Security Consulting FAQs

1. The IT department installs and maintains our information security. Why would I need eVestigations Inc.?

Even the most skilled IT department may have blinders on when evaluating the effectiveness of their own information security. Fresh eyes and specialized skills may be needed to head up security surveys, risk assessments, or penetration testing to assure there are no unaddressed vulnerabilities. Paul Herrmann, president of eVestigations Inc., is an experienced Chief Information Security Officer with a proven track record in global responsibility for information security. His credentials and experience position him as a valuable asset to assist your IT department in documenting due diligence in the area of information security, whatever the size of your company.

The following services are available:

- Security Survey
- Risk Assessment
- Security Policy Review or Improvement
- Employee Awareness Programs
- Security Process Design or Improvement
- Executive Security Posture Report
- Reporting of Security Process Measures
- Crisis Plan or Plan Review
- Compliance Design
- Incident Management
- Virus Management
- Monitoring

2. We can’t afford a full-time Chief Information Security Officer and consultants are very expensive. Do you have any suggestions?

eVestigations Inc. offers an annual contract to provide executive-level service at the best value. Customers on this contract select the amount of time that suits their needs, which includes onsite evaluation and offsite monitoring of their information security. This allows the smaller company to have the support of 1/6 of a full-time Chief Information Security Officer, for example, without the expense of an executive-level employee and other employee issues. For complete information about this service, Contact Us.

3. We’ve had an incident and can’t find the perpetrator. What kinds of investigations do you do?

eVestigations Inc. specializes in high technology investigations in which electronic evidence is the key component. We can provide you with facts retrieved from the suspect’s computer, PDA, cell phone, GPS, etc. We have successfully located perpetrators of malicious website hacking, side-business operation, corporate espionage (intellectual property theft), sexual harassment, threats, unauthorized spyware installation, downloading of pornographic material, email spoofing, etc. We use current best practices to provide complete, well-documented reports, and work through your legal counsel in order to retain your options for legal action (see Computer forensics).

4. Can you check for listening devices in our building?

Yes, eVestigations Inc. has successfully searched boardrooms and other sensitive areas using current Technical Surveillance Counter Measures (TSCM) technology. We discuss results with you and produce a detailed report for documentation of due diligence. Some customers schedule annual or six-month “bug-sweeps” to assure privacy on an ongoing basis.
We are confidential and can schedule this service after hours or on weekends if you prefer, or we can bring a labeled truck and perform the service during work hours if you prefer a deterrent effect. The choice is yours.

5. Can we meet somewhere private to discuss our information security problem? We want to keep this quiet.

eVestigations Inc. maintains a secure modern conference room at the Frazer, PA, location which has served clients who wish to go offsite for confidential meetings. Confidentiality is a top priority for us, and we are legally obligated to your confidentiality as licensed private investigators. If you wish, we will meet with you after hours at your business to prevent employees from becoming aware of the problem. When performing an incident investigation, we are careful to respect your requests, including maintenance of secrecy. Throughout an investigation, we work through your attorney to maintain attorney work product so that only the information you want to reveal is discoverable by opposing counsel should you choose to take legal action.

6. Certifications of personnel in information security are quite varied. How do I know which ones to look for?

It’s important to look for board certifications, which indicate that the individual has passed an evaluation, rather than certifications that signify completion of a course, which do not indicate that the individual has mastered any degree of competency in the field. CISSP, Certified Information Systems Security Professional, requires a written exam and experience qualifications. The National Security Agency certifies individuals in IAM, Information Assessment Methodology, which also requires written examination. CISA, Certified Information Systems Auditor, is another board certification requiring written examination.
For investigations involving computer forensics, EnCE, EnCase Certified Examiner, is a rigorous board certification requiring a computer-based exam, experience and an extensive graded practical exam. It is highly recommended to use an individual who also holds a private detective’s license in order to safeguard your information. P.I.s are legally obligated to the client’s confidentiality.