acr 2 solutions, inc the compliance opportunity • compliance is not security and security is not...

www.acr2solutions.com

ACR 2 Solutions, Inc.Simplifying Information Security

Compliance

June 2008

Company

Overview


Corporate Overview• Founded in Nov. 2006; privately held• Developer of a family of unique compliance solutions

Address GLBA, FISMA and PCI NIST Compliant Automate Risk Management

Compliance


Our Vision

To be a dominate player in the fast growing automated

risk management market


Information Security Automation“The U.S. Office of Management and Budget has required, in a memorandum to Federal CIOs, that

U.S. government systems "must use SCAP validated tools" for FDCC software acceptance testing and

continuous monitoring of systems.” http://nvd.nist.gov/tools.cfm

http://www.cio.gov/documents/FDCC_memo.pdf


Our Market

We support organizations regulated under:

• FISMA Federal Information and Security Management Act of 2002

• GLBA GrammLeachBliley Act of 1999• PCI DSS Payment Card Industry

Data Security Standard of 2006


The Market Opportunity

Information Security Compliance Market:

FISMA Total about 2,000 locations – US only GLBA Total about 350,000 locations – US only PCI DSS Total in excess of 22,000,000

Worldwide

Total Market > 22,000,000 locations


The Compliance Opportunity• Compliance is NOT Security and Security is NOT Compliance• ACR 2 Solutions is a Compliance Support company• Compliance is the next emphasis point in information security• Compliance will be enforced • Automated Compliance is the next “Wave” in high technology opportunity

1First Wave:

Personal Computers 2

Second Wave:

Networking / Internet 3

Third Wave:

Network Security 4

Forth Wave:

Regulatory Compliance


The Compliance Process1. NIST

CompliantRisk Assessment

3. Install Safeguards and Collect Data from Scanners and UTM

devices

4. Revise Risk Assessment

5. Automated Compliance Report

to Management

2. NIST CompliantInformation Security

Plan

21. GLBA

22. PCI DSS

23. FISMA


Introducing ….ACR2Basic Risk Assessment

Available in 2 versions Q2 2007:

• ACR2Basic Business Editionreports encrypted and auditable

• ACR2Basic MSP Editionreports headers can be modified

And in Q3 2007..

• ACR2Basic Enterprise Edition Dashboard manages multiple locations


In Q3 and Q4 we introduced ACR2Basic Risk Assessment for PCI

Available in 3 versions Q4 2007

• Astaro Compliance Reporter for PCI Sold through National Distributor

Synnex box has “Powered by ACR2 Solutions”

• PCI Solutions ToolAvailable online from PCI SVAWebsite is branded by ACR2

• ACR2Basic Risk Assessment for PCI


Developing Product Line Profile

• Automated input of Scanner and UTM data• Initially Astaro and ThreatGuard• Feb 2008 Fortinet, O2 Micro and Qualys• Late 2008 for additional UTM and IPS

• Automated reporting and alarming• Web based and platform based delivery• Enterprise versions for centralized

management of large numbers of sites


ACR 2 Basic

11/07 Status – Shipping Product

Internet

ACR2Basic Server

Network to be Secured

Firewall

Router, Hub or Switch

``

`

MicroComputer

MicroComputerMicroComputer


50 Network Enterprise

11/07 Status – Ready to Ship

External Network or Internet

Internet

Network to be Sec ured

Fi rewa ll

Route r, Hub o r Swi tc h

``

`

M ic roComputer

M i croCom puterM i c roComputer

ACR2Enterprise Server

ACR2Basic Server

SCAP RAAP ™ Appl ianc e


Fi rewa ll


``

`

M ic roComputer

M ic roComputerM ic roComputer

SCAP RAAP ™ App li ance


Firewa l l

Route r, Hub o r Switc h

``

`

M i c roComputer

M i c roComputerM ic roCom puter

SCAP RAAP ™ Appl ianc e


Fi rewa ll


``

`

M i c roComputer

M i c roComputerM ic roComputer

SCAP RAAP ™ App li anc e


Firewa l l


``

`

M i c roComputer

M i c roComputerM ic roComputer

SCAP RAAP ™ App li anc e


Firewa l l


``

`

M ic roComputer



Fi rewa ll

Router, Hub o r Switc h

``

`

M i c roComputer

M ic roComputerM i c roComputer


Fi rewa ll


``

`

M ic roComputer

M ic roComputerM i c roComputer


Firewal l

Router, Hub o r Switc h

``

`

M i c roComputer



2,500 Network Enterprise

11/07 Status – Scaleup Proposal Under Review


Internet


ACR2Basic Server


50,000 Network Enterprise

11/07 Status – Under Discussion with Potential Clients, Primarily PCI DSS










Externa l Network or In ternet

In ternet

ACR 2Bas ic Server


In ternet

ACR 2Bas ic Server


In ternet

ACR 2Bas ic Server


In ternet

ACR 2Bas ic Server

Ex ternal Network or In ternet

In ternet

ACR 2Bas ic Serv er

Ex terna l Network or Internet

Internet

ACR 2Bas ic Serv er

Ex terna l Network or Internet

Internet

ACR 2Bas ic Server

Ex terna l Network or In ternet

In ternet

ACR 2Bas ic Serv er

Ex terna l Network or In ternet

In ternet

ACR 2Bas ic Serv er


Enterprise Management SystemGUI Under development


OMB Mandated SCAPRAAP Process

11/07 Status – Patent Pending

Scanning Server(inside or outside )

CVE input (from NIST)XCCDF cklist

input (from NIST)

UTM data (scheduled HTML or

XML)

ACR2 Risk Assessment

Server (inside or outside)

Scan Report(HTML or XML)

UTM device (inside)

Risk Management Reports


SCAPRAAP Appliance

11/07 Status – Patent Pending


SCAPRAAP™Appliance

(pat. pending)


FirewallRouter, Hub

or Switch

``

`

MicroComputer

MicroComputerMicroComputer


Business Model

" ACR2 is a compliance software development/delivery company

" Products are Web Based additional content on CD

" Initial product launches leverage OEM and partnership relationships

" Vulnerability Scanning company ThreatGuard

" UTM company relationships and bundles, ie Astaro, Fortinet, etc.

