Information Security & Privacy

National Security

Noblis has been evaluating operating systems and computing system components for conformance to the DOD's Orange Book Security Criteria for many years. Our independence and objectivity create confidence in both vendors and system integrators that our evaluations are free of bias and ulterior motivation. As the DOD security evaluation community moves to adopt the international Common Criteria, we are helping to ensure that the new processes maintain the high standards of the old. We assist the DOD in implementing the Common Criteria and supporting methodologies by training evaluators, certifying evaluation laboratories, serving on the Interpretations Working Group and Technical Review Boards, and writing and evaluating Common Criteria Security Targets and Protection Profiles---all to assure the technical correctness of evaluations and the consistent application of standards. Noblis personnel have conducted Orange Book evaluations that range from Microsoft Windows NT at the C2 security level to Wang XTS-300 at B3. Noblis supports the InfoSec Research Council and its InfoSec Science and Technology Study Groups. Noblis personnel have played significant roles in the President's Commission on Critical Infrastructure Protection (PCCIP) development and follow-on activities. These skills and experience have broad applicability in government and commercial applications, from the least sensitive to the most critical.
(See Homeland Security for more information)

Network Security Engineering

Noblis' network security engineering experience can help you realize the potential of Internet business while avoiding the pitfalls---protecting your business and keeping your customers' confidence. Internet business opportunities often carry a significant potential for adding new security vulnerabilities, in the form of theft, unauthorized release of privileged information, modification of data, identity masquerading, introduction of computer viruses or other hostile code, and system downtime. Our network security experience can help you bring your Internet business or government application online with a minimum risk of security problems.

Risk Management

Noblis' extensive risk management experience can be applied to identify and reduce risk in your next system implementation or enhancement. System designers without computer security expertise create insecure systems, and with the increasing use of networking, very few systems can survive insecurity. Yet this situation arises in nearly every government modernization project, even those based on the use of commercial off-the-shelf software components.

Security Assessment

A Noblis security assessment is a two-step process: a threat analysis followed by a vulnerability analysis. The threat analysis identifies the assets that require protection, and the vulnerability analysis uncovers the specific computer and network weaknesses that need to be strengthened. The threat analysis requires examining system infrastructure and determining the threats to which it is vulnerable. The emphasis is on correlating and linking threats to specific environments so that the best use is made of information security resources. The vulnerability analysis identifies security-related weaknesses in the system. Using both manual methods and automated tools, the team looks for vulnerabilities that are exploitable. If desired, this analysis can be supplemented by "red team" penetration of the system.

Security Awareness

Noblis' technical staff can create custom security courses, ranging from one day to many weeks, for end users, system administrators, security managers and anyone who wants to understand computer security in general or the security characteristics of a particular system. Awareness of security issues by those who will design, implement, operate, and use computing systems is critical to overall security. These classes often complement other security activities and can be tailored to the needs of a wide range of application domains (e.g., healthcare, finance, defense, public service, intelligence).

Security Policy Analysis

Noblis develops security policies for a broad range of systems, including those in healthcare, financial, scientific, public service, government, and defense. We also evaluate existing policies for continued applicability to the constantly changing security environment. Policies reflect both domain-specific security concerns and the general security issues of preserving information integrity, safeguarding against improper information disclosure, and ensuring the availability of information. Policies identify and categorize the types of data involved and the level of protection each needs, the individuals who are permitted to access information and what access each is allowed, what restrictions should be placed on remote access, how the system is protected from malicious code, and the use of proper user authentication procedures. Physical security is often included, as well.

Internet Security

Noblis' knowledge of Internet protocols, technologies, and attacks allows us to help our customers understand the issues behind the jargon and the marketing hype, and to anticipate and mitigate security vulnerabilities in the applications they deploy. Our vendor-independent perspective and broad technical knowledge allow us to solve tough security problems objectively and to provide unbiased advice. Our experience in successfully securing our own Internet-connected infrastructure can be applied to our customers' systems.