Peritus Security

Our Approach

Peritus, meaning "skilled" or "expert" in Latin, defines the level of knowledge and service that Peritus Security brings to every project. Peritus Security is a privately held provider of information security services that strives to meet the many security needs of today's businesses. Peritus has developed a strong reputation for bringing enterprise-level security to small and medium-sized businesses without sacrificing the quality of the product. In a world where small businesses are being targeted in greater numbers than ever before, Peritus applies a common-sense approach and the use of best practices to help you be compliant but, more importantly, secure!

Information Security for:
Businesses of all Kinds


Businesses constantly face internal and external threats that put at risk the security and integrity of critical and regulated data, including the data of your employees and clients. All industries are bound by some form of data privacy regulation, such as state data privacy laws, GLBA, SOX, HIPAA-HITECH and PCI-DSS, to name a few. Many hold executives and board members civilly or criminally liable.

A constant stream of high-profile breaches has cost companies and consumers billions of dollars. Fines, lost revenue, lost consumer confidence and years of credit monitoring are just some of the costs, not to mention the cost to victimized consumers of piecing their financial lives back together. Businesses are starting to see the true costs associated with a breach of sensitive or customer data. No single technical control (a firewall or anti-malware product) will make your systems and data secure. People are usually the weakest link in securing your business, and it is essential that they be governed by clear controls and educated about the threats facing every business. At the heart of any successful information security program is a framework based on best practices; Peritus uses the ISO 27001 and ISO 27002 standards.


Information Security for:
Credit Unions


The credit union industry represents a unique challenge for information security specialists. With a seemingly endless list of information security compliance requirements, and with the NCUA, FFIEC, and federal and state regulators focusing on IT security compliance, it is critical that your institution has a holistic approach to information security. Compliance requirements have become especially problematic for small credit unions. Peritus has developed a unique and highly effective approach to information security compliance that uses the ISO 27001 framework as the basis for your information security program and as the cornerstone of our thorough, yet cost-effective, suite of services, which includes auditing, assessments, penetration testing and ISMS consulting.

Peritus Security is in a unique position to assist credit unions with their compliance-driven information security needs. Whether it is GLBA, FFIEC or any of the other requirements handed down by the governing bodies, Peritus is an expert in the credit union information security and compliance space. Contact us today and see the Peritus difference for yourself!

About

Our mission is to help organizations become more secure through a practical and effective methodology that can be scaled to organizations of any size and in any industry. Our methods do not simply seek compliance for the sake of compliance, but rather aim at an end result that leads to a stronger and more sustainable security posture.

Founded in 2007, Peritus began by working with small credit unions on information security risk assessments, audits and penetration testing. In 2008 and 2009, Peritus became very active in the hearings related to the Massachusetts data privacy regulation MA 201 CMR 17, at which time we began building Information Security Management Systems (ISMS) based on the ISO 27001 security framework. It was during this phase that we refined our methodology for compliance with most major regulatory requirements. Through the use of best-practice frameworks such as ISO, Peritus seeks to help clients gain compliance by building security programs that foster a security-centric culture in businesses and organizations of all sizes and in any number of industries.

Our team of experienced professionals is well versed in the major regulations affecting most sectors, including financial, healthcare, education, manufacturing and distribution, retail, defense and more. Whether we are working with large financial clients, municipalities or a small retail shop, our team takes pride in its ability to speak at a level our clients can understand while providing them with actionable information and recommendations.

The team is made up of individuals with many years of experience in both the technology sector and the information security sector. All compliance assessments and audits are reviewed and signed by certified professionals who carry credentials such as CISSP, CISA, CISSP-ISSAP, CEH and CGEIT.

The Peritus Advantage

Peritus is very competitive with other security consultancies, with our rates frequently beating the competition by 30% or more. Based in Western Massachusetts and within 2 hours of all major cities in the Northeast (Boston, New York, Albany), Peritus has a fraction of the overhead of our competitors in the major markets, which allows us to bring greater value to every project at a very attractive price point.

Developing Strong, Long-term Relationships

Peritus works hard to earn the confidence and trust of our clients by consistently acting in their best interest and providing maximum value. Peritus works very closely with the client and their technology provider to thoroughly evaluate the client's information security posture and to build a program that creates greater security for their systems, data and, ultimately, their customers and employees.

This relationship is critical to overcoming the position of many business leaders who continue to view information security purely as a regulatory requirement, and thus as an expense that they reluctantly accept only to establish compliance. Through education and an understanding of the many threats that exist today, information security can instead be viewed as a critical business function. Peritus works closely with our clients to build Information Security Management Systems that meet compliance requirements and, more importantly, build a solid foundation for information security, resulting in a strong security posture.

