Security Compliance

Many organizations have to meet security compliance requirements such as PCI DSS, HIPAA and NIST SP 800-53/171. Attesting to compliance with standard frameworks such as ISO 27001 and the AICPA SOC 2 Type II is also invaluable in giving your prospects confidence that your systems are secure and that their data is safe with you. In addition, you have contractual obligations to meet specific security measures on behalf of your clients.

Demonstrating security compliance becomes a drain on resources that are better spent elsewhere. Your priority is to spend those resources securing your organization rather than documenting your controls. There are times when your external assessor asks for evidence of a control that you may not have, or that you do not believe is necessary. Let us take on the burden of identifying the controls, managing the evidence and communicating with your assessor so you can get back to your real business.

CISO Consulting Services will take on the responsibility of meeting these requirements and give you back your time. This is our methodology:

Phase 1: Business Process Review

  • Our first step is to understand and document the critical processes that are essential to your business. This is an important first step, as it informs the rest of the engagement. We identify the threats to the business and the core controls necessary to protect it. We believe that compliance is the natural outcome of a robust security program, not the other way around.
  • We assemble the documents that describe your system architecture, data flows and network diagrams. This is carried out once at the beginning of the engagement. Thereafter, we update this material as your business grows and changes.
  • Contract Terms Review: Legal counsel may have agreed to contract terms that commit you to implementing security controls copied from a stock security addendum. Such controls may be irrelevant to the product or service you provide to the client, yet commit you to investing in expensive measures that add nothing to your security. For example, a financial institution may require financial background checks of all its third parties, which is not relevant if your service is non-transactional. CISO Consulting Services will review contracts and red-line such terms, with explanations, so they can be renegotiated with your clients.
  • Assessment Normalization: We take stock of all your regulatory and contractual security requirements and break them down into a common set of controls required for the organization. This ensures that effort is not duplicated or wasted across multiple requirements.
  • Controls Assessment: We take an inventory of all existing controls and measure them to grade their effectiveness. Validating effectiveness may include penetration testing, vulnerability scanning and incident response testing.
  • Gap Analysis: We overlay the compliance requirements on the existing controls and identify areas that are unaddressed or limited in their effectiveness. These are prioritized and remediation steps are drawn up.

Phase 2: Implementing Security Controls

  • Remediation of Vulnerabilities: We support you as you remediate identified issues by providing the tools, methods and processes to rectify them. We help measure and confirm that the controls are effective and that evidence is collected appropriately.
  • Evidence Gathering: We create a documentation framework in which all evidence necessary to show compliance is gathered and easily presentable to multiple assessors. The differentiating focus here is on establishing a repeatable process or automated system, so that the evidence-gathering effort is reduced significantly over time. This also ensures that compliance is an ongoing process rather than a point-in-time event, allowing early detection of problems.
  • Continuous Monitoring: We monitor vulnerability assessment and penetration testing reports and assist in prioritizing patching and remediation.

Phase 3: Communication with Assessors

  • Evidence Presentation: CISO Consulting Services engages directly with the assessors early and on a periodic basis to ensure that their expectations are clearly understood, agreed to and met consistently. We represent your organization's security posture and demonstrate its effectiveness.
  • We maintain contact with your assessors to ensure they are comfortable with your controls, so that the annual assessment is business as usual.

Compliance Support Areas

PCI DSS
AICPA SOC 2 Type II
Shared Assessments
NIST Cyber Security Framework
ISO 27001