Top 10 for 2016

Stay tuned: IRG will soon release its new "Top 10" Information Security ideas for 2016. Each has been chosen by our security analysts based on the following three factors:

  • ability to lower corporate risk
  • ability to lower overall IT cost
  • ability to increase employee productivity

There will be a special emphasis on the many aspects of cloud computing.

Welcome

Info Risk Group LLC would like to welcome you to our site. Our consultants are constantly updating our services and skills as part of our effort to provide solutions to the latest concerns affecting our customers. Please check back often or contact us now if you have any questions.

About Us

Since 2003, Info Risk Group consultants have been assisting companies in implementing effective solutions. Our knowledgeable advisors have extensive industry and consulting experience. We look forward to assisting you on your next IT project or assessment.

Security Assessments

Information security assessments benefit companies by focusing management on the areas where reputation and strategic risk can be reduced. Understanding risk requires the analysis of a wide range of information relevant to a particular company's risk environment. IRG's holistic assessment methodologies are based on the years of experience our employees have working with large financial institutions and major accounting firms. An annual security assessment should be considered an essential metric of every company's ongoing security strategy. Information Risk Group LLC has developed several services based on the needs and requests of our customers:

All reviews are performed in an efficient and timely manner in order to minimize any impact on your company and its personnel. As independent examiners of your company's overall security strategy, IRG is in a position to offer impartial reporting on the effectiveness of a company's information security implementation.

Please contact one of our IS specialists to discuss which type of assessment is appropriate for your company.

Customized Security Program Development

Starting from the beginning is a daunting task, but every journey begins with the first step. IRG has developed a customizable approach that will provide your company with a focused methodology for implementing a security program. The first steps involve our information security specialists, in coordination with your staff, performing a quantitative and qualitative risk analysis using the following six steps:

  1. Gather data and assign monetary value to the information and technology assets of your company.
  2. Estimate the vulnerabilities and threats to those assets.
  3. Evaluate the effectiveness of existing security controls and processes.
  4. Derive the probability of impact and overall loss potential per threat.
  5. Interview management and senior technical personnel.
  6. Develop recommendations to transfer, reduce, assign, or accept risk.

The results of this evaluation will allow your company to control and manage risk based on data and analysis that more accurately reflect the risks and threats within your environment. IRG can then aid your company's information security personnel in recommending appropriate safeguards, countermeasures and actions.

Please contact us with any questions you may have on this subject or any other service Information Risk Group offers.

Information Risk Group LLC
3220 Henderson Blvd.
Tampa, FL 33609

Information Risk Group offers information security and risk management services to companies throughout the Americas.

Gramm Leach Bliley Act  (GLBA)

In recognition of the importance of protecting personal financial information, the GLBA was signed into law on November 12, 1999. The act dictates that financial institutions must, under 15 USC 6801 Section 501, 505(b) and 507, establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, physical and technical safeguards. GLBA further states that "it is the policy of the Congress (and now the United States) that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information." These safeguards must be sufficient to:
  • insure the security and confidentiality of customer records and information;
  • protect against any anticipated threats or hazards to the security or integrity of such records; and
  • protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
These general compliance objectives have been further refined by financial institution regulatory agencies in subsequent guidelines. Information Risk Group has developed specific work programs to assist financial institutions in achieving GLBA compliance per each agency's policies. Please contact IRG if you have questions about what steps are required for your institution.

Compliance Dates

The effective date for implementing these guidelines depends on which government agency is responsible for regulating your financial institution. See the chart below for details:

| Regulatory Agency | Financial Institutions Regulated | Implementation Compliance Date | Outsourced Technical Services Compliance Date |
|---|---|---|---|
| FDIC | Primary federal regulator of state-chartered "nonmember" banks: commercial and savings banks that are not members of the Federal Reserve System. | July 1, 2001 | July 1, 2003 |
| OTS | Primary regulator of all federal and many state-chartered thrift institutions, which include savings banks and savings and loan associations. | July 1, 2001 | July 1, 2003 |
| OCC | Charters, regulates, and supervises all national banks. Also supervises the federal branches and agencies of foreign banks. | July 1, 2001 | July 1, 2003 |
| FTC | Mortgage lender or broker; check casher; pay-day lender; professional tax preparers and tax planners; credit counseling service; financial advisors; retailer that issues its own credit card; personal property or real estate appraisers; auto dealers that lease and/or finance; collection agency services; medical-services provider that establishes, for a significant number of its patients, long-term payment plans that involve interest charges; government entities that provide financial products such as student loans or mortgages. | May 23, 2003 | May 23, 2006 (to conform third-party service contracts entered into before July 24, 2002) |
| FRB | Primary federal regulator for state-chartered banks that are members of the Federal Reserve System, as well as for all bank and financial holding companies and certain operations of foreign banking organizations. | July 1, 2001 | July 1, 2003 |
| NCUA | Charters and supervises federal credit unions and insures the deposits in all federal and many state-chartered credit unions. | July 1, 2001 | July 1, 2003 |
| State Banks | Supervise state-chartered banks, savings institutions, and credit unions. | July 1, 2001 | July 1, 2003 |
| State Insurance Authorities | Insurance companies are regulated at the state level. | varies by state | varies by state |

How can Information Risk Group assist your company in complying with these guidelines?

