Peritus, meaning "skilled" or "expert" in Latin defines the level of knowledge and service that Peritus Security brings to every project. Peritus Security is a privately held provider of information security services that strives to meet the many security needs of today's businesses. Peritus has developed a strong reputation for bringing enterprise level security to the small and medium sized business without sacrificing the quality of the product. In a world where small businesses are being targeted in greater numbers than ever before, Peritus applies a common sense approach and the use of best practices to help you be compliant but more importantly –secure!
Businesses are constantly facing internal and external threats that risk the security and integrity of critical data, regulated data and that of your employees and clients. All industries are bound by some form of data privacy regulation such as: State Data Privacy laws, GLBA, SOX, HIPAA-HITECH, and PCI-DSS to name a few. Many hold executives and board members civilly or criminally liable.
A constant stream of high profile breaches has cost companies and consumers billions of dollars. Fines, lost revenue and consumer confidence, credit monitoring for years are just some of the costs, not to mention the costs for victimized consumers piecing their financial lives back together. Businesses are starting to see the true costs associated with the breach of sensitive or customer data. No one technical control (Firewall or Anti-Malware) will make your systems and data secure. People are usually the weakest link in the securing of your business and it is essential that they be controlled and educated to the threats facing every business. At the heart of any successful information security program is a framework based on best practices, Peritus uses ISO 27001-002 standards.
Learn More
The Credit Union industry represents a unique challenge for Information Security specialists. With a seemingly endless list of Information Security compliance requirements; the NCUA, FFEIC, Federal and State Regulators focusing on IT Security compliance - it is critical that your institution has a holistic approach to Information Security. Compliance requirements have become especially problematic for small credit unions. Peritus has developed a unique and highly effective approach to Information Security Compliance that utilizes the ISO 27001 framework as the basis for your Information Security Program and is used as the cornerstone for our thorough, yet cost effective, suite of services which includes: Auditing, Assessments, Penetration Testing and ISMS consulting.
Peritus Security is in a unique position to assist credit unions with their compliance driven information security needs. Whether it is GLBA, FFEIC or any of the other requirements handed down by the governing bodies, Peritus is an expert in the credit union information security and compliance space. Contact us today and see the Peritus difference for yourself!
Learn More
Our mission is to help organizations of all sizes to become more secure through the use of a practical and effective methodology that can be scaled to organizations of all sizes and in any industry. Our methods do not simply seek compliance for the sake of compliance but rather to create an end result that leads to a stronger and more sustainable security posture.
Founded in 2007, Peritus began working with small credit unions with Information Security Risk Assessments, Audits and Penetration testing. In 2008 and 2009, Peritus became very active in the hearings related to Massachusetts Data Privacy Regulation MA 201CMR17 at which time we began building Information Security Management Systems (ISMS) based on ISO27001 Security Framework. It was during this phase that we refined our methodology for compliance with most major regulatory requirements. Through the use of Best Practice frameworks such as ISO, Peritus seeks to help client’s gain compliance by building Security Programs that foster security centric culture in businesses and organizations of all sizes and within any number of Industries.
Our team of experienced professionals are well versed in major regulations affecting most sectors including: financial, healthcare, education, manufacturing and distribution, retail, defense and more. Whether we are working with large financial clients, municipalities or a small retail shop, our team takes pride in our ability to speak at a level our clients can understand while providing them with actionable information and recommendations.
The team is made up of individuals with many years of experience in both the technology sector and information security sector. All compliance assessments and audits are reviewed and signed by certified professionals who carry credentials such as CISSP, CISA, CISSP-ISSAP, CEH, CGEIT.
Peritus is very competitive with other security consultancies with our rates frequently beating out the competition by 30% or more. Based in Western Massachusetts and within 2 hours of all major cities in the Northeast (Boston, New York, Albany); Peritus has a fraction of the overhead of our competition in the major markets which allows us to bring greater value to every project at a very attractive price point.
Peritus works hard to earn the confidence and trust of our clients by consistently acting in their best interest and providing maximum value. Peritus works very closely with the client and their technology provider to thoroughly evaluate your information security posture and to build a program that creates greater security for your systems, data and ultimately your customers and employees.
This relationship is critical to overcoming the position of many business leaders that continue to view Information Security as purely a regulatory requirement and thus an expense that they reluctantly accept purely to establish compliance with a regulatory requirement. Through education and an understanding of the many threats that exist today, information security can be viewed as a critical business function of today’s businesses. Peritus works closely with our client’s to build Information Security Management Systems that meet compliance requirements but more importantly build a solid foundation for information security resulting in a strong security posture.