Information Security for: Businesses

If you are in business, you need to protect your business. Insurance will not protect you from data theft.

The Peritus Approach

Using ISO 27001 as a best-practices framework creates an information security compliance umbrella that is easier to implement, repeatable, and recognized by auditors and their governing bodies worldwide.

Today's businesses face an endless list of cyber threats, both internal and external. As a result, government and industry regulation related to data privacy has exploded, affecting businesses of all sizes. In fact, virtually every business is bound by some form of data privacy regulation. In addition to the regulatory risks, there is growing concern over the skyrocketing frequency of malware and ransomware infections. Either way, smart business leaders are scrambling to get in front of these risks before they become the next headline. The risks extend beyond the extortion or remediation costs that accompany these infections, or regulatory fines: there is an even greater risk to one's reputation and the trust of one's customers.

Choosing the right partners and products to protect your data assets is certainly important, but of equal or greater importance is having an Information Security Management System (ISMS) that is based on a best-practices framework and takes a holistic approach to information security. It is essential that businesses have sound policies, procedures and controls that are clearly defined, enforceable, and communicated to employees and vendors.

Cyber security is a way of life for the modern business, and failure to take the necessary steps can cripple a business's ability to operate or to survive a breach. With the Peritus approach, the best-practice framework (ISO 27001) acts as an umbrella that ensures, first and foremost, that your assets are safe and, secondly, that regulation-specific needs are identified and addressed.

Peritus’ Services Include:


Information Security for: Credit Unions

The credit union industry is heavily regulated and represents a unique challenge for information security specialists. With a seemingly endless list of information security compliance requirements, and with the NCUA and federal and state regulators focusing on IT security compliance, it is critical that your institution have a holistic approach to information security. This has become especially problematic for small credit unions. Peritus has developed a unique and highly effective approach to information security compliance that uses the ISO 27001 framework as the basis for your information security program and as the cornerstone of our thorough, yet cost-effective, suite of services.

Peritus Security is in a unique position to assist credit unions with their compliance-driven information security needs. Whether it is GLBA, NCUA, FFIEC or any of the other requirements handed down by the governing bodies, Peritus is an expert in the credit union information security and compliance space.

Starting in 2016, the FFIEC has released a new set of requirements for cyber security and the assessment of a credit union's readiness. The new Cybersecurity Assessment Tool is in place, and enforcement was due to begin March 31, 2016. If you are not aware of the requirement, you should review this change and contact Peritus. Peritus has developed a program specifically for small to medium-sized credit unions to deal with these changes.

For more info:

https://www.ffiec.gov/cybersecurity.htm

Peritus has been successfully adapting our approach to small and mid-sized credit unions for many years. Our ability to scale our offerings has allowed us to be very competitive against other consultancies operating in this space.

Contact us today and see the Peritus difference for yourself.


FAQ

There are always a lot of questions surrounding information security, especially during the initial phases of setting up a program or engaging in the assessment process for the first time. We have attempted to answer some of the more commonly asked questions in this section. However, Peritus is always happy to answer any questions that you may have. Please feel free to email info@peritussecurity.com.

So, what do all of these acronyms mean?

ISMS - Information Security Management System, also known as a Written Information Security Program (WISP): a system developed using a standard framework that provides the policies, procedures, processes and controls governing the security of an organization.

ISO 27001 - ISO, the International Organization for Standardization, is an independent organization that has developed standards for pretty much anything you can think of. ISO 27001 and ISO 27002 are information security frameworks used in building information security programs.

MA 201 CMR 17 - Massachusetts data privacy regulation, which has been touted as one of the most stringent of its kind in the nation. It builds on the consumer privacy law MGL 93H and was built using best practices from ISO 27001. It applies to anyone holding the personal data of Massachusetts residents. For additional details please reference: http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf

Payment Card Industry Data Security Standard (PCI DSS) - Establishes comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, to help facilitate the broad adoption of consistent data security measures on a global basis. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.

Gramm-Leach-Bliley Act of 1999 (GLBA), also known as the Financial Services Modernization Act of 1999 - Protects the privacy and security of the private financial information that financial institutions collect, hold, and process.

Health Insurance Portability and Accountability Act (HIPAA) of 1996 - Requires the adoption of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. It also requires health care providers, insurance providers and employers to safeguard the security and privacy of health data.

Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) - US federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. Generally, schools must have written permission from the parent or eligible student to release any information from a student's education record.

