FRSecure is a full-service information security management company that protects sensitive, confidential business information from unauthorized access, disclosure, distribution, and destruction.
Information security is not one-size-fits-all, as others would lead you to believe. FRSecure works hard to assess your most significant vulnerabilities (information security assessment), put a plan together for managing those risks (information security roadmap), and help you execute that plan (information security program development).
What makes FRSecure different?
Mission Before Money:
Our mission to fix the broken industry comes first. The priority has been and always will be helping people. Whether it’s training, resources, or threat intelligence, we will do our best to provide free tools to improve how we protect people’s data.
Award-Winning Team:
FRSecure takes pride in our team’s performance. As a company, we consistently win top workplace. We also win national awards based on customer satisfaction and our technical team dominates world hacking challenges at DEFCON.
Universal Assessments:
We didn’t like how anybody quantified risk so we built our own assessment. Our unique risk assessment methodology is based on NIST, maps to every major industry standard, and extends far beyond simple technical controls.
Product Agnostic, On Purpose:
We do not sell any third-party products, and security is all we do. Our advice will always be made with improving your security program in mind. We will never recommend hardware or software unless it’s what’s best for your organization.
Min project size: $5,000+
Hourly rate: Undisclosed
Employees: 50 - 249
Location: Edina, MN
Year founded: 2008
Languages: English
Timezone: Central Standard Time (CST)
Pricing Snapshot
Min. project size: $5,000+
Avg. hourly rate: Undisclosed
Rating for cost: 4.7/5
What Clients Have Said
FRSecure offers competitive pricing with projects ranging from $1,500 to $60,000 annually, depending on client size and services. Clients appreciate the value for cost, highlighting strong project management and effective communication, leading to high satisfaction and measurable improvements in security posture.
Clients express satisfaction with FRSecure's thorough security assessments, which have led to significant improvements in security controls and compliance with industry standards.
Challenges with Security Training
While overall satisfaction is high, one review mentioned the challenge of implementing security training effectively in educational settings, indicating a potential area for FRSecure to expand or adapt their training services.
Strong Client Relationships
Clients commend FRSecure for building strong, trusted relationships. Their commitment to customer service and willingness to go above and beyond, such as offering free consultations and personalized support, has been highly appreciated.
Praise for Detailed Reporting
Clients frequently commend the clarity and depth of FRSecure's security reports, which are both comprehensive and understandable. These reports have been crucial in guiding security improvements and satisfying regulatory requirements.
Cost-Effective Services
FRSecure is recognized for providing high-quality security services at a reasonable cost. Clients appreciate the value they receive, especially when compared to other vendors in the cybersecurity space.
High Integrity and Ethical Standards
Many clients highlight FRSecure's integrity, noting their dedication to doing what is right for the client rather than upselling unnecessary services. This ethical approach has built trust and loyalty among their client base.
Cybersecurity Assessment for Business Services Firm
Cybersecurity
$10,000 to $49,999
June 2017 - Ongoing
Overall: 5.0
Quality: 4.5
Schedule: 5.0
Cost: 5.0
Willing to Refer: 5.0
“FRSecure offers a wide range of services at a fraction of the cost of their competitors.”
Oct 4, 2018
VP Operations, SERVICE 800
Jeff Schwendinger
Other Industry
Long Lake, Minnesota
201-500 Employees
Phone Interview
Verified
FRSecure completed a series of cybersecurity assessments to test General Data Protection Regulation (GDPR) compliance. They conducted an external vulnerability scan and analyzed physical data systems.
FRSecure delivers the most comprehensive cybersecurity reports on the market. With a rich background in data protection, their impressive team leaves no room for server hacks or data breaches.
A Clutch analyst personally interviewed this client over the phone. Below is an edited transcript.
BACKGROUND
Introduce your business and what you do there.
I’m the VP of operations at SERVICE 800. We provide voice of the customer (VOC) services to help our clients measure the satisfaction of their consumers.
OPPORTUNITY / CHALLENGE
What challenge were you trying to address with FRSecure?
Data protection laws recently shifted from the relatively lax International Safe Harbor Privacy Principles to the more strict GDPR framework. In preparation for migrating our physical servers to the cloud, we wanted to ensure our clients’ data continued to be secured as outlined in the new policies.
SOLUTION
What was the scope of their involvement?
Our first involvement was contracting FRSecure to perform an external vulnerability scan. They followed up with a more thorough, two-day scan of our physical site, including our cameras, windows, rooftop access, and servers. After finishing the assessments, they generated a detailed roadmap of where our data protection currently stands and where improvements could be made. The report included a list of what they discovered and the measures that we should take to resolve them; their team meets with us each month to track our progress. FRSecure also helped us draft a new NDA that requires our subcontractors and consultants to adopt GDPR-compliant policies.
What is the team composition?
They have a designated vCISO for our account, but we also interact with the CEO, the sales team, and the IT department.
How did you come to work with FRSecure?
A simple web search led us to FRSecure. They provided all of the security scans that we needed. The fact that they also had an office close to ours helped, as we met with them in person before deciding to hire them for the job.
How much have you invested with them?
We’ve spent about $30,000 to date.
What is the status of this engagement?
They did the initial scan in July 2017, and they returned in October 2017 to complete the full assessment. We plan to continue working with them beyond our one-year agreement.
RESULTS & FEEDBACK
What evidence can you share that demonstrates the impact of the engagement?
In the past, we had to make certain assumptions that our data was protected. But FRSecure revealed areas that could be improved. Since using their services, we have the comfort of knowing that all of our policies are up-to-date and compliant with the new regulations.
How did FRSecure perform from a project management standpoint?
We have varying levels of technical proficiency with our staff, yet FRSecure was able to explain the recommended corrective actions coherently to our entire team.
What did you find most impressive about them?
FRSecure offers a wide range of services at a fraction of the cost compared to hiring those same skills internally/full-time. In addition, they’re exceedingly transparent about their security testing methods. Vendors don’t typically disclose all of the secrets to their success, but FRSecure regularly hosts meetings for all of their clients to attend and learn about the latest in cybersecurity news.