Today’s businesses are faced with an endless list of Cyber-Threats both internal and external. As a result, government and industry regulation related to data privacy has exploded effecting businesses of all sizes. In-fact virtually every business is bound by some form of data privacy regulation. In addition to the regulatory risks, there is growing concern over the skyrocketing frequency of malware and ransomware infections. Either way, smart business leaders are scrambling to get in front of these risks before they become the next headline. Risks extend beyond the extortion or remediation costs that accompany these infections or regulatory fines. There are even greater risks to one’s reputation and the trust of their customers.
Choosing the right partners and products to protect your data assets is certainly important but of equal or greater importance is having an Information Security Management System (ISMS) that is based on a best practices framework and taking a holistic approach to information security. It is essential that businesses have sound policies, procedures and controls that are clearly defined, enforceable and articulated to employees and vendors.
Cyber Security is a way of life for the modern business and failure to take the necessary steps can cripple a business’s ability to do business or survive a breach. By using the Peritus approach, Best Practice (ISO27001) acts as an umbrella that ensures first and foremost that your assets are safe and secondly, that regulation specific needs are identified and addressed.
The Credit Union industry is heavily regulated and represents a unique challenge for Information Security specialists. With a seemingly endless list of Information Security compliance requirements and the NCUA, Federal and State Regulators focusing on IT Security compliance, it is critical that your institution have a holistic approach to Information Security. This has become especially problematic for small credit unions. Peritus has developed a unique and highly effective approach to Information Security Compliance that utilizes the ISO 27001 framework as the basis for your Information Security Program and is used as the cornerstone for our thorough, yet cost effective, suite of services.
Peritus Security is in a unique position to assist credit unions with their compliance driven information security needs. Whether it is GLBA, NCUA, FFEIC or any of the other requirements handed down by the governing bodies, Peritus is an expert in the credit union information security and compliance space.
Starting in 2016, the FFEIC has released a new set of requirements for Cyber Security and the assessment of a credit unions readiness. The new CyberSecurity Assessment tool is in place and enforcement was due to begin March 31, 2016. If you are not aware of the requirement, you should review this change and contact Peritus. Peritus has developed a program specifically for small to medium sized credit unions to deal with these changes.
For more info:
https://www.ffiec.gov/cybersecurity.htmPeritus has been successfully adapting our approach to small to mid-sized credit unions for many years. Our ability to scale our offerings has allowed us to be very competitive against other consultancies operating in this space.
Contact us today and see the Peritus difference for yourself.
Peritus is always happy to answer any questions that you may have. Please feel free to contact us. So, what do all of these acronyms mean?
ISMS - Information Security Management System aka, Written Information security Program (WISP): Systems that are developed using standard frameworks that provide policies, procedures, processes and controls that govern the security of an organization.
ISO 27001: ISO - Internal Organization for Standardization is an independent organization that has developed standards for pretty much anything you can think of. ISO 27001 and ISO 27002 are information security frameworks used in building Information Security Programs.
MA 201CMR17 - Massachusetts Data Privacy regulation which has been touted as one of the most stringent of its kind in the nation. Builds on consumer privacy laws MGL93H. Built using best practices from ISO27001. Applies to anyone holding MA Resident Personal Data. For additional details please reference: http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf
Payment Card Industry Data Security Standard (PCI DSS) - Establishes comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, to help facilitate the broad adoption of consistent data security measures on a global basis. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.
Gramm–Leach–Bliley Act of 1999 (GLBA), aka Financial Services Modernization Act of 1999 - Protects the privacy and security of private financial information that financial institutions collect, hold, and process.
Health Insurance Portability and Accountability Act (HIPAA) of 1996 - Requires the adoption of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. And, it requires health care providers, insurance providers and employers to safeguard the security and privacy of health data.
Family Educational Rights and Privacy Act (FERPA) (20 U.S.C.§ 1232 g; 34 CFR Part 99) - US Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. Generally, schools must have written permission from the parent or eligible student to release any information from a student's education record.
Federal Financial Institutions Examination Council’s (FFIEC) - Security guidelines for auditors specifies requirements for online banking security. https://www.ffiec.gov/cybersecurity.htm.
Sarbanes–Oxley Act of 2002 (SOX) - Section 404 of the act requires publicly traded companies to assess the effectiveness of their internal controls for financial reporting in annual reports they submit at the end of each fiscal year. Chief information officers are responsible for the security, accuracy and the reliability of the systems that manage and report the financial data. The act also requires publicly traded companies to engage independent auditors who must attest to, and report on, the validity of their assessments.