Regardless of size, all financial institutions must take specific actions to comply with GLBA. The steps that must be taken vary slightly by regulating agency; however, each agency has based its guidelines on a common set of information security principles.

Each financial institution must develop a written information security plan under which it will:
  1. designate one or more employees to coordinate the safeguards;
  2. identify and assess the risks to customer information in each relevant area of the company's operation, and evaluate the effectiveness of the current safeguards for controlling these risks;
  3. design and implement a safeguards program, and regularly monitor and test it;
  4. select appropriate service providers and contract with them to implement safeguards; and
  5. evaluate and adjust the program in light of relevant circumstances, including changes in the firm's business arrangements or operations, or the results of testing and monitoring of safeguards.
Information Risk Group has developed several specific offerings to aid financial institutions in complying with the requirements of GLBA. Our methodologies are based on years of experience as technical auditors with large financial firms and the major accounting firms. IRG reviews are performed in an efficient and timely manner in order to minimize any impact from our assessment on your company and its personnel. Our present offerings with respect to GLBA are as follows:

Contact IRG today for further information on how we can help you comply with GLBA.

Health Insurance Portability and Accountability Act  (HIPAA)

In 1996 Congress passed HIPAA to improve the efficiency and effectiveness of the health care system. In response to this regulation, the U.S. Department of Health and Human Services ("DHHS") issued several new regulatory standards which apply to all covered entities. The act mandates the adoption of a number of specific guidelines. IRG has developed assessment services to aid covered entities in complying with the privacy and security regulations authorized by this act.

The "Privacy Rule"

The Privacy Rule sets standards for how protected health information (PHI) should be controlled by setting forth what uses and disclosures are authorized or required and what rights patients have with respect to their health information. The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. "Individually identifiable health information" is information, including demographic data, that relates to:
  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.
For the most part, the Privacy Rule protects a subset of individually identifiable health information, known as protected health information, that is held or maintained by covered entities or their business associates acting for the covered entity.

HIPAA Privacy - Compliance Dates

All required privacy compliance steps must be met by the compliance date set forth by DHHS in the final modifications to the Privacy Rule. The following table gives the compliance dates by which the Privacy Rule must be implemented:

| Covered Entities | Compliance Date |
|---|---|
| Health Care Providers | April 14, 2003 |
| Medium & Large Health Plans (revenue of $5,000,001 or greater) | April 14, 2003 |
| Small Health Plans (revenue of $5,000,000 or less) | April 14, 2006 |
| Health Care Clearinghouses | April 14, 2003 |

How can Info Risk Group assist you with HIPAA privacy compliance?

IRG has developed several offerings with respect to the HIPAA Privacy Rule:
  • Privacy Notice content, implementation and documentation reviews.
  • The information security safeguards required for protected health information, as established in 45 CFR 164.530.
  • General Privacy Rule compliance and administration.
Contact IRG today for further information on how we can help your institution with HIPAA compliance.


The "Security Rule"

The Security Rule provides a set of standards that define the administrative, physical, and technical safeguards mandated by DHHS to protect the confidentiality, integrity, and availability of electronic protected health information. The standards require covered entities to implement basic safeguards to protect electronic protected health information from unauthorized access, alteration, deletion, and transmission. These standards require measures to be taken to secure this information while in the custody of entities covered by HIPAA as well as in transit between covered entities and from covered entities to others.

Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number). In an effort to standardize HIPAA Security Rule compliance for all covered entities, DHHS has issued 45 CFR parts 160, 162 and 164. The CFR describes a list of safeguards separated into three categories:

Administrative Safeguards
  • Security Management Process
  • Assigned Security Responsibility
  • Workforce Security
  • Information Access Management
  • Security Awareness and Training
  • Security Incident Procedures
  • Contingency Plan
  • Business Associate Contracts and Other Arrangements

Physical Safeguards
  • Facility Access Controls
  • Workstation Use
  • Workstation Security
  • Device and Media Controls

Technical Safeguards
  • Access Control
  • Audit Controls
  • Integrity
  • Person or Entity Authentication
  • Transmission Security

HIPAA Security - Compliance Dates

All implementation specifications and standards must be met by the compliance date set forth by DHHS in its final Security Rule. According to 45 CFR 164.318, the following table gives the compliance dates by which the security standards must be implemented:

| Covered Entities | Compliance Date |
|---|---|
| Health Care Providers | April 20, 2005 |
| Medium & Large Health Plans (revenue of $5,000,001 or greater) | April 20, 2005 |
| Small Health Plans (revenue of $5,000,000 or less) | April 20, 2006 |
| Health Care Clearinghouses | April 20, 2005 |

How can Information Risk Group assist you with HIPAA security compliance?

