RISK MANAGEMENT
Copyright Š 2010-2016 Brier & Thorn, Inc. All Rights Reserved. Duplication in whole or in part is strictly prohibited without the prior written consent of Brier & Thorn, Inc.
TABLE OF CONTENTS OVERVIEW
04
Firm Profile
OUR PEOPLE The people and ethos behind the firm
06
THE FIRM The firm and collegial culture
08
SERVICES The Service Portfolio
11
Securing your ideas.
OVERVIEW Brier & Thorn is a leading provider of risk management services, including penetration testing, managed security services, incident response, forensics, and risk assessment services to the middle market. We guide our clients through complex risk management and information security challenges by applying our decade-old heritage 0f critical thinking and analytic rigor to solve our clients’ toughest information security problems.
“
“But that’s only part of the story, The rest of the story is about our people, our ethics, our values, our passion, and our unique way of doing things -- intangibles that can’t be financially measured or modeled but that truly make a difference.”
”
When companies ask us who our competitition is, we answer “we don’t know,” lest we reduce ourselves to a commodity by trying to out-do our competition by using unique or quirky special features like lower pricing to “stand out” from our contemporaries. When companies ask us how we’re different, we answer “because the work we do now is better than the work we did before. And the work we do tomorrow will be even better than the work we did today.” The enduring relationships we have with our clients and the thrill of the chase to do better and more innovative work is what matters most to us.
Alissa Valentina Knight Group CEO
5
“
6
Brier & Thorn has a distinctive, collegial culture that transcends organizational and geographic boundaries. Our consultants are down to earth, approachable, and have a passion for doing innovative client work.
�
OUR PEOPLE We always seek to deliver both immediate impact and growing advantage to our clients and our people. Brier & Thorn’s consulting practice has a global reach, providing multidisciplinary solutions to complex challenges and opportunities in Europe, the Americas, and Asia-Pacific. We counsel our clients on their key strategic issues, leveraging our deep industry expertise and using analytic rigor to help them make informed decisions more quickly and solve their toughest and most critical risk management problems. Companies come to us because they know we offer the knowledge, insight, and guidance they need to move forward in their industry with the knowledge that their position has been built unassailable. Our consultants deliver world-class and rigorous analysis, deep knowledge of their industries, and pragmatic solutions to produce practical, high-impact results. We believe we will be successful if our clients are successful. Solving the hardest problems requires the best people. We think that the best people will be drawn to the opportunity to work on the hardest problems. We build our firm around that belief. These two parts of our mission reinforce each other and make our firm strong and enduring.
7
LEADERSHIP
Dennis Moore Senior Partner
8
Alissa Knight Group Managing Partner
Marti Bockhold Senior Partner
Elizabeth Ramirez Junior Partner
Our Ethos Put the client’s interest ahead of our own This means we deliver more value than expected.
Tell the truth as we see it We stay independent and able to disagree, regardless of the popularity of our views or their effect on our fees. We have the courage to invent and champion unconventional solutions to problems. We do this to help build internal support, get to real issues, and reach practical recommendations.
Behave as professionals Uphold absolute integrity. Show respect to local custom and culture, as long as we don’t compromise our integrity. Keep our client information confidential We don’t reveal sensitive information. We don’t promote our own good work. We focus on making our clients successful.
People & Values Our people make us different— energetic about supporting and challenging our clients in equal measure. We’re passionate about making a measurable impact in all we do.
9
THE FIRM We operate as one firm. We maintain consistently high standards for service and people so that we can always bring the best team of minds from around the world—with the broadest range of industry and functional experience—to bear on every engagement. We come to better answers in teams than as individuals. So we do not compete against each other. Instead, we share a structured problem-solving approach, where all opinions and options are considered, researched, and analyzed carefully before recommendations are made,
10
We give each other tireless support. We are fiercely dedicated to developing and coaching one another and our clients. Ours is a firm of leaders who want the freedom to do what they think is right. We don’t fall asleep at the wheel where others do. This isn’t better demonstrated than at our Global Security Operations Center where we monitor the security infrastructure of many of the Global 500 to 5 organizations.
We advise global leaders on their most critical risk management issues across all industries and geographies. We’ve worked with the majority of Global 500, major regional and local organizations, telecommunications and utilities, nonprofits, life sciences, registered investment banks and advisers, retail, and manufacturing,
11
12
SERVICES Penetration Testing Brier & Thorn will evaluate the efficacy and adequacy of security safeguards and controls in your infrastructure and operations, as well as employee awareness. We evaluate your targeted assets (technical, human, and physical) and all means available to reach them. We also evaluate third parties associated with an asset’s operational procedures.
Incident Response Through years of experience in high stakes digital forensic investigations, our incident handlers and forensic analysts at Brier & Thorn know where to find critical electronic evidence, preserve and analyze it using today’s most sophisticated technology, forensic techniques and digital forensic software.
