SphereCom recognizes the important role of information assurance and system security in protecting our nation's vital assets and critical infrastructures. As the world continues to increase its dependency on information technology, the threats posed to an organization's technology increase, thereby placing its entire mission at risk. Information technology systems and data are vulnerable to a wide variety of threats from environmental disruptions, unintentional human errors, equipment failures, and intentional attacks. As cyber attacks continue to grow in frequency and sophistication, organizations must focus on providing adequate information security and a program for managing security risks to their information systems.
Recognizing that security requirements are continually transforming in response to an ever-changing environment, SphereCom monitors and participates in government security transformation initiatives. Since the inception of the National Information Assurance Partnership (NIAP), SphereCom has participated in forums such as the Network Security Framework Forum (NSFF), the Information Assurance Technical Framework Forum (IATFF) and the Joint Wireless Working Group (JWWG). SphereCom also participates in other transformation initiatives, such as the Federal Consortium of Virtual Worlds, and provides technical input on a variety of Joint Task Force (JTF) Transformation Initiative documents.
To assist customers in securing vital systems and information, SphereCom provides a comprehensive suite of information assurance and system security services, including:
Information Technology Security
Cloud Computing Security
Security Policy and Plan Development
Threat/Risk Analysis and Vulnerability Assessments
FISMA Security Control and INFOSEC Assessments
Security Architecture Evaluation and Development
Personnel Security
Security Awareness and Training
Communication Security
Physical Security
Continuity of Operations and Disaster Recovery
Certification and Accreditation Support
System Development Life Cycle (SDLC) Support
Information Technology Security
SphereCom understands the importance of controlling access to sensitive electronic information so that only those individuals with a legitimate need-to-know are allowed to access the information. SphereCom assists customers in maintaining the confidentiality, integrity, and availability of data through continuous update and review of systems and processes. As part of our information technology security services, SphereCom provides operational and analytical support of systems ranging from personal computers to worldwide telecommunications networks. These services include development, documentation, and implementation of security methodologies and safeguards, as well as ongoing analysis of National-level information security initiatives, such as the Federal Information Security Management Act (FISMA), the Health Insurance Portability and Accountability Act (HIPAA), the Privacy Act, Homeland Security Presidential Directives (HSPD), and other Federal security requirements.
Cloud Computing Security
Cloud computing is revolutionizing the information technology industry and the way that security is implemented. SphereCom is at the forefront of cloud computing security and is currently assisting cloud service providers in implementing and authorizing secure private and hybrid clouds for government agency users. SphereCom participates in the Cloud Security Alliance and is preparing cloud security artifacts for evaluation by the Federal Risk and Authorization Management Program (FedRAMP).
Security Policy and Plan Development
Security policies and associated system security plans are the cornerstone of an organization’s security program. SphereCom develops security policies and planning documents in accordance with industry/government directives (e.g., OMB Circular A-130, NIST Special Publications 800-18, 800-37 and 800-53) and Agency-level instructions (e.g., DoDI 8500.2, DOJ 2640.2 and DISA Instruction 630-230-19).
Threat/Risk Analysis and Vulnerability Assessments
An effective risk management program requires a thorough assessment of the threats to a particular information system, as well as the vulnerabilities of the system to those threats. SphereCom provides customers with a comprehensive analysis of naturally occurring and man-made threats to information systems, using authoritative sources such as the USGS, FEMA, FBI, NCS, DoD, and various intelligence sources. These assessments are used to identify mitigation procedures and system modifications to close known vulnerabilities, thereby enabling the information system to operate at an acceptable level of risk.
FISMA Security Control and INFOSEC Assessments
To determine the security posture of an organization and its information systems and data, SphereCom conducts Information Security (INFOSEC) and security control assessments in accordance with recognized procedures and guidelines such as NIST SP 800-53A and the National Security Agency (NSA) INFOSEC Assessment Methodology (IAM). SphereCom also assists government organizations in conducting assessments and preparing FISMA submissions in accordance with NIST and OMB guidelines.
Security Architecture Evaluation and Development
SphereCom provides life-cycle design, development, and evaluation of end-to-end system security architectures, from requirements definition through final systems implementation. Areas of emphasis include firewall security, router security, secure protocol implementations, cyber (Internet/Intranet) security, strong authentication techniques, and system and network monitoring and control.
Personnel Security
Obtaining trustworthy personnel to operate and maintain critical information systems is of vital importance to the security posture of an organization. SphereCom assists customers in developing personnel security programs that address security screening policies, personnel identification procedures, industrial security requirements, and security awareness training programs.
Security Awareness and Training
Security awareness and training is a vital component of any personnel security program. SphereCom develops a wide variety of security awareness and training curricula, including general awareness training, information-system-specific training, and security training for technical and developer personnel. SphereCom has authored numerous security awareness papers and advisories for National-level symposiums and publications, covering topics such as the electronic intrusion threat, intrusion detection and response, security of commercial IT systems, and certification and accreditation.
Communication Security
SphereCom has designed and evaluated systems that employ various Communications Security (COMSEC) control mechanisms including, but not limited to, FIPS 140-2 validated encryption, Type 1 encryption, Public Key Infrastructure (PKI), Internet Protocol Security (IPsec), TEMPEST emanation security, and Red/Black installation criteria.
Physical Security
SphereCom performs extensive analysis and design of physical security control systems including automated and manual entry control systems, facility monitoring equipment, intrusion detection systems, access control procedures, and other mechanisms designed to protect physical infrastructures. SphereCom has conducted physical security inspections for data centers, network operations centers (NOC), and security operations centers (SOC) throughout the world.
Continuity of Operations and Disaster Recovery
To ensure the availability of an organization’s mission-critical functions, SphereCom prepares contingency plans and procedures, incident response plans, disaster recovery plans, and business impact assessments for major information systems, data centers, and worldwide telecommunication networks. The focus of these plans and procedures is to ensure continuity of operations and secure backup/recovery. SphereCom also prepares specialized continuity of operations plans (COOP) in accordance with specific agency guidelines.
Certification and Accreditation Support
SphereCom develops complete certification and accreditation (C&A) packages and validates the security posture of systems and organizations as part of the C&A activities. These packages include details of all system components and operations, and are prepared in accordance with NIST Special Publication 800-37, DoD Instruction 8510.01 (DIACAP), and other agency-specific certification criteria. C&A documentation prepared by SphereCom includes, but is not limited to, system security plans, system security authorization agreements, configuration management plans, security training plans, security test and evaluation plans, security assessment reports, and risk assessment reports.
System Development Life Cycle (SDLC) Support
SphereCom assists government agencies in implementing the Risk Management Framework (RMF) as required by the 2010 release of NIST SP 800-37, Rev. 1. During this process, all six steps of the RMF are addressed, including the design, development, and/or implementation of continuous monitoring solutions.