www.acr2solutions.com
ACR 2 Solutions, Inc.
Simplifying Information Security Compliance
June 2008

Company Overview
Corporate Overview
• Founded in Nov. 2006; privately held
• Developer of a family of unique compliance solutions
• Address GLBA, FISMA and PCI compliance
• NIST compliant
• Automate risk management
Our Vision
To be a dominant player in the fast-growing automated risk management market
Information Security Automation
“The U.S. Office of Management and Budget has required, in a memorandum to Federal CIOs, that U.S. government systems "must use SCAP validated tools" for FDCC software acceptance testing and continuous monitoring of systems.” http://nvd.nist.gov/tools.cfm
Our Market
We support organizations regulated under:
• FISMA – Federal Information Security Management Act of 2002
• GLBA – Gramm-Leach-Bliley Act of 1999
• PCI DSS – Payment Card Industry Data Security Standard of 2006
The Market Opportunity
Information Security Compliance Market:
• FISMA – total about 2,000 locations (US only)
• GLBA – total about 350,000 locations (US only)
• PCI DSS – total in excess of 22,000,000 (worldwide)
Total Market > 22,000,000 locations
The Compliance Opportunity
• Compliance is NOT Security and Security is NOT Compliance
• ACR 2 Solutions is a Compliance Support company
• Compliance is the next emphasis point in information security
• Compliance will be enforced
• Automated Compliance is the next “Wave” in high technology opportunity
1. First Wave: Personal Computers
2. Second Wave: Networking / Internet
3. Third Wave: Network Security
4. Fourth Wave: Regulatory Compliance
The Compliance Process
1. NIST Compliant Risk Assessment
2. NIST Compliant Information Security Plan
  2.1 GLBA
  2.2 PCI DSS
  2.3 FISMA
3. Install Safeguards and Collect Data from Scanners and UTM devices
4. Revise Risk Assessment
5. Automated Compliance Report to Management
Introducing … ACR2Basic Risk Assessment
Available in 2 versions Q2 2007:
• ACR2Basic Business Edition – reports encrypted and auditable
• ACR2Basic MSP Edition – report headers can be modified
And in Q3 2007:
• ACR2Basic Enterprise Edition – dashboard manages multiple locations
In Q3 and Q4 we introduced ACR2Basic Risk Assessment for PCI
Available in 3 versions Q4 2007:
• Astaro Compliance Reporter for PCI – sold through national distributor Synnex; box has “Powered by ACR2 Solutions”
• PCI Solutions Tool – available online from PCI SVA; website is branded by ACR2
• ACR2Basic Risk Assessment for PCI
Developing Product Line Profile
• Automated input of Scanner and UTM data
  • Initially Astaro and ThreatGuard
  • Feb 2008 – Fortinet, O2 Micro and Qualys
  • Late 2008 – additional UTM and IPS
• Automated reporting and alarming
• Web based and platform based delivery
• Enterprise versions for centralized management of large numbers of sites
ACR 2 Basic
11/07 Status – Shipping Product
[Network diagram: Internet connects to the ACR2Basic Server; the network to be secured sits behind a firewall and a router, hub or switch, with several microcomputers]
50 Network Enterprise
11/07 Status – Ready to Ship
[Network diagram: the external network or Internet connects to an ACR2Enterprise Server and an ACR2Basic Server; multiple networks to be secured, each behind a firewall and a router, hub or switch with several microcomputers, some fronted by a SCAP RAAP™ Appliance]
2,500 Network Enterprise
11/07 Status – Scaleup Proposal Under Review
[Network diagram: external network or Internet, ACR2Enterprise Server and ACR2Basic Server]
50,000 Network Enterprise
11/07 Status – Under Discussion with Potential Clients, Primarily PCI DSS
[Network diagram: nine ACR2Enterprise Servers, each with ACR2Basic Servers reached over the external network or Internet]
Enterprise Management System
GUI under development
OMB Mandated SCAPRAAP Process
11/07 Status – Patent Pending
[Process diagram: a Scanning Server (inside or outside) takes CVE input (from NIST) and XCCDF checklist input (from NIST) and produces a Scan Report (HTML or XML); a UTM device (inside) supplies UTM data (scheduled HTML or XML); the ACR2 Risk Assessment Server (inside or outside) receives both and produces Risk Management Reports]
SCAPRAAP Appliance
11/07 Status – Patent Pending
[Network diagram: the external network or Internet connects to the SCAPRAAP™ Appliance (pat. pending); the network to be secured sits behind a firewall and a router, hub or switch, with several microcomputers]
Business Model
• ACR2 is a compliance software development/delivery company
• Products are Web based; additional content on CD
• Initial product launches leverage OEM and partnership relationships
  • Vulnerability scanning company ThreatGuard
  • UTM company relationships and bundles, i.e. Astaro, Fortinet, etc.
  • GSA vendors re: SCAP and OVAL automation required by the Office of Management and Budget (OMB)
Business Model (cont.)
• Northern expansion for new product development
  • Negotiations in Potsdam, N.Y.
• Upon obtaining significant funding:
  • Branded product launch
  • SCAPRAAP Appliance bundle
Accomplishments and Milestones
• February 2007 – Robert Peterson and ACR2 invited to join the PCI SSC by Seana Pitt, PCI SSC Chairman.
• March 2007 – Robert Peterson delivers 4 days of training for security professionals at the 2007 cybercrime conference.
• April 2007 – ACR2 joins the PCI Security Vendors Council (PCI SVA), a trade group formed in response to the PCI DSS to meet the PCI DSS requirements.
• May 2007 – Minnesota is first state to make PCI DSS requirements mandatory by state law.
Accomplishments and Milestones
• June 2007 – Robert Peterson elected chair of the PCI SVA Solutions Committee, one of four PCI SVA committees.
• June 2007 – Aberdeen Group reports that 48% of PCI merchants are not in compliance and 49% have yet to do a risk assessment.
• July 2007 – ACR2 selected as contractor to be primary gatekeeper between PCI SVA and Payment Card Industry. Three year contract signed 7/26 after unanimous committee approval. Product deployed at www.PCiSolutionsTool.info
Accomplishments and Milestones
• June 1 – Office of Management and Budget releases Memorandum M-07-18, “Implementation of Commonly Accepted Security Configurations.”
• July 2007 – Robert Peterson to seek PCI SSC input into PCI SVA risk assessment program.
• August 2007 – ACR2 signs first major contract with significant UTM vendor Astaro to supply PCI and other information security compliance solutions into retail channel, including national distribution.
Accomplishments and Milestones
• September 2007 – PCI SSC has option to begin $5,000/month fines of noncompliant companies.
• September 2007 – The PCI SVA sponsors trips by Robert Peterson (PCI SVA Solutions Chair) to Toronto meeting.
• Astaro Compliance Reporter named in CRN’s “14 Hot Products from Xchange 07”.
• Feb 08 – OMB gives Federal agencies an extension on SCAP requirements to April.
• Feb 08 – Risk Reporter for Fortinet and other ACR2 products added to the GSA Schedule.
• April – ACR2 begins focused outbound sales efforts.
Competition
Current products
• None with our feature set: Web based expert system sold as a service (SaaS) delivering NIST
• None are offering the “TurboTax™” simplicity approach to meet Risk Assessment requirements
• There are 2 existing software packages with some of our functionality:
  • Modulo – highly complex program for assessment using ISO 17799; pricing starts at $30,000.
  • Telos – uses military DITSCAP protocols to create risk assessments; pricing starts at $7,500 to $85,000 per location.
Management and Advisors
Management
• Jack Kolk, CISSP – CEO, President, cofounder and technology industry veteran
• Robert Peterson, PE – COB, CTO, cofounder and compliance expert
• Don Arsenault – Investor, advisor and successful entrepreneur
• Wayne Norris, MBA – CFO
• Karen Reynolds, CPA – Comptroller and industry veteran
• Terry Cochran, CPP – Contractor and independent security consultant
Strategic Partners and Advisors
• Greg Resnick, MBA – Advisor and successful entrepreneur
• Peter Forstroom, Macquarium COO – Advisor and Strategic Partner
• Michael Ryan – North Bay Associates
Membership, Partnerships and Proposals
• Memberships:
  • PCI SVA – Robert Peterson is Chair of Solutions committee
  • PCI SSC
• Partnerships:
  • Astaro
  • Macquarium Intelligent Communications
  • ThreatGuard
• Proposals – ACR 2 has several large proposals and quotes out to:
  • Large resellers
  • Large security companies
Summary
• ACR2 products – “TurboTax™” information security compliance
• We have NIST and PCI DSS regulatory guidance pseudo expert systems
• Currently offering 3 products for GLBA, FISMA and PCI
• Preparing to ship PCI DSS specific versions
• We have additional products and industry specific versions in development
• We have OEM deals, strategic alliances and ACR2 branded solutions
• Our new flagship product in development has a patent pending
• Our current offerings are the right products now – extremely timely:
  • OMB requires SCAP and FDCC compatibility Feb 1 2008
  • PCI DSS 1.1 standard was just released in Sept 2006
  • ACR 2 leads the PCI SVA Solutions Committee
ACR 2 Solutions, Inc. (Automated Compliance Reporting)
Thank you for your time!
Using the ACR2 Basic Reports
• The following slides display truncated partial screens of examples of the 4 reports the system generates
• You receive them as an email a few minutes after selecting “submit”, once data is reviewed and submitted for calculation and processing
• The reports are converted into PDFs and locked appropriate to the version that you have purchased
• The encrypted, locked reports are sent to the email on file, where they can be opened with the password used for the initial risk assessment data entry
Using the ACR2 Basic Reports (cont.)
• The following 2 slides show extracted references from the included CD
• After you have received your reports, the risk scores can be traced back to the original source by the associated risk category
Automated Compliance Reporting
How Much is Your Time Worth?