Security Systems: Network Security
TSI has been developing and utilizing a variety of tools and practices that can protect your business internally and externally without hindering your business processes or communication. The greatest threat to your business today is internal hacking. Internal, from your own employees: the people who know your business inside and out. The days of being able to have your e-mail servers, domain controllers and ERP servers on the same subnet with no access controls between workstations and servers is over. However, internal security is often given a lower priority and put on the back burner while the perimeter is being fortified.
TSI's network security consultants follow the recommendations of the National Institute of Standards and Technology for IT Risk Management Analysis. There is a structure and methodology to risk analysis, followed by a risk mitigation process. Risk mitigation includes a cost benefit analysis, mitigation options and strategy and approach for a controlled implementation.
Our risk assessment process includes identification and evaluation of risks and risk impacts, and recommendation of risk-reducing measures. In assessing risks for an IT system, the first step we take is to define the scope of the effort. In this step, the boundaries of the IT system are identified, along with the resources and the information that constitute the system. Characterizing an IT system establishes the scope of the risk assessment. Identifying risk for an IT system requires an understanding of the system's processing environment. As a network security consulting firm, our first step is to collect system-related information, which is usually classified as follows:
- System interfaces (e.g., internal and external connectivity)
- Data and information
- Persons who support and use the IT system
- System mission (e.g., the processes performed by the IT system)
- System and data criticality (e.g., the system's value or importance to the court)
- System and data sensitivity
Additional information related to the operational environmental of the IT system and its data includes, but is not limited to, the following:
- The functional requirements of the IT system
- Users of the system (system users who provide technical support to the IT
- System or application users who use the IT system to perform Court functions)
- System security policies governing the IT system.
- System security architecture
Any, or a combination, of the following techniques will be used in gathering information relevant to the IT system within its operational boundary
- Questionnaire -To collect relevant information, our risk assessment personnel can develop a questionnaire concerning the management and operational controls used for the IT system. This questionnaire would be distributed to the applicable technical and non technical personnel supporting the IT system. The questionnaire could also be used during on-site visits and interviews.
- On-site Interviews - Interviews with IT system support and management personnel will enable our risk assessment personnel to collect useful information about the IT system (e.g., how the system is operated and managed).
The analysis of the threat to an IT system must include an analysis of the vulnerabilities associated with the system environment. The goal of this step is to develop a list of system vulnerabilities (flaws or weaknesses) that could be exploited by a potential threat sources.
It should be noted that the types of vulnerabilities that will exist, and the methodology needed to determine whether the vulnerabilities are present, will usually vary depending on the nature of the IT system. During this step, our risk assessment personnel determine whether the security requirements stipulated for the IT system and collected during system characterization are being met by existing security controls. If you are in a niche industry, we will utilize the industry specific network security assessment . For most businesses, a thorough IT Security Audit is performed.
We will use a security requirements checklist will be that contain the basic security standards that can be used to systematically evaluate and identify the vulnerabilities of the assets (personnel, hardware, software, information), non-automated procedures, processes, and information transfers associated with a given IT system.
Security controls encompass the use of technical and non-technical methods. Technical controls are safeguards that are incorporated into computer hardware, software, or firmware , such as access control mechanisms, identification and authentication mechanisms, encryption methods, intrusion detection software). Non-technical controls are management and operational controls, such as security policies; operational procedures; and personnel, physical, and environmental security.