Citadel Information Group, Inc.

PROVIDING OUR CLIENTS INFORMATION PEACE OF MIND ®
Securing Intellectual Property and Complying with Federal Laws & Regulations
The President of a mortgage brokerage was concerned
about the theft of sales leads by employees. He was also concerned
about the firm's ability to protect consumer personal financial
information in compliance with Federal laws and regulations. After an
assessment, which included a social engineering attack that succeeded
in obtaining user passwords, we developed a plan to secure the firm's
sensitive information. We worked with executive management to develop
and implement information security policies for the firm, worked with
the firm's Director of Training to implement an information security
training and awareness program, and worked with the IT Manager to
secure the technology infrastructure. The firm now has greater
control of their sales leads and is in compliance with Federal laws
and regulations.
Information Security as Competitive Advantage
We were contacted by a professional services firm
because a prospective client of the firm required that they have a
robust information security program. Recognizing that all of the
firm's clients were demanding that their vendors secure sensitive
information, we assisted the firm in incorporating the protection of
critical information assets into their business development strategy.
We worked with the client to implement administrative, technical and
physical controls to secure critical information in their possession.
We implemented information security policies, trained employees,
secured their technology infrastructure, encrypted sensitive data,
improved IT management capabilities, developed a business continuity
plan and incident response procedures, helped procure a physical
access control and identification system, and implemented a 3rd-party
information security management program. As a result of our work the
client won the new business from their prospective client and is now
an industry leader in information security.
Getting an IT Department Under Control
The CFO of a wholesale distributor was concerned that
the company's IT department was not being well managed. After an
assessment confirmed the CFO's suspicions, the CFO, COO, and company
President made the decision to terminate the IT manager. Fearing the
possibility of sabotage by the IT manager, we prepared and
implemented a plan to keep the IT manager from remotely accessing
critical information systems after his termination. Over the weekend
following termination, we changed all passwords and made sure systems
would be capable of supporting the business needs when work resumed
the following Monday. Over the next two months we rebuilt all
critical systems with the result that users had better access to
critical information systems than they had before. During this period
we also worked with the company's new IT manager to ensure a smooth
return to regular operations.
Identifying the Need to Replace an IT Vendor
A professional services firm had a computer incident
that left their network down for several days. Just prior to the
incident, the firm's IT vendor had terminated the technician
responsible for managing the firm's IT network. We were asked if we
could establish that it was the former technician who had caused the
incident. Our analysis established that the incident was caused by
someone with password access into the network. We established as well
that the firm's firewall had been improperly configured to allow
administrative access from outside the firm. We further established
that the IT vendor had not changed passwords after terminating the
technician nor had the vendor notified the firm of the technician's
termination. Making matters worse, the IT vendor had failed to
configure the firm's IT systems to adequately audit security-relevant
events. As a result of the absence of audit logs it was not possible
to establish that the technician had caused the incident. Our report,
however, made it clear to the firm that they had been significantly
underserved by their IT vendor and supported their decision to
replace the vendor.
Disaster Recovery Planning
A global information services provider with data
centers in the US and Europe needed a disaster recovery plan to
ensure its ability to serve customers in accordance with their
service level agreements. We reviewed the two data centers, the
provider's management structures, and required service level
agreements, and developed a disaster recovery plan that includes
procedures for declaring a disaster, escalation and failover, and
return to normal operations. The Disaster Recovery Plan met the terms
of their service level agreements while minimizing costs to the company.
eCommerce Security Assessment
A global specialty retailer was upgrading their
eCommerce site and moving it to a new data center. Our information
security assessment of the new site uncovered several critical
vulnerabilities that exposed personal customer information, as well
as one vulnerability that would have allowed a cyber criminal to take
control of the retailer's web site. We also uncovered several
weaknesses in the data center's information security posture that had
been missed by the large consulting firm that had recently conducted
a SAS 70 audit. Provided with our analysis, the retailer strengthened
the information security controls of their web site and negotiated
security improvements in the data center.
Project Management Capability Improvement
The IT Director of a large not-for-profit was having
trouble managing their extensive project development portfolio. An
analysis of the issues indicated that the root cause was an ad hoc
project initiation process. We conducted a series of meetings with
the IT Director, his staff, and the user community with the result
that project initiation is now well-defined and the IT Department is
more successful at meeting project schedules and budgets.
Theft of Intellectual Property Litigation Support
A large company had several employees leave to start a
competitive company. As it became apparent that the employees had
taken the company's sales and distribution information, we were
retained to gather computer evidence and conduct forensic analysis.
We established that the former employees had colluded in the theft of
intellectual property and provided evidence to support the company's
legal efforts against the former employees.
Industries Served
Manufacturing & Distribution
Professional Services
Financial Services
Manufacturing, Distribution & Logistics
Development, Construction & Real Estate
Aerospace & High Technology
Media and Education
eBusiness
Healthcare
The Government Sector
The Not-for-Profit Community
We have provided information security services
to the White House, the National Security Agency,
Air Force Space Command, and more than 150
middle-market companies.
To protect the confidentiality of our clients, we do not publicly
identify private-sector and not-for-profit clients by name.