Civilian Services
Program Management
Program Management at the federal level is primarily contracted to give the government a single accountable manager and partner empowered to execute the statement of work. Much like the executive officer aboard a ship, the PM guides the effort against the statement of work requirements and redirects the team's focus as conditions and requirements evolve.
Program Management at OLTS is no different. We offer a range of specific services, documented in our Standard Operating Procedures, crafted to exceed the statement of work requirements. Our SOPs include Change Management, Risk Management, Program Management Office execution, and Security Management.
Our team follows the Project Management Institute's Project Management Body of Knowledge (PMBOK) for project execution. Security Management is guided by additional standards, for example NIST SP 800-53A for control assessment and FIPS 140 for cryptographic module validation.
Intrusion Prevention
Perimeter security plays a key role, but not the only role, in a defense-in-depth model. Oak Leaf brings operational skill in continuous monitoring, signature management and patching, and experience tuning sensors to minimize false positives without sacrificing detection coverage. Combining skilled staff with sound, field-hardened processes, all supported by real-time situational-awareness feeds, provides a flexible defense-in-depth posture vital to the health of your network.
Identity Management
Whether addressing identity provisioning, authentication or federation, Oak Leaf stands poised to offer solid, resilient solutions and staff capable of meeting your present and future challenges. Onboarding across the enterprise or via the cloud is a delicate task, yet one Oak Leaf handles with skill and innovation. Larger organizations are migrating to Software as a Service (SaaS) solutions to support bulk onboarding, for example through SPML (the Service Provisioning Markup Language). Oak Leaf staff upgraded and provisioned such a solution for a DoD customer, where well-defined processes drove a reliable upgrade of access provisioning across the enterprise.
Access Control
Access Management addresses authentication-related challenges such as credential management, strong authentication, delegated authentication, and managing trust across the enterprise and every type of cloud service. The Oak Leaf team stands prepared to support an agency's entry into, or enhancement of, an Identity and Access Management (IAM) program. Oak Leaf also brings experience designing and deploying a Role-Based Access Control (RBAC) solution for a national agency.
Information Security Management System
An information security management system (ISMS) is a set of policies and procedures for managing information security and IT-related risk. The term and its vocabulary come primarily from ISO/IEC 27001, whose full title is ISO/IEC 27001:2005, Information technology -- Security techniques -- Information security management systems -- Requirements.
The key to an effective ISMS is balancing coherent policy against the risks it addresses, so that controls remain proportionate and system integrity is maintained across the enterprise.
Components of an ISMS
The overarching goal of the ISMS is to remain effective and efficient in the long term, adapting to changes in the internal organization and in external circumstances. ISO/IEC 27001:2005 explicitly incorporates the "Plan-Do-Check-Act" (PDCA), or Deming cycle, approach (later revisions drop the explicit PDCA wording but keep the requirement for continual improvement):
- The Plan phase designs the ISMS: establishing appropriate policy, assessing information security risks, and selecting appropriate controls and the responsibilities that go with them.
- The Do phase implements and operates the controls and validates that the countermeasures are effective.
- The Check phase reviews and evaluates the performance (efficiency and effectiveness) of the ISMS.
- The Act phase makes whatever changes are necessary to return the ISMS to peak performance.
Oak Leaf Technology Solutions is prepared to guide clients through the evaluation of alternative ISMS models. One alternative is the Information Security Forum's Standard of Good Practice (SOGP). Other frameworks such as COBIT and ITIL touch on security, but are mainly geared toward governance of IT as a whole; COBIT has a companion framework, Risk IT, dedicated to IT risk management.
Several other initiatives focus on the governance and organizational dimensions of securing information systems, beyond the purely technical issues:
- The Federal Information Security Management Act of 2002 (FISMA) is a United States federal law that recognized the importance of information security to the economic and national security interests of the United States. It requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the agency's operations and assets, including those provided or managed by another agency, contractor, or other source.
- The Governing for Enterprise Security (GES) Implementation Guide from the Carnegie Mellon University Software Engineering Institute's CERT program is designed to help business leaders implement an effective program to govern information technology and information security. It aims to help leaders make well-informed decisions about the key components of GES: adjusting organizational structure, designating roles and responsibilities, allocating resources (including security investments), managing risk, measuring results, and gauging the adequacy of security audits and reviews. Elevating security to a governance-level concern is intended to foster attentive, security-conscious leaders who are better positioned to protect an organization's digital assets, operations, market position, and reputation.
- The Systems Security Engineering Capability Maturity Model (SSE-CMM) was standardized as ISO/IEC 21827.
- The Information Security Management Maturity Model (known as ISM-cubed or ISM3) is another form of ISMS. ISM3 builds on standards such as ISO 20000, ISO 9001, CMM and ISO/IEC 27001, together with general information governance and security concepts, and can serve as a template for an ISO 9001-compliant ISMS. Where ISO/IEC 27001 is controls-based, ISM3 is process-based and includes process metrics. ISM3 is a standard for security management, that is, achieving the organization's mission despite errors, attacks and accidents within a given budget. The difference between ISM3 and ISO/IEC 21827 is that ISM3 focuses on management while ISO/IEC 21827 focuses on engineering.
Does your organization need an ISMS?
Experienced practitioners generally agree that:
- Effort should be balanced. As a rule of thumb, IT security administrators should devote about one-third of their time to technical work and two-thirds to developing policies and procedures, performing security reviews and risk analysis, contingency planning, and promoting security awareness. Are your organization's efforts in balance?
- Security depends on people more than on technology. How comprehensive is your security training?
- Insiders, through negligence or malice, are frequently a greater threat to information security than outsiders. Are employees aware of their role and position within the control paradigm?
- The degree of security achieved depends on three factors: the risk you are willing to accept, the functionality the system must provide, and the cost you are prepared to pay. The trade-off among these demands regular review and analysis.
- Security is not a static position or a snapshot but a running, moving, adapting process. Is your organization adapting?
Case Studies
Case study: US Department of Treasury
Background
The US Treasury manages the collection, accounting, disbursement and related tracking of the federal government's funds. Through its bureaus, the Treasury touches and benefits all Americans. From a security perspective, the US Treasury is a target that warrants the strongest set of security countermeasures. The systems supporting Treasury collection and disbursement operate over established communications models and platforms with a wide range of constituents across the country.
The Challenge
The systems supporting the US Treasury must remain highly available and reliable, protect confidentiality, and serve constituents with the utmost integrity. Like all internet-facing systems, Treasury systems face constant threats. Maintaining a robust, layered defense requires diligent, persistent awareness and maintenance of every system exposed to the internet, whether reached over a VPN or through other encrypted channels.
The Solution
Oak Leaf Technology Solutions provides that assurance to the stakeholders. When a key security officer departed unexpectedly, Oak Leaf stepped in and provided the seamless professional security services required to maintain the necessary countermeasures. We handled the steps needed to comply with the NISPOM, FIPS 199, NIST SP 800-53, and Treasury and banking best practice. We evaluated the team's use of internet-facing controls, intrusion prevention and detection systems, firewalls, VPN access (both internal and external), physical controls including internal and external camera surveillance and DVR monitoring roles, guard management, badging, and new-hire orientation.
The Result / Benefit
The Treasury services remain protected and fully operational. Vulnerabilities are addressed diligently and continuously, with an eye toward the next internal or external audit, which for critical systems of this kind comes far more often than annually. Migrations to new systems receive their Authority to Operate on time and with few issues.