Applied G2


Services

Incident Response


Despite every effort, data breaches and asset compromises sometimes occur.  Recognizing and accepting this is the first step in developing a response plan that addresses the event and lets you respond to it effectively.  Many organizations, and the careers of many IT professionals, have learned the hard lessons of an ostrich “head in the sand” policy: stiff financial penalties and harsh legal realities follow when investigations and evidence are not handled properly. AppliedG2 recommends that your approved and tested Business Continuity Plan include response to a data breach, a denial of service attack or the initiation of a forensic investigation as “declared incidents” your organization knows how to handle in a controlled fashion.  If you find your organization in the midst of a compromise, we can still help with damage control and proper evidence handling through our industry-certified forensic investigators.

There are a few things we want all our clients to remember about their Incident Response plans:
1)    Test them under real world conditions, not just in conference room role-playing sessions.
2)    Properly supporting a forensic investigation requires very specialized skills, tools and techniques that you must develop and maintain.
3)    The hardware and software tools used to gather evidence must stand up to the scrutiny of the courts, not just your management, if the case goes to trial; that means documenting chain of custody and working from verified forensic images rather than the original media.
4)    A combination of evidence is often the most convincing, so consider both IT and physical security safeguards when responding to an incident.

We have trained professionals to help you respond to an incident, but believe it is more prudent to proactively help your organization prepare a comprehensive Incident Response plan.  We have been involved in major cases involving data breaches and compromises of entire network infrastructures.  Mitigating damage, giving executive management candid options and handling every piece of evidence as if it will end up in court are just a few of the lessons learned we bring to plan development and testing.  Consider AppliedG2 your trusted partner to develop, maintain and, most importantly, TEST your Incident Response program.

AppliedG2 is also available to support the response to isolated internal events that require a discreet response and proper evidence handling for administrative or litigation purposes.

Fraud & Loss Prevention


AppliedG2 can be contracted to establish, maintain and customize information security controls that provide cost effective fraud protection responsive to the confidentiality, integrity and availability needs of information and assets you own or hold in custody. As Certified Fraud Examiners (CFEs), we know that despite sound system design, trusted implementation and good employee security awareness training, determined individuals can still steal from your business.


According to the ACFE’s 2010 Report to the Nations on Occupational Fraud and Abuse, the typical organization loses an estimated 5% of its annual revenue to fraud. The reported median loss was $160,000, and more than a quarter of the frauds involved losses of at least $1,000,000. The median scheme ran 18 months before it was detected. Small organizations are disproportionately victimized by occupational fraud, as they typically lack the anti-fraud controls of their larger counterparts. More than 80% of the frauds were committed by individuals in one of six departments: accounting, operations, sales, executive/upper management, customer service or purchasing. More than 85% of fraudsters had never been previously charged with or convicted of a fraud-related offense.

The ACFE makes several recommendations for reducing the likelihood and impact of fraudulent activity:

1) Don’t rely exclusively on external audits to detect fraud.

2) Educate employees on how to identify fraudulent activity and give them clear direction on how to report suspicious activity (e.g., an employee hotline).

3) Use internal controls effectively, but also build in provisions to detect fraud when those controls are circumvented.

AppliedG2 can help verify that compensating controls, forensic capabilities and reporting mechanisms are properly implemented to reduce the likelihood of fraud losses. Simply having a visible and proactive anti-fraud program is a major deterrent to would-be perpetrators. Remember that the threat typically originates with an insider, often assisted by outside parties.

Our ability to develop a blended response of IT and physical compensating controls gives our customers a unique advantage. At AppliedG2, we take the time to understand and document our clients’ key processes in order to learn how fraudulent activity can go undetected and how compensating controls can be bypassed. Basic administrative steps like proper segregation of duties and controlled access to physical devices are only the foundation; they must be built upon to detect and deter fraud. Emerging technologies like geofencing, RFID tags, discreet packaging and secure off-site storage for CCTV video and security logs (so an insider cannot quietly erase the record of their own activity) provide a greater array of protection than was available even to government agencies a few years ago.

Governance & Compliance


Regulatory compliance is tough for most organizations to achieve and maintain.  Regulations are frequently written in vague terms with only limited information on “what” must be done and, in most cases, even less guidance on “how” to actually demonstrate compliance.  The penalties and sanctions for non-compliance are often the only explicit sections of many government directives.  Government regulations at the state and local levels can also make setting corporate-wide policies trickier, and if your organization operates in more than one country you have to take local laws into consideration.


Three other major factors make compliance difficult to achieve.  Industry standards like the Payment Card Industry Data Security Standard (PCI DSS), which applies to any merchant that accepts payment cards, are just one of many cross-industry requirements imposed to keep orders and supplies flowing smoothly.  As the physical location of your data migrates from devices you own and control into SaaS (Software as a Service) applications and storage in “the cloud,” command and control over the users and the legitimate business use of certain assets becomes more abstract.  The final aspect to consider in your compliance program is how your contracts and administrative procedures need to evolve to clearly assign roles, responsibilities and accountability to the users and custodians of your data and other assets.


Compliance is only one of many considerations for implementing a comprehensive security program.   AppliedG2 can be part of your team to weigh in on the ever elusive “how”: achieving the right balance of investment and risk reduction to meet the matrix of compliance demands your organization has to satisfy.


