
A Look at The Global Security Practice

Practice Overview

Source: sfbay.issa.org/comm/presentations/2009/Jan/2009...

page 1 | www.ciber.com | ©2009


CIBER Global Security Practice

• CIBER Global Security Practice focuses exclusively on IT security services

• CIBER Global Security Practice has been providing security services continuously for over 15 years

• The CIBER Global Security Practice has been part of CIBER for 8+ years

• Based in CIBER’s Denver, Colorado headquarters, we deliver services worldwide in partnership with CIBER branch offices

• Small company agility and focus, backed by the full resources of CIBER


Key Strengths

• 15+ years of successful delivery of security services

– Outstanding references and reputation

• Staff with average 14+ years of security experience

– Dedicated staff – security is primary career focus of all staff

– CISSP certifications

– Background checks/security clearances

• Proven track record on world-class, large-scale projects

• Able to address the universe of strategic security issues

• Broad experience

– Commercial – small, medium, large

– Federal/State/Local Government

– Regulatory/standards compliance experience – SOX, HIPAA, GLB, FISMA, ISO 17799, PCI-DSS, many others

• Able to design and build comprehensive, integrated security solutions

– Not just point products

– Not tied to specific vendors


Define. Achieve. Maintain

CIBER's Approach to Security


CIBER’s Approach to Security

Define

• Security Assessment and Strategy

Achieve

• Security Solution Design and Implementation

Maintain

• Information Security Outsourcing


Define

CIBER Global Security Practice helps you define your security goals!


Define

• CIBER Global Security Practice helps you define your security goals through a risk management approach:

– Risk & vulnerability assessments

– Regulatory compliance analysis

– Enterprise security strategy

– Identity theft assessment

– Third Party Risk Management


Risk & Vulnerability Assessment

Scope of Modules Can Be Easily Tailored To Address Client-Specific Security Standards, Assessment Methods, or Regulations


Regulatory Compliance Analysis

• Best-of-breed security frameworks

• Requirements traceability

• Readiness planning for HIPAA, GLB, PCI-DSS, Sarbanes-Oxley and other 3rd party or legislated requirements


Enterprise Security Strategy

• Security program planning

• Security architectural development

• Achievable business-driven security roadmap

[Figure: "Build Up" security program framework, layered from executive commitment through Program, Manage, Document, Educate, Protect, Detect and Respond]

• PROGRAM – Executive Commitment, Charter, Dedicated ISO, Strategic Planning, Funding, Cross-Functional Security Oversight

• MANAGE – Roles and Responsibilities, Security Skills, Asset Risk Management (Life Cycle Approach)

• DOCUMENT – Policies, Standards, Procedures, Asset ID and Classification

• EDUCATE – Awareness Programs, General Training, Specialized Training, Procedures

• PROTECT – Non-Technical Controls, Technical Controls and Physical Controls across the layers shown: Net, OS, DB, App, Elec Comm, Verbal/written, Personnel

• DETECT – Reviews, Compliance Monitoring, Intrusion Detection, Auditing and Event Logging

• RESPOND – Incident Response, Disaster Recovery, Business Continuity


Identity Theft Assessment

• Business application and database surveys to determine location of personal information storage

• Identity management process and controls assessments with recommendations
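The first bullet above is a data-discovery survey: find where personal information actually sits before assessing the controls around it. What follows is an added example of the mechanical part of such a survey; it is not CIBER's tooling and nothing in the deck describes their scripts. It samples every column of every table in a database and flags columns whose values look like US Social Security numbers or Luhn-valid payment card numbers. The SQLite schema, the sample rows, the two patterns and the 50% hit threshold are all constructed for the illustration.

```python
"""Added example, not CIBER's tooling: survey a database for columns that
hold personal data. The schema, rows, patterns and threshold are constructed."""
import re
import sqlite3
from typing import Optional

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")   # US SSN, dashed form (assumed format)
CARD_RE = re.compile(r"^\d{13,19}$")           # payment card PAN length range


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test, which every real payment card number passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(value) -> Optional[str]:
    """Label one cell as 'ssn', 'card' or None."""
    if not isinstance(value, str):
        return None
    text = value.strip()
    if SSN_RE.match(text):
        return "ssn"
    compact = text.replace(" ", "").replace("-", "")
    if CARD_RE.match(compact) and luhn_ok(compact):
        return "card"
    return None


def survey(conn, sample_rows=200, threshold=0.5):
    """Return {(table, column): kind} for every column where at least
    `threshold` of the sampled non-NULL values classify as the same kind."""
    findings = {}
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        columns = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for col in columns:
            rows = conn.execute(
                f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL '
                f'LIMIT {int(sample_rows)}').fetchall()
            if not rows:
                continue
            kinds = [classify(r[0]) for r in rows]
            for kind in ("ssn", "card"):
                if kinds.count(kind) / len(kinds) >= threshold:
                    findings[(table, col)] = kind
    return findings


def build_sample_db():
    """Constructed data: SSNs hiding in a blandly named column and card
    numbers in an orders table. Only industry test card numbers are used."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers(id INTEGER, name TEXT, tax_ref TEXT, notes TEXT);
        CREATE TABLE orders(id INTEGER, pan TEXT, amount REAL);
        INSERT INTO customers VALUES (1, 'A. Example', '123-45-6789', 'vip');
        INSERT INTO customers VALUES (2, 'B. Example', '987-65-4321', NULL);
        INSERT INTO orders VALUES (1, '4111 1111 1111 1111', 10.0);
        INSERT INTO orders VALUES (2, '5500-0000-0000-0004', 20.0);
        INSERT INTO orders VALUES (3, 'not a number', 30.0);
    """)
    return conn


if __name__ == "__main__":
    for (table, col), kind in sorted(survey(build_sample_db()).items()):
        print(f"{table}.{col}: {kind}")
```

Run against each in-scope database with read-only credentials, the column-level hits become the inventory that the controls assessment in the second bullet works from. Pattern matching over-reports (an order number can pass Luhn), so each hit is confirmed with the application owner before it goes into the report.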


Third Party Risk Management

• Third Party Vendors process, transmit, and store sensitive company and client data

– Vendors have access to sensitive information. Which vendors? What information?

– Third parties may not meet security standards

– “Check box” audits are a snapshot in time

• Management of Risk posed by service providers through Identification, Assurance, and Maintenance

– Determining what vendors have access to what data

– Establish security controls, risk ratings, and define corrective actions

– Ensure risk is mitigated and conduct annual reviews

• Benefits

– Immediate improvement to security posture

– Fully managed process

– Informed business decisions

– Regulatory compliance

– Customizable


Achieve

CIBER Global Security Practice helps you achieve your security goals!


ACHIEVE

• Application security

• Security technology process integration

• Independent validation & verification

• Security policy & procedure development

• Remediation of security deficiencies

• Security training & knowledge transfer

• Disaster recovery/business continuity planning

• Security incident planning

• Identity theft management & protection

• Third party risk management

• Compliance validation


Strategy for Effective Security Designs

• Integrate security with development life cycle to design in security and reduce overall risk

• Maintain independence of security oversight to allow an unbiased perspective and consistent standards

• Provide business owners with reliable assurance evidence and risk analysis to enable their risk acceptance decisions

• Provide evidence of compliance with security and privacy regulations


Designing Security Into Applications

• Timely and relevant security input at each stage of application development

• Reference: NIST Special Publication 800-64, “Security Considerations in the System Development Life Cycle”


Designing Security Into Applications

• Design

– Analyze potential attacks/risks

– Focus areas of greatest risk

– Specify security features

– Focus on prevention of unauthorized access – detection as secondary objective

• Build

– Mandate secure coding practices

• Test

– Security assurance testing before acceptance

• Monitor

– Monitor logs

– Validate security posture during operations

– Evaluate security impact of changes


Maintain

CIBER Global Security Practice helps you maintain your security posture!


MAINTAIN

• Real-time 24x7 event monitoring

• Security device management

• Vulnerability management

• Incident investigation, response & recovery

• Event correlation

• Compliance reporting
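"Event correlation" in the list above is the step that turns individual log entries into an incident. The following is an added example of that step, not CIBER's SIM platform or any code from the deck: it reads SSH authentication events from a set of log lines and raises a single alert when one source address accumulates repeated failures inside a sliding window and then logs in successfully, a pattern no single line shows. The log lines are constructed to resemble OpenSSH syslog output with an ISO timestamp prefix, and the threshold of 5 failures within 120 seconds is an assumption chosen for the illustration.

```python
"""Added example, not CIBER's SIM platform: correlate SSH authentication
events into one alert. Log lines are constructed; thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH-style auth lines with an ISO timestamp prefix (constructed format).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+)"
)


def parse(line):
    """Return a dict for an sshd auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def correlate(lines, max_failures=5, window_seconds=120):
    """Alert when one source reaches `max_failures` failed logins inside the
    sliding window and then logs in successfully. Lines must be in time order."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # src -> timestamps of failures still in window
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # not an auth event; a SIM would route it to another rule
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # expire failures older than the window
        if ev["result"] == "Failed":
            q.append(ev["ts"])
        else:  # Accepted
            if len(q) >= max_failures:
                alerts.append({
                    "src": ev["src"], "host": ev["host"], "user": ev["user"],
                    "failures": len(q), "at": ev["ts"].isoformat(),
                    "rule": "brute-force followed by success",
                })
            q.clear()  # a success resets the counter either way
    return alerts


# Constructed sample: six failures then a success from one address,
# one ordinary typo-then-success from another, and an unrelated line.
SAMPLE_LOG = [
    "2009-01-20T10:00:01 web1 sshd[4011]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2",
    "2009-01-20T10:00:05 web1 sshd[4012]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2",
    "2009-01-20T10:00:10 web1 sshd[4013]: Failed password for root from 203.0.113.7 port 51002 ssh2",
    "2009-01-20T10:00:15 web1 sshd[4014]: Failed password for root from 203.0.113.7 port 51003 ssh2",
    "2009-01-20T10:00:20 web1 sshd[4015]: Failed password for svc from 203.0.113.7 port 51004 ssh2",
    "2009-01-20T10:00:25 web1 sshd[4016]: Failed password for svc from 203.0.113.7 port 51005 ssh2",
    "2009-01-20T10:00:40 web1 sshd[4020]: Accepted password for svc from 203.0.113.7 port 51010 ssh2",
    "2009-01-20T10:01:00 web1 sshd[4030]: Failed password for alice from 198.51.100.9 port 40000 ssh2",
    "2009-01-20T10:01:05 web1 sshd[4031]: Accepted password for alice from 198.51.100.9 port 40001 ssh2",
    "2009-01-20T10:02:00 web1 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

The sliding window is what separates a password-guessing run from a user who mistypes a few times over a day; the reset on success is what makes the alert fire once rather than on every later login from the same address. On a real feed the same rule runs over aggregated logs from every host, keyed on source address rather than per host.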


Information Security Outsourcing

• Providing managed security services for over 7 years

– Large scale reach

– Global device management

– Enterprise service agreements

• World-class Security Information Management (SIM) technology

• Customer-focused hands on approach

– 24x7 staffed security operation center

– Dedicated delivery team

– Compliance oriented reporting

• Core focus & commitment to managed security services

• Proven track record - 100% customer retention


Information Security Outsourcing

Service Offerings

• Security Program Documentation

• Demonstrates Proof-of-Controls to Management and Auditors

• Compliance reporting supporting regulations and control frameworks such as PCI DSS, Sarbanes-Oxley (SOX), FISMA, HIPAA, GLBA, ISO/IEC 27002:2005, NIST 800-53

• 24x7 Event & Report Access via Customer Portal

• Monthly / Quarterly Service & Report Review

• System, internal and external audit support

• Secure build and configuration management support

Security Services (figure): Security Information and Event Management ● Firewall & Intrusion Detection / Prevention ● Anti-Virus ● Compliance Management ● Incident Response & Investigation ● Vulnerability & Patch Management ● Application Risk Management

Security Philosophy

• Security framework: Leverage a well understood, documented and enforceable security posture

• Robust security infrastructure: Use “defense in depth” concepts based on latest technology

• Dedicated security operations: Experienced, trained security operations personnel and proven processes

• Provide proof of controls: Provide evidence of vigilant monitoring and compliance mapped to regulatory and audit requirements

Security Compliance Management

“Among the many dynamics shaping the U.S. managed security services market today, growing security complexity, the evolving pace of today's technology, and stringent compliance mandates are driving demand and spending for managed security services.” -- Irida Xheneti, U.S. Managed Security Services 2008–2012 Forecast and Analysis, IDC, Aug 2008.

Security Maturity for Your Business


During the next five years, Gartner Dataquest expects that worldwide revenues from IT outsourcing will grow from $161.7 billion in 2002 to $232.1 billion in 2007, a CAGR of 7.5% per year.

What is Application Outsourcing?

• When an IT services provider assumes responsibility for the management of all or part of an application portfolio to help the client meet key business objectives.

– Package or custom-developed, new or legacy systems

– Performance goals and service level metrics

– Multi-year contracts with monthly fixed fees

[Figure: Full IT Outsourcing spans Network and Infrastructure Outsourcing, Application Outsourcing, QA Testing Outsourcing and Help Desk/Call Center Outsourcing]


CIBER Security Clients


Sample of Satisfied Security Clients

CIBER Security serves a variety of clients across the Federal, State and Local Government and Commercial sectors, helping them reach their goals.

American Express ● Atlas Oil ● Bank of America ● Bellco ● CitiGroup ● Citizens Bank ● CoBank ● Collin County ● Coors ● County of San Francisco ● FAA ● FBI ● FDIC ● First Data Corporation ● Ford Motor Company ● IFF ● Hanger Orthopedic ● Marin County ● NASA ● NSA ● NSF ● OTS ● State of Colorado ● State of Iowa ● State of Kansas ● State of Missouri ● State of New Jersey ● State of North Carolina ● UniGroup ● US Army Reserves ● University of Colorado


CIBER Experience – Service Provider

Problem

• As a leading provider of products and small business services, this client is faced with challenges to grow and re-shape its business, and is held to very high security standards by its Financial Institution clients.

Solution

• CIBER is providing a wide range of security operations services including, but not limited to complete security operations, asset database development, identity management, log aggregation and the implementation of an intrusion detection system.

Benefit

• By transitioning security activities to CIBER, the client can focus on their core business functions and leverage CIBER to increase the effective maturity level of their security operation.


CIBER Experience - Large East Coast Bank

Application Assessment Reviews

Problem

• Client has 90+ internal applications of unknown security status

• Needs a risk assessment methodology to perform uniform comprehensive security evaluation of all applications to highlight risk areas and prioritize security spending

Solution

• CIBER proposed definition of a custom qualitative risk methodology and prototype assessments of two key applications

• Follow on work includes support for performance of risk assessments for remaining applications

Benefit

• CIBER was able to determine the security posture of the applications and work with the application owners to ensure that a satisfactory level of security was maintained minimizing the potential for breaches.


CIBER Experience - Amica Mutual Insurance Company Security Assessment

Problem

• Amica had completed security enhancements and was looking for an assessment to validate the work.

Solution

• Discovery – With no information other than the company name, CIBER performed an external vulnerability assessment.

• External and Internal Vulnerability Assessment – CIBER performed a port scan and external/internal vulnerability scan.

• Manual Validation – CIBER validated open ports, the existence of vulnerable files, vulnerable versions, etc., initially through technical tools and processes.

Benefits

• CIBER was able to identify areas for improvement that benefited Amica's security program.
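The Amica engagement above follows the usual external assessment sequence: discovery, port and vulnerability scanning, then manual validation of what the scanner reported. The following is an added example of that validation step in code; it is not CIBER's tooling and nothing in the deck describes their scripts. It performs a TCP connect check on a list of ports, records the service banner, and flags any product whose advertised version falls below a minimum the assessor supplies. The demo targets are fake listeners the script starts on 127.0.0.1, the banners are constructed, and the baseline versions are assumptions for the illustration, not statements about any real software vulnerability.

```python
"""Added example, not CIBER's tooling: validate scanner output by connect
check, banner grab and version-against-baseline comparison. Targets in demo()
are fake loopback listeners (constructed); the baseline is an assessor-supplied
assumption, not a claim about real vulnerabilities."""
import re
import socket
import threading


def start_fake_service(banner):
    """Constructed stand-in for a remote host: listen on an ephemeral
    loopback port and send `banner` to every client. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return
            with client:
                try:
                    client.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def grab(host, port, timeout=1.0):
    """TCP connect, then read whatever the service volunteers.
    Returns (is_open, banner_text); a closed or filtered port gives (False, '')."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""  # open but silent (e.g. HTTP waits for a request)
        return True, data.decode("ascii", "replace").strip()
    except OSError:
        return False, ""


# Products whose banners carry a version string in a recognisable form.
VERSION_RE = re.compile(r"(OpenSSH|vsFTPd|ProFTPD|Apache)[ _/](\d+(?:\.\d+)*)")


def version_tuple(text):
    """'4.3' -> (4, 3) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def validate(host, ports, baseline, grabber=grab):
    """Check each port; `baseline` maps product -> minimum acceptable version
    (assessor-supplied). `grabber` is injectable so the logic can be exercised
    without a network. Returns one record per open port."""
    findings = []
    for port in ports:
        is_open, banner = grabber(host, port)
        if not is_open:
            continue  # closed or filtered: nothing to validate
        rec = {"port": port, "banner": banner, "product": None,
               "version": None, "below_baseline": False}
        m = VERSION_RE.search(banner)
        if m:
            product, version = m.group(1), m.group(2)
            rec["product"], rec["version"] = product, version
            floor = baseline.get(product)
            if floor and version_tuple(version) < version_tuple(floor):
                rec["below_baseline"] = True
        findings.append(rec)
    return findings


def demo():
    """Run the validation against two constructed loopback services plus one
    port that is known to be closed."""
    ssh_port = start_fake_service(b"SSH-2.0-OpenSSH_4.3\r\n")
    ftp_port = start_fake_service(b"220 (vsFTPd 2.0.5)\r\n")
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # never listened on, so a connect here is refused
    baseline = {"OpenSSH": "5.0", "vsFTPd": "2.0.5"}  # assumption for the demo
    return validate("127.0.0.1", [ssh_port, ftp_port, closed_port], baseline)


if __name__ == "__main__":
    for rec in demo():
        flag = "BELOW BASELINE" if rec["below_baseline"] else "ok"
        print(f"{rec['port']:5d} {rec['banner']!r:32} {flag}")
```

A version in a banner is evidence, not proof: vendors backport fixes without changing the banner, and banners can be edited. A below-baseline hit is the point at which the tester confirms by other means (vendor advisory, authenticated check, or a safe probe) before it is written up, which is the manual validation the slide describes.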