Security Management of the IT Network / Infrastructure

Overview

Citadel supports our clients by working collaboratively with in-house or out-sourced IT to ensure that the IT network is being managed in accordance with sound information security practices and procedures such as the ISO 27000 family, the National Institute of Standards Information Security Management Framework, the Center for Internet Security’s 20 controls, the Payment Card Industry’s Data Security Standard, as well as HIPAA HITECH, GLB and other applicable Federal and State laws and regulations.

IT Network / Infrastructure Security: What We Cover

1. Design and Build a Secure IT Infrastructure
   1. Secure system architecture
   2. Secure device configuration
   3. Endpoint protection
   4. Logging and review
   5. Network Intrusion Protection / Detection; SIEM
   6. Mobile device management
   7. Cloud security management
   8. Application security, including websites & applications containing sensitive information
2. Maintain a Secure IT Infrastructure
   1. Vendor management
   2. Vulnerability and patch management
   3. Ongoing system maintenance
   4. Change control
   5. Additional security management
3. System Access Management
   1. Account management
   2. Access control to the corporate network
   3. Remote access control
   4. Administrative access control
4. Secure Input / Output
   1. Email security
   2. Spam management
   3. Digital loss prevention
5. Back Up, Information Continuity, Incident Response and Internal Investigations
   1. Backup and recovery
   2. Information Continuity
   3. Incident response and investigation
6. Other Standards
   1. Encryption
   2. IT infrastructure documentation
   3. Other infrastructure standards
   4. Information security training and education of IT staff

IT Security Management Assessment

Citadel’s IT Security Management Assessment is designed to

1. Identify and document risk-based information security management weaknesses in the management of the IT network
2. Identify and document current security vulnerabilities in client’s IT network, prioritized by the criticality of vulnerabilities
3. Provide the client with prioritized specific IT security management recommendations for improving the security of client’s information
4. Support aligning IT management with the organization’s information security needs

Network Security Management Review: Citadel meets with IT management to

1. Identify and document IT management’s general information security management practices
2. Document any gaps between IT management’s information security management practices and the standards in our Information Security Policies and Standards
3. Support evolution of an information security culture in IT based on formal information security management standards

Point-in-Time Security Internal and External Vulnerability Review of the IT Network Infrastructure:  Citadel conducts a vulnerability scan of the client’s internal IT network. We also conduct an external vulnerability scan of the client’s external IP addresses. [1]

Review Findings & Recommendations with Executive and IT Management: Citadel meets with senior executives and, at management’s discretion, IT management to review the results of our security management review and vulnerability review of the IT network, including prioritized recommendations for improvement.

Background Information & Additional Resources

SecureTheVillage: Managing Security of the IT Infrastructure

[1] Citadel uses the Nessus Vulnerability Scanner by Tenable for our vulnerability scanning. The Nessus scanner is designed to assess against the entire national vulnerability database known as the Common Vulnerabilities and Exposures (CVE) maintained by the MITRE Corporation, a Federally Chartered R&D Center. In addition, the Nessus Scanner includes plug-ins for several other information security management technical standards such as the Center for Internet Security’s 20 controls and the Payment Card Industry’s Data Security Standard.