Are there any areas they could improve?
Due to the numerous changes in data security, we could miss out on a lot if we didn’t read their newsletters or attend their conferences. However, whenever we have raised questions on new services, they are quick to respond.
Do you have any advice for potential customers?
FRSecure’s data protection services are an excellent investment, so don’t hesitate to reach out to them.
RATINGS
Overall: 5.0
Quality (Service & Deliverables): 4.5
Schedule (On time / deadlines): 5.0
Cost (Value / within estimates): 5.0
Willing to Refer (NPS): 5.0
Cybersecurity Audit for Shoe Retail
Cybersecurity
$10,000 to $49,999
Mar. - Apr. 2018
Overall: 5.0
Quality: 5.0
Schedule: 5.0
Cost: 4.0
Willing to Refer: 5.0
"They were easy to get a hold of for questions and great at communicating with us."
May 14, 2018
President, Schuler Shoes
Mike Schuler
Retail
Maple Grove, Minnesota
201-500 Employees
Phone Interview
Verified
After a thorough discovery and interview phase, FRSecure delivered an in-depth cybersecurity audit and provided best-practice policies.
FRSecure's reports indicated several significant external threats and advised secure solutions against them. Their expertise in their field, amiable approach and autonomous workflow allowed for a smooth engagement.
A Clutch analyst personally interviewed this client over the phone. Below is an edited transcript.
BACKGROUND
Introduce your business and what you do there.
I am the president of Schuler Shoes, a retail store company with nine locations in the Minneapolis St. Paul area and an online presence. We’ve been around for 125 years.
OPPORTUNITY / CHALLENGE
What challenge were you trying to address with FRSecure?
We needed a technology specialist to create a roadmap to identify the information security threats we are exposed to as well as ways to approach them in order of priority based on the risk of the threat and related to our business needs.
SOLUTION
What was the scope of their involvement?
FRSecure started off with a general collection of data over the phone and sent us some documents to allow access to our security systems. Then, they walked us through the scope of the work.
For the main portion of the project, they came onsite and asked us questions to understand our company and its requirements. Then, their team did some offsite work, scanning our security for vulnerabilities. Using the gathered research, they prepared a 200-page report highlighting our strong points and places that needed improvement. They also provided a checklist in Excel showcasing the security and functions that we could improve, which they took us through step by step. Finally, FRSecure created security policies to help guide and direct our IT team from a policy and HR standpoint.
What is the team composition?
We had an initial sales contact, and then once we signed on, we were assigned a project manager. We were also provided two technical specialists that helped us with the onsite work.
How did you come to work with FRSecure?
A previous employee of ours introduced us to FRSecure. We liked that they were local and understood our business a little—even before we hired them.
How much have you invested with them?
We invested $17,000 in total.
What is the status of this engagement?
We worked with them in March 2018 and ended the engagement in April 2018.
RESULTS & FEEDBACK
What evidence can you share that demonstrates the impact of the engagement?
It is a little early to measure results. However, through security scans they did, we found ways to secure against external threats and hackers. The policies they created for internet use, computer use, and device use from home also secured our systems.
FRSecure's expertise, in general, has been very useful for us and they found technical solutions that we wouldn’t have known about. The results are still coming in, but so far it's already been worth the time and money we've spent.
How did FRSecure perform from a project management standpoint?
They were easy to get a hold of for questions and great at communicating with us. They worked autonomously and made the process easy.
What did you find most impressive about them?
FRSecure have a lot of experience, knowledge, and understanding of the landscape. They have a lot of clients who have more regulatory requirements such as health care providers, and we could tell they were professionals. They were very friendly and always polite with their suggestions. Their team was always trying to improve our business.
Are there any areas they could improve?
The process relied heavily on the interviews and that took a long amount of time. Smaller companies, like us, would benefit from maybe a more miniature version of the discovery process to save some time and money. However, overall, they did an excellent job.
RATINGS
Overall: 5.0
Quality (Service & Deliverables): 5.0
Schedule (On time / deadlines): 5.0
Cost (Value / within estimates): 4.0
Willing to Refer (NPS): 5.0
Cybersecurity Audits and Training for Printing Firm
Cybersecurity
$50,000 to $199,999
Mar. 2012 - Ongoing
Overall: 5.0
Quality: 5.0
Schedule: 4.5
Cost: 4.0
Willing to Refer: 5.0
"The higher level of security we’ve achieved with their guidance has allowed our business to grow immensely."
Mar 13, 2018
Security Administrator, Premier Printing Company
Anonymous
Manufacturing
United States
201-500 Employees
Phone Interview
Verified
FRSecure provides a variety of cybersecurity services, including security and payment card industry (PCI) auditing and recommendations. They also train employees on security policies and procedures.
FRSecure’s recommendations have resulted in a level one PCI certification, which is the highest level of certification a company can achieve. Their highly personalized recommendations and services have resulted in heightened security and continual growth in business.
A Clutch analyst personally interviewed this client over the phone. Below is an edited transcript.
BACKGROUND
Introduce your business and what you do there.
I’m the security administrator at a high-end printing company. We do printing primarily for fashion retail, financial, and healthcare industries.
OPPORTUNITY / CHALLENGE
What challenge were you trying to address with FRSecure?
We have access to a lot of our customers’ secure and sensitive data in order to print catalogs with their clients’ mailing addresses and send them out. As such, we need to have a strong security system to protect that data. Ours was a bit scattered and weak when I was hired, so I was looking to revamp our security policies and procedures, particularly involving security audits. FRSecure provided their expertise to guide that process.
SOLUTION
What was the scope of their involvement?
Security auditing is one of the largest aspects of FRSecure’s work with us. It assures our customers that we are as secure as we claim to be and they can trust us with their data. Every two years, they do a comprehensive two-day audit of administrative, technical and physical security systems. I provide them with documentation of our security procedures, as well as other evidence I can offer to prove we’re doing everything we can to protect our customers’ internal data.
After they’ve completed the audit, they deliver a graded report with recommendations on what we can do to improve. That recommendation is extremely important to us because it helps us prioritize the issues that need to be addressed.
