Maintaining security and confidentiality over the issuance and maintenance of authorized user IDs and passwords

  • Monitoring security violations and taking corrective action to ensure that adequate security is provided

  • Periodically reviewing and evaluating the security policy and suggesting necessary changes to management

  • Preparing and monitoring the security awareness program for all employees

  • Testing the security architecture to evaluate its strengths and detect possible threats

  • Working with the compliance, risk management, and audit functions to ensure that security is appropriately designed and updated based upon feedback or testing, etc.

Web Administration

Our web administrators maintain web server services (such as IIS or Apache) that allow for internal or external access to web sites.  Typical services usually include:

  • Managing multiple sites

  • Administering security and configuring necessary components and software

  • Software change management, etc.

Help Desk Administration

Our services include overall administration and 24/7 help desk support personnel ready to respond to individual users' difficulties with computer systems, provide instructions and sometimes training, and diagnose and solve common problems. Typical services usually include:

  • Acquisition of hardware and software on behalf of end users

  • Assisting end users with hardware and software difficulties

  • Training users in the use of hardware, software, and databases

  • Answering end user queries

  • Monitoring technical developments and informing end users of developments that might be pertinent to them

  • Determining the source of problems with production systems and initiating corrective actions

  • Informing end users of problems with hardware, software, or databases that could affect their control over the installation of hardware and software upgrades

  • Initiating changes to improve efficiency, etc.

Patch and Vulnerability Management

While patching and vulnerability monitoring can often appear to be an overwhelming task, consistent mitigation of organizational vulnerabilities can be achieved through a tested and integrated patching process. At CSRS-Corp, we understand that a proactive (rather than reactive), mature patch and vulnerability management program allows your organization to maintain the appropriate level of security for its systems. Our services combine patch automation with preventative maintenance so your organization can spend less time, fewer resources, and less money on incident response. Our patch and vulnerability management services guide you through 13 security practice steps designed to prevent the exploitation of Information Technology vulnerabilities that exist within an organization:

  • Create a patch and vulnerability group.

  • Continuously monitor for vulnerabilities, remediations, and threats.

  • Prioritize patch application and use phased deployments as appropriate.

  • Test patches prior to deployment.

  • Deploy enterprise-wide automated patching solutions.

  • Use automatically updating applications as appropriate.

  • Create an inventory of all information technology assets.

  • Use standardized configurations for Information Technology resources as much as possible.

  • Verify that vulnerabilities have been remediated.

  • Consistently measure the effectiveness of the organization’s patch and vulnerability management program, and apply corrective actions as necessary.

  • Train applicable staff on vulnerability monitoring and remediation techniques.

  • Periodically test the effectiveness of the organization’s patch and vulnerability management program.

  • Use vulnerability mitigation resources as appropriate.

Through our services, your organization will establish a systematic, accountable, and documented process for managing exposure to vulnerabilities through the timely deployment of patches.  Our goal is to reduce the time and money spent dealing with vulnerabilities and exploitation of those vulnerabilities.

Information Assurance Readiness Assessments

Our readiness assessment services assist your organization in determining how effectively an entity being assessed (e.g., people, operations, and technology) meets specific security objectives in support of organizational objectives. Three types of assessment methods can be used to accomplish this: technical vulnerability assessments, non-technical vulnerability assessments, and penetration testing. Our experts analyze the results and translate the technical and non-technical data, with the goal of extracting useful data elements that can then be used to compare and identify Information Assurance trends, root causes, and security shortfalls. Once the analysis of these assessments is complete, our findings, results, and technical and non-technical mitigation recommendations are presented in a comprehensive, detailed, and easy-to-read report.

Technical Vulnerability Assessments

A technical vulnerability assessment is designed to address the evaluation of an organization's technology posture. This type of assessment consists of conducting vulnerability scans of all technologies in your networks, including:

  • Local Computing Environment (workstations and servers)

  • Enclave Boundary (firewalls, guards, and Virtual Private Network [VPN])

  • Network and Infrastructure (routers, switches, wireless, and VoIP)

  • Supporting Infrastructure (Intrusion Detection Systems [IDSs] and Public Key Infrastructure [PKI])

The technical assessments are a form of “active testing”; however, they are conducted in such a manner as to be non-disruptive to the network’s normal operations.

