Control Development Objectives

  • Assess operational and technical capacity

  • Align program operations and output to control objectives

  • Document program operations and procedures

  • Train management and staff to program requirements

Control Development Venn Diagram

Contact Us

Seattle, Washington:
150 Nickerson Street
Suite 106
Seattle, WA 98109
Phone: 206-352-6028
Fax: 206-633-0235
Louisville, Colorado:
361 Centennial Parkway,
Suite 150
Louisville, CO 80027
Phone: 303-554-6333
Fax: 303-554-7555


Control Development

Implementing successful information security control programs can be a difficult proposition for many organizations. Operational investment in security and audit staff may be limited. The full scope and impact of control programs may not be well understood. And above all, designing effective control programs may seem like threading a needle through compliance requirements, complicating and prolonging security deliverables.
Our Control Development services are designed to help organizations implement control programs that are both appropriate to the organization and effective at meeting control requirements. Our control programs are architected against your risk, compliance, and business requirements to ensure adherence to program objectives and sustainability of operations.
Coalfire’s Control Development services scale from strategic security governance programs to tactical security “point” programs in order to serve your full security program development needs.

IT Security Governance
Formal information security functions are vital risk management instruments that continually evaluate the ever-changing threats, vulnerabilities, and risks to organizational assets. As such, information security functions must play a highly visible, cross-functional role within organizational management. Our IT Security Governance development program helps identify the IT security resources, operations, reporting structures, and program responsibilities needed by the organization to:
  • Manage security as an effective, proactive process;
  • Maintain consistent security operations, assessments, and reporting;
  • Build appropriate roles and responsibilities for security oversight and management;
  • Establish accountability for organizational information, assets, and controls.

Policy Development
Information security policies represent one of the most powerful risk management controls that an organization can deploy. Policies establish leadership’s positions on key control issues throughout the organization and provide clear security and control instructions to management and staff. Our Policy Development service creates a set of information security policies that are derived from your risk and compliance control programs, ensuring proper alignment of security control objectives and policy requirements.

Business Continuity Planning
Business Continuity Planning (BCP) is a critical security requirement for any organization that needs to minimize the impact of business or IT service disruption. Coalfire’s BCP service is structured to help organizations understand:
  • The realistic threats to business availability;
  • The critical business information, operations, and IT services that enable the business;
  • Multiple scenarios for restoring service continuity, based on the severity of service disruption;
  • Critical controls required to enable the rapid restoration of data, IT service, and communications;
  • Processes needed for regular BCP testing and adjustment.

Incident Response Planning
It happens every week: A company loses a set of backup tapes. An outsider socially engineers company information from an employee. An employee finds suspicious software running on a back office PC. A laptop is stolen from a senior manager’s car.
Information security events will happen to every organization. How the organization defines, escalates, addresses and ultimately resolves these events is important in preserving:
  • The privacy of your customer and employee information;
  • Company credibility, reputation, and image;
  • The integrity of your business information.
Our Incident Response Planning service delivers a full set of policies and procedures designed to help your organization treat information security incidents, including event escalation, containment, eradication, communication, and post-mortem.

Security Development Lifecycle (SDL)
SDL processes are an important overlay to any systems development lifecycle (SDLC) responsible for building sensitive applications. Our SDL control development program helps document and implement information security and risk management controls within your company’s existing SDLC process, such as:
  • Identifying common code vulnerabilities;
  • Assessing requirements for application authentication and authorization;
  • Identifying sensitive application and business information;
  • Identifying and assessing boundaries of “trust” between programs, components, and services.

Vulnerability Management
Coalfire managed vulnerability services provide detailed assessments of system, application, and network vulnerabilities present within your company’s internal environment. These assessments not only provide essential information on emerging system security issues, but also provide verification checks for system configuration and patching processes. In addition, our Vulnerability Management development program will help your organization implement consistent workflow and processes within your IT operations for escalating and resolving system vulnerabilities, ensuring repeatability and reliability of control.

Configuration Management
Maintaining strong control over the configuration of data, applications, systems, and networks provides many benefits for information technology security and governance. At its core, configuration management allows an organization to focus on acceptable operating standards: standards that control change, access, monitoring, and use. Most best-practice and regulatory compliance frameworks, including FISMA/NIST 800-53, PCI, and ISO 27002, embed strong controls for a security-hardened system configuration.
Coalfire can help your organization develop a strong configuration management program that is closely aligned with the Information Technology Infrastructure Library (ITIL) standards, including identification of assets and Configuration Items (CIs), use of Configuration Management Databases (CMDBs), and integration with organizational change management. In addition, our Configuration Management control program helps organizations align system configurations to system and network hardening guidance provided by the National Security Agency (NSA), the Center for Internet Security (CIS), and the SysAdmin, Audit, Network, Security (SANS) Institute.

Logging & Monitoring Planning
Your detective controls require solid event management processes in order to be effective. While many tools on the market allow for efficient and timely consolidation of event logs, many organizations have a hard time understanding the scope of events and logs that should be incorporated into event management tools, while others fail to incorporate central logging tools into incident response and management processes.
Coalfire’s Logging and Monitoring Planning program helps organizations understand the risk- and compliance-based control requirements for event management, including the scope of applications, systems, and network devices that require close monitoring. Our service also helps organizations identify the tools, operational processes, and services necessary to closely monitor important security events and incidents.

Intrusion Detection & Prevention
Public-facing assets and enterprise networks are under constant surveillance and attack from outsiders. Capturing, monitoring, and blocking these attacks is critical to ensuring the availability, integrity, and confidentiality of organizational assets. Coalfire’s Intrusion Detection and Prevention development program helps organizations understand the scope of networks, applications, databases, and business assets that require protection, and the tools required to implement that protection. Our Intrusion Detection and Prevention control program helps organizations:
  • Engineer the processes, operations, and tools required to identify attacks on networks, applications, databases, and other assets;
  • Implement a consistent approach to event and incident management (particularly when paired with Coalfire’s Incident Response Planning and Logging and Monitoring Planning programs);
  • Understand the applicability and necessity of intrusion detection and prevention tools to specific network and system-based assets.

For more information on Coalfire's control development, please contact: