
Service Overview

Security Standards and Compliance Consulting


Aligning Information Security with Business and Operational Objectives

Overview
As the global financial crisis stabilizes and the affected governments, industries and consumers take stock, talk is increasingly focused on how to prevent such a crisis from happening again. Without question, a flood of well-intentioned regulations that increase corporate transparency and risk management is expected to appear, further complicating compliance with current, overlapping controls. In fact, about 80% of today's global IT-relevant regulations share control goals and directives. Business as usual needs to be reconsidered in the context of the complexity, overlap and heightened scrutiny expected as this flood of new regulations is unleashed. Frameworks and approaches for IT best practices such as ISO 27001 and 27002 can offer guidance, but organizations must actually implement them and map them appropriately to new regulations.

In addition, an Information Risk Management approach helps prioritize security investments. It focuses on the information critical to key business initiatives, weighs the risk associated with that data and related activities against the potential business reward, and ensures repeatability. Here, organizations often turn to frameworks like ISO 27002 and the PCI Data Security Standard.

The coming regulations are unavoidable. The strategic IT leader will look at them as an opportunity to reform a broken system for assessing and tracking compliance. The goal must be to construct a sustainable model for assessing and communicating compliance across a wide, changing, and increasing set of regulations.

Aligning Security Standards and Compliance for Business Acceleration

Formulating a strategy layered upon a clear view of business goals, risk, and compliance drivers is a critical factor in companies successfully riding the wave of new regulations. To accomplish this, organizations are seeking specialized expertise, repeatable best practices, and insight into emerging risk that can help them realize competitive advantages and a strong security posture. The RSA Security Practice of EMC Consulting speeds innovation with expertise that addresses security requirements in an industry and business context to protect and maximize the value of information, identities and infrastructure.

EMC Consulting: risks and EMC solutions by infrastructure layer

Endpoint
  Risks: Loss/theft; Device takeover; Leakage
Network
  Risks: Eavesdropping; Intercept; Unavailability
Applications
  Risks: Unauthorized access/activity; Unavailability; Fraud; Leakage
Databases
  Risks: Unauthorized access/activity; Unavailability; Leakage; Corruption
Storage
  Risks: Unauthorized access/activity; Media loss/theft; Corruption; Unavailability

EMC Solution (all layers): Information Risk Assessment Service, supported by strong authentication, digital rights management, consumer security, data-in-flight security, web access management, compliance, translation security, encryption and key management, content management, secure storage, media security and media encryption.

We take a comprehensive approach to information risk management, with services to address key business and technical requirements. We leverage the security leadership of RSA and the global business, infrastructure and application consultancies of EMC Consulting in developing innovative, informed, and forward-looking programs for our customers.

By leveraging industry-standard control frameworks such as ISO or CSF, best practices, proven methodologies, and established project and process management techniques, we can also leverage your security investment across a number of standards and regulations such as PCI DSS, COBIT, HIPAA, HITECH, the EU Data Protection Directive, SOX, GLBA, Basel II and NERC.

Consulting Services

Security Policy Development: Information Security Policy forms the basis for an organization's entire information security program. This service develops and establishes appropriate policies that are aligned with the objectives of an overall information security management program, while ensuring that employees and contractors are aware of their responsibilities to protect valuable information.

The documents developed in scope are the Information Security Policy and the Information Security Policy Objectives and Controls set of documents (which may also be called Information Security Standards documents):
ISO 27002 (or appropriate) based policies
Portfolio of security policies from desktop to data center addressing governance, compliance, and risk management
Supporting standards and guidelines which facilitate policy implementation and enforcement
Use of best practices for policy formatting and change management
Classification for Information Security: This service identifies and classifies levels of criticality and sensitivity for an organization's information assets. It is ideally suited to an organization that is reviewing its overall security strategy or that understands security must support the business requirements of the organization.

The major benefit of this offering is that organizations are enabled to apply security controls appropriately according to the sensitivity and criticality of information assets. Once the information classification has been established, the security controls for each level of information are defined, and resources can be directed at protecting the assets with the highest value to the business first.
This service addresses the following areas:
Setting standards across the organization for the required protection of information assets
Applying security controls appropriately according to the sensitivity and criticality of information assets
Defining appropriate security controls for each level of information
Directing resources at protecting assets based on business value
Information Risk Assessment: This assessment is based on the ISO 27002 standard and encompasses an overall assessment of governance, policy, data protection, authentication, access and other business and technical infrastructure security controls, mapped to established best practices.
This service considers the following:
Vulnerability: Where is my organization exposed to information risk?
Threats: What threats can exploit these vulnerabilities?
Likelihood: How likely is it that a particular type of threat will occur, especially when compared to other threats?
Countermeasures / Controls: How effective is what we have done to protect against the threats and vulnerabilities? Do we need to do more, and if so, what should we do?
Materiality: What will be the impact of a security breach on my organization?
Policy Driven Management: This service establishes the overall framework for driving policy management by evaluating all of the company's GRC business processes, including associated processing, audit and global sourcing processes, and identifying timelines and dependencies for the business processes which will be implemented within the RSA Archer framework.

The scope of this service includes:
A holistic view of your processes
A Solution Architecture that depicts the proposed solution based upon Archer and related applications, and data integration plans
An implementation approach outlining the sequence of activities and dependencies
Established processes for routine audit

About EMC Consulting

EMC Consulting enables the full realization of the inherent power of information. We create complete information environments that are reliable, efficient, and secure. The result is information that reveals its potential. With EMC Consulting, people and organizations can bring the power of information to life: information that illuminates what's possible and that can move the world forward.

Summary
Let the experts in security consulting assist you in moving your security posture to the next level and gaining a sustainable competitive advantage. The RSA Security Practice of EMC Consulting is a global leader, offering comprehensive services that are tailored to your specific requirements.

www.rsa.com

EMC, RSA, RSA Security and the RSA logo are registered trademarks or trademarks of EMC Corporation in the U.S. and/or other countries. All other trademarks mentioned herein are the properties of their respective owners.

SC SOV 0510

About RSA
RSA, The Security Division of EMC, is the expert in
information-centric security, enabling the protection of
information throughout its lifecycle. RSA enables
customers to cost-effectively secure critical information
assets and online identities wherever they live and at
every step of the way, and manage security information
and events to ease the burden of compliance.
For more information, please visit www.RSA.com and
www.EMC.com.