Beyond audits, FRSecure has advised on a lot of our security policies and procedures. They’ve designed some of the security awareness and incident response training we send out to our employees. They’ve also come on site and given live training to our employees.
Another large part of our partnership is their assistance on our payment card industry (PCI) certification. To collect credit card data, our credit card data security system has to be audited and pass the PCI certification. The PCI council allowed FRSecure to be our PCI auditor, which has been greatly helpful because they know our system so well. With their recommendations and assistance, we’ve been able to pass our PCI certification for the last three years.
What is the team composition?
In the early days of our partnership, we worked closely with FRSecure’s CEO and founder, Evan Francen. As the company grew and Evan took on more responsibilities, we began working with our own security advisor and project manager from their team. We also work with a variety of additional people from their team depending on the project. Currently, we’re working closely with about five people from their team.
How did you come to work with FRSecure?
One of the sales reps cold-called us to offer their services. After doing a bit of research on them and meeting with Evan, we decided to move forward with them.
What is the status of this engagement?
We began working with them in 2012. Currently, we work with them on a monthly retainer basis.
RESULTS & FEEDBACK
What evidence can you share that demonstrates the impact of the engagement?
Thanks to FRSecure’s PCI audits and recommendations, we’ve earned a level one PCI certification, which is the highest level you can achieve.
The higher level of security we’ve achieved with their guidance has allowed our business to grow immensely. Clients trust us with their sensitive data and that wouldn’t be possible without FRSecure’s services.
How did FRSecure perform from a project management standpoint?
We’re very happy with their performance. They remain available to us whenever we want to communicate, whether it’s about current projects or any security incident we have to respond to. We primarily use email and phone to communicate with them.
What did you find most impressive about them?
They’re extremely personable. I know their staff on a first-name basis. Despite them being a growing business, I still feel like I’m working with smaller, personalized security consultants. I never feel like I’m bothering or burdening them when I reach out. They’re always available and willing to help.
Are there any areas they could improve?
This isn’t an area for improvement, but I would suggest that they make sure to maintain the small, personalized feeling of their firm despite its growing clientele. I think it’s what distinguishes them.
RATINGS
Overall: 5.0
Quality (Service & Deliverables): 5.0
Schedule (On time / deadlines): 4.5
"They’ve done an excellent job on scheduling."
Cost (Value / within estimates): 4.0
"They’ve been flexible with us, but there’s always room for improvement."
Willing to Refer (NPS): 5.0
IT Security Assessment for Supermarket Chain
Cybersecurity
$10,000 to $49,999
Dec. 2017 - Feb. 2018
Overall: 5.0
Quality: 5.0
Schedule: 5.0
Cost: 5.0
Willing to Refer: 5.0
"They used a comprehensive methodology that produced a comprehensive report. I was very pleased and so was my boss."
Mar 5, 2018
Senior IT Security Analyst, Grocery Chain
Anonymous
Retail
Minnesota, United States
5,001-10,000 Employees
Phone Interview
Verified
FRSecure conducted an internal and external risk assessment of a grocery chain’s e-commerce platform. The assessment included an on-site visit to evaluate security policies and physical controls.
FRSecure produced a comprehensive and easily understood report that identified key areas for security improvement. The team’s common sense and intuitive approach stood out, and helped to solidify a long-term relationship.
A Clutch analyst personally interviewed this client over the phone. Below is an edited transcript.
BACKGROUND
Introduce your business and what you do there.
I am the senior IT security analyst for a regional grocery store chain in the upper Midwest.
OPPORTUNITY / CHALLENGE
What challenge were you trying to address with FRSecure?
I am a staff of one and we do not have a lot of funds to dedicate to security initiatives. In order to get a better handle on threats, I realized we needed to reach out to a company that had an excellent history of conducting risk assessments and was competitive in the market space. Specifically, we needed someone to look at our e-commerce platform and assess its internal and external risks.
SOLUTION
What was the scope of their involvement?
FRSecure had a unique proprietary risk assessment methodology that started with a basic scope review. They then moved onto a technical phase by taking a look at our network diagrams and policies while scanning for vulnerabilities.
Next, they conducted a two-day onsite visit. The first day, they focused on our administrative controls by interviewing key stakeholders involved in the management of the e-commerce platform. The second day, they focused on our physical security—administrative and physical controls, etc.—and then provided a very comprehensive report. The report included a basic executive summary for middle management and a technical overview that identified exactly what we need to fix.
They used a comprehensive methodology that produced a comprehensive report. I was very pleased and so was my boss.
What is the team composition?
I worked with one individual from FRSecure on the project.
How did you come to work with FRSecure?
The store has a business relationship with them going back a few years, so we knew they were a proven commodity we could trust. The relationship was established before my time, but I was aware of them as well and knew they were a great company.
How much have you invested with them?
It was very economical—approximately $13,000.
What is the status of this engagement?
We began working with FRSecure in December 2017, and we concluded with the onsite visits in February 2018.
RESULTS & FEEDBACK
What evidence can you share that demonstrates the impact of the engagement?
An interesting aspect of their methodology is that their metric reports correspond to credit report ratings so that people are innately familiar with it. Like credit scores, FRSecure’s scores go from 300 to 800, and we did outstanding overall. There were some findings, however, and we are using their recommendations to actively remedy some technical aspects of our security and add to our administrative policies.
How did FRSecure perform from a project management standpoint?
We had no problem at all with project management. We mostly communicated over email and phone, while collaborative work was done through their own communications application.
What did you find most impressive about them?
FRSecure has a very common sense approach to risk assessment. Most other companies get carried away with grandiosity and make things too complicated. FRSecure’s approach is very intuitive. Take for example their application of credit score ratings; the information is presented in a way that makes it easy for key stakeholders to understand without needing a long explanation process.
Are there any areas they could improve?
I don’t have any recommendations for improvements. They just need to keep doing what they are doing.
