Managed Baseline Solution Services Package.
The Managed Baseline Solution (MBS) Services Package is crafted
to achieve a rapid return on investment, minimize budget impact,
minimize the implementation load on client technical staff,
and maximize the long-term benefit of enterprise baseline management
to the client. The package includes:
1. Enterprise IT Assessment
- Vulnerability Assessment
- Compliance Assessment
- Penetration Assessment
- Control Strategy Definition
2. Enterprise Managed Baseline Solution Implementation
- Layered Control Strategy Design and Template Building
- StatePointPlus Common Control Plane Implementation
- Managed Baseline Solution Startup and Training
3. Ongoing Managed Baseline Solution Technical Service
- Support for technical staff
- Control strategy updates in industry requirements
- Customized report development
The MBS Services Package provides a systematic
needs analysis with client review, tailors a baseline control strategy
to the client’s business needs including SOX, HIPAA, PCI, ISO,
or other accountability basis,
achieves full implementation and operation in days, provides all
the technical support needed to assure the client leverages the
power of their customized MBS to gain the earliest and greatest
possible return on investment, and achieves all this with a convenient
levelized cost that yields attractive client value.
The MBS Services Package is also a means for directly
strengthening your enterprise security program, driving higher production
reliability or driving lower business risk.
Enterprise IT Assessment Service
Every business contains an element of risk, ranging from issues
of finance to production. With most business processes now underpinned
by the enterprise IT operation, considerable mission jeopardy is
now aggregated into the risk of IT technology.
Given the complexity of the enterprise IT environment,
serious vulnerabilities may exist, some of which may have already
been exploited by unauthorized individuals. Groups or individuals
such as hackers, competitors or even elements of foreign governments
may be taking advantage of vulnerabilities that are left unchecked.
But there are also issues of accountability that
result from government regulation and can create their own set of
business risk issues. If organizations fail to follow recommended
or required practices and a damaging security event occurs, businesses
leave themselves open to legal action, loss of credibility and possibly
business closure. The Enterprise IT Assessment not only identifies
network and system weaknesses before a threat could penetrate your
network, it also delineates baseline control measures to protect
business processes in the future. This invaluable service includes:
· Vulnerability Assessment
Vulnerability assessment is a process of analyzing
systems and networks and identifying any potential vulnerability,
flaw or weakness that could leave it open to exploitation.
· Compliance Assessment
The Compliance Assessment is basically an audit of an enterprise
carried out against an established set of industry or government
criteria, e.g. SOX, HIPAA, PCI, ISO, etc. The client can
also request assessment of other targeted enterprise needs, e.g.
production reliability, IT support or security program enhancement.
A compliance test may come in many different forms dependent on
the nature and mission of the enterprise, but can basically be broken
down into several different types:
Operating Systems and Applications: A verification
that an operating system and/or applications are configured appropriately
to the company’s needs and lockdown requirements, thus providing
adequate and robust controls to ensure that the confidentiality,
integrity and availability of the system will not be affected
in its normal day to day operation.
Systems in development: A verification that
the intended system under development meets the configuration
and lockdown standards requested or demanded by the client.
Management of IT and Enterprise Architecture:
A verification that the in-place IT management infrastructure
encompassing all aspects of system support has been put in place.
This is to ensure effective change control, audit, business continuity
and security procedures etc. have been formulated, documented
and put in place.
Interconnection Policy: A verification that adequate security
and business continuity controls governing the connection to other
systems, be they telecommunications, intranets, extranet and internet
etc., have been put in place, have been fully documented and correspond
to the stated customer requirements.
· Penetration Assessment
A Vulnerability Test is an evaluation of the current state of network
access security and its susceptibility to a successful attack by
a malicious hacker or nefarious user. The process involves enumeration
and scanning for any technical flaws or vulnerabilities. After such
flaws are found, attempts are then made to penetrate inside the
network and gain a foothold. Once this has been established, attempts
are then made to utilize trusts and relationships to gain further
ingress into the domain. All actions and results are documented
in the assessment reports.
· Control Strategy Definition
Control strategy definition identifies a layered
set of control measures based on the information gleaned from the
Vulnerability, Compliance and Penetration Assessments. These control
measures provide the basis for the baseline control solution that
is required to ensure that the network and systems are made compliant
and consistent with enterprise requirements, and that they remain
continuously monitored and controlled to that state. The Enterprise
IT Assessment can optionally be used to move directly into the MBS
Service Package once the baseline control solution is reviewed and
accepted.
· Assessment Reports
Documentation of the results of the assessment
is provided in three levels of detail:
Executive Summary: A non-technical report that
summarizes the key issues and recommendations resulting from the
Enterprise IT Assessment. This summary also addresses key aspects
of the resulting baseline control strategy.
Technical Report: A detailed technical assessment
of all test results including a categorization of the significance
of individual results. This report identifies specific control
elements of the proposed baseline control strategy as well.
Full Data Disclosure: All data collected during
the IT assessment is provided in electronic form to support any
further research of the results.
Enterprise Managed Baseline Solution Implementation Service
This service is the implementation of the BCC
baseline control solution in the MBS Services Package using the
control strategy definition that was developed and reviewed by
client management at the conclusion of the Enterprise IT Assessment.
