RESPONSE TO Department of Management Services REQUEST FOR INFORMATION
Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services
September 3, 2015
250 South President St, Suite 2300, Baltimore, MD 21202
Telephone: 410-340-3560
Email: rolsen@northstargroupllc.com
Website: www.northstargroupllc.com
Table of Contents
Introduction
Background
Contact Information
Service Offerings
Introduction

North Star Group, LLC, as a vendor under GSA Schedule 70, takes this opportunity to submit our response to the Department of Management Services Request for Information (RFI) for Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services. Our goal is to provide information regarding our skills, knowledge and experience in support of the scope of work, which includes cyber security support services focused primarily on:
1. Pre-Incident Services
2. Post-Incident Services
We have assisted organizations of all sizes and from various industries in assessing and improving their cyber security posture. This proposal outlines North Star Group LLC's prior experience and how it pertains to the current scope of work.

Background

North Star Group LLC, founded in 2006, is a veteran-owned professional services firm offering Cyber Security, Project Management, Systems Engineering, Acquisition Management, Enterprise Architecture, Training, Aviation Sciences and Outreach Communications. With a proven track record of leadership, thoroughness and client satisfaction, North Star Group assists commercial and U.S. Government clients in meeting their mission while reducing expenses. North Star Group's wholly-owned subsidiary, Comprehensive Applied Security Solutions (COMPASS), develops and implements managed cyber security solutions that enable clients to:
- Identify and significantly reduce the vulnerability of their IT infrastructure
- Cost-effectively allocate cyber security-related resources
- Ensure that staff members are properly educated and trained in cyber security best practices and crisis management
Having performed vulnerability scans and penetration tests on over 15,000 nodes, North Star Group has developed a methodology that requires minimal client support, keeping the client's time and resources a top priority.
With client sizes ranging from 75 to 12,000 employees, North Star Group has experience working with different organizational cultures and tailors its approach to employee training accordingly.
North Star Group's consulting expertise encompasses the full program management lifecycle from strategic planning to tactical execution, including process and control, process efficiencies and turn-key solutions. North Star Group is ISO 9001:2008 compliant and maintains a DCAA-compliant cost accounting system, two important qualifications recognized by many U.S. federal agencies. North Star Group is an award-winning company recognized on the Inc. 500 list of fastest-growing private companies in the consecutive years 2011, 2012 and 2013, and by Smart CEO Magazine as one of the 100 best-run companies in 2012 and 2013.

Our addresses are:
Baltimore Office: 250 South President St, Suite 2300, Baltimore, MD 21202
Washington D.C. Office: 801 Pennsylvania Ave NW, Suite 700A, Washington, DC 20004

Contact Information

Primary Contact: Mr. Robert Olsen, Chief Executive Officer, North Star Group, LLC
Mobile: (410) 340-3560
E-Mail: rolsen@northstargroupllc.com
Alternate Contact: Mr. Michael Shveda, Chief Strategy Officer, North Star Group, LLC
Mobile: (443) 742-7454
E-Mail: mshveda@northstargroupllc.com

Service Offerings
Pre-Incident Services:

I. IT SECURITY ASSESSMENT

Network Vulnerability Scanning
Using industry best practices and leading software, COMPASS performs vulnerability scans on the client's network in two phases. The first phase, Host Discovery, scans the specified IP block(s) and identifies all active devices. The second phase, Vulnerability Scanning, scans each active device within the specified IP block(s) and identifies its known vulnerabilities, ranging from missing patches to remotely exploitable services. Scanner output is a list of candidate findings; the penetration testing phases below confirm which of them can actually be exploited.

External Penetration Testing
COMPASS scans the client's external-facing assets (e.g. web applications, proxy servers) for known vulnerabilities. Using known exploits for the identified vulnerabilities, our technicians actively attempt to breach the client network from the outside.

Internal Network Penetration Testing
COMPASS uses known exploits for the vulnerabilities identified in the Network Vulnerability Scanning phase to penetrate the client's network from the inside. Through industry best practices and leading software, our technicians mimic a bad actor and actively attempt to breach the network.

II. POLICY AND PROCEDURE ASSESSMENT
COMPASS has defined thirty-six operational areas consisting of 1,315 elements that collectively define an organization's overall security posture. Using this pre-defined structure as a standard, we evaluate the client's existing documentation to complete a policy gap analysis and identify weaknesses within the business unit. The policies we assess include, but are not limited to:
- Incident Response Policy
- Password Management Policy
- Network Management Policy
- Access Control Management Policy
- Asset Management Policy
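The two-phase scan described under Network Vulnerability Scanning above produces two artefacts that have to be reconciled before anything is reported: the list of hosts that answered during host discovery, and the findings the vulnerability scanner reports per host. The block below is an added illustration, not the proposal's or COMPASS's tooling, of how such output is triaged into the prioritized list the executive report calls for. The phase 1 input uses nmap's grepable (-oG) host-line format; the CSV columns for phase 2, the CVSS-to-severity thresholds, the addresses and every finding in it are constructed sample data and assumptions of this example.

```python
"""Triage of two-phase scan results: host discovery, then per-host findings.

Added illustration, not the tooling the proposal describes. The scanner output
below is constructed sample data in two common export formats: nmap grepable
(-oG) host lines for phase 1 and a CSV of findings with CVSS scores for phase 2.
"""
import csv
import io
import re
from collections import Counter

# Phase 1: constructed "nmap -sn -oG" output for a ping sweep of a /28 (sample data).
HOST_DISCOVERY = """\
# Nmap 7.80 scan initiated as: nmap -sn -oG - 10.10.1.0/28
Host: 10.10.1.1 ()\tStatus: Up
Host: 10.10.1.5 ()\tStatus: Up
Host: 10.10.1.7 ()\tStatus: Down
Host: 10.10.1.12 (fileserver.example.test)\tStatus: Up
# Nmap done -- 16 IP addresses (3 hosts up) scanned
"""

# Phase 2: constructed CSV export of findings per active host (sample data).
# exploit_available is the scanner's flag that a public exploit exists for the
# finding; those are the first things the penetration test phases will try.
FINDINGS_CSV = """\
host,port,finding,cvss,exploit_available
10.10.1.5,445,SMB service missing remote code execution patch,9.3,true
10.10.1.5,3389,RDP without network level authentication,7.5,false
10.10.1.12,21,Anonymous FTP with write access,7.8,true
10.10.1.12,80,Web server version disclosure,2.6,false
10.10.1.1,22,SSH server allows weak MAC algorithms,4.3,false
10.10.1.9,80,Outdated web server,6.5,true
"""

HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")


def parse_host_discovery(grepable):
    """Return the set of IPs that phase 1 reported as Up."""
    live = set()
    for line in grepable.splitlines():
        m = HOST_LINE.match(line)
        if m and m.group(3) == "Up":
            live.add(m.group(1))
    return live


def severity(cvss):
    """Bucket a CVSS base score into the four levels the report uses (assumed thresholds)."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def parse_findings(csv_text):
    """Parse the phase 2 export, typing the numeric and boolean columns."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["cvss"] = float(row["cvss"])
        row["exploit_available"] = row["exploit_available"].strip().lower() == "true"
        row["severity"] = severity(row["cvss"])
        rows.append(row)
    return rows


def prioritize(findings, live_hosts):
    """Rank findings for remediation: exploitable first, then by CVSS score.

    Findings on hosts that phase 1 did not report as Up are set aside rather
    than ranked; they usually mean a stale asset list or a host that changed
    state mid-scan, and should be re-verified before anyone spends time on them.
    """
    ranked = [f for f in findings if f["host"] in live_hosts]
    orphans = [f for f in findings if f["host"] not in live_hosts]
    ranked.sort(key=lambda f: (not f["exploit_available"], -f["cvss"]))
    return ranked, orphans


def summarize(ranked):
    """Count of findings per severity level, as the executive report tabulates them."""
    return dict(Counter(f["severity"] for f in ranked))


if __name__ == "__main__":
    live = parse_host_discovery(HOST_DISCOVERY)
    ranked, orphans = prioritize(parse_findings(FINDINGS_CSV), live)
    for f in ranked:
        flag = "exploitable" if f["exploit_available"] else ""
        print(f"{f['severity']:>8} {f['cvss']:4.1f} {f['host']}:{f['port']} {f['finding']} {flag}")
    print("summary:", summarize(ranked))
    print("re-verify (not Up in phase 1):", sorted(f["host"] for f in orphans))
```

The ordering puts findings with a working exploit ahead of a higher-scored finding without one, which is the order in which an internal penetration test will actually turn them into a breach; the finding on 10.10.1.9 is reported separately because host discovery never saw that address answer, so the asset inventory and the scan disagree and one of them is wrong.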
III. EMPLOYEE AWARENESS ASSESSMENT

Employee Survey
To measure the effectiveness of training and employees' knowledge of information technology policies and procedures, we issue an online scenario-based questionnaire to the client's employees. The survey is made up of two parts: cyber security best practices, and client policies.

Social Engineering (Phishing) Exercise
One of the most common forms of social engineering is a phishing attack. To demonstrate the importance of educating employees about phishing threats, COMPASS runs a mock-phishing exercise to see how employees react in a realistic scenario. The mock-phishing email is customized to the client's specifications and sent to a sample of employees. Data on who clicked the link within the email is collected and provided to the client. This portion of the assessment also tests the client's email server and its ability to detect a phishing email.

IV. EMPLOYEE TRAINING
Employees open the door to data breaches every day through common errors in judgment. Onsite and remote education is the most cost-effective way to inform network users about best practices for securing sensitive data, which is why organizations should incorporate employee awareness training into their cyber security action plan. By educating employees on cyber security best practices, trends, policies, and procedures, organizations can significantly reduce their exposure to a data breach. COMPASS uses a variety of methods and channels to educate the client's employees:
Monthly Cyber Newsletter - COMPASS creates targeted monthly content on current cyber topics, blog posts, and tips that keep security a relevant topic within the organization.
Webinars - COMPASS can host webinars on cyber security trends to give employees a chance to ask questions and hear firsthand the importance of keeping data secure.
These are intended to be interactive sessions that empower employees with the information necessary to support the organization's goal of securing data.
Onsite Training - COMPASS can provide face-to-face security awareness training on security best practices and company policies and procedures, likewise run as interactive sessions.
These methods can be used individually or in combination to keep employees educated on cyber security best practices, pitfalls, and policies. COMPASS will work with the client to determine the best and most cost-efficient way to educate its employees. COMPASS training staff will discuss the preferred frequency, methods, and goals for the organization's cyber security education and develop an organizational training plan that cost-effectively meets the client's requirements.

Deliverables:

I. EXECUTIVE REPORT
The executive report provides an outline of the assessment findings. The report is broken out into three sections (Technical, Policies, and Employee Awareness).
1. IT Assessment Report
a. Using the data from the IT Security Assessment, COMPASS provides a prioritized list of the exploitable vulnerabilities found within the network. This allows the client to focus on the higher-risk vulnerabilities first and then move on to the other findings.
2. Policy Assessment Report
a. Using the data from the policy gap analysis, COMPASS creates a chart that shows the number of elements missing from each of the 36 policies.
b. As an additional resource, COMPASS attaches a policy guide that specifies what each of the client's policies should include. This allows the client to write its own policies internally if it chooses to do so.
3. Employee Awareness Report
a. The data from the employee survey is collected and summarized to give the average score, the completion rate, and the areas the client should focus on most when educating its employees.
b. The phishing exercise results show the number of clicks that resulted from the phishing test along with a list of which email addresses clicked the link. This list is not meant for disciplinary action but as a starting point for educating the client's employees about potential cyber threats.
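The phishing exercise in Section III and the click list in item 3b above both depend on one mechanism: each recipient gets a link that only they received, and the landing host's log is mapped back to addresses. The block below is an added illustration of that mechanism, not the proposal's or COMPASS's own tooling. The /t/<token> path, the HMAC token scheme, the campaign key, the recipient addresses, the access-log lines and the gateway user-agent string are all constructed for this example. It also handles the caveat that goes with "tests the client's email server": a mail gateway that sandboxes links fetches the URL before delivery, and unless those hits are recognized they are counted as employee clicks.

```python
"""Per-recipient phishing links and click attribution from the landing host's log.

Added illustration, not the proposal's tooling. The /t/<token> path, the
campaign key, the recipient list and the access-log lines are all assumptions
constructed for this example.
"""
import hashlib
import hmac
import re
from collections import defaultdict

CAMPAIGN_ID = "2015-09-awareness"                       # assumed campaign label
SECRET = b"assumed-per-campaign-key-generate-randomly"  # never goes in the email
TRACKING_HOST = "https://training.example.test"         # assumed landing host

# Assumed user-agent prefix of a mail gateway that fetches links before
# delivery. Such hits show the gateway looked at the URL, but are not clicks.
PREFETCH_AGENTS = ("MailGuardLinkScanner/",)

RECIPIENTS = ["alice@agency.example", "bob@agency.example", "carol@agency.example"]

# Apache/nginx "combined" log format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def token_for(email):
    """Opaque per-recipient token. HMAC over the campaign id and address means
    nobody without the key can derive or forge a token from an address, and the
    same person always gets the same token within one campaign."""
    msg = f"{CAMPAIGN_ID}|{email.strip().lower()}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:20]


def build_links(recipients):
    """Return (token -> email lookup, email -> personalised URL)."""
    lookup, links = {}, {}
    for email in recipients:
        t = token_for(email)
        lookup[t] = email
        links[email] = f"{TRACKING_HOST}/t/{t}"
    return lookup, links


def attribute_clicks(log_text, lookup):
    """Map hits on /t/<token> back to recipients.

    Returns (clicks, prefetch_hits, unknown_tokens): clicks is email -> list of
    (timestamp, ip); gateway pre-fetches and tokens that were never issued are
    reported separately so they do not inflate the click count.
    """
    clicks, prefetch, unknown = defaultdict(list), 0, []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or not m.group("path").startswith("/t/"):
            continue
        token = m.group("path")[len("/t/"):].split("?", 1)[0]
        if m.group("ua").startswith(PREFETCH_AGENTS):
            prefetch += 1
            continue
        email = lookup.get(token)
        if email is None:
            unknown.append(token)
            continue
        clicks[email].append((m.group("ts"), m.group("ip")))
    return dict(clicks), prefetch, unknown


def sample_log(links):
    """Constructed access log: Alice clicks twice, Carol once, the gateway
    pre-fetches Bob's link (Bob never clicks), plus one stray hit."""
    tok = {e: url.rsplit("/", 1)[1] for e, url in links.items()}
    a, b, c = (tok[e] for e in RECIPIENTS)
    ua_win = "Mozilla/5.0 (Windows NT 6.1)"
    return "\n".join([
        f'198.51.100.7 - - [03/Sep/2015:09:14:02 -0400] "GET /t/{b} HTTP/1.1" 200 512 "-" "MailGuardLinkScanner/1.0"',
        f'10.20.0.15 - - [03/Sep/2015:09:31:40 -0400] "GET /t/{a} HTTP/1.1" 200 512 "-" "{ua_win}"',
        f'10.20.0.15 - - [03/Sep/2015:09:31:55 -0400] "GET /t/{a}?retry=1 HTTP/1.1" 200 512 "-" "{ua_win}"',
        f'10.20.0.42 - - [03/Sep/2015:10:02:11 -0400] "GET /t/{c} HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh)"',
        f'10.20.0.42 - - [03/Sep/2015:10:02:12 -0400] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Macintosh)"',
        f'203.0.113.9 - - [03/Sep/2015:11:45:00 -0400] "GET /t/deadbeef HTTP/1.1" 404 0 "-" "curl/7.43.0"',
    ])


def report(log_text=None):
    """Summary in the shape of the Employee Awareness Report: who clicked, and how many."""
    lookup, links = build_links(RECIPIENTS)
    clicks, prefetch, unknown = attribute_clicks(
        sample_log(links) if log_text is None else log_text, lookup)
    return {
        "sent": len(RECIPIENTS),
        "clicked": sorted(clicks),
        "click_rate": round(len(clicks) / len(RECIPIENTS), 2),
        "gateway_prefetches": prefetch,
        "unknown_tokens": unknown,
    }


if __name__ == "__main__":
    for k, v in report().items():
        print(f"{k}: {v}")
```

Counting recipients rather than raw hits is deliberate: the same person reloading the page is one failure of judgment, not two, and the gateway pre-fetch of Bob's link tells the client something about its mail filtering rather than about Bob. The stray token is kept in the report because a request for a link that was never issued is either a scanner or somebody probing the landing host, and the exercise should not silently absorb it.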
II. TECHNICAL REPORTS
The Technical Report gives the client's technical team further information on the vulnerabilities identified in the IT Assessment. This includes a list of exploited vulnerabilities, a description of each, and suggested remediation. The size of the report is specific to each engagement and is determined by the number of vulnerabilities identified. Reports provided include, but are not limited to:
- Wellness Report
- Vulnerability Report
- Vulnerability Validation Report
- Host Based Activity Report
- Host Report

III. RAW DATA SCANS
To ensure COMPASS gives the client all of the resources needed for remediation, a disc is provided with the raw scan results. This can run to more than 50,000 pages of vulnerability reports and gives the client insight into every vulnerability (critical, high, medium, and low priority) so that it may identify and remediate all gaps.

IV. EMPLOYEE TRAINING ROADMAP
COMPASS provides an employee training roadmap based on the findings of the employee awareness assessment. The type and frequency of training is tailored to the organization's industry, size, and culture. This can include, but is not limited to:
- Webinars
- Seminars
- Employee Newsletters
- Dry Runs

Post-Incident Services:

I. INVESTIGATION/CLEAN-UP
North Star Group's security engineers and analysts can provide forensic analysis in the event of a security incident that results in exposure of sensitive, protected data. Our analysts use a collection of tools to determine the root cause of the incident, the scope of the data impacted, and the likelihood that the attackers still have access to the network. NSG's analysts can assist State agencies with documenting the current state of the infrastructure so that, in the event of a data breach, it can be restored to its pre-incident state.

II. INCIDENT RESPONSE
North Star Group's security engineers and analysts can provide guidance in the event of an incident that encompasses not only technical guidance but also public relations, employee communications, and stakeholder (client) communications as appropriate. NSG personnel can also work with and advise the State agency's legal and compliance teams to ensure that an integrated and comprehensive approach is taken.

III. MITIGATION PLANS
One of the key components of a robust and effective information security defense is developing incident response and mitigation plans before they are needed. NSG analysts can assist State agency staff with developing incident response plans that cover all functional areas, including forensic analysis, public relations, internal communications, legal, insurance and any other relevant functional areas and departments.