Delivering Information Peace of Mind^®

A mid-size business wanting to protect the sensitive information of its clients: A mid-tier CPA firm wanted Information Peace of Mind ®, knowing it was appropriately protecting its sensitive client information. They retained Citadel to test their IT systems, implement information security policies, strengthen the security of their technology infrastructure and provide awareness training for its staff. Our information security work surfaced opportunities for (i) improving management of the IT infrastructure and (ii) improving user satisfaction with IT and we now provide support for this. We continue working with this client to implement improved information security processes and procedures.

A small business needing to meet the cyber security requirements of a key customer: A small market research firm came to Citadel to help them meet HIPAA HITECH security requirements of a customer. We worked with the client to develop appropriate information security policies and standards, changed their use of Dropbox and other technology to meet security standards, developed a needed incident response plan and provided all employees with awareness training. Having met the security requirements of its customer, our client was able to keep this important customer.

A mid-size not-for-profit needing to protect the sensitive information of others: A not-for-profit needed to protect its sensitive information and the sensitive information of its constituents. They retained Citadel to implement information security policies, provide best-practice security guidelines for their IT infrastructure and provide awareness training for their staff. We continue working with this client to implement improved information security practices, providing both strategic and tactical cyber security management support.

A mid-sized business concerned about its IT management: A mid-sized importer/distributor was concerned about the how well their IT infrastructure was being managed. Management concerned increased when the IT manager balked at Citadel conducting a network security assessment. After several attempts to work cooperatively with the IT manager failed, management decided that the time had come for the IT manager to find his next opportunity. We assisted the company securely dismiss the IT manager, making sure that the former employee could no longer access company computer systems, its web site and its ISP. We worked with the company following the dismissal to ensure a smooth transition to a new IT manager.

A large business needing PCI compliance: A large business having a combination of online and offline business units needed to develop a strategy to comply with the payment card industry’s Data Security Standard. Citadel conducted a planning workshop for the client at which we identified a low-cost strategy for achieving PCI compliance. The result was a surprisingly affordable strategy for PCI compliance.

A small business wanting to protect the sensitive information of its clients: A small CPA firm, concerned about the rise in cyber crime and identity theft retained Citadel to test their systems, implement information security policies and provide awareness training for its staff. We continue to provide management support and guidance to the firm, providing the client with the Information Peace of Mind ® of knowing it is appropriately protecting its client’s sensitive information.

A mid-size business undergoing a cyber security investigation by the FTC: After a mid-size retailer inadvertently disclosed sensitive employee information, Citadel investigated the disclosure, analyzed the extent of the damage and provided recommendations for improving cyber security management in light of the disclosure. Two years later the Federal Trade Commission, acting under its cyber security charter, began an investigation of the circumstances of the disclosure together with our client’s cyber security management controls at the time of the disclosure. We provided extensive support, assisting our client to develop and implement strategy. We assisted it document its security controls at the time of the incident, assisted them put in place a time-line of additional controls implemented since the disclosure and worked with them to develop a cyber security management program moving forward. We documented that our client had acted properly and that the disclosure had in fact been inadvertent. When the FTC still wanted our client to sign a cease and desist order we demonstrated that the technical facts did not support the FTC’s hypothesis about how the hypothesis occurred, after which the FTC closed the case in our client’s favor.

A not-for-profit required to protect the sensitive information of its clients: A mid-size not-for-profit needed to protect client information in accordance with HIPAA HITECH laws and regulations. It also wanted to protect its own sensitive information, including the security of its online banking. Citadel conducted our unique Information Security Management Quick Look Review SM, during which we provided management with a greater awareness of their cyber security management needs and recommended several free and low-cost security improvements. Armed with this information, the organization has taken pro-active steps to better secure its information.

A small business victimized by online bank fraud: A small business was the victim of online bank fraud. After their bank refused to reimburse them, Citadel assisted the company’s owner to find an attorney to handle a lawsuit against the bank. We developed a case strategy with the attorney and helped to prepare the discovery request. We are preparing to review and analyze the results of discovery and expect to argue that the bank’s security procedures failed to be commercially reasonable and that the bank failed to act in good faith in accepting the fraudulent transactions.

A mid-size not-for-profit wanting to protect its members’ information: Citadel was contacted by a mid-size not-for-profit after an employee inadvertently disclosed sensitive information about its members. We investigated the disclosure, assisting our client to limit the damage from the disclosure. We provided staff with information security awareness training to reduce the likelihood of a similar disclosure in the future. Following an assessment we conducted of their IT network, we worked with them to implement improved network security technology. When our security vulnerability assessment of a new management information system under development surfaced several extremely critical vulnerabilities we assisted our client in working with its vendor to correct the problems. We continue providing cyber security and IT management support to this client.

A growing eBanking business needing cyber security compliance: A growing eBanking business asked Citadel to help them comply with the payment card industry’s Data Security Standard. We helped them prepare for their formal compliance assessment by working with them to implement information security policies, strengthening operational management practices, analyzing their IT network against the Data Security Standard, conducting network-based vulnerability assessments and social engineering attacks, providing staff awareness training, developing business continuity and incident response plans, implementing improved change management procedures and providing guidance on better integrating security into their software development life-cycle. We also met with the assessors during the company’s formal assessment.

A large business needing international cyber security compliance: A subsidiary of a large aerospace business came to Citadel with a problem. Their parent company had told them they needed to comply with the international cyber security standards ISO 27001, 02. We reviewed their current cyber security posture against ISO 27002, met with senior management to gain a deeper understanding of competitive cyber security pressures and opportunities, strengthened the alliance between information security technical management and senior management, including the General Manager of worldwide sales, provided technology management training in ISO 27001 and assisted them develop a plan to achieve ISO 27001, 02 compliance. The client is implementing the plan and is on track for ISO compliance.

A large business victimized by online bank fraud: A large business was the victim of online bank fraud. They sued their bank after the bank refused to reimburse them for the loss. Citadel was retained by the company’s attorney with whom we developed the case strategy. We helped prepare the discovery request and reviewed the results of discovery. Our review and analysis of the results of discovery identified several significant errors on the part of the bank in handling the fraudulent transactions, concluding that the banks security procedures in handling the fraudulent transactions were not commercially reasonable. Armed with our report, the attorney settled the law suit.

A small cloud vendor wanting assurance that it was protecting customer information: A small cloud vendor retained Citadel because it wanted a strategic understanding of what it needed to do to properly protect its customers’ information. We worked to develop information security policies, identifying the security management responsibilities that our client could meet while ‘carving out’ the security needs that our client’s customers would need to be responsible for.