GSS AIM Case Study (APPROVED)


Governance & Strategy Services

Building Strategic Security Programs

Building a Security Program using ISO 27001


CASE STUDY: American Imaging Management

“As part of AIM’s commitment to securing the protected health information that we receive from our clients, we strive to set the industry benchmark in information security.”
- Rich Bergman, CISO, American Imaging Management
“The infosec space has certainly matured in recent years. Organizations have realized the need to actively patrol security as a part of their governance framework,” says Terry Kurzynski, CEO of Halock Security Labs, a Schaumburg, IL based information security consultancy. Halock refined its service offerings and identified healthcare as one of the major verticals to serve. “With heavy new regulations hitting healthcare, we developed solutions tailored for the industry and trained our teams,” says Jeremy Simon, Halock’s CTO.

Kurzynski says the message is simple: “use ISO 27001 to govern your security program.” Since 2005, organizations in the U.S. have been able to register their Information Security Management Systems (commonly referred to as the Security Program) to the ISO standard. “We see 2008/2009 as the tipping point year, the year when a critical mass of companies has completed registration and awareness begins to spread virally. Just as many in manufacturing worked to obtain ISO 9001 registration in the early 90s, so too will information-centric organizations strive to obtain ISO 27001 registration to demonstrate they have a mature information security program,” says Kurzynski.

Why ISO 27001?

ISO 27001 is a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System (ISMS), often referred to as the Security Program.
- IT security controls recognized internationally
- Formal registration available
- Harmonizes security requirements from regulation, legislation, and the business
- Often identified as a vendor requirement
- Demonstrates the existence of a mature security program
- Flexible to adapt to changing threats and security requirements
- Integral part of any enterprise IT governance strategy

“Halock helped us identify threats and gaps to ISO 27001, and also helped us remediate our vulnerabilities.”
- Inna Berkovich, CIO, AIM

A great example of Halock’s services in action is its recent work with American Imaging Management (AIM). AIM is a leading technology company in its segment and was in the process of redefining its information security program to meet its evolving business demands. AIM was searching for the right partner to help it harmonize and centralize the management of security controls. Enter Halock Security Labs.

Why Halock….

During an internal review of its security needs, American Imaging Management (AIM) identified the need to perform due diligence with an outside security expert. AIM spent a month interviewing security firms and selected Halock Security Labs because of Halock’s ability to not only assess vulnerabilities, but to assist in remediation efforts, including application security solutions.

“AIM differentiates itself through innovation, technology and service; security is a pre-requisite for all of those values.”
- Brandon Cady, President, AIM

Solution Approach
AIM concluded that it needed to invest and expand its current corporate security posture to enhance
security for itself, its clients and the lives covered under its programs. Halock’s first task was to
perform a risk assessment on AIM’s current security program.

Part I

Halock performed an ISO 27001 gap assessment to quantify AIM's overall security posture, and delivered a detailed recommended course of action to address and remediate areas that were both under- and over-controlled.

Halock provided guidance during various remediation efforts and an independent audit to ensure that
AIM’s scheduled client deployments were uninterrupted.

Subsequently, Halock provided a roadmap for building a Security Program that could be registered to the ISO 27001 standard. Inna Berkovich, AIM’s CIO, stated: “Our applications are consistently evolving to meet client needs. We need a security program that provides the flexibility to address new threats and security requirements; ISO’s framework offers us that ability.”
Part II

As a first step to implementing the new Security Program, Halock championed ISO’s Plan-Do-Check-Act cycle to deploy a comprehensive set of security controls and initiatives. Through the following months, Halock worked as a member of AIM's Security Governance Committee and the following efforts were completed:
- Defined granular roles and responsibilities
- Specifically identified security requirements (legislative, regulatory, and contractual)
- Defined supporting policies, standards and procedures
- Defined and established a security awareness program
- Expanded the vulnerability management program
- Collaborated with BC/DR to integrate Security Program objectives
- More clearly defined the incident response program
- Implemented an internal security control audit program
- Conformed the Security Program to existing AIM Compliance, Privacy and Standards initiatives

Plan-Do-Check-Act Cycle
- Plan: Establish the Security Program
- Do: Implement and Operate the Security Program
- Check: Monitor and Review the Security Program
- Act: Maintain and Improve the Security Program

“As we continue to expand relationships with new and existing clients, our security
program offers an important and tangible area of differentiation that is
increasingly required by our customers.”
- Brandon Cady, President, AIM

