KRM Associates Inc. has extensive experience serving both the public and private sectors in a broad variety of network security and engineering capacities. With experience in planning, implementing, and supporting secure networking solutions, as well as in developing custom solutions to meet specific needs, KRM has the expertise to fulfill a wide variety of security-related requirements.
KRM provided customer support, network engineering, and security engineering for a secure data network at the Department of Veterans Affairs, serving over 300,000 network customers, for more than five years. Responsibilities included supporting customers in configuring, installing, testing, and documenting system architectures and component configurations involving routers, VPNs (Virtual Private Networks), firewalls, intrusion detection systems, host protection tools, and other information assurance products.
In 2005, KRM delivered ENTISAS©, the Enterprise Information Security Assessment System, to the DoD TRICARE Management Activity (TMA). This DITSCAP-certified application (DITSCAP is the DoD Information Technology Security Certification and Accreditation Process) provides the capability to create a security assessment database that tracks vulnerability trends over the long term while supporting assessment and mitigation in the short term. The tool allows KRM to conduct HIPAA security risk assessments using the OCTAVE® (Operationally Critical Threat, Asset, and Vulnerability Evaluation) methodology. OCTAVE was developed by the CERT® Coordination Center (CERT/CC) and is a risk-based strategic assessment and planning technique for security, intended for organizations that want a full picture of their information security needs. Established in 1988, CERT/CC is a center of Internet security expertise located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University.
The phases of the OCTAVE methodology map very well to the requirements set forth at 45 CFR 164.308(a)(1), the risk analysis provision of the HIPAA Security Rule, and are consistent with NIST Special Publication 800-30 Revision 1. NIST SP 800-30 provides guidance on the range of risk management activities for information assets across a system life cycle. Rather than being directive, it offers general guidance on the actions that should be accomplished under the umbrella of risk management, whereas OCTAVE is a methodology that focuses specifically on the information risk assessment activities themselves.
The OCTAVE method incorporates activities for identifying and analyzing information assets, threats, and risks, and for forming plans and strategies to mitigate, transfer, or otherwise manage those risks, meeting the NIST SP 800-30 criteria. By using KRM, ENTISAS, and OCTAVE, a HIPAA covered entity can accomplish the security risk analysis required under 45 CFR 164.308(a)(1) of the HIPAA Security Rule, as extended by the HITECH Act within ARRA.
Other successful endeavors include helping to establish the VA's Health Information Security Division (HISD) and the associated VA Medical Device Security Assessment Center (MEDSAC), and coordinating the Certification and Accreditation of all of the VA's VistA installations in 2006. These and other projects have given KRM's staff a thorough grounding in the legal and regulatory requirements (such as HIPAA) for keeping data, and especially health-related data, safe and secure.