Company Overview, Products and Sample Reports, January 2007

Number of slides: 28

www.acr2.org www.acr2solutions.com

Corporate Background
• Founded in Nov. 2006
  - Headquartered in Lilburn, GA
  - Sales and Marketing office in Buford, GA
• Unique compliance solution
  - Addresses GLBA, HIPAA, FISMA and PCI markets
  - Traceable and compliant with NIST protocols
  - Risk scores automatically updated using network data, new safeguards, intrusion and anti-virus data

Introducing ... ACR 2 Basic - Risk Assessment
Available in 2 versions January 2007:
• ACR 2 Basic - Business Edition: reports encrypted and auditable
• ACR 2 Basic - MSP Edition: report headers can be modified
And in Q1 2007:
• ACR 2 Basic - Enterprise Edition: for managing multiple locations; ships with 10 site licenses

The Compliance Process

Automated Compliance Reporting
• Information Security involves reducing the risk of loss or theft of protected information
• Perfect Information Security would require infinite resources
• Compliance involves providing enough security to meet the "standard of care"
• Compliance is perfectly possible - and required!

Automated Compliance Reporting
• How does an organization determine a "reasonably foreseeable" risk?
• Or a "material change"?
• "Reasonably foreseeable risks" under Federal law are defined by the National Institute of Standards and Technology (NIST)
• The NIST standards are freely available...

They are also complex and extensive

Automated Compliance Reporting
• There is a better way.
• 79% of Americans use Turbo-Tax™ to deal with IRS regulations, which are long and complex
• ACR 2 is a Turbo-Tax™ style simplification of the NIST protocols to deal with information security regulations, which are also long and complex

Automated Compliance Reporting
• Risk Score is determined by multiplying the probability of the event by the impact of the event
• Risk Scores range from 1 to 100, with 50-100 High, 10-50 Medium and scores <10 considered Low.
• For risks labeled High, corrective action must be taken "as soon as possible" (NIST 800-30).

Automated Compliance Reporting
• For Medium risks, correction must be within a "reasonable amount of time", while Low risks may be merely observed.
• How do organizations achieve acceptably Low Risk?
• The NIST definition of "Low Risk" means that "controls are in place to prevent ... the vulnerability from being exercised"
• What controls are needed to achieve acceptably "Low Risk"?

Special Publication 800-53, Recommended Security Controls for Federal Information Systems
Ron Ross, Stu Katzke, Arnold Johnson, Marianne Swanson, Gary Stoneburner, George Rogers, Annabelle Lee

NIST 800-53 includes citations of these additional protocols

Automated Compliance Reporting is Much Easier
• To initiate the "Turbo-Tax™" approach to compliance, just browse to: www.acr2solutions.com

Using the ACR 2 Basic Reports
The first three ACR 2 reports are
1. The Safeguards Status Report - a summary of the current system status vs. NIST standards
2. The Automated Baseline Report - 30 threat source/vulnerability pairs scored from 1-100
3. The Risk Assessment Chart - same data as the Baseline, scored as red/yellow/green

Using the ACR 2 Basic Reports - cont.
Detailed information on each safeguard is available from the NIST

Using the ACR 2 Basic Reports - cont.
• The Deficiency Report lists the missing or underperforming safeguards relative to each risk.
• This allows creation of a remediation plan that addresses the high risk elements first, as required by the NIST protocols
• Each of the 30 risks is assessed separately
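As an added example (not code from the ACR 2 deck or product) of the scoring described on the Risk Score slides and the High-first ordering of the Deficiency Report, the script below scores constructed threat-source/vulnerability pairs as probability x impact, buckets them High/Medium/Low with the NIST 800-30 actions quoted above, and sorts them into a remediation plan. The likelihood/impact weights and the boundary handling (High above 50, Medium above 10) are assumed from the SP 800-30 risk-level matrix, since the slide's "50-100 / 10-50" ranges leave the boundary values ambiguous.

```python
# Likelihood and impact weights from the NIST SP 800-30 (2002) risk-level matrix.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}
# Required action per level, as quoted on the slides, and the chart colour for it.
ACTION = {"High": "corrective action as soon as possible",
          "Medium": "correction within a reasonable amount of time",
          "Low": "observe only"}
COLOR = {"High": "red", "Medium": "yellow", "Low": "green"}


def risk_score(likelihood, impact):
    """Risk score = probability of the event x impact of the event (1..100)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score):
    """Bucket a 1-100 score. Assumption: boundaries follow the 800-30 matrix
    (High >50, Medium >10, else Low); the slide leaves them ambiguous."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def baseline_report(pairs):
    """Automated Baseline Report: score every threat-source/vulnerability pair."""
    rows = []
    for name, likelihood, impact in pairs:
        score = risk_score(likelihood, impact)
        level = risk_level(score)
        rows.append({"pair": name, "score": score, "level": level,
                     "color": COLOR[level], "action": ACTION[level]})
    return rows


def remediation_plan(rows):
    """Deficiency Report ordering: High first, then Medium, then Low."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    return sorted(rows, key=lambda r: (order[r["level"]], -r["score"]))


# Constructed sample pairs (not from the slides); a real baseline holds 30.
SAMPLE_PAIRS = [
    ("Insider / excessive file-share permissions", "Medium", "Medium"),
    ("Power loss / no UPS on file server", "Low", "Medium"),
    ("External attacker / unpatched web server", "High", "High"),
    ("Malware / stale anti-virus signatures", "Medium", "High"),
]

if __name__ == "__main__":
    for r in remediation_plan(baseline_report(SAMPLE_PAIRS)):
        print(f'{r["score"]:>5.1f} {r["level"]:<6} {r["color"]:<6} {r["pair"]}: {r["action"]}')
```

Note that the Medium-likelihood / High-impact pair lands exactly on 50 and is classed Medium under the 800-30 convention; decide that boundary explicitly before comparing your own scores with a vendor's chart.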

ACR 2 reduces over 90 NIST protocols to a simple "Turbo-Tax™" style question and answer format. The ACR 2 reports can be updated on demand whenever new data becomes available.

One Compliance Option is to Read, Understand, and Apply the NIST Protocols

The Better Option is to Use Automated Compliance Reporting
How Much is Your Time Worth?