The Green Sheet, Inc

Information Exchange




ISO contact:

Jonathan Foster
Phone: 973-734-0822
E-mail: jfoster@goinfox.com

Company address:

62 Main Street
Box 173
Madison, NJ 07940
Phone: 973-734-0822
Web site: www.goinfox.com

ISO benefits:

  • Security review allows ISOs to become compliant Encryption Service Organizations for PIN Injection of POS devices.
  • Will work with you and your clients to achieve credit and debit card network compliance requirements.
  • Reduces risk of financial and reputation loss.
  • Creates safer networks for merchant and consumer protection.
  • 35 years of combined experience in business and technology security.

Evaluating the Situation to Eliminate the Risk

The relevance of Jonathan Foster's work was made a little too evident for his liking on Sept. 11, 2001. He looked out toward Manhattan from an office in New Jersey and watched as the World Trade Center exploded and crumbled.

His son worked for an investment firm whose offices were on the 93rd floor of one of the Twin Towers. Sixty-five of the firm's employees were among those who lost their lives that day.

Foster's son was not one of them - he was attending an off-site meeting that morning. Even knowing his son was not there didn't stop Foster from marveling at the magnitude of what he was watching.

"It sure brought it home for me," he said.

Foster has been in the business of evaluating risks and identifying weak spots in security systems for 20 years. The 9/11 terrorist attacks were a horrible illustration of how bad security lapses can get.

Fortunately, though, the kinds of risk evaluation that Foster's company, Information Exchange, deals with don't usually have the same devastating consequences.

As Foster said, though, no matter how large or small they are, businesses take risks every day. He and partner Peter Trombley help clients decide which risks are acceptable and which are not. "We're evaluators. We evaluate and make decisions on a company's current environment," Foster said. "We evaluate practices, identify and define the changes in policies and procedures that need to be made.

"We do gap analysis and then close the gaps."

The ultimate goal is two-fold: to help companies be able to better define gaps in their own systems, and to guide them toward industry and governmental compliance standards, for which there is no room for error.

This is true whether it's a company's computer network or payment-processing systems.

Information is the gold standard in today's global marketplace, so protecting its information assets should be a company's primary concern. Reliance on networks for business and financial transactions, as well as for communication, means that preventing down time for emergencies of any kind is critical.

Conducting business on the Web, undependable power supplies and, of course, terrorism have increased the need for businesses to take careful measures to prevent loss of data, revenue and reputation. Businesses of all types need to have contingency plans in place for disaster recovery and continuity.

Recently, Foster and Trombley have seen a definite spike in the interest generated by the services they offer clients. "At ETA in Orlando, we found security concerns were a higher priority with many of the firms we met," said Trombley. "Permanent players will want to take steps to ensure their viability.

"Today, this includes not only establishing solid financial foundation and sales efforts, but protecting their information assets and ensuring their ability to meet unexpected business interruptions."

Together, Foster and Trombley have 35 years' experience in business and technology systems security.

Foster started Information Exchange in 1994 as a management consulting firm, assisting and advising clients' business operations and technology risks. He has a varied background that includes commercial banking.

Trombley joined the firm three years ago, coming from a background of management consulting primarily in the financial services industry.

They have clients throughout the U.S. - mostly financial institutions, such as banks, credit unions, credit and debit acquirers and ISOs. They made a conscious decision to keep their firm small to be available and responsive to their clients. Foster said their combined experience allows them to provide superior service.

"There are a few other firms that do what we do, but we're the best," he said. "With our backgrounds in business and technology, with our skill set, we're able to offer a pragmatic approach.

"We're independent. When we go in to work with a client, we bring a fresh perspective. Very often the client is too close to the work and is not able to see what needs to be done. Self-audits are usually not in a business' best interests."

The partners at Information Exchange use a sensible approach in helping their clients decide which risks are acceptable and which are not. The increasing need for security in protecting information - from all types of personal data to all levels of corporate records - has the financial services industry scrambling to develop standards and systems on its own.

Information Exchange can make the process of reaching standardization, whether self-imposed or regulated by government agencies, much simpler.

"There is a growing concern in the financial services industry about wanting to regulate themselves so the government won't, like they did with banks," Trombley said. "The industry is saying we will tighten things up ourselves."

In the long run, any type of business will benefit from a more secure system - or one that's more efficient and thorough. Information Exchange can set up stringent technology safeguards as well as offer suggestions for improving workflow in everyday operations and preparing for emergency situations when disasters happen.

Meeting due diligence requirements and strengthening the ability to survive unexpected business interruptions will reduce financial risks and maintain the business' good reputation.

Foster and Trombley are certified to provide solutions to help their clients comply with industry security standards as well as those imposed by the government. They can help certify equipment and networks by conducting ANSI X9 and TG-3 security reviews for PIN injections; Visa Cardholder Information Security Program (CISP) security reviews; First Data PIN encryption reviews; and NACHA compliance reviews.

They also will help companies meet the compliance requirements of the Patriot Act, the Federal Financial Institutions Examination Council (FFIEC), the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA).

In 2001, the STAR/MAC, NYCE and Pulse networks decided jointly to require independent reviews of PIN security and key management for firms handling their own PIN injection into POS devices or ATMs.

First Data Corp. has issued its own guidelines for safely processing PIN-based debit transactions; Visa also has specified compliance regulations for credit card transactions through its CISP. MasterCard requirements hold the acquirer responsible for ensuring that downstream clients have taken appropriate measures to secure data.

Information Exchange will conduct reviews and help companies reach verification compliance for all requirements. It is certified to complete the reviews and prepare the required TG-3 report for the networks, providing evidence of compliance.

When they work with ISOs, the security gaps are checked at the processor end. Foster and Trombley review the existing security processes in place. Clients will contact them to perform audits or suggest improvements in areas like encryption or network firewalls.

"This is about protecting the consumer. We look at it from the processor's shop and see how they encrypt their transaction information and how old their procedures are," Foster said.

"We follow the transaction all the way through the process and make reports and diagrams to illustrate."

For payment processing, this includes injecting encryption keys for PIN pads before the terminals are installed to reduce the large amounts of fraud in PIN debit transactions. For networks, the solution includes installing firewalls.

"It's a big risk to ignore safety issues concerning the Internet. When you ignore your network security, you run the risk of your data being exposed to hackers - as well as to anyone connected to the Internet," Foster said.

Foster and Trombley both will go for the initial review in most cases, and they usually work together in constructing a new set of safety nets.

With just the two of them, the clients get the same players from start to finish.

Foster and Trombley have worked with large consulting firms and pride themselves on the skills, experience and personal attention they're able to provide their clients.

They really get to know the clients and the nature of the business to provide the best security and risk solutions. Clients experience a minimum of staff downtime and minimum interruptions in workflow.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
© 2002, The Green Sheet, Inc.