BullsEye Selected as a Master Contractor for Maryland Montgomery College’s Multi-Year IT Contract

Fulton, Maryland – July 11, 2018 – BullsEye Computing Solutions was selected by Montgomery College of Maryland as a Master Contractor for a five-year IT contract.

Under this IDIQ contract, BullsEye and its subcontractors will provide IT staffing and project-based services to the college and its affiliates in six (6) functional areas:

  1. IT Management
  2. IT System Management
  3. Information System Security
  4. Web & Internet Systems
  5. Application Support & Software Engineering
  6. Data Analytics & Reporting

BullsEye specializes in empowering technology and human resources to help customers achieve process efficiency and deliver high-profile, mission critical projects. The firm has 20 years of experience fulfilling business and IT needs of commercial and public organizations throughout the world. For more information, contact Elizabeth Hess at (410) 480-9443.

BullsEye plans to leverage Global Shield IS as a partner firm to bring unique Information Security and Compliance experience to enhance expertise in their respective focus areas.

Global Shield Information Services (GSIS) specializes in IT auditing for highly regulated government and commercial organizations. It supports public accounting firms with IT Risk Management Capabilities and performs IT financial and security audits and information assurance.  For more information, contact Doguhan Avsar at (202) 656-4099, or visit https://globalshieldis.com/.

Three Steps to Improving Logical Access

3-29-2015

One of the most important IT control areas for any small, medium or large organization is logical access to resources such as applications and databases. Logical access is the process by which a user or object is identified, authenticated and/or authorized to access an application, system, database or another object[1]. Every organization must implement logical access controls in order to protect valuable data and resources, both internally and externally. Logical access controls prevent data from being accessed by employees or external actors who might present a risk to the organization. They also ensure that resources are accessed on a need-to-know basis, according to each individual’s role within the organization.

If an organization chooses not to implement logical access controls, it runs the risk of losing proprietary data to the outside world, which could pose a threat to the organization. If you run a search on logical access breaches you will find thousands of recent examples of data that was extracted for malicious purposes, both by employees of organizations and by outside threats such as hacking groups. The following three steps will enable an organization to implement logical access controls and provide a basic framework for protecting its data.

Step 1: Identify gaps and risks regarding logical access

The first step is to assess what types of controls are currently in place to protect organizational data (“what do we currently have?”). From there, an evaluation must be conducted to find out what types of controls are missing (“what do we need?”). For each missing control, calculating the risk, impact and likelihood is a necessary part of this evaluation. Other criteria to consider are:

  • System inventory: Have you documented an inventory of all applications, databases, interfaces and systems within your organization?
  • Excessive privilege: What does each employee have access to? Are controls in place to ensure each employee has access to only what he or she needs to perform daily job duties? An example of excessive privilege would be if Sandra in Accounting had full access to the Human Resources system.
  • Framework alignment: Are the access control policy and procedures built on a framework? Examples of frameworks are COSO, COBIT and NIST.
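The inventory and excessive-privilege checks above can be turned into a repeatable review once the entitlement data is exported. The following is an added example (not from the original article or from GSIS) of such a review in Python. The system inventory, the department-to-system role matrix and the entitlement export are all constructed sample data; the department and system names are assumptions chosen to mirror the Sandra-in-Accounting case. Any department or system that has no row in the role matrix is treated as “no access allowed” so that undocumented grants surface for review rather than silently passing.

```python
"""Added example: a logical-access review over a constructed entitlement export.

Two checks from Step 1 are implemented:
  1. inventory gaps    - systems granting access that are not in the documented inventory
  2. excessive privilege - users whose access level exceeds what their department needs
"""
from collections import namedtuple

Entitlement = namedtuple("Entitlement", "user department system level")

# Constructed system inventory (the documented list of systems the organization owns).
SYSTEM_INVENTORY = {"ERP", "HR_SYSTEM", "CRM"}

# Ordered access levels; a higher number means more privilege.
LEVELS = {"none": 0, "read": 1, "write": 2, "full": 3}

# Constructed role matrix: department -> {system: highest level that role needs}.
ROLE_MATRIX = {
    "Accounting": {"ERP": "write", "HR_SYSTEM": "none", "CRM": "read"},
    "HR":         {"ERP": "read",  "HR_SYSTEM": "full", "CRM": "none"},
    "Sales":      {"ERP": "none",  "HR_SYSTEM": "none", "CRM": "write"},
}

# Constructed entitlement export, as an IAM tool or directory report might produce it.
ENTITLEMENT_EXPORT = [
    Entitlement("sandra", "Accounting", "ERP", "write"),
    Entitlement("sandra", "Accounting", "HR_SYSTEM", "full"),   # excessive privilege
    Entitlement("raj",    "HR",         "HR_SYSTEM", "full"),
    Entitlement("raj",    "HR",         "ERP", "read"),
    Entitlement("lee",    "Sales",      "CRM", "write"),
    Entitlement("lee",    "Sales",      "LEGACY_FTP", "full"),  # system not in inventory
    Entitlement("mo",     "Facilities", "CRM", "read"),         # department has no defined role
]


def find_inventory_gaps(entitlements, inventory):
    """Return the sorted set of systems that grant access but are missing from the inventory."""
    return sorted({e.system for e in entitlements if e.system not in inventory})


def find_excessive_privilege(entitlements, role_matrix):
    """Return (user, system, granted_level, allowed_level) for every grant above the role's need.

    A department without a row, or a system without a column, defaults to "none": the
    grant is reported so a human decides whether the matrix or the grant is wrong.
    """
    findings = []
    for e in entitlements:
        allowed = role_matrix.get(e.department, {}).get(e.system, "none")
        if LEVELS[e.level] > LEVELS[allowed]:
            findings.append((e.user, e.system, e.level, allowed))
    return findings


def run_review(entitlements=ENTITLEMENT_EXPORT, inventory=SYSTEM_INVENTORY,
               role_matrix=ROLE_MATRIX):
    """Run both checks and return them as one report dictionary."""
    return {
        "inventory_gaps": find_inventory_gaps(entitlements, inventory),
        "excessive_privilege": find_excessive_privilege(entitlements, role_matrix),
    }


if __name__ == "__main__":
    report = run_review()
    for system in report["inventory_gaps"]:
        print(f"INVENTORY GAP: {system} grants access but is not in the system inventory")
    for user, system, granted, allowed in report["excessive_privilege"]:
        print(f"EXCESSIVE PRIVILEGE: {user} has {granted} on {system}, role allows {allowed}")
```

The review is deliberately conservative: anything the role matrix does not explicitly allow is reported, because in practice the matrix is incomplete on the first pass and the gaps themselves are findings for Step 1.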

Step 2: Develop access control policy and procedures

The second step is to develop an access control policy, and procedures that adhere to the new policy. The policy will dictate an organization-wide process for implementing the access controls. Although developing a new policy can be a daunting task, the NIST, COSO and COBIT frameworks offer a great deal of information, including templates, for developing your access control policy and procedures.

Once the policy and procedures are outlined and developed, they must be updated, revised and tested for any errors and omissions. All members of the organization must be involved in the development process to make sure that every department’s opinions and concerns are taken into consideration. For example, if you leave the development of the policy strictly to IT management, it might restrict too much access for anyone to conduct his or her daily duties. On the other hand, if HR develops the policy, it might be too lenient and not address any threats appropriately.

Step 3: Continuously monitor and update with any changes

As the world evolves, so will its existing threats, vulnerabilities and risks. Therefore, the last step of improving logical access consists of continually monitoring and updating the implemented policy and procedures as necessary. In addition, reviews of access controls should be conducted on a periodic basis, as deemed necessary by the organization or as dictated by policy. This will ensure that all changes to the organization are considered and reflected in the access policy.

To close, access controls are necessary and an integral part of any organization, no matter what its size. Every organization must implement logical access controls in order to protect its data and resources from internal and external threats. The steps above are general and will help you get started. Each organization will have to tailor these steps as necessary, adding steps where needed and removing steps that do not address a risk at the time. In addition, implementing these steps will not guarantee that you will pass an IT audit. For assistance in understanding the requirements of an IT audit or for help getting optimal results, please contact us. As always, if you or someone you know needs assistance in understanding or implementing a new access control policy, please do not hesitate to contact us at [email protected].

————————

[1] This is not to be confused with physical access, which can serve the same ends but not through the use of software alone.

Configuration Management: Why You Should Care, No Matter Your Size

12-30-2014

As technology advances and more companies turn to computer software to digitally process their data, many of those companies overlook a very critical business process known as Configuration Management[1]. At a high level, Configuration Management (CM)[2] is the process of managing and tracking all changes within an entity, be it an individual server or an entire organization. It can quickly become a complex and labor-intensive process; however, implementing the basic fundamentals matters most. The official definition as stated by the National Institute of Standards and Technology (NIST)[3] is as follows:

Configuration Management (CM) comprises a collection of activities focused on establishing and maintaining the integrity of products and systems, through control of the processes for initializing, changing, and monitoring the configurations of those products and systems.

Over the course of the past ten years, we have observed companies, large and small, overlook this process as a whole or mismanage it by not segregating duties among several individuals, inherently introducing significant risk to the organization. As a result, lack of proper CM has led to non-functional software, data errors, system downtime, compromise of data and even financial fraud within an organization.

To minimize these costly risks it is important to incorporate a CM process to properly manage changes within your organization. Luckily, this process can be tailored to your organization depending on its size and capabilities. NIST has a very detailed publication, NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, which covers CM in large, complex environments; the controls for periodically checking that the process is working as it should are in a separate publication, NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations[4]. In addition, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) offers a less detailed, financially focused framework[5] for managing a CM process.

However, if you do not have time to go through the publications mentioned above in great detail, or feel that your organization has not reached the level where it would need such a large effort to manage a small number of changes to your IT environment, the following three steps could help you start developing your own CM process[6]:

  1. Identify any risks and gaps in the current process for implementing and managing changes. Several factors to consider are as follows:
    • Does your organization currently have a CM process?
    • Understand the basics of the CM flow (documented in NIST 800-128 and COSO).
    • Identify and accept or mitigate your risks before beginning to develop your new CM process. Examples are as follows:
      • Does your organization currently have only one individual who is responsible for creating and implementing all changes within your IT environment? If so, this is a risk and will need to be mitigated. Mitigations we have seen in the past include separating duties and having a supervisor approve all changes before they are implemented in the production environment, as well as enforcing that separation by removing administrative access from the programmers or implementers of changes.
      • Do you track all changes? If so, are they consolidated and reviewed on a periodic basis?
      • Do you keep backups of software or code before implementing new changes?
      • Do you have separate test and development environments for your software in order to test changes before implementing them in production?
      • Do you have a patch management process? Is your patch management process documented?
  2. Develop your new process:
    • Develop a tailored draft CM process from the fundamentals described in NIST 800-128 and COSO; the process should cover the CM controls in COSO and/or NIST 800-53, rev. 4.
    • Discuss your new draft CM process with all appropriate divisions, management and stakeholders involved in your business. Additional tailoring might be required based on management’s guidance and recommendations.
    • Test the process from start to finish.
    • After successful testing, implement your new CM process and make the entire organization aware of the changes.
  3. Continually monitor your process as you grow:
    • Conduct patch management on your IT infrastructure.
    • Conduct periodic vulnerability assessments on your IT infrastructure.
    • Periodically review all changes for completeness and adherence to the CM process that you helped develop. This will help catch errors and also ensure that staff are following the new CM process.
    • Revisit your CM process and periodically check for updated guidance from NIST or COSO. Make any changes or updates as necessary to improve the process.
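The periodic review of changes in step 3 is only practical if each change record carries the evidence the step 1 questions ask for: who approved it, who implemented it, whether a backup was taken and where it was tested. The following is an added example (not from the original article or from GSIS) of that review in Python. The change log is constructed sample data and its field names (`approver`, `implemented_at`, `backup_taken`, `tested_in`) are assumptions standing in for whatever your ticketing system exports; the checks themselves map directly to the questions above: approval by someone other than the implementer, approval before implementation, a pre-change backup, and testing in a non-production environment.

```python
"""Added example: review a constructed change log for adherence to a basic CM process."""
from datetime import datetime

# Constructed change records; timestamps are ISO-8601 strings as a ticketing export might give.
CHANGE_LOG = [
    {"id": "CHG-001", "implementer": "alice", "approver": "bob",
     "approved_at": "2014-12-01T09:00", "implemented_at": "2014-12-01T14:00",
     "backup_taken": True, "tested_in": "test"},
    {"id": "CHG-002", "implementer": "alice", "approver": "alice",      # self-approved
     "approved_at": "2014-12-02T09:00", "implemented_at": "2014-12-02T10:00",
     "backup_taken": True, "tested_in": "test"},
    {"id": "CHG-003", "implementer": "carol", "approver": "bob",        # approved after the fact, no backup
     "approved_at": "2014-12-03T16:00", "implemented_at": "2014-12-03T11:00",
     "backup_taken": False, "tested_in": "dev"},
    {"id": "CHG-004", "implementer": "carol", "approver": None,         # never approved, never tested
     "approved_at": None, "implemented_at": "2014-12-04T11:00",
     "backup_taken": True, "tested_in": None},
]

# Environments that count as non-production for the "tested before production" control.
NON_PROD = {"dev", "test", "staging"}


def _ts(value):
    """Parse an ISO-8601 timestamp string; None stays None."""
    return datetime.fromisoformat(value) if value else None


def review_change(change):
    """Return the list of control deviations for one change record (empty if compliant)."""
    deviations = []

    # Segregation of duties: a documented approver who is not the implementer.
    if not change.get("approver"):
        deviations.append("no documented approval")
    elif change["approver"] == change["implementer"]:
        deviations.append("approver is the implementer (segregation of duties)")

    # Approval must precede implementation, otherwise it is a rubber stamp.
    approved, implemented = _ts(change.get("approved_at")), _ts(change["implemented_at"])
    if approved and implemented and approved > implemented:
        deviations.append("approved after implementation")

    # A backup of the software or code before the change.
    if not change.get("backup_taken"):
        deviations.append("no backup before change")

    # Tested somewhere other than production before going to production.
    if change.get("tested_in") not in NON_PROD:
        deviations.append("not tested in a non-production environment")

    return deviations


def review_change_log(changes):
    """Map change id -> deviations for every change that has at least one."""
    report = {}
    for change in changes:
        deviations = review_change(change)
        if deviations:
            report[change["id"]] = deviations
    return report


def compliance_rate(changes):
    """Fraction of changes with no deviations; 1.0 for an empty log."""
    if not changes:
        return 1.0
    compliant = sum(1 for c in changes if not review_change(c))
    return compliant / len(changes)


if __name__ == "__main__":
    for change_id, deviations in review_change_log(CHANGE_LOG).items():
        print(change_id + ": " + "; ".join(deviations))
    print(f"compliance rate: {compliance_rate(CHANGE_LOG):.0%}")
```

Running the review over the whole period's log, rather than sampling, is what turns the step 3 bullet into a control: the output is the list of changes a supervisor has to explain, and the compliance rate is the trend to watch as the organization grows.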

The steps above are general and will help you get started. Each organization will have to tailor these steps based on internal policies and procedures, adding steps where needed and removing steps that do not address a risk at the time. In addition, implementing these steps will not guarantee that you will pass an IT audit. They only serve as guidance for starting the development of a CM process. For assistance in understanding the requirements of an IT audit or for help getting optimal results, please contact us.

All organizations must implement some form of CM to manage changes to their systems and applications in order to reduce the risks mentioned above. Implementing an effective and efficient CM process will reduce[7] risks such as financial fraud, compromise of confidential data, non-functional software, data errors and costs associated with user downtime that come with implementing newer software and technology within your organization. As always, if you or someone you know needs assistance in understanding or implementing a new CM process, please do not hesitate to contact us at [email protected].

————————

[1] For the purposes of this article, we will use the term Configuration Management.

[2] We are referring to the IT Configuration Management process as opposed to the engineering Configuration or Change Management process.

[3] NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, August 2011.

[4] NIST SP 800-53, rev.4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013.

[5] COSO, The 2013 COSO Framework & SOX Compliance, One Approach To An Effective Transition, June 2013.

[6] Before making any changes and/or implementing any processes into your organization, always consult with your IT Security and IT Audit departments.

[7] Although implementing a CM process will reduce certain risks, it does not eliminate them. Many other factors come into play when considering the threats of today’s world coupled with the vulnerabilities of today’s technology.