RATINGS
Overall: 5.0
Quality (Service & Deliverables): 5.0
Schedule (On time / deadlines): 5.0
Cost (Value / within estimates): 5.0
Willing to Refer (NPS): 5.0
Penetration Testing for Law Firm
Cybersecurity
Less than $10,000
June - Jan. 2017
Overall: 5.0
Quality: 5.0
Schedule: 5.0
Cost: 5.0
Willing to Refer: 5.0
“They’re incredibly knowledgeable, very helpful, and willing to answer anything.”
Feb 22, 2018
Financial Manager, Mackoff Kellogg Law Firm
Blake Markegard
Legal
Dickinson, North Dakota
11-50 Employees
Phone Interview
Verified
FRSecure provides annual penetration testing to ensure compliance with strict regulations. Once testing is complete, they deliver an extensive written report with recommendations to improve system security.
FRSecure offers a valuable service with a professional approach. Facilitating a smooth process, they complete testing within a week and don’t require website downtime to do so. The testing report is thorough but comprehensible. Deadlines and project goals were safely met.
A Clutch analyst personally interviewed this client over the phone. Below is an edited transcript.
BACKGROUND
Introduce your business and what you do there.
I’m a financial manager at Mackoff Kellogg Law Firm. We’re a traditional law firm, but also provide legal services to major banks across the country.
OPPORTUNITY / CHALLENGE
What challenge were you trying to address with FRSecure?
Our bank clients require us to do penetration testing to ensure our system is secure. We reached out to FRSecure to provide this service.
SOLUTION
What was the scope of their involvement?
They currently only do penetration testing for us, but that could change at any moment with our requirements. The actual testing lasted about a week. Afterwards, they gave us a comprehensive report with suggestions on how to further protect our data. We're definitely open to utilizing them for additional services in future.
What is the team composition?
I communicated with a main point of contact and worked directly with one tester as well. However, two or three testers worked on the project.
How did you come to work with FRSecure?
We considered several companies, but FRSecure was recommended to us by our IT vendor. Considering the cost and a couple of other factors, we felt they were the best fit for our company.
How much have you invested with them?
We’ve spent $4,500.
What is the status of this engagement?
We started working with them in June 2017 and the relationship is ongoing.
RESULTS & FEEDBACK
What evidence can you share that demonstrates the impact of the engagement?
FRSecure’s services help us maintain compliance with our major banking clients. The process was smooth and painless. We’re very happy with the quality they provide.
How did FRSecure perform from a project management standpoint?
They respond to questions via email on the same day. They’re prompt and the process was everything I could have wanted. We met every deadline set in the project timeline.
What did you find most impressive about them?
Their responsiveness and expertise are noteworthy. There was no downtime on our end, so we didn’t notice when it was happening. They made it an easy process for us.
Are there any areas they could improve?
I don’t have any complaints about what they did for us.
Do you have any advice for potential customers?
I’d recommend customers ask lots of questions. They’re incredibly knowledgeable, very helpful, and willing to answer anything.
RATINGS
Overall: 5.0
"Every aspect of the experience was great."
Quality (Service & Deliverables): 5.0
"The report was easy to read but still comprehensive."
Schedule (On time / deadlines): 5.0
"No issues at all with timelines."
Cost (Value / within estimates): 5.0
"It’s an expensive process but a good value for what they did."
Willing to Refer (NPS): 5.0
"I’d recommend them to anybody looking to complete a similar project."
Annual Penetration Testing for Asset Management Firm
Cybersecurity
Less than $10,000
July 2015 - Ongoing
Overall: 5.0
Quality: 5.0
Schedule: 5.0
Cost: 5.0
Willing to Refer: 5.0
"Putting in place new security measures and seeing the score change has really given us a lot more confidence."
Feb 21, 2018
CCO, Tealwood Asset Management
Jodi Halbert
Financial services
Minneapolis, Minnesota
11-50 Employees
Phone Interview
Verified
FRSecure performs annual penetration tests to determine the security of an investment firm’s systems and information. Reporting and analytics round out the engagement.
Investor confidence increases in direct correlation to following FRSecure’s recommendations and improving test results. The team's patience, responsiveness, and ability to communicate difficult technological concepts in an easily understood way are hallmarks of the engagement.
A Clutch analyst personally interviewed this client over the phone. Below is an edited transcript.
BACKGROUND
Introduce your business and what you do there.
I'm the chief compliance officer and chief technology officer for an investment adviser. We manage individual accounts and invest our clients in stocks and bonds.
OPPORTUNITY / CHALLENGE
What challenge were you trying to address with FRSecure?
We were looking for a company to provide a double check of what we’ve done to secure our clients’ information. We wanted to find out if we’re doing the things that we should be in order to protect them and if there are areas where we need to improve.
SOLUTION
What was the scope of their involvement?
They perform an annual penetration test by attempting to access our system to see where there might be holes and vulnerabilities. They also do a scan of what’s out there in social media or on our website that may give people information that could be dangerous. The test itself takes place over one night and then FRSecure runs the results through their scoring system. About three weeks later we have a conference call where they give us a full report along with their recommendations for any changes we should make.
What is the team composition?
The team is about four people and we have one main contact.
How did you come to work with FRSecure?
I was introduced to them when they spoke at a compliance roundtable. I called and talked to them and liked what they had to offer.
How much have you invested with them?
The initial test was more but now we spend around $1500 each year.
What is the status of this engagement?
We started in 2015 so this will be our third year running the test in July.
RESULTS & FEEDBACK
What evidence can you share that demonstrates the impact of the engagement?
There were a number of suggestions for steps to take after the initial test in 2015. We followed their recommendations and it significantly changed our score. The tester actually said he had to double check to make sure he was looking at the same company because the score changed so dramatically.
Putting in place new security measures and seeing the score change has really given us a lot more confidence in our IT provider. It also comforts our clients when they learn of the steps that we’re taking to protect their information.
How did FRSecure perform from a project management standpoint?
I never have any issues with communication. They’re always available to answer any questions, even when I have follow-up questions after getting the report. The test requires very little hands-on time on our end, which makes it painless.
What did you find most impressive about them?
I really like the report that they provide because they really break everything down. That level of detail makes me feel that they looked into things carefully and are there to help us do better.
Are there any areas they could improve?
No.
Do you have any advice for potential customers?
