Citadel delivers Information Peace of Mind® to clients in a wide range of industries:
- Accounting and Business Management
- eCommerce
- Financial Services
- Health Care
- Importer / Distributor
- Insurance Brokerages
- IT Vendors / MSPs
- Law
- Leasing
- Manufacturers (high-tech and low-tech)
- Media, Entertainment and Gaming
- Nonprofits
- Personal Service Companies
- Private Schools and Universities
- Real Estate
- Retail
Information Security Management—Getting Started: A mid-size law firm needed to protect sensitive client information but didn’t know where to start. With our Getting Started Program we provided them our Information Security Policies and Standards, worked with them to establish senior leadership/management, provided awareness training to staff, reviewed their IT security management practices and procedures, scanned their IT network for security vulnerabilities, and provided the client with a prioritized set of recommendations for moving forward. Following completion of the Getting Started Program they transitioned to our vCISO service.
virtual-Chief Information Security Officer (vCISO): A nonprofit client needing to protect sensitive PII has retained us to serve as their virtual-Chief Information Security Officer. After implementing our Getting Started Program, we meet monthly with the client’s Chief Financial Officer, its IT vendor, and its website applications developer to manage the client’s information security needs. We work closely with IT and the website application developer to ensure the technology infrastructure is managed in accordance with IT security management standards, we conduct periodic security reviews and assessments, and we provide staff awareness training.
virtual-Chief Information Security Officer (vCISO): In response to competitive opportunities, an IT Vendor / MSP wanted to improve its information security management capabilities. We implemented our Getting Started Program and continue to provide vCISO services. As a result of our work with the client, the client’s IT management services business is growing and its profit margins are rising.
virtual-Chief Information Security Officer (vCISO): A retail client needing to protect sensitive PII has retained us to serve as their virtual-Chief Information Security Officer. We meet quarterly with the client and its IT vendor to manage the client’s information security needs. We work closely with IT to ensure the technology infrastructure is managed in accordance with IT security management standards, including the Payment Card Industry’s Data Security Standard, we conduct periodic security assessments and reviews, and we provide staff awareness training.
Information Security Compliance Support—HIPAA: A mid-size nonprofit came to Citadel for help meeting the HIPAA HITECH security requirements of its clients. We implemented our Getting Started Program and provide vCISO services in support of their continuing need to be HIPAA HITECH compliant.
Information Security Compliance Support—HIPAA: A mid-size law firm came to Citadel for help meeting the HIPAA HITECH security requirements of its clients. We implemented our Getting Started Program and provide vCISO services in support of their continuing need to be HIPAA HITECH compliant.
Information Security Compliance Support—NIST 800-171: A small aerospace manufacturer needed to meet NIST 800-171 DFARS requirements. We got them started on the information security basics with our Getting Started Program, provided a “gap analysis” to identify NIST 800-171 shortfalls, and then worked with them and their IT vendor to close those gaps in a commercially reasonable way. We provide vCISO services in support of their continuing need to be NIST 800-171 compliant.
Information Security Compliance Support—PCI DSS: A growing eBanking business asked Citadel to help them comply with the Payment Card Industry’s Data Security Standard. We worked with the client to prepare for their formal compliance assessment. We implemented information security policies, strengthened operational management practices, analyzed their IT network against the Data Security Standard, conducted network-based vulnerability assessments and social engineering attacks, provided staff awareness training, developed incident response and business continuity plans, implemented improved change management procedures, and provided guidance on better integrating security into their software development life-cycle. We met with the assessors during the company’s formal assessment, working with the auditors to ensure the client passed their PCI DSS audit.
Information Security Compliance Support—NY State Financial Regulations: A mid-size insurance brokerage was required to comply with the New York State Department of Financial Services cybersecurity regulations. We implemented our Getting Started Program and worked with the client to meet the New York State cybersecurity regulations.
Information Security Compliance Support: A mid-size law firm was undergoing information security audits by its clients. We got them started on the information security basics with our Getting Started Program and implemented incident response and business continuity plans as the auditors (and basic security practices) required. We then worked with the client’s auditors to fulfill compliance requests in commercially reasonable ways. We continue to provide vCISO services in support of their ongoing information security management and consulting needs.
Information Security Awareness Training: A financial services client needed to make sure its staff were well trained against phishing and other forms of social engineering. We conducted several information security staff awareness sessions along with Phishing Defense Training in the form of simulated phishing attacks.
Information Security M&A Support: As a professional services client acquired smaller firms in its market, they retained Citadel to provide information security management support. We conducted an IT security management assessment of the acquired companies and worked with our client’s IT management and the acquired company’s IT vendor to bring the security management of the acquired company’s IT network into compliance with our client’s Information Security Policies and Standards. We also provided staff awareness training to the acquired company.
Incident Response Support: Following the successful attack on a law firm’s email system we initiated our Incident Response Plan, working with the client and the IT vendor to quickly respond to – and recover from – the incident. We had IT staff force a password change for all email users, had the firm implement Multi-Factor Authentication (which had been an earlier recommendation of ours), brought in a computer forensics and investigation firm to ascertain the extent of the attack, introduced the client to an appropriate cyber attorney, and quickly brought the situation under sufficient control so that client staff could get back to work. We also took the intrusion as an opportunity to remind staff of the critical importance of being very cautious with email.