CISSP (Certified Information Systems Security Professional) - A vendor-neutral certification for those with proven deep technical and managerial competence, skills, experience, and credibility to design, engineer, implement, and manage their overall information security program to protect organizations from growing sophisticated attacks.
CISSP-ISSAP & ISSAP - A concentration for those holding the CISSP credential which certifies their capabilities related to Information Systems Security Architecture Professional. It requires a candidate to demonstrate 2 years of professional experience in network architecture and is an appropriate credential for Chief Security Architects and Analysts who may typically work as independent consultants or in similar capacities.
CISA (Certified Information Security Auditor) - The CISA certification is world-renowned as the standard of achievement for those who audit, control, monitor and assess an organization’s information technology and business systems.
CGEIT (Certified in Governance of Enterprise IT) - It recognizes a range of professionals for their knowledge and application of enterprise IT governance principles and practices. CGEIT provides you the credibility to discuss critical issues around governance and strategic alignment based on your recognized skills, knowledge and business experience.
CEH (Certified Ethical Hacker) - An accreditation that provides the advanced hacking tools and techniques used by hackers and information security professionals alike to break into an organization. The good news is that these are the good guys!
ISO 27001 and 27002 is a published and accepted international standard that is meant to act as a model (framework) for implementing, operating, monitoring, reviewing, maintaining, and improving Information Security Management Systems. This impacts your compliance efforts in a positive way because guiding security actions with ISO 27001-002 as a framework of reference will provide auditors and regulators a familiar standard for the basis of your program.
MA 201CMR17: Massachusetts Data Privacy regulation which has been touted as one of the most stringent of its kind in the nation. Builds on consumer privacy laws MGL93H. Built using best practices from ISO27001. Applies to anyone holding MA Resident Personal Data. Link to MA 201CMR17 title to the document provided
answer some of the more commonly asked questions in this section. However, Peritus is always happy to answer any questions that you may have. Please feel free to email info@peritussecurity.com.What do all of the security certifications mean? CISSP – Certified Information Systems Security Professional is a vendor-neutral certification for those with proven deep technical and managerial competence, skills, experience, and credibility to design, engineer, implement, and manage their overall information security program to protect organizations from growing sophisticated attacks. CISSP-ISSAP – ISSAP is a concentration for those holding the CISSP credential which certifies their capabilities related to Information Systems Security Architecture Professional. It requires a candidate to demonstrate 2 years of professional experience in the area of architecture and is an appropriate credential for Chief Security Architects and Analysts who may typically work as independent consultants or in similar capacities. CISA – The CISAcertification is world-renowned as the standard of achievement for those who audit, control, monitor and assess an organization’s information technology and business systems. CGEIT- CGEIT recognizes a range of professionals for their knowledge and application of enterprise IT governance principles and practices. CGEIT provides you the credibility to discuss critical issues around governance and strategic alignment based on your recognized skills, knowledge and business experience. CEH – The Certified Ethical Hacker accreditation provides the advanced hacking tools and techniques used by hackers and information security professionals alike to break into an organization. The good news is that these are the good guys! What is ISO 27001? ISO 27001 is a published and accepted standard that is meant to act as a model for implementing, operating, monitoring, reviewing, maintaining, and improving Information Security Management Systems. This impacts credit unions in a positive way because guiding security actions with ISO 27001 as a framework of reference will allow you to capture all of the needs for legislative security compliance. Peritus models the audit and assessments methodologies around ISO 27001 and thus is able to satisfy many requirements mandated by multiple compliance acts. All these Regulatory acronyms???MA 201CMR17: Massachusetts Data Privacy regulation which has been touted as one of the most stringent of its kind in the nation. Builds on consumer privacy laws MGL93H. Built using best practices from ISO27001. Applies to anyone holding MA Resident Personal Data. Link to MA 201CMR17 title to the document providedPayment Card Industry Data Security Standard (PCI DSS) establishes comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, to help facilitate the broad adoption of consistent data security measures on a global basis. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. Gramm–Leach–Bliley Act of 1999 (GLBA), also known as the Financial Services Modernization Act of 1999, protects the privacy and security of private financial information that financial institutions collect, hold, and process. Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires the adoption of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. And, it requires health care providers, insurance providers and employers to safeguard the security and privacy of health data. The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C.§ 1232 g; 34 CFR Part 99) is a US Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. Generally, schools must have written permission from the parent or eligible student in order to release any information from a student's education record. Federal Financial Institutions Examination Council’s (FFIEC) security guidelines for auditors specifies requirements for online banking security. https://www.ffiec.gov/cybersecurity.htm. Sarbanes–Oxley Act of 2002 (SOX). Section 404 of the act requires publicly traded companies to assess the effectiveness of their internal controls for financial reporting in annual reports they submit at the end of each fiscal year. Chief information officers are responsible for the security, accuracy and the reliability of the systems that manage and report the financial data. The act also requires publicly traded companies to engage independent auditors who must attest to, and report on, the validity of their assessments.
