Information Security: Expertise
Business Continuity & Disaster Recovery Planning and Assessments
NYSTEC will work with you to establish an effective BC/DR program that allows your organization to:
• Continue functioning and avoid business failure in the event of a calamity,
• Mitigate financial and operational impacts,
• Establish documented and formal processes and procedures to follow when a disaster occurs, and
• Have effective back-up and recovery strategies to mitigate the impact of disruptive events.
Vulnerability Assessments
NYSTEC’s vulnerability assessments provide clients with:
• An identification of vulnerabilities using industry-recognized tools,
• An interpretation of vulnerabilities that clients can understand,
• A prioritization of vulnerabilities, and
• Recommended strategies to mitigate the most serious vulnerabilities.
Risk Assessments
As part of our risk-assessment methodology, NYSTEC will:
• Identify the organization’s assets and categorize potential losses;
• Identify threats, vulnerabilities, existing controls, and the value of different pieces of information to the organization;
• Identify the risk; and
• Propose additional controls and actions for management consideration.
Information Security Policy, Processes, Standards, and Procedures
NYSTEC works with the organization’s stakeholders to:
• Review, develop, and supplement Information Security policies and associated processes, standards, and procedures; and
• Ensure that all policies and procedures are effective and affordable.
Compliance Audit and Gap Analysis
During a Compliance Audit and Gap Analysis, NYSTEC will:
• Compare your existing security posture to internal policies,
• Compare your security posture to international standards,
• Compare your security posture to the requirements of business partners, and
• Recommend measures for coming into compliance.
Security: Application and System Development
We identify key security issues at each stage in the development life cycle:
• System feasibility: Identify the security requirements, policies and standards needed.
• Software plans and requirements: Identify the vulnerabilities, threats, and risks. Plan the appropriate level of protection. Complete a cost-benefit analysis.
• Product design: Plan for security specifications in product design, including access controls and encryption.
• Detailed design: Design security controls in relationship to business needs and legal liabilities.
• Coding: Ensure that the vendor employs secure coding practices.
• Product integration: Test security measures in software and make refinements.
• Implementation: Implement security measures and software, and test before going live.
• Operations and maintenance: Monitor security software for changes, test against threats, and implement appropriate changes when necessary.
• Quality assurance: NYSTEC serves as your quality-assurance agent throughout the development life cycle, especially during system build-out and deployment.
Technology and System Acquisition
NYSTEC works with the organization’s procurement staff and stakeholders to:
• Identify, document, and track security requirements throughout the acquisition process; and
• Assist in performing a “proof-of-concept” of vendor products, including assessments of how well products meet security requirements.
Identity and Access Management
NYSTEC provides assistance with:
• Developing an overall IAM strategy (federated or centralized);
• Reviewing proposed vendor IAM solutions;
• Performing an “as-is” assessment of an organization’s current identity and access systems;
• Developing a “to-be” picture, along with steps necessary to get there; and
• Providing advice on IAM architectures best suited for the organization.
Data Classification
NYSTEC helps clients institute data classification through the following:
• Developing a “Data Classification Standard” that provides a charter for the process as well as classification levels and labels (such as “Confidential,” “Internal Use Only,” and “Public”);
• Assisting the organization with identifying and classifying its information; and
• Identifying existing security controls and developing new controls.
Additional Information Security Services
• Security Training
• Physical Security
• Security Design Review