Take time to analyze the report and ask questions. Having them break down the technical jargon and discuss it in layman's terms is really important and really helpful.
RATINGS
Overall: 5.0
"I’m really happy to have found them."
Quality (Service & Deliverables): 5.0
"Their work is very detailed and thorough."
Schedule (On time / deadlines): 5.0
"I never had to wait for anything."
Cost (Value / within estimates): 5.0
"They're very reasonably priced for what they do."
Willing to Refer (NPS): 5.0
"I've already recommended them a couple of times."
Cybersecurity Audit for Actuarial Consulting Firm
Cybersecurity
Confidential
Jan. 2017 - Ongoing
Overall: 5.0
Quality: 5.0
Schedule: 5.0
Cost: 4.0
Willing to Refer: 5.0
"They’ve been there every step of the way and done everything as we agreed."
Jun 13, 2017
Founder, Hildi, Inc.
Tony Urdahl
Financial services
Minneapolis, Minnesota
11-50 Employees
Phone Interview
Verified
FRSecure is conducting a SOC 2 audit to ensure data security. The process involves remote and on-site examination of both digital assets and physical conditions.
FRSecure identified several points of weakness and suggested concrete resolutions. Testing is thorough and communication consistent regardless of circumstances.
A Clutch analyst personally interviewed this client over the phone. Below is an edited transcript.
BACKGROUND
Introduce your business and what you do there.
We’re a small actuarial consulting firm with 11 employees.
OPPORTUNITY / CHALLENGE
What challenges were you trying to address with FRSecure?
We had a client that was worried about their data, so we were basically required to do a SOC 2 (Service Organization Controls) audit if we wanted to keep them as a client. This was the first time we interacted with a cybersecurity company in this way.
SOLUTION
What was the scope of their involvement?
Everything’s been related to a SOC 2 audit. We’ve done two to three different engagements with them related to that. A lot of firms are requiring their partners and vendors to go through a SOC 2 audit. It basically makes sure we have the processes and procedures to minimize risks of a cybersecurity breach. We hold a lot of their data, and they want to ensure we’re secure. That’s where FRSecure came in.
A SOC 2 audit entails getting all your systems up to snuff, and then an auditor comes in to confirm we’ve done it right. We’re at the stage right now where FRSecure is helping us get ready for this audit. We’ll have the auditor come in very soon, and we’re hoping we pass. We’re setting up lots and lots of policies. For example, if you have a new employee come in, we have a policy that defines the steps IT needs to take.
They look at our server to make sure it has all the up-to-date stuff, so the client can’t get hit. We have to make sure we lock our file rooms and don’t leave stuff at our desks, all the various things that would increase the chances of Social Security numbers being released to the wrong people. It’s the whole process; setting up all the policies, and then other processes, and working with our internal IT guy to make sure we’re doing the most up-to-date stuff.
We had one on-site meeting, but otherwise, it’s all done remotely. It’s nice to have that option. FRSecure delivers reports and action items as they go along. They’ve given us samples to work with, so we start with those and modify them to meet our firm’s specifics. They’ve been very knowledgeable, and they’ve had a lot of good tools that allow us to work with what they’ve given us and to update.
How did you come to work with FRSecure?
I looked up local auditors who do SOC 2 audits, and they’re the ones who actually referred us to FRSecure. The auditors had worked with them many times and said it’s gone well. They’re a smaller company close to us, so it just made a lot of sense. They were the only company we interviewed.
What is the status of this engagement?
We’ve been working together for almost a year. It’s been taking us a long time, and I’m still not done. That’s not due to anything FRSecure has done, we’re just busy at work. I have to update a few more policies and get that ready for the auditor.
RESULTS & FEEDBACK
Could you share any evidence that would demonstrate the productivity, quality of work, or the impact of the engagement?
We’ve made a lot of changes. We’ve set up all these policies, and now we’ve been having regular IT meetings internally. We’ve had meetings with employees to talk about security. We’ve locked our server room so no one can just walk in and do what they want. We’ve changed configurations on the server based on what FRSecure has told us. We’ve changed how we’re sending data back and forth with clients. Basically, we’ve changed most everything in the overall data process.
We’ve hired them to do penetration testing. They try to attack our server to see if there are any holes in it. They do those monthly. There have been a few things we’ve changed due to these tests, which has been good. They’ve also given us some ideas on disaster recovery and business continuity. We’re still in the process of working on that right now, but they’ve definitely given us some good tools to update that.
How did FRSecure perform from a project management standpoint?
A lot of our communication is by email, but we also have scheduled meetings. We all get on and do a live webcast so they can see what we’re doing. We’re showing them everything we’re setting up, asking questions, and getting ready for this audit. That’s really what we hired them to do, get us ready to pass the audit. If I could spend a couple hours working on this stuff, I think we’ll be ready for the audit. I’ve met with the auditor once, and there were a couple things we still had to do, so we’re very close.
What did you find most impressive about FRSecure?
I didn’t know what to expect. Trying to change all your processes is not fun and not our business. It’s kind of been a pain, but not because of them. We’re realizing that we’re so far behind the times. It’s been good to talk with them, and they’re helping us get into the 21st century and be more prepared.
Are there any areas FRSecure could improve?
I can’t think of anything. They’ve done what we asked them to do. They’ve been there every step of the way and done everything as we agreed.
Do you have any tips for potential clients?
I would tell them that it’s going to take longer than they think, and it’s much more involved than they think. They’re going to have to devote someone to spend a lot of time. I’m not sure I would tell them to react any differently regarding FRSecure. I would just warn them as to what’s really involved. For a small business, it takes a lot of time away from doing your real business.
RATINGS
5.0
Quality
5.0
Service & Deliverables
Schedule
5.0
On time / deadlines
Cost
4.0
Value / within estimates
"They’re not cheap, but I see the value in it."
Willing to Refer
5.0
NPS
Early Stage Cybersecurity Services for Healthcare Tech Startup
Cybersecurity
$10,000 to $49,999
May 2015 - Ongoing
5.0
Quality
5.0
Schedule
5.0
Cost
5.0
Willing to Refer
5.0
"They were very flexible and understood our situation, especially as a startup."