If you are not incompliance, penalties and even imprisonment can result. Of course it all depends on what act you are not in compliance with, but as a good example, GLBA stipulates that a credit union can be fined ten thousand dollars for each instance of non-compliance and officers can be imprisoned. MA 201CMR17 can fine up to $5,000.00 per incident (Per record) and under MGL93H they could go for treble damages. PCI-DSS and HIPAA also have very stiff fines. With the number and frequency of breaches, especially among small businesses, it is becoming much more risky to simply roll the dice.
The Peritus team consists of individuals that have many years of experience in information security and technology. Our staff is capable of understanding diverse customer needs because we have worked closely with all types of customers. Whether the organization is small, medium, or large - Peritus tailors the approach to information security using sound industry principles. Our staff credentials include team members with the CISSP-ISSAP designation, CEH among others. Peritus employees also have many vendor certifications such as the Microsoft Certified Systems Engineer (MCSE) and the Cisco Certified Network Engineer (CCNE) to name just a few. Keeping up to date with industry standards allows Peritus to understand today's technologies and security requirements on both a strategic and tactical level
For clarification under ISACA and IFPA standards: the Audit is a formal process performed by a qualified independent auditor. The audit generates a report viewed to represent a high assurance of truth. Audits are used in assessed reporting engagements. Assessments are less formal and frequently more cooperative with the people/objects under scrutiny. Assessments can include both outsider's and internal self-assessments. The true value of the assessment is to create a sense of ownership by the user. Assessments are excellent vehicles for training and awareness. The goal of an assessment is to help the user/staff work towards improving their score. However the audit is the score that actually counts for regulatory compliance purposes. Remember the basic control requirement is to separate the "worker" from the person providing "authorization" (separation of duties). Assessments are considered bias since the separation is not clean as it would be under a formal independent audit.
A Penetration Test is basically an attack on a given system whereby the attacker tries to gain entry into a given set of systems. It is frequently performed against a given IP address or block of addresses with the attacker seeking to exploit any identified vulnerabilities. There are a number of regulations that require Pentests on a regular basis to ensure the integrity of a given gateway.
413-224-1237
Business hours:
8 am - 5 pm (from Monday to Friday)
Risk Assessments can be scaled to the size, complexity and regulatory requirements of a given organization. A typical Risk Assessment includes: an internal and external vulnerability scan, policy review, and evaluation of the physical location. More detailed Risk Assessments include a detailed analysis of each risk, assigning it a priority based on severity and probability that the risk could come to fruition. In all cases, Peritus provides a formal report that includes: Executive Summary, Findings and Recommendations for remediation. A Risk Assessment is the first step in determining your security posture and can be aligned with specific regulatory requirements. It is cooperative in nature, meaning that Peritus assists the client in identifying the requested information and working with the client throughout the process.
The Audit process is designed to be very objective and is not a "team" effort. The auditor provides the client with a list of items and the client is judged on their response and the materials provided. The purpose of the IT Audit is to determine if the IT controls that have been put into place are indeed protecting the business’s assets, data integrity and are meeting the company's overall stated goals. The time to complete an Audit is dependent on the Regulations involved and the complexity of the organization being audited. Many times, IS and IT Audits are done together with the IS portion digging deeper into Policies, Procedures and their alignment with specific regulations. Peritus will supply a detailed Audit Report that is signed by a certified IS professional. In the report, there is always an Executive Summary, Detailed Findings and where appropriate, comments. Peritus is always available to discuss findings with leadership and consult on how to remediate any deficiencies and strengthen your Information Security Management System.
Peritus routinely performs Vulnerability Assessments to help organizations determine if their internal and/or external systems are properly configured and managed. The Vulnerability Assessment seeks to identify, quantify and prioritize vulnerabilities on a computer network. These tests are generally a scan that is performed against the network to determine such things as patch levels for software and hardware and the configuration of these devices. The software that is used to perform these tests use a library of tens of thousands of known vulnerabilities and configuration issues. The resulting reports will break down the vulnerabilities into categories which are generally reported as Critical, High, Medium and Low. The Vulnerability Assessment is frequently used in the Risk Asessment and Audit process as a sub component but can be used on a regular basis to keep IT on their toes.