Federal Financial Institutions Examination Council (FFIEC) - Its security guidelines for auditors specify requirements for online banking security. https://www.ffiec.gov/cybersecurity.htm

Sarbanes-Oxley Act of 2002 (SOX) - Section 404 of the act requires publicly traded companies to assess the effectiveness of their internal controls over financial reporting in the annual reports they submit at the end of each fiscal year. Chief information officers are responsible for the security, accuracy and reliability of the systems that manage and report the financial data. The act also requires publicly traded companies to engage independent auditors who must attest to, and report on, the validity of their assessments.

Security Certifications:

CISSP (Certified Information Systems Security Professional) - A vendor-neutral certification for those with proven deep technical and managerial competence, skills, experience, and credibility to design, engineer, implement, and manage an overall information security program that protects organizations from increasingly sophisticated attacks.

CISSP-ISSAP (Information Systems Security Architecture Professional) - A concentration for those holding the CISSP credential that certifies their capabilities in information systems security architecture. It requires a candidate to demonstrate 2 years of professional experience in network architecture and is an appropriate credential for chief security architects and analysts, who typically work as independent consultants or in similar capacities.

CISA (Certified Information Security Auditor) - The CISA certification is world-renowned as the standard of achievement for those who audit, control, monitor and assess an organization's information technology and business systems.

CGEIT (Certified in the Governance of Enterprise IT) - Recognizes a range of professionals for their knowledge and application of enterprise IT governance principles and practices. CGEIT provides the credibility to discuss critical issues around governance and strategic alignment based on recognized skills, knowledge and business experience.

CEH (Certified Ethical Hacker) - A certification covering the tools and techniques used by attackers and information security professionals alike, so that the holder can test an organization's defenses the way an attacker would. The good news is that these are the good guys!

What is ISO 27001?

ISO 27001 and ISO 27002 are published and accepted international standards meant to act as a model (framework) for implementing, operating, monitoring, reviewing, maintaining, and improving Information Security Management Systems. This affects your compliance efforts in a positive way because guiding security actions with ISO 27001 and 27002 as a frame of reference gives auditors and regulators a familiar standard as the basis of your program.

For credit unions in particular, guiding security actions with ISO 27001 as a frame of reference allows you to capture all of the needs of legislative security compliance. Peritus models its audit and assessment methodologies around ISO 27001 and is thus able to satisfy many requirements mandated by multiple compliance acts at once.

If you are not in compliance, penalties and even imprisonment can result. Of course, it all depends on which act you are not in compliance with, but as a good example, GLBA stipulates that a credit union can be fined ten thousand dollars for each instance of non-compliance and that officers can be imprisoned. MA 201 CMR 17 allows fines of up to $5,000.00 per incident (per record), and under MGL 93H treble damages may be sought. PCI-DSS and HIPAA also carry very stiff fines. With the number and frequency of breaches, especially among small businesses, it is becoming much riskier to simply roll the dice.

The Peritus team consists of individuals with many years of experience in information security and technology. Our staff is capable of understanding diverse customer needs because we have worked closely with all types of customers. Whether the organization is small, medium, or large, Peritus tailors its approach to information security using sound industry principles. Our staff credentials include team members with the CISSP-ISSAP designation and CEH, among others. Peritus employees also hold many vendor certifications, such as Microsoft Certified Systems Engineer (MCSE) and Cisco Certified Network Engineer (CCNE), to name just a few. Keeping up to date with industry standards allows Peritus to understand today's technologies and security requirements on both a strategic and a tactical level.

For clarification, under ISACA and IFPA standards an audit is a formal process performed by a qualified independent auditor. The audit generates a report that is viewed as representing a high assurance of truth, and audits are used in assessed reporting engagements. Assessments are less formal and frequently more cooperative with the people and systems under scrutiny; they can include both outsider assessments and internal self-assessments. The true value of an assessment is to create a sense of ownership in the user, which makes assessments excellent vehicles for training and awareness. The goal of an assessment is to help the user or staff work towards improving their score; however, the audit is the score that actually counts for regulatory compliance purposes. Remember the basic control requirement: separate the "worker" from the person providing "authorization" (separation of duties). Assessments are considered biased because this separation is not as clean as it would be under a formal independent audit.

A penetration test is essentially a controlled, authorized attack on a given system, in which the tester tries to gain entry into a defined set of systems. It is frequently performed against a given IP address or block of addresses, with the tester seeking to exploit any identified vulnerabilities so that they can be fixed. A number of regulations require penetration tests on a regular basis to ensure the integrity of a given gateway.

Contact Peritus

Please contact us directly at 413-224-1237, through email, or fill in the contact request form to let us know how we can assist you with your information security and compliance needs.

413-224-1237

44 Baldwin Street
East Longmeadow, MA 01028

Business hours:
8 am - 5 pm, Monday to Friday