The public sector is an interesting, important and really tough market to work with. You can verify this by asking your vendors how they feel about working in “SLED”: State, Local and Educational. They’ll talk about thin and biennial budgets, government procurement rules and political and labor overlays.
And yet, we picked this market preferentially. Why? Because we have kids. Because clean water, emergency management, and communication systems for public safety are far more important than credit cards. Yes, the public sector holds personally identifiable information, health records and cardholder data and those are important as security drivers (no one wants to be “above the fold”), but the real exposures are the ones that can result in loss of life if disrupted.
So our challenge is to come up with security services that are focused on the right things, provide demonstrable value, and help with moving the conversation forward about securing the critical assets that are managed by the public sector—while addressing the difficulties in projecting the need for security to elected officials and executives.
So here are three packages that do just that. These are meant to assist with establishing a security baseline and budget priorities, identifying low-hanging fruit for quick wins, and addressing compliance requirements that apply to HIPAA, CJIS, and PCI. And while pricing depends on scope, these are normally below the threshold for competitive procurement.
This is against standards of practice and regulatory requirements that apply to your organization. The assessment is crafted to address exactly the issues on which you need to elevate attention. If you’re having a problem with payment systems that store cardholder data, we put PCI issues in scope. If you’re concerned about the storage of health data, we integrate HIPAA issues into the assessment. The deliverable is a driver for budget requests and prioritization, and establishes a baseline against which you can show progress over time.
Using our custom packet-capture platform, we’ll pull traffic from your network onto an encrypted drive for a period of 3-5 days. This comes back to the MKH&A lab, and is run through our OSMOSIS threat identification platform, and interesting findings investigated by an MKH&A analyst. The analysis will identify compromised assets in your network, attacks in progress, data exfiltration events, and network device configuration issues. This information can be used to identify control deficiencies, the need for user education, and the value of monitoring.
Awareness training is a component of nearly every security regulatory regime, because users are your biggest exposure. While there’s no firewall for stupidity, users can—and should—be periodically exposed to messaging that helps to bring their “radar up” to avoid disclosing credentials, biting on malware, or failing to report odd occurrences. Our training is directed at 3 populations: users, administrators, and executives and includes attestation management so you can prove to auditors that you’re meeting the requirement.