Put simply, Peritus is given a free pass to break into your network through a defined group of IP addresses. A Pentest uses a combination of software and manual techniques to try to gain access to your network from an external location. A true Pentest is far more detailed than a typical vulnerability scan and is usually done more covertly with a very limited number of client side people aware that it is being performed so that the response can be assessed and if penetration is successful, details on what systems were compromised can be documented. Once again, a Pentest is an important piece of validating your Information Security practices.
Peritus is prepared to help our clients with a variety of remediation. Whether you are trying to remediate issues that were uncovered in an Assessment or Audit; or you are in the unfortunate position of having to investigate and remediate a breach; Peritus can help. Our team of seasoned security professionals can identify the most effective means of remediating the issue at hand.
primary components that make up an Information Security Program which is known by many names such as Written Information Security Program (WISP) or Information Security Management System (ISMS). No matter the acronym, it is essential that the program be built using a recognized standard framework such as ISO 27001 or 27002; NIST or COBIT. These frameworks are basically a set of best practices that establish guidelines for the protection of critical infrastructure and Data. Peritus has extensive experience helping businesses develop, refine and maintain Information Security Programs across many industries. By using these standard frameworks, organizations can satisfy most regulatory compliance simply by using these best practices. Obviously, there are always some regulation specific needs. However, if you build a security - centric culture based on best practices, compliance is a whole lot easier to achieve. Whether building a program from the ground up or refining an existing program, Peritus can help!
The cornerstone of any Information Security Program is people and their ability to understand their role in executing the organization's information security strategy and operate in a manner that is in line with policies and controls. Peritus will customize a training that helps your team better understand different aspects of information security and why it is so important to the organization's success. Peritus has done many trainings to help businesses educate people on PCI-DSS, Best Practices, Disaster Recovery, MA201CMR17, current Threats and regulatory requirements related to information security. Ask Peritus about our managed automated training modules or a custom training at your facility.
Businesses large and small need to plan for catastrophic events. Whether it is a natural disaster, a breach or system failure - you need a plan! If your plan is to wing it, there is a real chance that you could join the overwhelming percentage of companies that do not survive. According to FEMA, 40% of businesses that experience a disaster without a plan do not reopen, another 25% fail within a year and the SBA states that 90% fail after 2 years following a major disaster. Peritus has helped many businesses build Disaster Recovery (DR) and Business Continuity (BCP) Plans so that when the inevitable happens, your team knows what to do and is not swallowed up in the emotion and confusion of the actual event. Having a clear, written and accessible plan is essential to any business if they are to successfully survive a major disruption.
Many of the people that we talk to about DR and BCP only think of major weather events such as a flood, tornado, hurricane or snow storm. The reality is, it is far more likely that you will need to react to more common events such as fire, equipment failure, Ransomware or Malware attack. The latter being no less disruptive or destructive to the well-being of your business and your bottom line!
A business impact analysis (BIA) predicts the consequences of disruption of a business function or process and gathers information needed to develop recovery strategies. During this process, the team will develop a variety of Impact Scenarios; Assess the probability of the event occurring; Assign a Criticality for the function affected; and determine the operational and financial impacts to the organization. From this information, an effective Disaster Recovery and Business Continuity Plan can be created.
DR Plans focus on the critical moments following the actual disaster. Basically, survival mode and getting the most critical functions operational on a temporary, short-term basis. It establishes clear lines of command and communication: Are people safe, who is in charge, how are key people contacted, where is your data and how can you gain access to it, where is the "Hot Site" or temporary operations, Insurance contacts, IT contacts, Banking Contacts and so much more. All of the short term critical needs that the company requires to return them to basic operations in the hours and days following the event should be clearly housed in your DR Plan.
A Business Continuity Plan focuses on the long-term needs of the organization that will return the company to full operations. Things like rebuilding facilities and critical infrastructure are part of the BCP. Typically, you are talking about the months or years following an event.
This is probably one of the most telling forms of testing one can perform. Why, because it tests people. Through Social Engineering, Peritus can test the response of a business' employees or vendors to see how they respond to a given request or situation. Basically, we go phishing. There is no better way to explain the process than by example:
Peritus was asked to help a municipality quantify the level of risk from phishing emails. We put together a plan to engineer a bogus website that looked much like the real one and created a password change screen. We then spoofed an email from the IT director asking everyone to change their password by clicking on this link. Although the site looked close, we intentionally left imperfections in it so that someone paying attention would notice. The suspicion was that people would click on anything without thinking. Unfortunately, the suspicions were correct and over 70% of those that were sent the email clicked on the link. They were then sent an email telling them to contact the director. The good news is that as the adage goes "The proof is in the pudding". Rest assured, this was a tremendous tool for IT to use to push forward with training and better controls.