After gathering intelligence and profiling the targets and approach vectors, our Red Team creates profiles of your threat communities in order to more accurately simulate them during our test attack. Once threat modeling is complete, we conduct in-depth research to search for system, procedure, and personnel vulnerabilities, actively exploiting them through demonstrated proof of concept.
Electronic evidence is at once both volatile and difficult to completely destroy. Routine business processes and deliberate attempts by unqualified personnel to examine electronic files jeopardize the integrity of the very evidence they seek to preserve, which makes it imperative to preserve the data as quickly as possible. We will respond to computer security data breaches and mitigate any damage that might have occurred.
After we have mapped out vulnerabilities, we launch an attack that simulates a real adversary. Typically, we use multiple attack vectors to demonstrate how a compromise would occur. The attack is not limited to the “first layer” of assets and continues to leverage compromised assets and elements until the core of the organization, or predefined limits, are reached.
Because computer security incidents can occur at any time, our digital forensic professionals are available to respond 24 hours a day, 7 days a week to any user, company or government organization. We collect and analyze data from computers, networks and mobile devices, utilizing proven law enforcement evidence handling procedures, preserving the data for preparation of litigation in court of law.
Vulnerability Management Through Brier & Thorn’s RedInk cloud platform, clients are provided a unified view of their company’s risk profile, wrapping vulnerability management and enterprise risk management capabilities in a unified software as a service (SaaS) web application. Managed Services From Brier & Thorn’s Global Security Operations Center (GSOC), we will deploy the technology to monitor your networks, keeping up-to-date asset and application catalogues, notify you of vulnerabilities affecting your infrastructure, monitor and tune your network intrusion detection systems, host intrusion detection systems, and actively defend your enterprise against sophisticated threats targeting your network.
Brier & Thorn has a successful proven track record with assisting clients in responding to some of the highest profile incidents over the past decade involving theft of intellectual property and payment card data. Our investigators at Brier & Thorn have experience with assisting clients in remediating cyber security threats, getting them back on track while preventing similar incidents from occurring again.
13
RISK MANAGEMENT Organizations have adopted a number of information security controls. However, without an Information Security Management System (ISMS), controls tend to be somewhat disjointed, having been implemented often as point solutions to specific solutions or simply as a matter of convention. Security controls in operation typically address certain aspects of IT or data security managed independently of IT or Information Security while Human Resources practices may make little reference to the need to define and assign information security roles and responsibilities throughout the organization. An Information Security Management System (ISMS) is a set of policies concerned with information security management or IT related risks. The governing principle behind the development of an ISMS is to design, implement, and maintain a coherent set of policies, processes, and systems to manage risks to information assets, thus ensuring acceptable levels of information security risk.
14
ISMS Development Brier & Thorn will provide ISO program development in support of creating required documentation, processes, and procedures required for ISO 27001 certification.
The ISO program development services will be conducted using the following methods: (1) Activities led by a trained ISO 27001 Lead Auditor; (2) Creation of required policies and documentation of the organization’s ISMS; (3) Creation of the Statement of Applicability (SOA); (4) Creation of internal audit and risk assessment procedures; (5) Execution of an Internal Audit of the organization’s ISMS and documentation of Corrective Action Reports; (6) Execution of a formal risk assessment of the organization’s ISMS and documentation of Preventative Action Reports; and (7) Creation of the management summary of internal audits.
Audit Support Brier & Thorn will provide ISO Audit Support services for the client during the performance of the formal ISO 27001 Audit process by an ISO 27001 certification authority. The ISO Audit Support services will be conducted using the following methods: (1) Onsite effort by an ISO 27001 trained lead auditor during both stage 1 and stage 2 audit activities; (2) Coordination of contract, project, and performance management of Third Party ISO registrar; and (3) “Audit day” support and defense of ISO 27001 prepared documentation as needed.
15
EUROPE
LATIN AMERICA
U.S.
Stuttgart Brier & Thorn Germany, GmbH Brier & Thorn Germany, GmbH Königstraße 10C 70173 Stuttgart, Germany Main: +44 20 3318 6696 sales@brierandthorn.de
Mexico City Brier & Thorn Mexico, S.A.P.I. de C.V. Mexico City Reforma – New York Life Building Torre New York Life Piso 26 Paseo de la Reforma 342 Col. Juárez Mexico City, C.P 06600 sales@brierandthorn.com.mx
San Diego Brier & Thorn, Inc. 1855 1st Avenue, Suite 103 San Diego, CA 92101 Main: +1 858 381 4977 sales@brierandthorn.com www.brierandthorn.com
London Brier & Thorn UK Limited London Kensington Olympia Crown House 72 Hammersmith Rd. Hammersmith, London UK W148th sales@brierandthorn.co.uk
Milwaukee Brier & Thorn, Inc. W175N 11081 Stonewood Drive Suite 102 Germantown, WI 53022 Main: +1 262 476 0614 sales@brierandthorn.com www.brierandthorn.com