Timeline (2003–2006)
April 2003: AIM is HIPAA Privacy compliant.
April 2005: AIM is HIPAA Security compliant.
August 1, 2006: AIM enters into contracts with Halock Security Labs to assist with an ISO 27001 gap assessment, including a detailed recommended course of action to remediate findings.
August 2006: Halock begins project management and engineering efforts to remediate gaps from the risk assessment.
September 2006: Independent auditor performs a comprehensive Corporate Security Assessment against the ISO 27001 standard.
October 2006: Independent auditor reports evidence that AIM has an ISO 27001 based security program, and client implementation continues as scheduled.
Part III

As AIM prepares for its annual Corporate Security Assessment in late Q3 and as Halock continues to
refine and improve components of the operational Security Program, AIM is confident that it is fully
compliant with the expectations of the ISO 27001 Standard and is ready to begin preparations for
formal registration. AIM has set a target of Q1 2008 for completion of the registration process. Inna
Berkovich, the CIO of AIM stated “Halock helped us to get Senior Management buy in early in the
process, which was key to successful implementation of the new Security Program.”

“AIM’s partnership with Halock to implement the ISO 27001 standard only
serves to strengthen our HIPAA privacy and security programs to protect
the confidentiality and integrity of the information entrusted to us by our
clients.”
- Kristine Tomzik, VP and Chief Compliance Officer, AIM

Timeline (continued, 2006–2008)
November 2006: AIM adopts a newly integrated Security Charter with representation throughout the organization.
January 2007: AIM Executive Management approves a long term strategy with Halock to fully adopt an ISO 27001 Security Program throughout its entire operation, with a primary objective to achieve registration in 18 months.
January–July 2007: AIM establishes an appropriate schedule and resource allocation for ISO 27001 registration.
September 2007: AIM wins new contracts covering over 3 million lives, bringing the total lives covered under the company’s program to over 20 million.
Q1 2008: Anticipated completion of ISO 27001 registration.
Q2 2008 and beyond: AIM to maintain and continually improve its Security Program in accordance with new legislative, regulatory, and business requirements.
About AIM:

Founded in 1989, Deerfield, Ill.-based AIM is a leading manager of outpatient diagnostic imaging services. Since its inception, AIM has developed a spectrum of programs and services that ensure the right test is ordered at the right time, that patients are directed to the best imaging location for the service, and that proper payment is made by the health plan for the service. AIM’s programs manage diagnostic imaging services for more than 20 million people on behalf of health insurers across the United States. For more information about AIM, please visit www.americanimaging.net.

About Halock Security Labs:

Halock Security Labs is a full service Security Risk Management consulting firm focused on leveraging the ISO 27001 standard for information security best practices. Founded in 1996, Halock Security Labs (formerly Remington Associates) has assisted clients in securing their networks and applications while meeting their security requirements in confidentiality, integrity, availability, and compliance. Halock service teams include Governance & Strategy, Assessment & Compliance, PCI Compliance & Validation, Network & Systems Security, as well as Application Security. Halock’s client base is centered around healthcare, retail, and finance. www.halock.com

About ISO 27000 (27001/27002):

As security breaches intensify and regulations multiply, the need for a framework to manage vulnerabilities is evident. ISO 27000 provides the guidance to initiate, build, manage, and assess information security within any organization. Some of its features include:
- Security Policy – documented management support for information security.
- Security Organization – a management framework for information security.
- Asset Classification and Control – assigned responsibility for inventory of assets.
- Personnel Security – well defined security roles and responsibilities.
- Environmental Security – security requirements for people and premises.
- Communications and Operations Management – operational optimization of communications of your ISMS.
- Access Control – ensure appropriate access to information and network assets.
- Systems Development and Maintenance – appropriate systems life cycles that minimize vulnerabilities and encrypt when necessary.

About Halock Governance & Strategy Services:

Governance & Strategy starts with identification and publication of security requirements and the security organization. Halock’s Governance specialists will assist in identifying the regulatory, legislative, contractual and business mission related security requirements and harmonize them. These requirements are gathered from the business leadership, many of whom will be a part of the security organization.

Development of the Security Program Roadmap is a key deliverable from the Governance & Strategy team. Organizations can then build and deploy the controls and solutions that help meet their security requirements. Halock’s Governance & Strategy Services include:
- InfoSec Program Development
- Virtual CISO/Security Council
- ISO-27001 Registration Preparedness
- Policy & Procedure Development
- Security Governance Planning
- Incident Response Planning
- DR/BC Planning & Strategy

1834 Walden Office Square Suite 150 * Schaumburg, IL 60173 * 847.221.0200 * www.halock.com
