Service Descriptions

Learn How We Can Help

Cyber Security Risk Management Strategy

ACSG advisors comprehensively assess each clients’ security needs then evaluate associated risks, threats and vulnerabilities to develop a strategic plan and mission focused approach to protecting information assets whether in the cloud or locally.  We recognize that each organization is unique and requires an applied approach to managing security risks. We evaluate these risks based on current trends and industry-specific intelligence along with current business operations that spans many business units.   Every enterprise has its distinctive needs, at ACSG we tailor our solutions to meet them through extensive program management. Understanding the risks that applications, systems and third parties may pose is the first responsible step toward an improved security posture including Disaster Recovery & Business Continuity. Security control design, documentation and guidelines for mapping across industry standards are included with each client engagement. We never work in a vacuum. We work in close coordination technical, management and business unit personnel to ensure cross-functional capabilities remain fluent.

Information Policy Review & Enhancement

We examine and enhance security policies, procedures and guidelines to deliver a cohesive policy structure that supports organizational operations.

Governance, Risk & Compliance (GRC)

Internal and external business relationships are generally in place to add value to an organization. However, governance and risks

Security Engineering

We maintain knowledge of security principles and best practices by remaining current with emerging threats and trends.  We understand the operational and technical needs of security engineering in diverse environments.

 

ACSG begins by analyzing current client operations, including business practices and objectives.  Our engineers then propose an engineering solution or design tailored to the client infrastructure which may include future operational environments. Our work extends to endpoints, switches, Internet access, communications, and security. Our engineers incorporate network security from the beginning, and our security experts use a risk assessment and threat monitoring methodology that includes novel threat monitoring tools to ensure the security of our client’ systems.

Security Architecture

Designing a scalable security environment requires extensive knowledge of leading edge security technologies. Our design process is collaborative and interactive. Our architects work closely with end-users, engineers and service providers to ensure professional installation and successful implementation of security solutions.

 

We participate in the evaluation of new security technologies for client solutions and ensure our client’s architecture is fully documented. The documents and procedures include data flows and technical security specifications.

Security Audit Support

Our professionals have extensive knowledge and experience independently handling compliance audits and customer reviews. Audits, while necessary, can be overwhelming for staff and executive leadership who are ultimately responsible for audit findings.

 

ACSG can manage and coordinate information requests pertaining to internal, external, and regulatory audits. Our solution ensures audit findings and evidence are collected, reviewed, remediated, and presented in a clear and concise manner.  Included is the standard operating procedure we provide our clients for future audits independent of ACSG support services.

We provide our clients a direct phone number to a dedicated compliance expert instead of a “get back to you later” email link. We prefer to represent clients in person during compliance audits instead of over the phone. We do all this while delivering the expert advice our clients can trust.

Cyber Security Training & Awareness

Our training consists of content customized to our client’s environment. From recognizing challenging work environments to business continuity planning and preparedness we deliver hands on effective training. Awareness of security operations, threats and prevention is delivered through instructor-led or web-based solutions.

Risk Assessments & Analysis

Understanding the risks that applications, systems and third parties may pose is the first responsible step toward an improved security posture. We help our clients assess systems and applications then prioritize remediation strategies to further improve cyber security.

 

We identify probable targets of attacks and exploits.

Our comprehensive program goes well beyond traditional vulnerability assessments by incorporating social engineering analysis, public employee information, data mining and remote network analysis.

After identifying possible threats, we analyze each target for relevant vulnerabilities. We examine our clients’ organization through the eyes of a malicious user and simulate both remote and internal attacks. Our assessment may include active attempt to execute the vulnerabilities we’ve detected with client permission and a targeted approach.

Risk assessments combine knowledge of business objectives, information flow, safeguard requirements, network architecture, and operational policies and procedures. The result is an identification of critical assets, an understanding of internal and external threats, and a prioritized set of practical cost-effective risk-mitigation measures.

Management, technical and executive reports accompany all assessment findings with necessary steps to remediate the security risks.

Application Security Assessments

Our application security assessors have strong understanding of secure engineering concepts such as secure coding practices and secure code reviews. We carefully work with our clients’ engineers and developers to embed secure development practices, conduct application security reviews and provide security consultancy and advice. This includes assisting with ongoing application security review testing to examine legacy and new applications.

 

Our process examines how the application performs authentication, authorization, data validation, user and session management, encryption, and error handling. Code review, threat modeling, pen- tests and design analysis are performed as part of our comprehensive application security assessment solutions as well.

We consider security metrics and measurement capability to demonstrate application security and software development lifecycle security activities.

Traditionally, developers create functional process with priority of security.

We guide client development teams on adoption and execution of a Secure Product Life Cycle. Secure Software Development Lifecycle (Secure SDLC) is incorporated within all programming areas for threats and common vulnerabilities.

Vulnerability Assessments

Our assessors identify and examine network vulnerabilities for internal – Intranet and external-Internet facing systems to determine whether an attacker can exploit targeted systems with the vulnerabilities. We further examine if vulnerabilities can be used to gain access to sensitive information.

 

Penetration testing determines the extent of network exposure to external or internal attack and assess the effectiveness of existing safeguards in providing the level of necessary protection. We demonstrate the effectiveness of security measures by attempting to exploit discovered weaknesses following our proven methodology.

An optional external penetration-testing phase includes exploitation of the underlying vulnerabilities. All testing is carefully controlled by authorized Rules of Engagement and is conducted in a manner that avoids network outages and maintains data integrity.

Independent Verification & Validation (IV&V)

Independent Validation & Verification of security control implementation is an important compliance component for the Dept. of Defense and many civilian agencies.  We can perform IV&V and produce detailed reports as experienced independent assessors.

FISMA Compliance (A&A)

The Federal Information Security Management Act (FISMA) outlines valuable controls for protecting information systems. Compliance with the law is complex and time consuming. ACSG delivers the benefits of reduced cost and complexity of FISMA compliance by identifying non-compliant areas planning remediating needed for compliance prior to involvement from the Certifying Authority (CA).

 

ACSG has extensive experience securing the networks and data of government agencies. ACSG’s FISMA experts bring a thorough understanding of the risks agencies face and offer federal agencies Assessment & Authorization (A&A) services, asset classification, risk assessments and ongoing security services to obtain an Authorization to Operate (ATO) or maintain a traditional Agency ATO aligned with cloud services and/or FedRAMP.

Our processes, tools and methodologies are based on the core components identified by FISMA and established by NIST.

Our FISMA services are based upon Risk Management Framework (RMF) and include:

  • Developing a System Security Plan (SSP) and help clients develop and maintain documents that detail internal controls

  • Providing a FISMA risk assessment that demonstrates the independent assessment of the control environment

  • Delivering penetration testing and vulnerability assessments that identify and prioritize weaknesses through physical, logical and social testing techniques

Providing services to support security authorization that offer agency officials the confidence they need to sign off on security system security posture.