Here are plain language explanations of some of the most common regulations affecting the industries our clients represent:

PCI DSS – The major payment card brands (e.g. Visa, MasterCard, American Express, etc.) jointly established a unified set of security requirements for handling the cardholder data needed to complete transactions. The requirements themselves apply to every organization that stores, processes or transmits cardholder data; what is tiered is the validation: the number of transactions an organization processes each year determines its merchant or service provider level, and therefore whether it must undergo an on-site assessment or may complete a self-assessment questionnaire. There are three main parts to the program.
1)    The standard itself, found at http://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
2)    The people qualified to assess and validate an organization’s compliance, called Qualified Security Assessors (QSAs)
3)    The companies approved to perform the required quarterly external vulnerability scans, known as Approved Scanning Vendors (ASVs)


SOX – The Sarbanes-Oxley (SOX) Act of 2002 was drafted to reestablish confidence among individual and institutional investors after a number of corporate scandals involving accounting irregularities. The Act addresses issues such as auditor independence, corporate governance and specific financial disclosure requirements. It added significant penalties for violations and made clear that senior executives had to understand, and be accountable for, accurate financial reporting to the public. For IT, this puts the general controls over systems that feed financial reporting (access, change management, logging) within the scope of the annual internal control assessment.

GLBA – The Gramm-Leach-Bliley Act placed specific responsibility on financial institutions to protect customers’ personal financial information and to limit its disclosure to other institutions.  It regulates the sharing of nonpublic personal information (NPI) with non-affiliated third parties and, through its Safeguards Rule, requires institutions to maintain a written information security program.

HIPAA – The Health Insurance Portability and Accountability Act (HIPAA) was originally designed to streamline reporting, reduce administrative cost and enhance fraud detection in healthcare.  It also brought to the forefront the need to protect Protected Health Information (PHI): individually identifiable health information, that is, information that can be used to link a specific healthcare-related activity to you as an individual.  HIPAA was later supplemented by the HITECH Act of 2009, which strengthened the PHI protection requirements and added breach notification requirements that apply when a covered entity or business associate mishandles your PHI.


FERPA – The Family Educational Rights and Privacy Act protects the privacy of student education records and gives parents and eligible students the right to inspect those records and request corrections.  It applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

FERC/NERC – The Federal Energy Regulatory Commission (FERC) oversees the North American Electric Reliability Corporation (NERC), which develops and enforces mandatory reliability standards for the bulk electric system, including the Critical Infrastructure Protection (CIP) cyber security standards.  Regional entities across the country are responsible for maintaining the reliability of many of the USA’s critical utility components and grids. The Energy Policy Act of 2005 provides the legal backbone for the current standards, which are designed to ensure that the country’s infrastructure remains viable and resilient against man-made and natural disasters.

Compliance Strategy


The flexibility required of an organization’s processes, talent and infrastructure to support a specific growth strategy is often characterized by high intensity, short duration projects that are not always well matched to the skills of existing full time employees. Specialized skills, combined with an objective view of the steps needed to accelerate a growth transition, can often be provided more cost effectively by external subject matter experts.

Each type of growth strategy introduces challenges for employees, evolving business processes and IT and security infrastructures as they relate to risk management, regulatory compliance and corporate governance mandates. Members of the AppliedG2 team have spent the last two decades helping clients understand the relationships among these elements so they can safely design the supporting infrastructure needed to achieve the expected financial returns.  Determining the value of an organization’s data and physical assets, the amount of protection the current operating environment provides, and cost effective solutions for any capability gaps in organizational, policy, procedural or technical compensating controls has proven valuable to our clients.


Whether it is a private equity or venture capital firm or a government agency asked to expand its services to improve the lives of its constituents, every organization has data and assets it needs to protect from misuse, theft or unauthorized disclosure.  Public perception of the risk and cost of identity theft, unauthorized disclosure of confidential information, loss of investor confidence and damage to brand equity is “front of mind” for business leaders, with significant financial, reputational and client retention consequences for any breach of trust.   Meeting the minimum requirements of the confusing array of government, industry and international regulations should be seen as the low water mark for asset security and privacy standards.  Your stakeholders, employees and partners deserve a higher standard of “due care” than simply implementing the most basic protection an external entity told you that you MUST implement.

Executive participation and end user education are the cornerstones of securing any business.  “Setting the tone from the top” is a cliché, but there is no substitute for senior level sponsorship that leads by example and reminds all employees that protecting digital and physical assets is an ongoing requirement, not a once a year rubber stamp event.  If something in the business environment poses a threat, introduces a vulnerability or increases the risk of fraud, be proactive and set a policy that clearly communicates expectations and limits the organization’s exposure to acceptable levels.  Setting standards and creating repeatable procedures reinforces the practical application of policy and regulatory requirements.

Finally, most security solutions sold as packages or SaaS offerings are simply tools that, when properly implemented, can enforce the policy and standards set by data owners and asset managers. Consider these elements when setting your budget and priorities for the upcoming fiscal year for protecting your most important digital and physical assets:


Security products are only as good as the developers who write them…
Can only be as persistently available to support you as the architecture you built them upon…
Will carry the integrity of the firms and citizens that manufactured them…
Can only be configured correctly and deployed consistently by…
The people you trained, certified, pay and trust to vigilantly maintain them.
