We Make It Simple to Know You’re Secure and Prove You’re Compliant Our mission is to simplify the complexities of security information management: - Focus on the core group of security assessment services you need - Take the time to understand your business and then optimize our approach for your unique situation - Deliver reports and guidance that are easily understood and acted on by both management and technical personnel - Base your assessment and recommendations on trusted, “open” (non-proprietary, non-vendor specific) guidance to simplify the process of operating and maintaining your Information Security Management System after we leave

2. Our mission is to simplify the complexities of security
information management:
 Focus on the core group of security assessment services you need
 Take the time to understand your business and then optimize our approach for
your unique situation
 Deliver reports and guidance that are easily understood and acted on by both
management and technical personnel
 Base your assessment and recommendations on trusted, “open” (non-
proprietary, non-vendor specific) guidance to simplify the process of
operating and maintaining your Information Security Management System
after we leave

3.  10+ Years purely focused on Information Assurance
• Information Security Management System Assessment (35%)
 Design Reviews/Gap Assessments /ISO27001/ Compliance
Testing
 Experienced with dozens of standards/frameworks
• Penetration Testing/Ethical Hacking (40%)
 Network/Application/Database/Physical/Social Engineering
• Security Information Event Management (25%)
• Regional Focus/National Reach

4. Experience
• Hundreds of Security Assessment engagements
• Personnel Security Experience (12+ years on average ~ 6 years as a team)
• Education & Certification (all major certifications relevant to our focus)
Results
• Focus on communicating results in an understandable/actionable manner
• Demonstrable body of success
Integrity
• Commitment to doing what is right
• Pride in our work product
• Respect for our “extended” team
• Independence (we sell no products)
Intent
• Focus on mutual benefit
• Straight Talk -- Always

5.  City of New York:  Verizon Wireless
• Financial Services  Depository Trust & Clearing
• Taxi and Limousine Commission Corporation (DTCC)
• City Time
• Electronic Justice Project
 Bank of New York
 Savient Pharmaceuticals
 Wyndham Worldwide
 County of Sussex (NJ)
 Oklahoma Gas & Electric
 Pennsylvania Power & Light
 Barnes & Noble  National Student
 Time Warner Cable Clearinghouse
 Bristol Myers Squibb  Woodbridge Township (NJ)
 NJ Motor Vehicle Commission  Banco Estado of Chile
 Philadelphia Parking Authority  Target

6.  System Certification &  Incident Response
Accreditation (NIST 800-37) • Forensics
 PCI Compliance  Security Assessments
 Sarbanes Oxley • Vulnerability Assessments
• Penetration Testing
 Identity Theft  Internal / External
 Third Party Attestation  Application
 Physical Penetration
• ISO 27001/27002
• Social Engineering
• BITS
• SAS70  Design Reviews
• HIPAA • Application
 Code Review
 Risk Assessment • Network
• Database
• Systems

7.  Information Technology/Security professionals that
became auditors (not accountants)
 Highly experienced – average 12+ years
 Highly certified – ISO 27001, CISA, CISSP, CEH,
CHFI, MCSE, CCNA, OCP, etc.
 Core team has been together ~ 6 years
Consistent commitment to excellence –
we are passionate about what we do

8.  Concerns: Protect Critical Data
• Passenger Credit Card Data
• Passenger, Drivers, & Owners Privacy
• Advertising, Entertainment, & PSA Feed
 Key Challenges
• Highly Complex Solutions
 In-Cab Architecture
 Wireless & GPS Architecture
 Multiple Data Centers Taxicab Security Presentation
http://s.pvtpt.com/TaxicabSecurity
 Web Applications to service TLC, Drivers, Owners
• A “moving” target (13K of them)
• 4 Unique Vendor Solutions
• Accountability

9. for leading US Electrical Utility Company
“The problem wasn’t a lack of guidance, rather it was an overabundance of guidance.”
-John Verry, Principal Consultant
 Over 20 Standards to Consider
 Testing of Hard to Secure Distributed Environments
 Radio Networks
 Smart Meters
 In-Home Devices
 Command Response
 SCADA Systems
Electrical Utilities: Information Security Blackout
http://s.pvtpt.com/InfoSecBlackout

10.  Major PA Electrical Utility
• SIEM Solution Implementation (Novell Sentinel)
 Major Regional Transmission Organization (RTO)
• Network, Application & Physical Vulnerability Assessments / Penetration
Testing
• WLAN Assessments

11.  Burlington County Bridge Commission (NJ)
• Concerns: Segregation and Protection from EZ-Pass Systems
• Vulnerability Assessments / Network Architecture Assessments
 NYC Financial Information Services Agency (FISA)
• Concerns: Security of Personally Identifiable Information (PII) of NYC’s
400k Employees
• eHire: Implementation of PeopleSoft Recruiting Software Across all NYC
Agencies
 NYC Department of Finance (DOF)
• Concerns: Security of an $8 Billion eCommerce Application with Payment
Card Industry (PCI) Compliance
• NYCSERVE: Online Payment System

12.  Sussex County (NJ)
• Concerns: Managing Personally Identifiable Information (PII) and HIPAA
Regulations for New Jersey Consumer Affairs
• Vulnerability Assessments / Penetration Testing
• ISO 27001 Gap Analysis & Implementation Leading to ISO 27001
Certification
 Woodbridge Township & Board of Education (NJ)
• Concerns: Collapsing Network Infrastructure and Protecting from
Malicious Individuals
 Education
 Law Enforcement
 Taxes
 Etc.
• Incident Response / Vulnerability Assessments / Penetration Testing

13.  Testing of Hard to Secure Distributed Environments
 Radio Networks
 Smart Meters
 In-Home Devices
 Command Response
 SCADA Systems

14.  New Jersey Based
 New Jersey SBE Type 2
 Backdrop Services Contracts
• NY State OGS
• NJ Administrative Office of the Courts
• WSCA (Western States Contracting Alliance)
 90% of Projects $6-30k, Falling Under Direct Purchasing Authority (DPA)