Incident Response Support: Citadel was contacted by a mid-size nonprofit after an employee inadvertently disclosed sensitive information about its members. We investigated the disclosure, assisting our client in limiting the damage from the disclosure. We provided staff with information security awareness training to reduce the likelihood of a similar disclosure in the future. Following an assessment we conducted of their IT network, we worked with them to implement improved network security technology. When our security vulnerability assessment of a new management information system under development surfaced several extremely critical vulnerabilities, we assisted our client in working with its vendor to correct the problems.
Information Security Emergency Management Support: When the CISO at a mid-size entertainment company went on emergency disability, he recommended us to the CIO as a temporary replacement. During our 6-month tenure we not only kept the security department running, we made significant progress on the company’s Splunk SIEM initiative.
Information Security Staffing Support: A financial services firm hired us to develop a job description for the new role of Information Security Director. We worked with management, risk, and IT to develop a job profile for the Information Security Director that reflected (i) emerging requirements in the financial services industry and (ii) the financial institution’s unique culture.
IT / Information Security Strategy: A mid-size nonprofit client with an ambitious 5-year strategic plan asked us to develop a combined IT and information security strategy to meet that plan. After a thorough assessment of its current IT and information security strengths, weaknesses, capabilities, and limitations, we worked with the client to develop an achievable IT / information security strategy based on (i) modern IT management frameworks COBIT and ITIL, (ii) the NIST cybersecurity framework, and (iii) successful change and adaptation strategies.
Secure Application Development: A mid-size financial services firm ran its business on a custom-built Management Information System containing Personally Identifiable Information (PII) which it needed to protect. We worked with the system developer to incorporate information security development standards into their system development activities. We trained development staff in Microsoft’s Secure Development Lifecycle and provided application security development support as system developers integrated security into the maintained system.
Saving Money: A mid-size nonprofit client needed a major network overhaul to bring its PCI compliance up to requirements. Their IT and phone vendors gave them a proposal for $2,000,000. After reviewing proposals, we reduced the cost to $600,000.
Saving Money: The IT vendor for a mid-size law firm recommended they spend $60,000 for a backup solution. We said ‘no way’ and got the cost down to $30,000. This same vendor proposed spending money on additional memory. We looked at the client’s data storage needs and discovered the additional storage space wasn’t necessary.
Saving Money: A mid-size accounting firm client was looking at a $30,000 proposal from its IT vendor for a new firewall. We showed the IT vendor how to reconfigure their old firewall. Client savings: $30,000.
Saving Money: A large media company with a combination of online and offline business units needed a strategy to comply with the Payment Card Industry’s Data Security Standard. Citadel conducted a planning workshop for the client at which we identified a low-cost strategy for achieving PCI compliance. As a result they were able to lower their costs for compliance by approximately 90%.
Adverse Termination: After providing a small accounting firm our Getting Started Program and working with their IT vendor to improve security management of the client’s IT network, it became clear that the IT vendor was not up to the task and a change would have to be made. We introduced the client to several IT vendors capable of meeting the client’s IT and information security needs. We then worked with the client to make sure (i) the departing IT vendor would have no access into the IT network and (ii) the client had all system passwords and full access to cloud accounts. We made sure that backups were available, current, and up-to-date. And we worked with the client to ensure a smooth transition to the new IT vendor.
Adverse Termination: After conducting an IT security management assessment for a mid-size manufacturing client, the client decided to outsource its IT. We worked with the client to make sure (i) the departing IT manager would have no access into the IT network and (ii) the client had all system passwords and full access to cloud accounts. We made sure that backups were available, current, and up-to-date. We introduced the client to several capable IT vendors / MSPs and worked with the client to ensure a smooth transition to the new IT vendor.
IT Management: Following the Adverse Termination of its IT manager, a mid-size accounting firm retained us to manage its IT operations. We implemented formal practices and procedures, worked with the client to hire and retain needed IT staff, and trained new staff in the firm’s IT management.
Information Security Support During an FTC Investigation: After a mid-size retailer inadvertently disclosed sensitive employee information, Citadel investigated the disclosure, analyzed the extent of the damage and provided recommendations for improving cybersecurity management in light of the disclosure. Two years later the Federal Trade Commission began an investigation of the circumstances of the disclosure together with our client’s cybersecurity management controls at the time of the disclosure. We provided extensive support, assisting our client in developing and implementing a strategy. We helped it document its security controls at the time of the incident, helped it put in place a time-line of additional controls implemented since the disclosure, and worked with it to develop a cybersecurity management program moving forward. We documented that our client had acted properly and that the disclosure had in fact been inadvertent. When the FTC still wanted our client to sign a cease and desist order, we demonstrated that the technical facts did not support the FTC’s hypothesis about how the disclosure occurred, after which the FTC closed the case in our client’s favor.