1.       PURPOSE

The AlixPartners Information Security Program has been developed to address the need for continuous security improvement and is designed to protect AlixPartners Information Assets from internal and external threats now and into the future.

2.       SCOPE

AlixPartners has adopted the ISO 27001 framework to manage and continually evaluate its Information Security Program.

The goals of the AlixPartners Information Security Program are to:

  • Secure the firm’s and clients’ confidential information through risk-based methodologies
  • Increase the information security awareness of AlixPartners’ employees
  • Design and deploy technology and processes to enable security and compliance with corporate, regulatory, and client requirements
  • Enable digitization of the firm and client projects while providing security commensurate with the classification of information
  • Ensure cost-effective deployment of processes and technology to protect AlixPartners’ Information Assets

 

3.       ROLES, RESPONSIBILITIES AND REPORTING STRUCTURE

The Information Security Team reports directly to the Chief Technology Officer (CTO). This ensures that the CTO is fully informed of information security risks without filtering through other groups.

3.1 CHIEF INFORMATION SECURITY OFFICER (CISO)

The CISO is responsible for security and risk decisions related to information and technology, which are managed through the coordination, development, implementation, and maintenance of security and risk programs. This position is responsible for assessing the firm's risk tolerance and risk profile and for continuously measuring the success of the security program elements. The CISO must have a thorough understanding of the business goals and strategic objectives of the firm. Executive support is vital.

RESPONSIBILITIES

  • Provide the central point of contact for all information security issues and concerns
  • Hire and mentor Information Security personnel to ensure skills and experience are aligned with business objectives
  • Communicate complex security requirements in business terms
  • Assess Information Security personnel training needs and develop roadmaps to increase security knowledge
  • Allocate resources effectively to maintain the Information Security Management System (ISMS)
  • Request additional resources (as needed)
  • Approve the distribution of information security policies to interested parties, as needed
  • Report on the performance of the Information Security Management System (ISMS) to the Information Security Steering Committee (ISSC)
  • Propose projects to the ISSC that:
    • address risks and opportunities
    • ensure the ISMS achieves management’s objectives
    • require implementation of security controls that prevent or reduce undesired effects of doing business
    • provide continual improvement of information security management
  • Provide updates to the ISSC of progress and/or changes to the information security objectives
  • Review and update information security objectives as appropriate based on changing business strategies or changing information security risks/opportunities
  • Use authority to delegate security functions to staff as required
  • Maintain a documented list of the current activities used to measure the effectiveness of ISMS controls and processes as outlined in the Security Metrics document
  • Evaluate the need for action to eliminate the cause of any non-conformities
  • Report on the performance of the Data Protection strategy to the Data Governance Committee (DGC)

3.2 EXTERNAL USERS

Access to the AlixPartners private computer system is for authorized users only. Unauthorized and/or inappropriate use, including exceeding authorization, is strictly prohibited and may subject said user(s) to civil and/or criminal penalties. System use may be monitored and recorded. Use of the system constitutes consent to any such monitoring.

4.     SECURITY FUNCTIONAL AREAS

There are four functional areas within the Information Security Team.


4.1 SECURITY – ASSESSMENT

The Assessment team is responsible for ensuring infrastructure is designed, implemented and operated in accordance with applicable security standards, policies, and practices.  Their primary responsibilities include operational oversight of the vulnerability management, application security, and secure configuration management programs, as well as additional risk assessment, validation of security pen-test results, problem resolution, system documentation, and system security management and support.

Key areas of focus include:

  • Vulnerability Management
  • Secure Configuration Management
  • Asset Compliance Scanning
  • Application Security
    • Dynamic
    • Static
    • Manual
  • Penetration Testing
  • Controls Assessment

Responsibilities

  • Conduct information security threat analysis on new and changed application development initiatives to inform design, review, and incident response planning
  • Review application source code for vulnerabilities
  • Identify and explain risks associated with common application vulnerabilities, demonstrate exploitation and recommend mitigation options
  • Develop and deploy a monitoring program to ensure devices are compliant with build standards
  • Report findings and work with internal resources to ensure remediation occurs within defined SLAs
  • Research and assess new threats and security alerts and recommend remedial actions
  • Develop technical documentation, including standards and standard operating procedures (SOPs)
  • Develop and report on key compliance and operational metrics for the vulnerability program
  • Perform periodic internal assessments of implemented security controls
  • Conduct annual information security risk analysis


4.2 SECURITY – GOVERNANCE, RISK AND COMPLIANCE (GRC)

The GRC team is responsible for managing the Information Security Management System (ISMS) through the implementation and maintenance of IT policies, standards, and procedures as well as the design and implementation of security controls. They are also responsible for assessing the Firm’s adherence to regulations, policies, standards, controls, and procedures that support the effective, secure and compliant use of information assets.  They conduct compliance assessments and independent reviews.  They also perform information security risk assessments, track any identified risk, report on risk items and ensure the follow-up and closure of open risks. 

Key areas of focus include:

  • Policy Management
  • Technical Standards
  • Compliance and Regulatory Management
  • Control Framework Management
  • Process Improvement
  • Risk Assessment and Remediation
  • Issue Management
  • Communications and Security Awareness Training
  • Vendor Security Monitoring and Assessments
  • Business Continuity Planning and Disaster Recovery (BCP/DR) governance
  • IT System Development Lifecycle (IT SDLC) governance
  • Identity & Access Governance and Compliance

Responsibilities

  • Coordinate development and annual review of IT policies, standards, and procedures
  • Measure and report on IT’s and the Firm’s compliance with global IT policies, standards, procedures, regulations, and controls
  • Support and manage internal and external audits and assessment activities through documentation, scheduling and collecting evidence
  • Perform information security risk, project and vendor assessments
  • Provide governance and input to the BCP/DR and IT SDLC programs
  • Coordinate and manage Security Training and Awareness programs
  • Develop information security awareness training, educational materials, and new hire security awareness training
  • Support incident response activities initiated by the Firm and Security Operations team


4.3 SECURITY – OPERATIONS

The Operations team provides security monitoring, incident response, and threat analysis for the firm. The team is responsible for managing the daily activities of system event logging, IDS monitoring, data leakage prevention, and incident triage, response, and analysis. They also provide support for security investigations and incident management. They continually monitor, detect, and respond to security incidents and help improve the security posture of the firm by sharing lessons learned from responding to incidents.

Key areas of focus include:

  • Threat Prevention
    • Endpoint Prevention and Hardening – Endpoint prevention tool administration and OS hardening (GPO, Intune, and security tool configuration)
    • Threat Prevention Advisory – Advises on threat prevention controls and recommends secure configurations to the teams responsible for administering IT and Security solutions, based on observed activity and known tactics and techniques of threat actors. Examples include email security, cloud security, and security tools outside the scope of administration of the Security Operations team
  • Security Monitoring
    • Detection Engineering: SIEM – Administration, development, and implementation of detection use cases
    • Detection Engineering: Other tools and processes – Development and implementation of detection use cases and processes for effective threat detection using detection logic and threat hunting techniques
  • Incident Response and Threat Management
    • Incident Response – Alert response and incident handling
    • Threat Management – Threat hunting (non-alert-driven threat exploration) and management of threat intel, indicators, and associated processes
    • Security Orchestration and Automation – Security integrations, orchestration, and automation
  • Physical Security
    • Implementation and Maintenance – Implementation and maintenance of access control systems and video surveillance systems
    • Physical Access Control Management – Management of the access control system and associated processes

Responsibilities

  • Monitor and respond to events from intrusion detection systems and system event logs
  • Perform root cause analysis of security incidents and recommend corrective action
  • Research, evaluate, test, and recommend new security controls and solutions
  • Maintain physical security badge access control to AlixPartners environments
  • Monitor physical security alerts and assist with door security
  • Research and assess malware and recommend remedial actions
  • Report on key compliance and operational metrics for security operations
  • Identify, detect and escalate incidents as defined by incident response procedures
  • Report on identified incidents


4.4 SECURITY – DATA PROTECTION

The Data Protection team is responsible for reviewing client contracts for security requirements and advising engagement teams on appropriate processes to secure client information, as well as implementing information classification and protection tools. The team also provides configuration and ongoing monitoring of the data loss prevention technologies in use by the firm. In addition, they oversee the review process for potential malicious insiders and support investigations and incident response as necessary.

Key areas of focus include:

  • Data Loss Prevention
    • Security Investigations
    • Cloud Usage Monitoring
  • Data Protection Plans (DPP)
  • Digital Rights Management (DRM)
  • Key Information Review Process (KIRP)

Responsibilities

  • Advise engagement teams on client security requirements
  • Partner with Legal to perform reviews of client contractual language
  • Provide Data Protection Plan oversight
  • Assist engagement teams with client data purging requests
  • Research, evaluate, test, and recommend new data loss prevention security controls and solutions
  • Respond to and investigate DLP alerts

 

5.       SECURITY PROGRAM

ACCESS CONTROLS

Logical and physical access controls exist to maintain the confidentiality, integrity, and availability of information assets. To ensure non-repudiation, users are provided unique user IDs and are granted access on a ‘need to know’ and ‘minimum necessary’ basis. All access requests must be approved by the information or system owner. The appropriate teams then provision these requests. AlixPartners periodically reviews user access and requires system and information owners to confirm that access is still required.

Source: Logical Access Policy (IT-1020-Policy); Logical Access Procedure (IT-1020-Procedure); Acceptable Use Policy (IT-1001-Policy) Sec. 3.16 Physical Access


AUTOMATION

AlixPartners uses automation to enhance its processes and leverages automatic threat intelligence feeds, automatic updates of threat prevention signatures, and automatic detection watchlist updates to monitor for anomalous behavior. Vulnerability scans are automated and run on a scheduled basis, and multiple automated methods are in use to improve the efficiency and effectiveness of prevention, detection, and response capabilities.


BACKUPS

AlixPartners employs various tools and services to support recovery and restoration capabilities for client and firm information.

Source: Backup and Restore Policy (IT-1088-Policy); Data Restore Procedure (IT-1088-Procedure); Operational Backup Standard (IT-1088-Standard)


BASELINING

AlixPartners uses baselining techniques to enhance security detection of anomalous activity and to identify the non-standard use of our systems.


CHANGE MANAGEMENT

Change management is an essential part of maintaining the integrity and availability of information. AlixPartners requires employees to submit changes through its change management process. This process requires detailed change information to be captured such as Change Description, Impact, Risk, Rollback, Dependencies, etc. This allows the Change Management Board to have a thorough understanding of a change and its benefit to make an informed decision.

Source: Change Management Policy (IT-1047-Policy); Change Management Procedure (IT-1047-Procedure)


CONTAINERIZATION AND SEGMENTATION

The firewall does not allow traffic it evaluates as a threat to pass from one zone to another, helping to keep a threat contained within the zone where it originated.


DATA ANALYTICS

Security analytics tools and techniques are deployed to consume large amounts of security data to monitor, alert, and create behavioral data sets to further understand anomalous or confirmed threats.


DATA LOSS PREVENTION (DLP)

Data Loss Prevention tools are in use to monitor and identify sensitive information that is at rest, in motion, and in use.

Source: Event Monitoring Policy (IT-1002-Policy); Security Monitoring Procedure (IT-1002-Procedure)


DEVICE HARDENING

AlixPartners uses a baseline configuration for all systems. The baseline consists of disabling unnecessary services and setting specific configuration options. Device hardening is defined through Active Directory Group Policy Objects (GPOs) and cannot be changed at the local system level.

Source: Printer Settings Standard (IT-1019-Standard); Router and Switch Security Standard (IT-1006-Standard); Firewall Hardening Standard (IT-1006-Standard); Wireless Network Security Standard (IT-1006-Standard); Server Configuration Standard (IT-1024-Standard)


ELECTRONIC INFORMATION DESTRUCTION

To securely destroy electronic information, AlixPartners uses a number of mechanisms. For physical media such as paper copies and optical media, cross-cut shredders are used. These are installed in various locations within each office. For digital storage devices, such as USB and hard drives, a secure wipe process is used. All hard drives found in multi-function printers, copiers, or scanners are destroyed by an approved vendor. 

Source: Data Destruction and Reuse Standard (IT-1030-Standard)


ENCRYPTION

AlixPartners utilizes full disk encryption on laptops and desktop devices to ensure lost equipment does not expose firm or client information. Network communication is encrypted with secure protocols, and virtual private networks with secure connection methods are used for client remote access.

Source: Data Encryption Policy (IT-1011-Policy)


FIREWALLS

AlixPartners deploys a network firewall at all network perimeter locations that connect to the Internet. The firewalls are all configured with a default deny policy. This policy blocks all network connectivity unless it is explicitly allowed. The firewalls are also configured to log all traffic. Some of the firewall devices provide additional security functions such as URL filtering, malware prevention, and threat prevention.

Source: Firewall Hardening Standard (IT-1006-Standard)
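To make the two properties described in the Firewalls section (default deny with every flow logged) and the Containerization and Segmentation section (traffic judged between zones) concrete, the following is an added illustrative policy evaluator. It is not AlixPartners' configuration and uses no real firewall product's syntax; the zone names, rule fields, and sample flows are constructed for the example.

```python
"""Default-deny, zone-based traffic policy evaluator (added example).

Models the behaviour the text describes: a flow is allowed only when an
explicit rule permits it, any flow matching no rule is denied, and every
decision is logged. Zone names, rule fields and sample flows are
constructed assumptions for illustration, not a real ruleset.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str                      # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    proto: str                      # protocol or "any"
    dst_ports: Tuple[int, ...] = ()  # empty = any destination port
    dst_nets: Tuple[str, ...] = ()   # empty = any destination address
    action: str = "allow"           # explicit "allow" or explicit "deny"

    def matches(self, flow: Flow) -> bool:
        # Zone pair must match exactly: this is the segmentation check.
        if (self.src_zone, self.dst_zone) != (flow.src_zone, flow.dst_zone):
            return False
        if self.proto != "any" and self.proto != flow.proto:
            return False
        if self.dst_ports and flow.dst_port not in self.dst_ports:
            return False
        if self.dst_nets:
            dst = ip_address(flow.dst_ip)
            if not any(dst in ip_network(n) for n in self.dst_nets):
                return False
        return True


@dataclass
class Firewall:
    rules: List[Rule]
    log: List[str] = field(default_factory=list)

    def evaluate(self, flow: Flow) -> str:
        """First matching rule wins; no match falls through to the implicit
        default deny. Allowed and denied flows are both logged."""
        decision, matched = "deny", "default-deny"
        for rule in self.rules:
            if rule.matches(flow):
                decision, matched = rule.action, rule.name
                break
        self.log.append(
            f"{decision.upper()} rule={matched} "
            f"{flow.src_zone}->{flow.dst_zone} {flow.src_ip}->{flow.dst_ip} "
            f"{flow.proto}/{flow.dst_port}")
        return decision


# Constructed sample ruleset: only explicit allows, plus one explicit deny
# placed first so it takes precedence over the broader web-out allow.
SAMPLE_RULES = [
    Rule("block-bad-range", "trust", "untrust", "any",
         dst_nets=("203.0.113.0/24",), action="deny"),
    Rule("users-web-out", "trust", "untrust", "tcp", (80, 443)),
    Rule("users-dns", "trust", "dmz", "udp", (53,), ("10.10.0.0/24",)),
    Rule("inet-to-webfront", "untrust", "dmz", "tcp", (443,), ("10.10.0.10/32",)),
]

# Constructed sample flows (documentation-range addresses).
SAMPLE_FLOWS = [
    Flow("trust", "untrust", "10.0.0.5", "198.51.100.5", "tcp", 443),   # allow
    Flow("trust", "untrust", "10.0.0.5", "203.0.113.7", "tcp", 443),    # explicit deny
    Flow("untrust", "trust", "198.51.100.9", "10.0.0.5", "tcp", 445),   # no rule: deny
    Flow("untrust", "dmz", "198.51.100.9", "10.10.0.10", "tcp", 443),   # allow
    Flow("untrust", "dmz", "198.51.100.9", "10.10.0.11", "tcp", 443),   # wrong host: deny
    Flow("dmz", "trust", "10.10.0.10", "10.0.0.5", "tcp", 22),          # lateral move: deny
]


def evaluate_samples() -> List[str]:
    """Return the decision for each sample flow, in order."""
    fw = Firewall(list(SAMPLE_RULES))
    return [fw.evaluate(flow) for flow in SAMPLE_FLOWS]


def run_samples() -> Firewall:
    """Evaluate all sample flows and return the firewall with its log."""
    fw = Firewall(list(SAMPLE_RULES))
    for flow in SAMPLE_FLOWS:
        fw.evaluate(flow)
    return fw


if __name__ == "__main__":
    for line in run_samples().log:
        print(line)
```

The point to take from the sample flows is that the DMZ-to-trust and Internet-to-trust attempts are denied without any rule naming them: the absence of an allow is what blocks them, which is what a default-deny policy means in practice, and the log still records those denied flows so analysts can see the attempts.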


INCIDENT RESPONSE

AlixPartners follows a defined incident response procedure for any event that impacts the information assets. This procedure contains steps to identify an incident, assign severity levels, contain the effects of the incident, take corrective actions to remediate the incident, communicate with all relevant parties, and perform a root cause analysis assessment. The root cause assessment includes actions to protect against a recurrence of the incident.

Source: Security Incident Response Plan (IT-1086-Plan)


INTERNAL INVESTIGATIONS

AlixPartners follows defined processes, in addition to incident response procedures, to investigate matters that may put AlixPartners employees or information assets at risk.

Source: Security Incident Response Plan (IT-1086-Plan)


INTRUSION PREVENTION

AlixPartners deploys Intrusion Prevention at every network perimeter location that connects to the Internet. These systems are continuously monitored and tuned to ensure the maximum detection rate of malicious activity. This solution is configured to block malicious activity and log events.


ISO 27001 CERTIFICATION

AlixPartners has achieved ISO 27001 certification for Microsoft Azure, AWS, Oasis, SaaS applications and select data centers in the United States, Europe and Asia.  The scope includes management of data analytics, application development, web hosting and litigation for Engagement Technology Services.


MALWARE PREVENTION AND DETECTION

A defense-in-depth approach is used to prevent, detect, and mitigate malware. The firewall has threat protection signatures to stop malware at the network layer. Sandboxing technology is used to analyze executables for malicious behavior. Email prevention and detection controls are in place to prevent malicious email from being delivered and to alert when a malicious email may have been delivered, or when a user clicks on a malicious link. At the endpoint layer, multiple preventive and detective controls are in place, including anti-virus, application control, and endpoint detection and response tools. These tools are continually updated with new signatures and detection methods.

Source: Anti-Virus – Malware Policy (IT-1014-Policy); Event Monitoring Policy (IT-1002-Policy)


MOBILE DEVICE MANAGEMENT (MDM)

AlixPartners manages firm-issued mobile devices with a mobile device management system appropriate for each device. This system is configured to push device-specific policies, updates, and programs for the management of the device. It is also used to support the removal of sensitive data in the event of device loss or compromise.

Source: Acceptable Use Policy (IT-1001-Policy) Section 3.4 Mobile Devices


PATCH MANAGEMENT

Reports concerning network infrastructure devices, servers, and endpoints and associated Operating System or software vulnerabilities are provided to the appropriate teams on a regular basis.

Source: Patch Management Policy (IT-9991-Policy); Patch Management Procedure-Corp. (IT-9991-Procedure); Patch Management Procedure-ETS (IT-9991-Procedure); Patch Management Standard (IT-9991-Standard)


PENETRATION TESTING

AlixPartners utilizes periodic penetration testing to evaluate its security controls and incident response processes. These tests help AlixPartners continue to improve its controls and procedures to provide an effective security program.

Source: Vulnerability Management Policy (IT-1073-Policy); Vulnerability Management Standard (IT-1073-Standard)


PHYSICAL SECURITY

Physical security is a key consideration for all AlixPartners offices. Each facility is accessible only through badge-controlled access. Each site is monitored by security cameras deployed in strategic locations. Badge access is reviewed periodically to ensure only approved personnel have access to AlixPartners offices.

Source: Acceptable Use Policy (IT-1001-Policy) Section 3.16 Physical Access; Physical Access Procedure (IT-1022-Procedure)


PRIVILEGE MANAGEMENT

Administrative privileges are restricted and only provided with proper justification. Users operate with standard user privileges and only escalate privileges as necessary. User and Entity Behavior Analytics tools are in place to monitor for privilege misuse.

Source: Logical Access Policy (IT-1020-Policy); Event Monitoring Policy (IT-1002-Policy); Security Monitoring Procedure (IT-1002-Procedure)


RISK ASSESSMENTS

AlixPartners continuously identifies, reviews, and mitigates risks associated with Information Assets. Periodic risk assessments are performed as appropriate. The Network Security team also participates in risk assessments when they involve an issue with a client’s infrastructure.

Source: Information Security Risk Management Policy (IT-1005-Policy); Information Security Risk Assessment Procedure (IT-1005-Procedure)


SECURITY AWARENESS TRAINING

AlixPartners recognizes the need for information security awareness and education as the firm handles both sensitive client and firm information. AlixPartners provides formal information security and awareness training to employees based on roles and projects. The training is continually updated to provide employees with the most up-to-date security awareness information.

Source: Acceptable Use Policy (IT-1001-Policy) Section 3.18 Security Training and Awareness


SECURITY INFORMATION AND EVENT MONITORING

AlixPartners utilizes advanced security information and event monitoring tools to correlate events into meaningful information to provide detailed insight into activities that occur on its infrastructure.

Source: Event Monitoring Policy (IT-1002-Policy); Security Monitoring Procedure (IT-1002-Procedure)


SECURITY MONITORING

A Security Information and Event Management (SIEM) system is used to ingest logs from network and host-based devices, and correlation rule analysis and alerting are configured to detect threats and notify security analysts. Both reactive (alert-based) and proactive (hunting) methods are in place to continually monitor our environment for security threats.

Source: Security Monitoring Procedure (IT-1002-Procedure); Event Monitoring Policy (IT-1002-Policy)


SOC 2 CERTIFICATION

AlixPartners has achieved SOC 2 Type II certification for Microsoft Azure, AWS, Oasis, SaaS applications and select data centers in the United States, Europe, and Asia. This certification covers controls at a service organization relevant to Security, Availability, Processing Integrity, Confidentiality, and Privacy.


SYSTEM DEVELOPMENT LIFE CYCLE (SDLC)

AlixPartners has adopted a formal SDLC policy to ensure high-quality, secure systems are deployed in its infrastructure. The overall process covers developing, implementing, and retiring information systems through a multistep process from initiation, analysis, design, implementation, and maintenance to disposal.

Source: System Development Life Cycle Policy (IT-1040-Policy)


THREAT INTELLIGENCE

Threat intelligence is a core focus of security operations. The incident response process allows for the creation of internally produced intelligence that feeds into the security monitoring processes to create more tailored and focused detection. In addition, we use and rely on external threat intelligence sources to provide better prevention and detection capabilities. These include threat intelligence feeds, portals for researching threat actor techniques, indicators of compromise, etc.

Source: Security Incident Response Plan (IT-1086-Plan)


TWO-FACTOR AUTHENTICATION

AlixPartners has implemented two-factor authentication for administrative user access to all AlixPartners environments. This enhances authentication protection for remote access.

Source: Logical Access Policy (IT-1020-Policy)


VENDOR MANAGEMENT

AlixPartners has defined requirements and responsibilities for managing vendors. These processes ensure that security is considered when purchasing or leasing IT information assets and/or IT-related services.

Source: Vendor Management Policy (IT-1035-Policy); Vendor Assessment Procedure (IT-1035-Procedure)


VULNERABILITY MANAGEMENT

AlixPartners utilizes vulnerability management tools to routinely scan and identify risks in information assets. These risks are assessed and remediated as required to maintain a secure infrastructure.

Source: Vulnerability Management Policy (IT-1073-Policy); Vulnerability Management Standard (IT-1073-Standard)


WHITE AND BLACK LISTING (APPLICATIONS, WEBSITES, FILE TYPES)

Approved applications are controlled using application whitelisting techniques. Similarly, traditional blacklisting techniques are used, which include the use of anti-virus and endpoint detection and response tools to tactically ban applications as necessary based on knowledge of threats or risks within the environment. The firewall provides the ability to granularly control web filtering based on category or on a specific source or destination.

 

6.       DEFINITIONS

INFORMATION ASSETS

Information Assets consist of data, networks, systems, devices, and applications that are managed by AlixPartners. Some examples are: AlixPartners data in any format; client data in the possession or control of AlixPartners in any format; equipment such as mobile phones, office phones, computers, and removable media (USB drives, DVDs, etc.); the email system generally; and any device used to access or manage access to the Internet, the AlixPartners Intranet, software, or other systems and equipment.

 

7.       DOCUMENT REVIEW

This document will be reviewed on an annual basis by the Information Security Steering Committee.

 

8.       ENFORCEMENT

The Firm will take prompt and appropriate corrective action when it determines that a violation of this document has occurred. Any individual, regardless of position or title, who the Firm determines has violated this document will be subject to discipline, up to and including termination. Actions that violate this document will not be considered to be within an individual’s course and scope of employment nor in accordance with the discharge of his or her duties.