" GSA vendors re: SCAP and OVAL automation required by the

Office of Management and Business ( OMB )


Business Model (cont.)

" Northern expansion for new product development" Negotiations in Potsdam N.Y.

" Upon obtaining significant funding:" Branded product launch

" SCAPRAAP Appliance bundle


Accomplishments and Milestones

• February 2007 Robert Peterson and ACR2 invited to join the PCI SSC by Seana Pitt, PCI SSC Chairman. • March 2007 – Robert Peterson 4 days training of security professionals the 2007 cybercrime conference. • April 2007 ACR2 joins the PCI Security Vendors Council ( PCI SVA), a trade group formed in response to the PCI DSS to meet the PCI DSS requirements.• May 2007 Minnesota is first state to make PCI DSS requirements mandatory by state law.



• June 2007 Robert Peterson elected chair of the PCI SVA Solutions Committee, one of four PCI SVA committees• June 2007 Aberdeen Group reports that 48% of PCI merchants are not in compliance and 49% have yet to do a risk assessment.• July 2007 ACR2 selected as contractor to be primary gatekeeper between PCI SVA and Payment Card Industry. Three year contract signed 7/26 after unanimous committee approval. Product deployed at www.PCiSolutionsTool.info

../../../../Users/Jack/AppData/Local/Microsoft/Windows/Temporary%20Internet%20Files/Content.Outlook/KM1LDHKB/www.PCiSolutionsTool.info



• June 1 – Office of Management and Budget releases Memorandum M0718, “Implementation of Commonly Accepted Security Configurations.”• July 2007 Robert Peterson to seek PCI SSC input into PCI SVA risk assessment program.• August 2007 ACR2 signs first major contract with significant UTM vendor Astaro to supply PCI and other information security compliance solutions into retail channel, including national distribution.


Accomplishments and Milestones• September 2007 PCI SSC has option to begin $5,000/month fines of noncompliant companies.• September 2007 The PCI SVA sponsors trips by Robert Peterson (PCI SVA Solutions Chair) to Toronto meeting• Astaro Compliance Reporter named CRN’s “14 Hot Products from “Xchange 07”• Feb 08 – OMB gives Federal agency extension on SCAP requirements to April• Feb 08 – Risk Reporter for Fortinet and other ACR2 products added to the GSA Schedule• April – ACR2 begins focused outbound Sales efforts.


CompetitionCurrent products" None with our feature set:

Web based expert system sold as a service (SaaS) delivering NIST

" None are offering “TurboTax ™” simplicity approach to meet Risk Assessment

requirements

" There are 2 existing software packages with some of our functionality.

" Modulo – highly complex program to assessment using ISO 17799" Pricing starts at $30,000.

• Telos – uses military DITSCAP protocols to create risk assessments.

•Pricing starts at $7,500. to $85,000 per location


Management and AdvisorsManagement" Jack Kolk, CISSP CEO, President, cofounder and technology industry veteran" Robert Peterson, PE COB, CTO, cofounder and compliance expert " Don Arsenault Investor, advisor and successful entrepreneur" Wayne Norris, MBA CFO " Karen Reynolds, CPA Comptroller and industry veteran" Terry Cochran, CPP Contractor and independent security consultant

Strategic Partners and Advisors" Greg Resnick, MBA Advisor and successful entrepreneur" Peter Forstroom, Macquarium –COO Advisor and Strategic Partner" Michael Ryan – North Bay Associates


Membership, Partnerships and Proposals

• Memberships:• PCI SVA – Robert Peterson is Chair of Solutions committee• PCI SSC

• Partnerships:• Astaro • Macquarium Intelligent Communications• ThreatGuard

• Proposals ACR 2 has several large proposal and quotes to:• Large resellers• Large security companies


Summary" ACR2 products “TurboTax™” information security compliance" We have NIST and PCI DSS regulatory guidance pseudo expert systems " Currently offering 3 products for GLBA, FISMA and PCI" Preparing to ship PCI DSS specific versions" We have additional products and industry specific versions in development" We have OEM deals, strategic alliances and ACR2 branded solutions" Our new flagship product in development has a patent pending." Our current offerings are the right products now Extremely timely

" OMB requires SCAP and FDCC compatibility Feb 1 2008" PCI PCI DSS 1.1 standard was just released in Sept 2006" ACR 2 leads the PCI SVA Solutions Committee


ACR 2 Solutions, Inc.( Automated Compliance Reporting )

Thank you for your time!


Using the ACR2 Basic Reports• The following slides display truncated partial screens of examples of the 4

reports the system generates

• You receive them a few minutes after selecting “submit” as an email once data is reviewed and submitted for calculation and processing

• The reports are converted into PDF’s, and locked appropriate to the version that you have purchased

• The encrypted, locked reports are sent to the email on file, where they can be opened by the password used for the initial risk assessment data entry


Using the ACR2 Basic Reports cont.

• The following 2 slides show extracted references from the included CD

• After you have received your reports, the risk scores can be traced back to the Original source by the associated risk category


Automated Compliance Reporting

How Much is Your Time Worth?

acr 2 solutions, inc the compliance opportunity • compliance is not security and security is not...

Documents