SecureInfo Cloud Computing Security Solution
Move to the Cloud with Confidence

Federal Agencies

Cloud Security Readiness Assessments

SecureInfo's Cloud Security Readiness Assessment assesses an organization's information security posture and determines how well its cloud computing solution meets relevant regulations and guidance. More than just a checklist, we perform a detailed gap analysis and deliver a Findings and Recommendations Report, which identifies gaps and details a corrective actions roadmap. The result is an accurate view of the level of preparedness of your cloud initiative and the steps required to manage and/or mitigate cybersecurity risks. Agencies take advantage of the Cloud Security Readiness Assessment before creating a cloud computing RFx to ensure a comprehensive view of cybersecurity requirements is articulated to potential service providers.

SLA Advisory Services

Agencies that adopt cloud computing solutions from external service providers must ensure that Service Level Agreements (SLAs) meet stringent regulations and guidance. SLAs must include the right to understand cybersecurity risk and metrics through the right to inspect, up front and over time, all aspects of the cloud computing solution's information security posture. SecureInfo works closely with you to craft measurable SLAs with your service providers to mitigate your risk. Your cloud computing SLAs must include the appropriate level of rigor, inspection, and accountability specific to federal government and agency-specific standards and guidance. For example, according to federal guidance, computer security incidents involving PII (Personally Identifiable Information) must be reported to the USCERT within one hour of detection. Your cloud service provider must notify your agency of such an event in less than one hour to ensure you are able to meet that reporting deadline.

Cloud Security Assessment and Authorization

SecureInfo customers rely on SecureInfo's Cloud Security Assessment and Authorization Services to more effectively comply with OMB directives, Federal Information Processing Standards, NIST guidance, DIACAP directives and/or other relevant standards and guidance. Working closely with your organization, we will develop, assess and monitor your information security posture up front and over time.

Develop

We develop and document a comprehensive Cloud Security Assessment and Authorization package. The package comprises all the required artifacts, including a System Security Plan (SSP), Security Assessment Report (SAR), Privacy Impact Assessment (PIA), configuration management plans, business continuity plans, incident response plans, and plans critical to cloud computing, such as defining and documenting system boundaries.

Assess

We perform an independent assessment of your cloud computing security controls implementation, including a review of the following:

  • Incident response processes to ensure you have the right processes in place to respond to USCERT and others
  • Vulnerability scanning
  • Inspection of cloud computing networks, systems, hypervisors, virtual images and applications
  • Logging and auditing processes for tracking user activity
  • Training programs - your users must be cloud-security-aware, not just security-aware
  • Background investigation policies and procedures to ensure that only authorized personnel have access to systems and data

We perform penetration testing of your Internet-facing systems to ensure they are resistant to attack. Our goal is to identify vulnerabilities before an adversary does.

Monitor

SecureInfo enables you to sustain your security posture through continuous monitoring as specified by NIST 800-37, FedRAMP and other guidelines. We perform the following services:

  • Monthly scan reports of all systems within the boundary for vulnerability (patch) management
  • Quarterly scans for verification of FDCC compliance (USGCB, CIS)
  • Annual Incident Response Plan updates
  • Quarterly POA&M Remediation
  • Annual Change Control Process updates
  • Annual Penetration testing
  • Semi-Annual IV&V of controls
  • Quarterly scans to verify that the boundary has not changed (and that no rogue systems have been added after ATO)
  • Quarterly system configuration management software updates
  • Quarterly FISMA reporting data updates
  • Annual documentation updates
  • Annual Contingency Plan and Test Report testing
  • Annual Separation of Duties Matrix
  • Annual Information Security Awareness and Training, including recording results

Specified service and frequency of service can be adjusted based on your agency's requirements.

Benefits

Government Agencies

  • Undertake cloud computing initiatives with confidence
  • Gain an unprecedented level of information security and risk transparency
  • Gain rigorous information security and risk performance measurement of your service provider
  • Reduce costs, reduce time to deployment, increase flexibility and support Green initiatives for data center consolidation initiatives