Non-Technical Assessments

A non-technical vulnerability assessment is designed to address the evaluation of an organization's people and operations posture. This type of assessment seeks to determine whether an established Information Assurance program meets mandated policies and procedures, as well as the organization's own stated objectives. The assessment includes a programmatic review of the target audience's enclaves and systems, its IA documentation, and the implementation of the policies and procedures used to protect, detect, react, and recover these systems. The non-technical assessments are procedure-based, non-disruptive to the systems/enclaves, and composed of the following activities:

  • Interview of Information Assurance Workforce Management

  • System Demonstration

  • Information Assurance Documentation Review

Recovery and Reconstitution

CSRS-Corp provides a broad array of solutions designed to sustain, recover, and reconstitute critical information technology services following an emergency. Our solutions are designed to assist organizations in preparing response, recovery, and continuity activities for disruptions affecting the organization's information technology systems, business processes, and facilities. We provide solutions for your Business Continuity, Business Recovery, Continuity of Operations, Continuity of Support Plan/IT Contingency, Cyber Incident Response, and Disaster Recovery Programs.

Business Continuity Plan

Our Business Continuity solutions provide procedures for sustaining essential business operations while recovering from a significant disruption. These plans address business processes; Information Technology is addressed only in terms of its support for those business processes.

Business Recovery Plan

Our Business Recovery solutions provide procedures for recovering business operations immediately following a disaster. These plans address business processes and are not IT-focused; Information Technology is addressed only in terms of its support for those business processes.

Continuity of Operations Plan

Our Continuity of Operations solutions provide procedures and capabilities to sustain an organization's essential, strategic functions at an alternate site for up to 30 days. Our services address the subset of an organization's missions that are deemed most critical; these plans are usually written at the headquarters level and are not IT-focused.

Continuity of Support /Information Technology Contingency Plan

Our Continuity of Support/Information Technology Contingency solutions provide procedures and capabilities for recovering a major application or general support system. A Continuity of Support plan is the same as an Information Technology contingency plan: it addresses Information Technology system disruptions and is not business-process focused.

Disaster Recovery Plan

Our Disaster Recovery solutions provide detailed procedures to facilitate the recovery of capabilities at an alternate site. These plans are often IT-focused and limited to major disruptions with long-term effects.

Auditing and Testing Services

CSRS-Corp is your place for "one-stop systems auditing and testing services".  Our services include:

Auditing Services

Operational Audits

CSRS-Corp operational audits are designed to evaluate the internal control structure in a given process or area. Audits of application controls or logical security systems are some examples of operational audits.

Administrative Audits

CSRS-Corp administrative audits are oriented to assess issues related to the efficiency of operational productivity within an organization.

Information System Audits

CSRS-Corp information systems audit collects and evaluates evidence to determine whether the information systems and related resources adequately safeguard assets, maintain data and systems integrity and availability, provide relevant and reliable information, achieve organizational goals effectively, consume resources efficiently, and have, in effect, internal controls that provide reasonable assurance that business, operational and controls objectives will be met and that undesired events will be prevented, or detected and corrected, in a timely manner.

Specialized Audits

Within the category of information systems audits, CSRS-Corp provides a number of specialized reviews that examine areas such as services performed by third parties. Because businesses are becoming increasingly reliant on third-party service providers, it is important that internal controls be evaluated in these environments.

Forensics Audits

CSRS-Corp forensic audits specialize in discovering, disclosing, and following up on fraud and crimes. The primary purpose of such a review is the development of evidence for review by law enforcement and judicial authorities.

Testing Services

Conformance Testing

CSRS-Corp conformance testing provides a process for assessing the compliance of a product to the defining specification or standard.  Specialized test tools are used to exercise a product to determine if the proper actions and reactions are produced.  The test tool is normally the only device the product being evaluated is connected to.  Successful completion of a conformance test will enhance the probability of interoperability with other products that have been successfully conformance tested.

Developmental Testing

Developmental testing is the process of testing concurrent with product development.  It can be used to prepare for formal, operational testing, as well as shortening the time to bring a product to market.

Operational Testing

Operational testing is the process of evaluating the performance of products in an operational environment.  Due to the resource requirements needed to generate realistic environments, operational testing is usually conducted in conjunction with military exercises.

Validation Testing

Validation testing is the process of ensuring: (1) proper requirements coverage by the proposed standards or specifications and (2) correct standards or specifications are available as the basis for developing products.  In the context of validation, correct standards would be those demonstrated to be self-consistent, complete, and feasible.  Validation testing consists of two general phases: static analysis which satisfies item (1) above and dynamic analysis, which satisfies item (2) above.
