We Make It Simple to Know You’re Secure and Prove You’re Compliant
Our mission is to simplify the complexities of security information management:
- Focus on the core group of security assessment services you need
- Take the time to understand your business and then optimize our approach for your unique situation
- Deliver reports and guidance that are easily understood and acted on by both management and technical personnel
- Base your assessment and recommendations on trusted, “open” (non-proprietary, non-vendor specific) guidance to simplify the process of operating and maintaining your Information Security Management System after we leave
An Introduction To Pivot Point Security
3. 10+ Years purely focused on Information Assurance
• Information Security Management System Assessment (35%)
  Design Reviews / Gap Assessments / ISO 27001 / Compliance Testing
  Experienced with dozens of standards/frameworks
• Penetration Testing/Ethical Hacking (40%)
  Network/Application/Database/Physical/Social Engineering
• Security Information Event Management (25%)
• Regional Focus/National Reach
4. Experience
• Hundreds of Security Assessment engagements
• Personnel Security Experience (12+ years on average ~ 6 years as a team)
• Education & Certification (all major certifications relevant to our focus)
Results
• Focus on communicating results in an understandable/actionable manner
• Demonstrable body of success
Integrity
• Commitment to doing what is right
• Pride in our work product
• Respect for our “extended” team
• Independence (we sell no products)
Intent
• Focus on mutual benefit
• Straight Talk -- Always
5. City of New York:
• Financial Services
• Taxi and Limousine Commission
• City Time
• Electronic Justice Project
Verizon Wireless
Depository Trust & Clearing Corporation (DTCC)
Bank of New York
Savient Pharmaceuticals
Wyndham Worldwide
County of Sussex (NJ)
Oklahoma Gas & Electric
Pennsylvania Power & Light
Barnes & Noble
Time Warner Cable
Bristol Myers Squibb
NJ Motor Vehicle Commission
Philadelphia Parking Authority
National Student Clearinghouse
Woodbridge Township (NJ)
Banco Estado of Chile
Target
7. Information Technology/Security professionals that became auditors (not accountants)
Highly experienced – average 12+ years
Highly certified – ISO 27001, CISA, CISSP, CEH, CHFI, MCSE, CCNA, OCP, etc.
Core team has been together ~ 6 years
Consistent commitment to excellence – we are passionate about what we do
8. Concerns: Protect Critical Data
• Passenger Credit Card Data
• Passenger, Drivers, & Owners Privacy
• Advertising, Entertainment, & PSA Feed
Key Challenges
• Highly Complex Solutions
  In-Cab Architecture
  Wireless & GPS Architecture
  Multiple Data Centers
  Web Applications to service TLC, Drivers, Owners
• A “moving” target (13K of them)
• 4 Unique Vendor Solutions
• Accountability
Taxicab Security Presentation: http://s.pvtpt.com/TaxicabSecurity
9. for leading US Electrical Utility Company
“The problem wasn’t a lack of guidance, rather it was an overabundance of guidance.”
- John Verry, Principal Consultant
Over 20 Standards to Consider
Testing of Hard to Secure Distributed Environments
  Radio Networks
  Smart Meters
  In-Home Devices
  Command Response
  SCADA Systems
Electrical Utilities: Information Security Blackout: http://s.pvtpt.com/InfoSecBlackout
11. Burlington County Bridge Commission (NJ)
• Concerns: Segregation and Protection from EZ-Pass Systems
• Vulnerability Assessments / Network Architecture Assessments
NYC Financial Information Services Agency (FISA)
• Concerns: Security of Personally Identifiable Information (PII) of NYC’s 400k Employees
• eHire: Implementation of PeopleSoft Recruiting Software Across all NYC Agencies
NYC Department of Finance (DOF)
• Concerns: Security of an $8 Billion eCommerce Application with Payment Card Industry (PCI) Compliance
• NYCSERVE: Online Payment System
12. Sussex County (NJ)
• Concerns: Managing Personally Identifiable Information (PII) and HIPAA Regulations for New Jersey Consumer Affairs
• Vulnerability Assessments / Penetration Testing
• ISO 27001 Gap Analysis & Implementation Leading to ISO 27001 Certification
Woodbridge Township & Board of Education (NJ)
• Concerns: Collapsing Network Infrastructure and Protecting from Malicious Individuals
  Education
  Law Enforcement
  Taxes
  Etc.
• Incident Response / Vulnerability Assessments / Penetration Testing
14. New Jersey Based
New Jersey SBE Type 2
Backdrop Services Contracts
• NY State OGS
• NJ Administrative Office of the Courts
• WSCA (Western States Contracting Alliance)
90% of Projects $6-30k, Falling Under Direct Purchasing Authority (DPA)