


Today’s data center is besieged on all sides. Increasing customer demands, aging equipment and rising upkeep are enough to give any data center administrator an ulcer. Add to this the growing threat of security breaches and its corresponding liability. There is a growing need for organizations to be fully prepared for such an onslaught.
Security certification and accreditation are important activities that support an organization’s risk management process. Information Technology Company, LLC can provide you with an extensive offering of Security Test & Evaluation (ST&E) services that supports the Certification and Accreditation (C&A) effort. These services offer a comprehensive assessment of the management, operational, and technical security controls in an information system to determine correct implementation, intended operating procedures and a desired outcome.
Exposure Analysis
ITC aims to provide a thorough assessment of the entire system’s susceptibility to security attacks and identify the organization’s ability to defend against, respond to, and combat the threat. ITC uses an in-depth process to fully ascertain whether threats are realistic and whether existing security measures can adequately address them.
Network Analysis – This procedure pertains to data collection with respect to the IT system processes and the physical layout of the environment. This provides a detailed examination of servers, clients, routers, firewalls, switches, network topology, operating systems and versions and all applications and versions.
System Security Plan (SSP) Review – This process offers ITC a clear understanding of the organization’s risk mitigation ability.
Accreditation Process Planning – ITC will review its testing procedures with the organization to determine accreditation boundaries and system components subject to analysis. System components are mapped to the prescribed testing tools and methodologies.
Accreditation operates on the basis of white box testing (full knowledge), where the evaluation is subject to a more structured and formal approach. The testers acquire in-depth knowledge of the construction of the system by examining the required security functions and tracing the security functionality to lower levels of design or implementation. In addition, depending on the assurance level, the testers will examine how guidance is given to administrators and users, how the system is developed, and how vulnerable the system is to attack. White box testing may take longer than black box testing, but more confidence can be placed in the final result.
Exposure Identification – ITC uses a large collection of validated software tools and scripts to accomplish the detection of potential vulnerabilities. These core components of the service offering are performed from internal client network segments to review identified hosts, applications, databases and telecommunications.
Exposure Analysis and Review – The results of the procedure are documented and reported to the organization. This report will include identified vulnerabilities at the completion of initial testing. ITC provides a vulnerability matrix to identify potential security risks. ITC will provide a remediation list to the customer to mitigate easily corrected vulnerabilities. Those vulnerabilities that cannot be corrected will be submitted in the Risk Assessment Report.
Risk Assessment Report – When security testing activities are completed, ITC will identify findings or discrepancies that will denote a possible effect on the overall system security baseline. These findings will be categorized with the following risk ratings:
High — a security-related vulnerability that poses a potentially high impact on the system security baseline, which must be fixed within the specified time period mandated by the Certification Authority (CA).
Medium — a security-related vulnerability that poses a potentially medium effect on the system security baseline, which should be fixed within the specified time period mandated by the CA.
Low — a security-related vulnerability that poses a potentially low effect on the system security baseline, which should be fixed within the specified time period mandated by the CA.
If technical or programming constraints prohibit vulnerability resolution, the Designated Approving Authority (DAA) responsible for the Information System may elect to accept the risk posed by a low-rated vulnerability.
Proven Success
ITC excels in providing information security testing and Enterprise Risk Management (ERM) services. The company brings experience and expertise in enabling Federal Agencies with relevant FISMA and Certification and Accreditation (C&A) services.
Built on ITC’s long relationship providing audit support with the Government Accountability Office (GAO), the company combines technology, proven methodologies, and experience to help its customers reduce risk and achieve maximum security. ITC recently performed successful FISMA audits of the National Transportation and Safety Board (NTSB).
Our greatest strength lies with our team of industry-certified personnel holding Department of Defense (DoD) security clearances. Each one carries extensive ST&E, C&A and Independent Verification and Validation (IV&V) experience and will work to assist each agency to achieve total security risk mitigation.
The ITC engineering staff currently hold Department of Defense Top Secret clearances (TS-SSBI), and the ITC office maintains a DoD Top Secret Facility Clearance, NATO Secret Clearance and COMSEC Secret Clearance.
Turn your legacy into a legend.™

Measured. Reliable. Business.


Information Technology Company, LLC 803 West Broad Street Falls Church, VA 22046-3131
Phone: 800.994.9441 Fax: 703.237.0223 E-mail: sales@p390.com

© 2007 Information Technology Company, LLC All Rights Reserved.