Jun 9, 2017
President, Trailhead Health
Anonymous
Other Industry
Minneapolis, Minnesota
1-10 Employees
Phone Interview
Verified
FRSecure advises on cybersecurity measures to ensure HIPAA and PCI compliance, providing strategic recommendations for web development initiatives and fixes and conducting platform pen testing.
Thanks to FRSecure’s detailed understanding of both technical requirements and healthcare regulations, the complex site has maintained impeccable compliance and reliable performance. FRSecure’s responsiveness, customer-focused attitude, and robust audit processes continue to promote stability.
A Clutch analyst personally interviewed this client over the phone. Below is an edited transcript.
BACKGROUND
Introduce your business and what you do there.
I’m the president health care an online platform that brings together integrative holistic therapies. We educate consumers about their healthcare options and connect those consumers with local practitioners of each specialty.
OPPORTUNITY / CHALLENGE
What challenge were you trying to address with FRSecure?
We decided to approach FRSecure earlier than most companies would have. Many companies call them when they have issues or are in need of urgent consultancy. We called them as a startup because we needed a good HIPAA-compliance consultant from the beginning. We wanted to make sure that we built our website correctly and didn’t have to be reactive to something we didn’t build correctly, which can be very expensive and takes a lot of time. We were interested first in their HIPAA compliance knowledge and then PCI [payment card industry] compliance. We also wanted them to test what we’ve built via penetration to make sure that it’s sound.
SOLUTION
What was the scope of their involvement?
We started building this website from scratch. We built it internally with our IT people, and FRSecure definitely consulted with us on how to build it. Once we made certain pieces, we would circle back with them for tweaks so that the finished product would be extremely secure and built the right way. For PCI compliance—which is needed for any website that's going to be collecting credit card information—they made sure that we had a secure payment gateway that was integrated correctly within our site. They also helped us on the policy side of things by explaining rules and regulations and making sure that we knew exactly what to expect from a compliance standpoint. They promoted a secure environment as we were building the website, rather than waiting until the end.
The team from FRSecure included a handful of really great guys. John [VP of Operations, FRSecure] was our first point of contact. Then, John and Steve [Senior Sales Consultant, FRSecure] helped us understand the scope based on our needs and directed us to the right people within the team. Ryan [Solutions Engineer, FRSecure] and Tim [Information Assurance Analyst, FRSecure] were incredibly knowledgeable and really bright guys. They can talk the techie lingo but are able to explain it in a way that non-techie people can understand. We also had an account manager who would set up meetings and sit in to understand what we’re about, what we’re trying to do, and facilitate our needs there. Now, we’re working with Derek [Security Consultant, FRSecure]. He's been responsive and really helped us understand what we're doing as well.
How did you come to work with FRSecure?
We did our own research online, starting with Minnesota and spreading as far as California. We looked at 15 companies. We came across FRSecure’s website fairly quickly and definitely were impressed in the first go-round. We really liked their website and message, and they seemed very professional from the start. From there, we talked to John and got a very good first impression, so we went with FRSecure.
How much have you invested with FRSecure?
Over the last 3 years, we’ve spent around $15,000–$20,000, probably closer to $15,000. They will continue working with us throughout the rest of this year. We’re going to be rolling out some new features to our website to support patient-to-practitioner messaging, which has to be HIPAA-compliant as well. If somebody talks about having a certain disease or condition, you've got to follow that HIPAA compliance protocol. We plan to double our budget over the next year, spending close to $30,000 by 2018.
What is the status of this engagement?
We started working with FRSecure almost 3 years ago. The platform is live. We launched trailheadhealth.com in December or January of this year. As with any complex website, you're going to have bugs that you can only learn about later. Once we launched, we made changes and talked with FRSecure to make sure that our tweaks are still in line with our security priorities. They have also done audits since the launch, and we explored some penetration testing, which went well. They reviewed the entire structure of our business and have been very helpful.
RESULTS & FEEDBACK
Could you share any evidence that would demonstrate the productivity, quality of work, or impact of the engagement?
They are really knowledgeable. They took pieces of our complex site and pieces of ever-changing HIPAA compliance and made the requirements easy to understand. We’ve had the same group since day 1, and they’ve only brought in new experts as needed. That's always comforting as a business owner: when you have a point of contact, you don't want to be moved around to a bunch of different people and have to reintroduce your concept. This team stuck with us for the 3 years without any turnover. I think that speaks a lot to their business as well. Our IT guy loves working with them, too. We’ve had a great experience.
How did FRSecure perform from a project management standpoint?
They map and scope the audits, and they give us a heads-up about how many hours a project will take. They help us understand the timelines and the costs very well. They delivered reports and gave presentations on-site about things we need to do. They were great. They can work with us in any facet. They're so flexible; we do phone calls, send emails, and have screen-share presentations. We didn’t really use a specific portal for tickets.
We like working with them, so we would drive out to their location, which is about 40 minutes from our office. They’ve moved a little bit closer, so sometimes we see them in person, which is convenient for us. They’ve shown that they can work with businesses on any level.
What did you find most impressive about FRSecure?
They treat their customers with tremendous respect. Not everybody treats us that way. For building this website, we worked with a number of contractors and businesses. FRSecure was the only company that wasn't nickel-and-diming our business for each minute spent. They were very flexible and understood our situation, especially as a startup. They devoted the time to learn about our project and its direction. They weren't just focused on invoicing me as quickly as possible. When they moved offices, we had no hiccups at all. It was a seamless transition.
Are there any areas FRSecure could improve?
I don't know that I could identify any right now. They've done a fantastic job.
What tips or recommendations could you share that might increase the likelihood of success with FRSecure?
HIPAA compliance is a difficult topic, and it’s always changing. I would have started working with FRSecure even sooner. I always want to maintain control, but we really need experts for things like HIPAA compliance, PCI compliance, and security. With all of the hacking and security breaches going on, we need a good organization that has our back. FRSecure has had our back from the start.
