Information Security: Expertise

Business Continuity & Disaster Recovery Planning and Assessments
NYSTEC will work with you to establish an effective BC/DR program that allows your organization to:
• Continue functioning and avoid business failure in the event of a calamity,
• Mitigate financial and operational impacts,
• Establish documented and formal processes and procedures to follow when a disaster occurs, and
• Have effective backup and recovery strategies to mitigate the impact of disruptive events.

Vulnerability Assessments
NYSTEC’s vulnerability assessments provide clients with:
• An identification of vulnerabilities using industry-recognized tools,
• An interpretation of vulnerabilities that clients can understand,
• A prioritization of vulnerabilities, and
• Recommended strategies to mitigate the most serious vulnerabilities.

Risk Assessments
As part of our risk-assessment methodology, NYSTEC will:
• Identify the organization’s assets and categorize potential losses;
• Identify threats, vulnerabilities, existing controls, and the value of different pieces of information to the organization;
• Identify the risk; and
• Propose additional controls and actions for management consideration.

Information Security Policy, Processes, Standards, and Procedures
NYSTEC works with the organization’s stakeholders to:
• Review, develop, and supplement Information Security policies and associated processes, standards, and procedures; and
• Ensure that all policies and procedures are effective and affordable.

Compliance Audit and Gap Analysis
During a Compliance Audit and Gap Analysis, NYSTEC will:
• Compare your existing security posture to internal policies,
• Compare your security posture to international standards,
• Compare your security posture to the requirements of business partners, and
• Recommend measures for coming into compliance.

Security: Application and System Development
We identify key security issues at each stage in the development life cycle:
System feasibility: Identify the security requirements, policies and standards needed.
Software plans and requirements: Identify the vulnerabilities, threats, and risks. Plan the appropriate level of protection. Complete a cost-benefit analysis.
Product design: Plan for security specifications in product design, including access controls and encryption.
Detailed design: Design security controls in relationship to business needs and legal liabilities.
Coding: Ensure that the vendor employs secure coding practices.
Product integration: Test security measures in the integrated software and make refinements.
Implementation: Implement security measures and software, and test before going live.
Operations and maintenance: Monitor security software for changes, test against threats, and implement appropriate changes when necessary.
Quality assurance: NYSTEC serves as your quality-assurance agent throughout the development life cycle, especially during system build-out and deployment.

Technology and System Acquisition
NYSTEC works with the organization’s procurement staff and stakeholders to:
• Identify, document, and track security requirements throughout the acquisition process; and
• Assist in performing a “proof-of-concept” of vendor products, including assessments of how well products meet security requirements.

Identity and Access Management
NYSTEC provides assistance with:
• Developing an overall IAM strategy (federated or centralized);
• Reviewing proposed vendor IAM solutions;
• Performing an “as-is” assessment of an organization’s current identity and access systems;
• Developing a “to-be” picture, along with steps necessary to get there; and
• Providing advice on IAM architectures best suited for the organization.

Data Classification
NYSTEC helps clients institute data classification through the following:
• Developing a “Data Classification Standard” that provides a charter for the process as well as classification levels and labels (such as “Confidential,” “Internal Use Only,” and “Public”);
• Assisting the organization with identifying and classifying its information; and
• Identifying existing security controls and developing new controls.

Additional Information Security Services
• Security Training
• Forensics
• Physical Security
• Security Design Review