280 likes | 302 Views
Company Overview, Products and Sample Reports. January 2007. Corporate Background • Founded in Nov. 2006 - Headquartered in Lilburn, GA - Sales and Marketing office in Buford, GA • Unique compliance solution - Addresses GLBA, HIPAA, FISMA and PCI markets
E N D
Company Overview, Products and Sample Reports January 2007 www.acr2.org
Corporate Background • Founded in Nov. 2006 - Headquartered in Lilburn, GA - Sales and Marketing office in Buford, GA • Unique compliance solution - Addresses GLBA, HIPAA, FISMA and PCI markets - Traceable and Compliant with NIST protocols - Risk scores automatically updated using network data, new safeguards, Intrusion and Anti-virus data www.acr2.org
Introducing …. ACR2Basic - Risk Assessment Available in 2 versions January 2007: • ACR2Basic - Business Edition reports encrypted and auditable • ACR2Basic - MSP Edition reports headers can be modified And in Q1 2007.. • ACR2Basic - Enterprise Edition For managing multiple locations Ships with 10 site licenses www.acr2.org
The Compliance Process www.acr2.org
Automated Compliance Reporting • Information Security involves reducing the risk of loss or theft of protected information • Perfect Information Security would require infinite resources • Compliance involves providing enough security to meet the “standard of care” • Compliance is perfectly possible – and required! www.acr2.org
Automated Compliance Reporting • How does an organization determine a “reasonably foreseeable” risk? • Or a “material change”? • “reasonably foreseeable risks” under Federal law are defined by the National Institutes of Standards and Technology (NIST) • The NIST standards are freely available… www.acr2.org
They are also complex and extensive www.acr2.org
Automated Compliance Reporting • There is a better way. • 79% of Americans use Turbo-Tax™ to deal with IRS regulations, which are long and complex • ACR2 is a Turbo-Tax™ style simplification of the NIST protocols to deal with information security regulations, which are also long and complex www.acr2.org
Automated Compliance Reporting • Risk Score - is determined by multiplying the probability of event by the impact of the event • Risk Scores range from 1 to 100, with 50-100 High, 10-50 Medium and scores <10 considered Low. • For risks labeled High, corrective action must be taken "as soon as possible" (NIST 800-30). www.acr2.org
Automated Compliance Reporting • For Medium Risks, correction must be within a "reasonable amount of time", while Low risks may be merely observed. • How do organizations achieve acceptably Low Risk? • NIST definition of “Low Risk” means that “controls are in place to prevent…the vulnerability from being exercised” •What controls are needed to achieve acceptably “Low Risk?” www.acr2.org
Special Publication 800-53 Recommended Security Controls for Federal Information Systems Ron Ross, Stu Katzke, Arnold Johnson Marianne Swanson, Gary Stoneburner, George Rogers, Annabelle Lee www.acr2.org
NIST 800-53 includes citations of these additional protocols www.acr2.org
Automated Compliance Reporting is Much Easier • To Initiate the “Turbo-Tax™” approach to compliance, just browse to: www.acr2solutions.com www.acr2.org
Using the ACR2 Basic Reports The first three ACR2 reports are The Safeguards Status Report – a summary of the current system status vs NIST standards The Automated Baseline Report – 30 threat source/vulnerability pairs scored from 1-100 The Risk Assessment Chart – same data as the Baseline, scored as red/yellow/green www.acr2.org
Using the ACR2 Basic Reports - cont. Detailed information on each safeguard is available from the NIST www.acr2.org
Using the ACR2 Basic Reports - cont. • the Deficiency Report lists the missing or underperforming safeguards relative to each risk. • This allows creation of a remediation plan that addresses the high risk elements first, as required by the NIST protocols • Each of the 30 risks is assessed separately www.acr2.org
ACR 2 reduces over 90 NIST protocols to a simple “Turbo-Tax™” style question and answer format. The ACR 2 reports can be updated on demand whenever new data becomes available www.acr2.org
One Compliance Option is to Read, Understand and Apply the NIST Protocols www.acr2.org
The Better Option is to Use Automated Compliance Reporting How Much is Your Time Worth? www.acr2.org