To establish an effective cyber security plan, careful examination of the available assessment, audit and development/consulting components is critical. This section of the proposal breaks down these three components, explains what each one measures and what it does not, and describes what you receive from each.

Information Security Assessment
An independent, objective review of your information security program, including technical, physical and administrative security controls. This is more than an IT assessment: information is handled in every part of the organization, from HR to finance, sales and IT, and an information security assessment measures the risk to information in each of these areas. The resulting report explains where the most significant vulnerabilities exist, ranked by risk, and what is required to remediate them. This assessment is recommended both for regulatory compliance and because it gives your company an evidence-based picture of how secure its systems and processes really are, rather than how secure they are assumed to be.

Network Security Assessment
A Network Security Assessment is a baseline review of your technical (IT) security controls and is typically the first step in any security review. It is made up of several components:

  • IT security policy review
  • IT security management practices
  • IT secure architecture review
  • Internal IT vulnerability scanning
  • External IT vulnerability assessment, optionally extended into penetration testing (a vulnerability assessment enumerates weaknesses visible from the Internet; a penetration test goes on to attempt to exploit them)

Network Security Assessments indicate how securely an IT team has set up and configured a network. There are several reasons to perform this type of assessment:

  • Establish a baseline against which later scans are compared, so that new exposures and unresolved gaps can be identified and remediated
  • Regulatory compliance that requires a technical security assessment
  • To get a snapshot of the current security status of your systems
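The "baseline, then re-assess" cycle above is only useful if the two results are actually compared. The following is an added example, not part of the original proposal and not CyberGate IT's own tooling: it reads nmap-style XML scan output for a baseline scan and a later follow-up scan, reports which Internet-facing services are new, gone or changed, and checks the current exposure against an assumed external-exposure policy. Both scan reports are constructed sample data (203.0.113.0/24 is a documentation address range), and the denylist of ports that must never be Internet-reachable is an assumption for illustration.

```python
"""Compare two external vulnerability-scan reports against each other and a policy.

Added example, not part of the original proposal and not CyberGate IT's own
tooling. It reads nmap-style XML (the two reports below are constructed sample
data, not real scan output; 203.0.113.0/24 is a documentation range) and shows
what a "baseline, then periodic re-scan" cycle actually produces: newly exposed
services, services that disappeared, version changes, and exposures that breach
an assumed external-exposure policy.
"""
import xml.etree.ElementTree as ET

# Assumed policy (illustrative): TCP services that must never be Internet-reachable.
EXTERNAL_DENYLIST = {21: "ftp", 23: "telnet", 445: "smb", 1433: "mssql",
                     3306: "mysql", 3389: "rdp"}

# Constructed baseline scan: one host with SSH and HTTPS open, RDP filtered.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><address addr="203.0.113.10" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="22"><state state="open"/>
      <service name="ssh" product="OpenSSH" version="8.2"/></port>
    <port protocol="tcp" portid="443"><state state="open"/>
      <service name="https" product="nginx"/></port>
    <port protocol="tcp" portid="3389"><state state="filtered"/>
      <service name="ms-wbt-server"/></port>
  </ports></host>
</nmaprun>"""

# Constructed follow-up scan a quarter later: RDP is now open, SSH was
# upgraded, and a second host appeared that nobody told security about.
FOLLOWUP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><address addr="203.0.113.10" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="22"><state state="open"/>
      <service name="ssh" product="OpenSSH" version="9.3"/></port>
    <port protocol="tcp" portid="443"><state state="open"/>
      <service name="https" product="nginx"/></port>
    <port protocol="tcp" portid="3389"><state state="open"/>
      <service name="ms-wbt-server"/></port>
  </ports></host>
  <host><address addr="203.0.113.11" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="23"><state state="open"/>
      <service name="telnet"/></port>
    <port protocol="tcp" portid="80"><state state="open"/>
      <service name="http" product="Apache httpd"/></port>
  </ports></host>
</nmaprun>"""


def parse_open_services(xml_text):
    """Map (address, protocol, port) -> service label for every *open* port.

    Filtered and closed ports are ignored on purpose: only what an attacker
    can actually connect to belongs in the exposure baseline.
    """
    services = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            parts = [] if svc is None else [svc.get("name"), svc.get("product"), svc.get("version")]
            label = " ".join(p for p in parts if p) or "unknown"
            key = (addr_el.get("addr"), port.get("protocol"), int(port.get("portid")))
            services[key] = label
    return services


def diff_scans(baseline, followup):
    """Return what changed between two parse_open_services() results."""
    new = {k: v for k, v in followup.items() if k not in baseline}
    closed = {k: v for k, v in baseline.items() if k not in followup}
    changed = {k: (baseline[k], followup[k])
               for k in baseline.keys() & followup.keys() if baseline[k] != followup[k]}
    return {"new": new, "closed": closed, "changed": changed}


def policy_violations(services):
    """Open TCP services on the assumed external denylist, sorted by host and port."""
    return sorted((addr, port, EXTERNAL_DENYLIST[port])
                  for (addr, proto, port) in services
                  if proto == "tcp" and port in EXTERNAL_DENYLIST)


def report(baseline_xml, followup_xml):
    """Remediation list as text lines (returned rather than printed so it can be checked)."""
    base, follow = parse_open_services(baseline_xml), parse_open_services(followup_xml)
    delta = diff_scans(base, follow)
    lines = [f"NEW     {a}:{p}/{pr} {label}" for (a, pr, p), label in sorted(delta["new"].items())]
    lines += [f"CLOSED  {a}:{p}/{pr} {label}" for (a, pr, p), label in sorted(delta["closed"].items())]
    lines += [f"CHANGED {a}:{p}/{pr} {old} -> {new}"
              for (a, pr, p), (old, new) in sorted(delta["changed"].items())]
    lines += [f"POLICY  {a}:{p} {name} must not be Internet-reachable"
              for a, p, name in policy_violations(follow)]
    return lines


if __name__ == "__main__":
    print("\n".join(report(BASELINE_XML, FOLLOWUP_XML)))
```

Run against the sample data, the report lists three new services (RDP on the known host, telnet and HTTP on the unknown one), an SSH version change, and two policy violations. The version change is worth surfacing even though it is an upgrade: silent changes on the perimeter usually mean changes nobody reviewed. A real engagement would feed the scanner's actual XML into parse_open_services and keep the baseline under version control so every quarterly delta is auditable.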


Cyber Security Assessment and Audit
An information security assessment measured against the ISO/IEC 27001/27002 standard, a set of industry standards and best practices that helps your company manage cyber security risks. Any gaps to the standard are identified, measured and reported to you. There are several reasons to conduct a Cyber Security assessment:

  • Establish a baseline to identify gaps that require remediation
  • Regulatory compliance that requires a security assessment compared to the ISO standard
  • To determine how secure the security program and network architecture really are, measured against a recognized external yardstick rather than internal assumptions

A Cyber Audit is a systematic evaluation of the security of a company’s information system, measuring how well it conforms to a set of established criteria. A thorough audit typically assesses the security of the system’s physical configuration and environment, software, information handling processes, and user practices. Security audits are often used to determine regulatory compliance with legislation such as HIPAA, the Sarbanes-Oxley Act and the California Security Breach Information Act, which specifies how organizations must handle information. Keep in mind that an audit produces a conformance finding against its criteria; it is not by itself evidence that the systems resist attack, which is what the technical assessments in this section measure.

Penetration Test
A Penetration Test is a security assessment that attempts to identify and exploit vulnerabilities in your Internet-facing systems: firewalls, web servers and web applications. The test is performed from outside your network (the Internet) and simulates the attacks an outside party would use, so that it finds the vulnerabilities that can actually be exploited remotely rather than only those that are theoretically present. Because organized, Internet-based attacks are a high-risk threat to every organization, penetration testing should be part of any security assessment program. Every test runs under a written scope and rules of engagement agreed before it begins. There are several reasons to perform Penetration Testing:

  • Establish a baseline of externally exploitable exposure so that gaps can be remediated and re-tested
  • Regulatory compliance that requires a technical security assessment (PCI DSS, for example, requires periodic penetration testing)


Financial Controls Assessment
Financial controls play an important role in ensuring the accuracy of reporting, deterring and detecting fraud, and protecting the organization’s resources, both physical and intangible. Finance and management own these controls; the IT organization is responsible for implementing and enforcing the technical ones (system access, logging, change control) so that process variation is reduced and outcomes become more predictable. When considering financial controls, we will look to industry standards and best practices to create our assessment plan, including but not limited to:

  • Segregation of duties, e.g., accounts receivable (A/R) versus accounts payable (A/P)
  • Check writing
  • Access to accounting software
  • Access to credit cards
  • Inventory management
  • Payroll
  • Financial reporting
  • Integration of external vendors


Administrative Control Assessment
Administrative controls are the backbone of an information security program. Administrative controls provide the governance, the rules, and the organization’s expectations as to how information is protected.

An Administrative Control Assessment identifies and measures gaps in security policies, processes and procedures; it also measures how closely day-to-day practice actually follows the documented policies, since a policy nobody follows is a gap in itself.

Administrative security controls, measured against the ISO standard, are critical to a robust information security program. Every security compliance regime (GLBA, PCI DSS, etc.) demands documented security governance and regular, evidenced assessment of that governance.

Internal Vulnerability Assessment
An Internal Vulnerability Assessment is a technical security assessment focused on the internal IT infrastructure, i.e. what an attacker or malicious insider who is already on the network can reach. Internal scans should be run with credentials wherever possible; an unauthenticated scan misses most missing patches and host configuration weaknesses. There are typically two components to an Internal Vulnerability Assessment:

  • Internal architecture and IT management practices review
  • Internal network vulnerability scanning


HIPAA Network Security and Risk Assessments
A HIPAA assessment is an audit for validating compliance with the Health Insurance Portability and Accountability Act (HIPAA) as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HIPAA Security Rule requires administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of electronic protected health information (ePHI); HITECH extended those obligations directly to business associates and added breach notification requirements.

HIPAA/HITECH compliance practices apply to:

  • Covered entities – health care providers (doctors, dentists, retirement homes and others) that transmit ePHI electronically, together with health plans and health care clearinghouses
  • Business associates – accountants, law firms and other entities that perform activities for covered entities involving the use or disclosure of ePHI

There are two assessments offered by CyberGate IT to determine your risk level in accordance with the HIPAA/HITECH security rules:

  • HIPAA Network Security Assessment
  • HIPAA Risk Assessment

A HIPAA network security assessment is provided as a free service by CyberGate IT to all prospective clients. It establishes a baseline report; ongoing quarterly or annual HIPAA security assessments are then compared against that baseline to confirm continued compliance and catch new exposures. The assessment includes:

  • HIPAA risk analysis report
  • External vulnerability scan detail report

A HIPAA risk assessment is scoped from the HIPAA network security assessment, the number of seats, the number of locations and other factors. It includes an onsite walkthrough with a survey of each location during work hours, and you will meet with one of our HIPAA-certified vCIOs to answer any detailed and technical questions you may have. HIPAA risk assessments provide baseline HIPAA compliance reports and a remediation plan for the business, and include the following confidential reports:

  • HIPAA risk analysis report
  • HIPAA management plan
  • HIPAA policies and procedures report
  • Disk encryption report
  • File scan report
  • External vulnerability scan detail report
  • User identification worksheet
  • Computer identification worksheet
  • Network share identification worksheet


PCI Assessment
A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security requirements for merchants and service providers that accept, process, store or transmit cardholder data. During the assessment, a PCI Qualified Security Assessor (QSA) determines whether the organization has met each of the 12 PCI DSS requirements, either directly or through a documented compensating control that provides a similar level of defense. A QSA-led on-site assessment resulting in a Report on Compliance is required only for the highest-volume merchants; smaller merchants generally validate with a Self-Assessment Questionnaire (SAQ). In either case the first step is to define, and wherever possible shrink, the cardholder data environment that is in scope.

IT Security Policy Assessment and Audit
IT Audit is a term used primarily by banks and credit unions when complying with GLBA and, for credit unions, NCUA security requirements. The term generally refers to an assessment of IT controls in the following areas:

  • Penetration test
  • Internal vulnerability scan
  • IT security policy assessment

Because the definition of an IT Audit varies by regulator and examiner, a discovery meeting with the vCISO team is critical to determine exactly what is needed and to prepare for it.

Even though IT Audits are highly technical, the experience of the auditor plays a significant role in determining the value of the audit over and above mere compliance. Our vCISO team is comprised of experts with years of specific industry experience. We understand the challenge of balancing security needs with budgets, and we know how to make recommendations that are realistic and achievable.

ISO/IEC 27001 Certification Assessment and Audit
An ISO 27002 Security Assessment is an information security assessment measured against ISO/IEC 27002, the code of practice that catalogues the security controls referenced by ISO/IEC 27001. Gaps to the standard are identified, measured and reported to you. ISO 27002 is the standard used most often by security experts when assessing information security programs; it is an industry-accepted, well-known standard and a good fit for most high-growth publicly traded companies. There are several reasons to measure against ISO 27002:

  • Regulatory or customer requirements for a security assessment against a recognized standard
  • To determine how secure the security program and network architecture really are, control by control

ISO/IEC 27001 Certification is a formal audit of your information security management system (ISMS) against the ISO/IEC 27001 standard. Unlike the gap assessment above, it is performed by an accredited certification body that must be independent of whoever helped you prepare. Two audits take place during certification:

  • Stage 1 “Document review” – The focus of the Stage 1 audit is documentation. It determines whether the organization has all of the documentation required by the ISO/IEC 27001 International Standard (scope, risk assessment, Statement of Applicability, policies and procedures) and whether it is ready for Stage 2.
  • Stage 2 “Main audit” – The focus of the Stage 2 audit is implementation. It determines whether the organization is actually doing everything it should according to the ISO/IEC 27001 International Standard and the documentation reviewed in Stage 1, by examining evidence that the controls operate in practice.