RATINGS
5.0
"They’re professional and responsive and put their customers first. They hire talented people, and I think they just do a fantastic job recruiting. They find people who are not only experts but also have personality. That’s hard to find in IT these days."
Quality
5.0
Service & Deliverables
Schedule
5.0
On time / deadlines
"We have no issues."
Cost
5.0
Value / within estimates
"They have the flexibility to work with us as a startup, knowing that we had a limited budget for 6–9 months."
Willing to Refer
5.0
NPS
"Without a doubt, I'll always recommend and trust them for our website going forward."
Cybersecurity Audit & Presentation for Regional Bank
Cybersecurity
$10,000 to $49,999
Jan. 2015 - May 2017
5.0
Quality
5.0
Schedule
5.0
Cost
4.5
Willing to Refer
5.0
"We have a partnership that I rely on continually."
Jun 8, 2017
VP, Technology
Anonymous
Financial services
Bloomington, Minnesota
51-200 Employees
Phone Interview
Verified
FRSecure conducted annual social engineering and cybersecurity audits for risk assessment and compliance, providing detailed action items and presenting their findings to both IT and executive personnel.
Each robust assessment pinpointed diverse vulnerabilities and promoted timely resolutions, thanks to FRSecure’s clear recommendations. The team’s integrity, transparent documentation, and adherence to aggressive timelines inspired mutual trust and respect.
A Clutch analyst personally interviewed this client over the phone. Below is an edited transcript.
BACKGROUND
Introduce your business and what you do there.
I’m the vice president of technology and services at a regional bank with 6 branches and about $1.3 billion in assets. We have a high concentration of commercial real estate and focus on the commercial side of banking. My responsibilities include managing the infrastructure, help desk, security, and systems of the bank.
OPPORTUNITY / CHALLENGE
What challenge were you trying to address with FRSecure?
We’re required to do an audit every year. We change auditors every 2 years. For the past 6 years prior to working with FRSecure, we approached the audits through the audit companies exclusively. But, this time, due to cybersecurity risks, we wanted to look at the audit from more of an IT security framework versus just the compliance side of those controls. That’s why we chose FRSecure.
SOLUTION
What was the scope of their involvement?
They’ve done 3 audits for me—a social engineering audit and 2 IT audits for 2 different years. On the social engineering side, we were doing an internal phishing and calling scam to see how many of our employees would click on the link or answer the phone call by sharing some private information. The IT audit addressed 4 categories: penetration testing, vulnerability assessments, IT general controls and governance, and physical security.
The reports that they delivered at the conclusion of these audits resulted in action items, especially for the first year. The second audit report identified new threats. That was my expectation because we had satisfied the original items, as verified through this second audit. These new steps were designed to take us to the next level in the maturity model for security.
For both years, different analysts came in, but I was still able to ask the analyst questions. I had a project manager that was my single point of contact for each year, which helped make it more efficient on my side.
How did you come to work with FRSecure?
At the time, I had sent out an RFP. Five companies responded, including FRSecure. The deciding factors were the clarity and accuracy of their response to the RFP, experience level, presentation of documentation, and price point. FRSecure had the best answers and options. I did the social engineering audit almost as a test for their company to see how they handle even just a regular IT project. It was a good small scope to begin our relationship with.
How much have you invested with FRSecure?
For both years, we spent between $17,000–$20,000.
What is the status of this engagement?
I originally sent the RFP in 2015. The social engineering audit was done within the first year, prior to the IT audits. Both IT audits were done over 2 consecutive years. We added the FFIEC [Federal Financial Institutions Examination Council] portion to the last IT audit.
RESULTS & FEEDBACK
Could you share any evidence that would demonstrate the productivity, quality of work, or impact of the engagement?
I really liked FRSecure because they gave priority to the action items. They put them into 2 formats: a technical list for the IT side, and the same information in a different way for the executive summary and the board. Having the same information in 2 different formats was incredibly helpful.
They gave us an estimation for how long the audits would take and delivered a week early. I had an aggressive timeline for the second year, which took out one of the RFPs because they initially knew they wouldn’t be close to finishing on time. Typically, we give anywhere from 5–6 months of request time, but they were able to do it in under 3.
For the first year, they had asked for a list of documents on a secure portal, similar to our FDIC exams. This year, they didn’t ask for them until they were on-site, which was another unique aspect. It was a good addition to the second level of testing as far as maturity for us.
How did FRSecure perform from a project management standpoint?
They helped interpret the reports for us twice. Our RFP stipulated that they give a presentation of the results, which they did both online through WebEx and on the phone. They also give the same talk or a different presentation to the executive committee or board if needed.
On 2 occasions, I reached out to them afterward by call or email to ask general follow-up questions to some of the action items and received great feedback.
What did you find most impressive about FRSecure?
FRSecure, compared to others that I’ve used in the past, offers work that’s more than just security-based; they’re also an information-sharing company. They truly want to make our security better versus offering sales points to advance their business. With other auditing firms, I’d go through an audit and receive a list of action items. Then, the provider would give me a list of charges for completing the items, which made the audit seem less genuine. With FRSecure, I never feel like I’m getting a sales pitch. We have a partnership that I rely on continually. I know they really stand by the results and recommendations of their audits because they’re willing to carry out the actions of what they’re identifying.
Are there any areas FRSecure could improve?
For the action items, I’d love to have some trackable portal that I could log into that isn’t just an Excel spreadsheet, but I can work with that.
RATINGS
5.0
"Their analysts have amazing knowledge levels and are passionate about their security. They have a really cool approach."
Quality
5.0
Service & Deliverables
"When the audit is easily understandable by members outside of IT, it’s a huge asset for any company. Their format is understood by our board, senior leadership, and different audit and risk committees that have nothing to do with IT."
Schedule
5.0
On time / deadlines
Cost
4.5
Value / within estimates
Willing to Refer
5.0
NPS
Cybersecurity Audit for First National Minnesota Bank
Cybersecurity
$50,000 to $199,999
Jan. 2017 - Ongoing
5.0
Quality
5.0
Schedule
5.0
Cost
5.0
Willing to Refer
5.0
"One of the reasons I prefer them is that they offer very personal instruction and guidance."