IRG has developed several offerings with respect to the HIPAA Security Rule:
  • Perform a "gap analysis" against a company's presently implemented information security program.
  • Develop a complete HIPAA security compliance program for your company based on:
    • The size, complexity, and capabilities of the covered entity.
    • The covered entity's technical infrastructure, hardware, and software security capabilities.
    • The costs of security measures.
    • The probability and criticality of potential risks to electronic protected health information.
  • Fill in portions of your company's HIPAA compliance program with respect to the safeguards identified in the matrix above. Often companies don't have experience in all of the safeguards required by HIPAA Security.

Contact IRG today for further information regarding HIPAA privacy and security compliance.

Information Security Policy and Standard Reviews

Once a security assessment has been performed, the next step is to evaluate your company's present policies and standards. It is important
  • Policy and Standard Review of the Network, System or Application.
    • User and Group Management
    • Backup and Restore Policy
    • Change Policy
    • Disaster Recovery Policy
    • Intrusion Detection Policy
    • Audit Log Policy
    • Documentation
  • Technical Security Review
    • Network, System and Application controls
    • User and Administrative Controls
    • Authentication and Authorization
    • Auditing Controls
    • Access controls
While Info Risk Group is willing to look only at the technical controls of a specific application or system, we encourage our customers to always review the security of the entire system in conjunction with the application. The application and system are bound together, each directly affecting the security of the overall system.

Outlined below is a partial list of products Info Risk Group is prepared to assess:
  • Operating Systems
    • Windows NT 4, XP, 2000, Vista, 7
    • UNIX - Solaris, AIX, HPUX, Linux
    • Netware / Open Enterprise Server
    • i5/OS (OS/400)
  • Databases
    • Oracle
    • DB2
    • Sybase
    • Microsoft SQL Server
    • MySQL
  • Web Servers
    • IIS
    • Apache
  • Virtualization
    • VMware
    • Xen
  • Networks
    • Cisco
    • Juniper
    • 3Com
    • HP
    • General Design of DMZ, Extranet and Internet Connectivity
  • Firewalls
    • Cisco PIX
    • Raptor
    • Barracuda
    • Checkpoint
  • IDS
    • ISS
    • Snort
  • Directory Services
    • Microsoft ADS
    • Novell eDirectory
    • X.509 / PKI


Please contact us if you have any questions on this or any other service we offer.

Ethical Hacking

What is an ethical hacker?

An ethical or "white hat" hacker is an excellent way to analyze your systems' vulnerabilities from the outside. Companies are electronically attacked daily. One need only read the technology headlines on any major web site to see how serious this issue has become in our computer-reliant world. And the hacking attempts don't just come from the outside. The CSI/FBI survey estimates that 60% of all computer crime attempts are committed by internal employees. For this reason all of your systems need to be as secure as those you place on the Internet.

How does Information Risk Group perform its analysis?

Info Risk Group's proprietary Attack and Penetration Methodology (APM) is designed to provide maximum results with minimum system impact. Working closely with your staff, our security team attempts controlled penetrations of your networks and other points of access. Controlled penetrations are designed to do no harm to your systems. If at any time IRG believes that a system or network may be placed in an unstable state, IRG will request specific permission from the customer before continuing with the attack. This ensures maximum uptime for your systems and prevents outages that may affect your company's customers.

The following four steps outline how IRG performs this service.
  • Identify and confirm the systems to be assessed, to ensure we are working solely with the systems outlined in the contract.
  • Externally assess each system through a "footprint" analysis.
  • Attempt targeted penetration and intrusion on discovered networks, systems and applications.
  • Verify and report on all findings.

What results can you expect?

Info Risk Group staff remain in contact with the customer throughout the entire engagement. In the event a serious misconfiguration or vulnerability is discovered, it is immediately reported to the customer for remediation. All findings are verified to the best of our ability to prevent "false positive" reporting. IRG also rates each finding on two levels: ease of repair and difficulty of exploitation. This allows you to concentrate on the problems you can fix given your resources.

Please contact us with any questions you may have on this subject or any other service Info Risk Group offers.

What customers think . . .

We needed a basic website that fully complied with the Florida Bar's recent regulations. Now, we have a site that complies with Florida Bar Rule 4-7.2, and we are able to seamlessly provide our customers with testimonials and past results. Info Risk Group was able to get us up and running in less than two days for a reasonable cost. Thanks IRG.

Andrews Law Group