Based on this definition, control and monitoring strategies are
built and set in place across the enterprise. The implementation
is planned collaboratively with the client’s technical staff
and then fully executed as part of this service. During the initial
baseline establishment, selected technical staff members are familiarized
with the baseline control technology and the periodic tasks required
to diagnose events and perform baseline control. Special note
is made of control strategy notifications such as e-mail, cell
phone and console alerts that can be activated when a condition
changes. It is also identified where control strategy elements
use response automation that automatically corrects an error
and logs the change, recording what happened, when it happened,
what was done to correct the error and who made the correction.
Managed Baseline Solution Technical Service
Managed Baseline Solution Technical Service
is the ongoing support component of the MBS Service Package and
is designed based on the client’s specific needs. This service
is first and foremost a means of assuring that the client is deriving
the maximum benefit from the installed baseline control solution.
Expert support is made available to in-house technical staff to
help make the initial transition to the visibility and control
capabilities of enterprise baseline management. This same expertise
is then made available on a continuing basis to support expansion
of the scope of the baseline control strategy in either control
space or networks and systems.
This service can also be used as a source of
independent review regarding baseline control practices over time
or even as an off-site backup alert for critical or sensitive
areas.
The MBS Technical Service can also provide expertise and manpower
for baseline control projects that design, build or update control
strategies efficiently without consuming technical staff effort.
This can also apply to the design and customization of reporting
to better fit the specific communication needs of the organization.
A highly valued element of MBS Technical Service
is the continual provision of control strategy updates relating
to regulatory changes, security changes, technology changes and
operational vulnerabilities that can literally be plugged into
the installed baseline control solution.
Perhaps the most prized virtue of MBS Technical
Service is that it comes at no additional cost as part of the
MBS Service Package.
ShadowForce Security Baseline Service
This is a high security service offering that
is part of the Managed Baseline Solution Service Package. This
function can be implemented when there is a need to “lock
down” a computer or a group of computers.
A command can be sent from our control console
that prevents unwanted or disallowed communications from being made
to the internet, your network or any selected computer. With this
service, a system can be monitored for key logging, use of removable
devices, mouse clicks, web site visits and printer
actions, with reporting on all user activity. This offering also provides
for a full stealth or “cloaked” installation of the
Managed Baseline Solution.
StatePointPlus Technology Application Service
StatePointPlus technology is the control hub
of the baseline control solution. Utilizing StatePointPlus allows
for the control, monitoring and remediation of all template conditions
on a computer and network. StatePointPlus is a fully integrated
suite of patented software products that provides organizations
with a scalable proactive monitoring, reporting and compliance
control solution. StatePointPlus pinpoints and rectifies unauthorized
alterations in systems and data across the enterprise, minimizing
support costs, maximizing production, while enforcing IT compliance
requirements and minimizing audit preparation. It will report
on inconsistencies and unexplained changes in configuration in
today’s increasingly complex network environment.
The BCC MBS Service Package is designed to most
effectively develop and implement control strategies using StatePointPlus
technology. In circumstances where the MBS Service Package would
not be applicable, as can be the case in some classified applications,
this StatePointPlus Technology Application Service can be tailored
to meet these special constraints.
StatePointPlus Administration Training and Certification
This certification covers the daily, weekly
and monthly duties of administrating StatePointPlus. It also covers
the industry knowledge which is required to effectively diagnose
and respond to security, compliance, network and systems issues
that one typically encounters in the configuration change dynamics
of an enterprise.
Enterprise Baseline Management Professional Training and Certification
This certification is designed for the industry
professional who is not normally involved in the day to day administration
of StatePointPlus. Its focus is on how the total control solution
of the MBS Service Package can better help organizations maximize
the business impact of using our total offering. The examination
covers application possibilities for managed baseline solutions
in the areas of security, compliance, network and systems.
Baseline Management Solution Engineering Training and Certification
This certification is a senior level certification
and requires a thorough knowledge of the BCC baseline control
solution methodology and StatePointPlus technology, as well as
practical experience managing networks, systems, compliance, and
security issues. In addition to the requirements for a Certified
StatePointPlus Administrator, these individuals will be called
upon to design and develop complete strategies based on an assessment
or evaluation of client requirements using systematic control
strategy design techniques and principles.
Baseline Management Instructor Training and Certification
This certification was developed to assure the
highest level of product, network and systems training is maintained
for support personnel. These certified trainers have the ability
to train support personnel on all aspects of StatePointPlus technology
and BCC baseline management services.
Regulatory Watch Service
This unique service offered by BCC is designed
to decrease the need for clients to have an individual on staff
to monitor what’s new with respect to regulatory compliance.
BCC will alert clients to changes that may impact businesses in
their particular industry. If the client has an installed BCC
baseline control solution, BCC will provide an updated control
strategy that can be plugged into the existing baseline control
solution, keeping your active compliance control in step with
regulatory or audit practice changes. This service is included
in the MBS Service Package.
Vulnerability Watch Service
This is a highly valued service designed to
give you up-to-date information on vulnerabilities that may affect
your enterprise network. BCC currently monitors over 100 sites
that report on vulnerabilities related to your operating system,
software and hardware daily. The Vulnerability Watch Service helps
you prevent your systems from being at risk because of lack of
knowledge. BCC alerts designated client personnel by e-mail of
emerging vulnerability issues that may impact their IT environment.
If the BCC team of security experts believes the vulnerability
to be a threat, affected clients will receive a package with an
updated vulnerability strategy and associated recommendations
as fast as we can get it to you. This service is included in the
MBS Service Package.