www.acr2.org / www.acr2solutions.com

Company Overview, Products and Sample Reports

January 2007

Upload: marylou-blake

Post on 16-Dec-2015



Corporate Background

• Founded in Nov. 2006

- Headquartered in Lilburn, GA

- Sales and Marketing office in Buford, GA

• Unique compliance solution

- Addresses GLBA, HIPAA, FISMA and PCI markets

- Traceable and Compliant with NIST protocols

- Risk scores automatically updated using network data, new safeguards, Intrusion and Anti-virus data


Introducing ….

ACR2Basic - Risk Assessment

Available in 2 versions in January 2007:

• ACR2Basic - Business Edition: reports encrypted and auditable

• ACR2Basic - MSP Edition: report headers can be modified

And in Q1 2007:

• ACR2Basic - Enterprise Edition: for managing multiple locations; ships with 10 site licenses


The Compliance Process


Automated Compliance Reporting

• Information Security involves reducing the risk of loss or theft of protected information

• Perfect Information Security would require infinite resources

• Compliance involves providing enough security to meet the “standard of care”

• Compliance is perfectly possible – and required!


Automated Compliance Reporting

• How does an organization determine a “reasonably foreseeable” risk?

• Or a “material change”?

• “Reasonably foreseeable risks” under Federal law are defined by the National Institute of Standards and Technology (NIST)

• The NIST standards are freely available…


They are also complex and extensive

FIPS: 140-2, 180-2, 186-2, 188, 190, 197, 198, 199, 200, 201-1

SP 800 series: 800-12, 800-13, 800-14, 800-15, 800-16, 800-17, 800-18, 800-19, 800-20, 800-21-1, 800-22, 800-23, 800-24, 800-25, 800-26, 800-27, 800-28, 800-29, 800-30, 800-31, 800-32, 800-33, 800-34, 800-35, 800-36, 800-37, 800-38A, 800-38B, 800-38C, 800-38D, 800-40, 800-41, 800-42, 800-43, 800-44, 800-45A, 800-46, 800-47, 800-48, 800-49, 800-50, 800-51, 800-52, 800-53, 800-53A, 800-54, 800-55, 800-56A, 800-57, 800-58, 800-59, 800-60, 800-61, 800-63, 800-64, 800-65, 800-66, 800-67, 800-68, 800-69, 800-70, 800-72, 800-73, 800-76-1, 800-77, 800-78, 800-79, 800-81, 800-82, 800-83, 800-84, 800-85A, 800-85B, 800-86, 800-87, 800-88, 800-89, 800-90, 800-92, 800-94, 800-95, 800-96, 800-97, 800-98, 800-100, 800-101


Automated Compliance Reporting

• There is a better way.

• 79% of Americans use Turbo-Tax™ to deal with IRS regulations, which are long and complex

• ACR2 is a Turbo-Tax™ style simplification of the NIST protocols to deal with information security regulations, which are also long and complex


Automated Compliance Reporting

• Risk Score is determined by multiplying the probability of an event by the impact of that event

• Risk Scores range from 1 to 100, with 50-100 High, 10-50 Medium and scores <10 considered Low.

• For risks labeled High, corrective action must be taken "as soon as possible" (NIST 800-30).


Automated Compliance Reporting

• For Medium Risks, correction must be within a "reasonable amount of time", while Low risks may be merely observed.

• How do organizations achieve acceptably Low Risk?

• NIST definition of “Low Risk” means that “controls are in place to prevent…the vulnerability from being exercised”

• What controls are needed to achieve acceptably “Low Risk”?


Recommended Security Controls for Federal Information Systems

Ron Ross, Stu Katzke, Arnold Johnson

Marianne Swanson, Gary Stoneburner, George Rogers, Annabelle Lee

Special Publication 800-53


NIST 800-53 includes citations of these additional protocols


Automated Compliance Reporting is Much Easier

• To Initiate the “Turbo-Tax™” approach to compliance, just browse to:

www.acr2solutions.com


Using the ACR2 Basic Reports

The first three ACR2 reports are:

1. The Safeguards Status Report – a summary of the current system status vs NIST standards

2. The Automated Baseline Report – 30 threat source/vulnerability pairs scored from 1-100

3. The Risk Assessment Chart – same data as the Baseline, scored as red/yellow/green


Using the ACR2 Basic Reports - cont.

Detailed information on each safeguard is available from NIST.


Using the ACR2 Basic Reports - cont.

• The Deficiency Report lists the missing or underperforming safeguards relative to each risk.

• This allows creation of a remediation plan that addresses the high risk elements first, as required by the NIST protocols

• Each of the 30 risks is assessed separately
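The scoring rule from the Automated Compliance Reporting slides and the reports described above (Safeguards Status, Automated Baseline, Risk Assessment Chart, Deficiency Report), worked through in Python as an added example that is not ACR2's own code. The likelihood/impact scale, the treatment of the band cut-offs at 50 and 10, the sample threat/vulnerability pairs and the SP 800-53 control IDs attached to them are assumptions made here.

```python
from dataclasses import dataclass, field
# Integer form of the original NIST SP 800-30 (2002) risk matrix
# (likelihood 1.0/0.5/0.1 x impact 100/50/10): products fall in 1..100.
LIKELIHOOD = {"high": 10, "medium": 5, "low": 1}
IMPACT = {"high": 10, "medium": 5, "low": 1}
COLOR = {"High": "red", "Medium": "yellow", "Low": "green"}

@dataclass
class RiskPair:
    """One threat-source / vulnerability pair from the 30-pair baseline."""
    threat: str
    vulnerability: str
    likelihood: str   # "high" | "medium" | "low"
    impact: str       # "high" | "medium" | "low"
    required: set = field(default_factory=set)  # SP 800-53 control IDs

def risk_score(pair):
    return LIKELIHOOD[pair.likelihood] * IMPACT[pair.impact]

def risk_level(score):
    # Slide bands: 50-100 High, 10-50 Medium, <10 Low overlap at 50 and 10;
    # the cut-offs follow SP 800-30 (>50 High, >10 Medium) as an assumption.
    return "High" if score > 50 else "Medium" if score > 10 else "Low"

def baseline_report(pairs):
    """Automated Baseline plus Chart: score, level and colour per pair."""
    return [(p.threat, risk_score(p), risk_level(risk_score(p)),
             COLOR[risk_level(risk_score(p))]) for p in pairs]

def safeguards_status(pairs, implemented):
    """Safeguards Status: every required control and whether it is in place."""
    required = set().union(*(p.required for p in pairs))
    return {c: c in implemented for c in sorted(required)}

def deficiency_report(pairs, implemented):
    """Missing safeguards per risk, highest score first, so the
    remediation plan addresses High risks before Medium and Low."""
    rows = [(risk_score(p), p.threat, sorted(p.required - implemented))
            for p in pairs if p.required - implemented]
    return [(t, risk_level(s), m) for s, t, m in sorted(rows, reverse=True)]

# Constructed sample: three of the 30 pairs with illustrative 800-53 control
# IDs, plus a constructed current safeguard status (re-run after changes).
SAMPLE_PAIRS = [
    RiskPair("External attacker", "Unpatched web server", "high", "high", {"SI-2", "RA-5"}),
    RiskPair("Malware", "No anti-virus", "medium", "medium", {"SI-3"}),
    RiskPair("Insider", "Shared admin accounts", "low", "medium", {"AC-2", "IA-2"}),
]
IMPLEMENTED = {"SI-3", "IA-2"}
```

Adding a control to IMPLEMENTED and re-running the three report functions is the on-demand update the slides describe: the risk drops out of the deficiency list once its required safeguards are in place.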


ACR 2 reduces over 90 NIST protocols to a simple “Turbo-Tax™” style question and answer format. The ACR 2 reports can be updated on demand whenever new data becomes available.


One Compliance Option is to Read, Understand and Apply the NIST Protocols


The Better Option is to Use Automated Compliance Reporting

How Much is Your Time Worth?