INFORMATION SYSTEM SECURITY

Commerical
Federal Government and Contractors

Commercial

QoS customizes Information Security Program reviews, development and updates specific to an organization’s need. Everyone should exercise good cyber hygiene in the management of information systems; however, a large-scale approach may not be suitable to small scale company with a modest InfoSec team. Using a tailored approach allows organizations to maintain compliance, leverage comprehensive security practices and avoid unnecessary overhead.

Our tailored approach to aiding organizations in developing and improving their overall information security system management is scalable. Our consultants are knowledgeable across a variety of industries, including, but not limited to, financial, technological, healthcare, education, software and managed services. We leverage our experience, in conjunction with industry standard methodologies to deliver world-class services. The Commercial Information System Security services include:

Identifying all regulatory requirements (current and potential) based on business functions and targeted endeavors.
Identifying overall risk tolerance.
Identifying/evaluating key roles, responsibilities, and information types.
Identifying critical systems and functions.
Defining/evaluating system boundaries (allows for proper allocation of company resources).

Once we’ve determined the information being processed, stored, and transmitted by the system or program, QoS will determine an appropriate initial set of security controls based on the risk level and compliance requirements. The following phase includes:

Defining/evaluating security control policies and guidelines using an established superset of security controls – organizations with multiple regulatory bodies often have overlapping requirements.
Analyzing current efforts of continuous monitoring.
Defining internal / external auditing requirements.
Documenting a corrective action plan.
Assist with the identification of resources and technologies required for remediation efforts.

Federal Government and Contractors

QoS is intimately familiar with the associated Assessment & Authentication (A&A) process – sometimes still referred to as Certification and Accreditation (C&A) – and the relevant standards, frameworks, and regulations that organizations should employ, such as:

FISMA
Risk Management Framework (RMF)
NIST SP 800-171 / Cybersecurity Maturity Model Certification (CMMC)
FedRAMP
DIACAP / DOD RMF
NIST SP 800-37
NIST SP 800-53
NIST SP 800-115
DCID 6/3

Ever since the A&A process was initially defined (FISMA, DOD RMF, DIACAP, etc.), QoS has been providing support and services to many of our Government and commercial clients. QoS has the experience (DoD, Civil, Intelligence, Commercial) and expertise to support your organization, department, or agency in gaining formal system approval/authority to operate at the appropriate security level. Stemming from a comprehensive risk management framework, QoS’ tactical approach allows us to:

Articulate security controls in a System Security Plan (SSP) and/or System Security Authorization Agreement (SSAA) for a given Major Application (MA) or General Support System (GSS).
Define system boundaries; draft Interconnection Agreements; establish security categorizations (FIPS 199).
Assess the effectiveness of in-place security controls with a thorough Security Test and Evaluation (ST&E) or Security Assessment and produce a respective Security Assessment Report (SAR) to make certain the necessary controls are implemented and fully operational.
Manage and remediate uncovered vulnerabilities through continuous monitoring and a Plan of Action and Milestones (POA&M).
Interface and produce documentation for the Certification Agent (CA) and Designated Approval Authority (DAA).

As a client of QoS, a security assessment for your organization, department, or agency will be conducted by a team of experienced security engineers with strong backgrounds in cybersecurity, compliance, and specific systems experience. Employing the RMF A&A process as a baseline, we will collaborate with your associated security team, system owners, and department leads to thoroughly assess your IT environment while maintaining a strong line of communication. While providing associated ongoing walkthrough briefings for key stakeholders, QoS will initialize the process through:

Identifying security categorization resources.
Defining/evaluating the overall security categorization.
Identifying/evaluating key roles, responsibilities, and information types.
Defining impact values and their application.
Describing confidentiality security categorization factors.
Defining/evaluating system boundaries.
Drafting a security plan or evaluating an existing security plan.

Once we’ve determined the information being processed, stored, and transmitted by the system or program, QoS will determine an appropriate initial set of security controls based on the security categorization or conduct an analysis of existing security controls through:

Defining/evaluating security control policies and guidelines.
Identifying/evaluating hybrid, system-specific, and common controls.
Describing the purpose of security overlays and tailoring them to the IT environment.
Analyzing current efforts of continuous monitoring.

Through the selection or evaluation of relevant security controls and safeguards based on mission/business impact, risk to operations and assets, and personnel, QoS will then determine the control documentation requirements, develop or review control-related artifacts, and reference the processes for applying industry best practices to reduce the overall level of risk. Following the implementation process, we will assess the security controls to ensure they were implemented correctly, operate as intended, and successfully meet the system or program security requirements. Our base testing process includes:

Development, review, or approval of a security assessment plan.
Assessing controls based on the finalized security assessment plan.
Identifying security assessment results.
Explanation of how to conduct remediation activities.

Concerning roles and responsibilities of key stakeholders, as they relate to the completion, submission, and approval of authorization packages, QoS will collaborate with you to:

Prepare a Plans of Action and Milestones (POA&M).
Assemble and submit a security authorization package.
Recognize and describe the overall risk based on artifacts submitted.
Define key resources to make a risk acceptance decision.

As maintaining an effective security posture and accreditation status is of critical importance, QoS will conclude the security assessment with a deliverable package and a final briefing that overviews:

The importance of documenting system changes.
The recognition of a need for ongoing assessment, risk determination, and remediation.
How assessor results can be used.
A required frequency for reassessment.
The necessity of status reporting.
The information system removal and disposal process.