Jun 7, 2017
Sr. IS Officer, First National Minnesota Bank
Anonymous
Financial services
Mankato, Minnesota
11-50 Employees
Phone Interview
Verified
FRSecure conducted a comprehensive security audit of a regional bank. Services included digital and physical vulnerability testing, as well as a five-step administrative controls review.
Based on their findings, FRSecure delivered critical feedback on meeting regulations and optimizing security at all levels of the organization. Their risk mitigation strategies are peerless. Because they are a smaller firm, they can offer more helpful personalized assessments.
A Clutch analyst personally interviewed this client over the phone. Below is an edited transcript.
BACKGROUND
Introduce your business and what you do there.
First National Bank is a small community bank in the southwest of Minnesota. We are a $200 million bank. I am in charge of the IT department.
OPPORTUNITY / CHALLENGE
What challenge were you trying to address with FRSecure?
We originally hired them to do penetration testing and vulnerability testing, physical security testing, and then also an administrative controls test or review. Administrative controls would just be coming in and looking at policies and procedures to make sure how we are maintaining our environment. It is not a technical review, but it is a review of what we do in the technology department and how well we safeguard things from an administrative standpoint. The physical security portion is that they come out to each of our branches and take a look during hours we are not open, just to make sure we leave the bank in a secure manner. It can also follow over to opening hours as well, but they like to see how we leave things, checking to see where the cameras are, and if we locked up.
SOLUTION
What was the scope of their involvement?
We used them two years ago for all of those things, then we switched to somebody else. We have a policy that says we have to switch who we use for that type of service. We have really liked working with FRSecure. We used the other company for a year and now we’ve gone back to them. This year they performed the administrative controls audit and we have not done the physical yet. The rest of the audits are set to be done before the end of the year.
The admin controls audit takes them about a day of interviews with myself, HR, and some with operations. Then they go back and they review policies and write up a report on that. I would say they had a report back to us within one to two weeks.
Because we are a bank, we are heavily regulated and the OCC is who regulates us. They require these vulnerability tests and penetration testing. We need to make sure that we have those done and that we mitigate any risks that are found. I have one person that I work with that is in charge of coordinating all of it, but I can work with a number of different people depending on what is being done. There is one person assigned as your coordinator.
How did you come to work with FRSecure?
We were working with CTS, a company here in Minnesota, and they had FRSecure out to do a security presentation. Evan, one of the owners, spoke at that event. Afterward, there was a chance to talk with him and based on that, we hired him.
How much have you invested with FRSecure?
We are doing a three-year contract with them instead of just a year by year. If you do multiple different types of audits, they give you a discount because of the different amount of audits that you are doing. They also give you a discount if you contract with them for multiple years. The administrative controls audit is actually two different audits. It is a five-step administrative controls review. Then there are the FFIEC additional admin controls. FFIEC is one of the regulators and they put out a guidance for security controls. They go through that and see how we do as it relates to that. So that is something that is really valuable to us because it relates directly to what OCC is going to come in and look at. There are the external and technical controls, which is penetration testing, an internal technical controls assessment, and physical controls review. And all total, based on a three-year contract in doing all five of those type of audits, it is about $22,000 a year. We get a 10% discount for a three-year agreement.
RESULTS & FEEDBACK
Could you share any evidence that would demonstrate the productivity, quality of work, or the impact of the engagement?
At this point, we were really interested in them doing the administrative controls this year because there has been a lot of new guidance coming down from the FFIEC. We are basically going through and rewriting our internal controls or information security program. Their feedback was really good, and they have been able to provide us with some great templates to use for some of the different types of policies we are going to need to write. We’re rewriting our whole program based on the feedback they’ve given us.
They also gave us a framework of how they see the information security program being built and how it would relate to our bank specifically. That has been really helpful. Everything right now is basically risk-based. Having a really good risk assessment is really key to that. I did go up there for a day and spend a day with them going over that and rewriting our risk assessment. Based on that, we’ve been applying the policies for all those risks. They do offer some classes. I know they have one that is specifically for writing policies and procedures. They are really good at what they do.
How did FRSecure perform from a project management standpoint?
We communicate by email and phone whenever I need it. When we were originally doing that assessment, I probably talked to them on the phone every day for about a week with different questions. Then I went up for a day and did our risk assessment. We are getting ready to do the vulnerability assessment and penetration testing.
What did you find most impressive about FRSecure?
In my opinion, one of the reasons I prefer them is that they really offer you very personal instruction and guidance. Some of the other companies that we’ve used are bigger. The last one we used, for instance, was so big. They are not real flexible in what they are going to do. You may want them to do a certain portion of it, but then you want them to do something a little different, but they are not willing to do that. FRSecure wants to make sure that they give you exactly what you need, and that’s the primary reason that I went back to them.
This type of service is unique at this point in time from what I see out there. They are just really helpful. They really want to make sure that the end result is what you wanted. If they are not going to really give you any kind of a benefit, then they really don’t want to work with you. They really want to know that their work is helpful to you. They have a great group of people to work with them. Some of the people that I worked with on the administrative controls are people that were previously working at a bank in the technology department, that were in charge of those type of things. They really first hand, not just the security side, but also the banking side which is awesome.
Are there any areas FRSecure could improve?
I can’t think of any. I have been very satisfied.
What tips or recommendations could you share that might increase the likelihood of success with FRSecure?
I guess just read everything that you can get your hands on. There is just so much out there, but a company like FRSecure is certainly going to help you with what’s specific for your area. Read everything you can.
RATINGS
5.0
"I really like to work with them."
Quality
5.0
Service & Deliverables
"It was a great format that was very easy to use. I have to report everything to the board as well, so it is very easy to transfer that into a report for the board."
Schedule
5.0
On time / deadlines
"I had to reschedule a couple of different things during that timeframe and they were really great to work with. It never caused them a problem. They were always willing to do it and get the job done."
Cost
5.0
Value / within estimates
"I think if you look out there, you are going to find some that are more expensive. You may find some that are cheaper, but value for the money is very, very good."
Willing to Refer
5.0
NPS
"Absolutely."