Cybersecurity Risk Management Program


Organizational Benefits


Most CIOs and CISOs believe that protecting intellectual property from external threats is important to the long-term success of their organizations. In a recent survey, seventy-nine percent of IT security practitioners indicated that their defensive infrastructure for identifying and mitigating those threats is either non-existent, ad hoc, or inconsistently applied throughout the enterprise. These same organizations were experiencing, on average, more than one cyber attack per month, at a cost of $3.5 million annually. There is a consensus that the tools and resources needed to monitor, analyze, understand, and mitigate threats are lacking.

A comprehensive information security risk assessment allows an organization to: 1) evaluate its security needs and risks in the context of its business and organizational needs; 2) identify risks; and 3) develop and implement risk mitigation actions. However, key stakeholders in IT and cybersecurity often claim that cybersecurity management programs are too technical, only internally facing, or too complex to be properly developed and implemented.

Periodic reviews and assessments are a very important and necessary first step, and may demonstrate compliance. Due to ever-evolving threats and the persistent nature of the threat actors, a “snapshot in time” will not keep your environment safe.

Our Cybersecurity Risk Management Program (“CRMP”) helps you build a continuous, proactive approach to identifying and protecting your most important assets: your data, your information technology, and your critical business processes. Service plans are tailored to the size, complexity, and risk tolerance of your organization. With our assistance you can integrate a successful cybersecurity management framework that is not too technical, addresses both internal and external concerns, and is right-sized to implement, operationalize, and manage over the long term.

Service Plans to Fit Your Key Objectives and Organizational Complexity

The number of cybersecurity incidents continues to climb. The variety of attacks continues to grow. You are facing a persistent threat, aimed at well-defined targets, with a clear set of objectives. It is no longer a question of if you will have a cyber event, it is a question of when…and will you be ready?

Protecting information is a business problem that costs millions of dollars and damages reputations. Even with an acute awareness of these risks, many attacks go unchecked. The solution requires more than deploying technology, such as firewalls and antivirus gateways, and hoping for the best. Security professionals cite a critical need for expertise, technology, and external services to address their growing concerns about these external threats. The solution requires a vigorous, comprehensive investment in risk management across your complete environment.

Our Cybersecurity Risk Management Program allows you to identify your risks and track risk mitigation actions, stay compliant with industry requirements, and protect your reputation with your clients. 

Cybersecurity Risk Management Program Options

When you select a service plan that meets your requirements and risk tolerance, you will receive reports and deliverables that identify your vulnerabilities and your compliance with industry standards. Here is a listing of the tasks and deliverables that come with your selected plan.

CRMP Tasks and Deliverables

Task 1: Enterprise Security Audit (ESA): 2 per year

Description: Audit of CIS Controls.

·         Silver: Basic (Top 6 Control Coverage)

·         Gold: Basic and Foundational (Top 16 Control Coverage)

·         Platinum: Basic, Foundational, and Organizational (Top 20 Control Coverage)

Deliverables:

1.       ESA Report

2.       ESA Review Session

3.       ESA Remediation Guidance

Task 1 (Gold and Platinum only): CIS Endpoint Security Assessment (ESA Technical Add-On)

Description: Automated scanning of select enterprise endpoint devices to validate that current technical controls support the CIS Controls.

Deliverables:

4.       CIS Endpoint Security Assessment Report

Task 2: Internal Vulnerability Assessment: 12 per year (monthly)

Description: Internal vulnerability assessment against all internal endpoints. Includes Enhanced Vulnerability Assessment Reports.

Deliverables:

1.       Internal VA Report

2.       Internal VA Review Session

3.       Attestation Letter

Task 3: External Remote Black Box Penetration Test: 4 per year

Description: Black box penetration test against external (public-facing) IP addresses; includes a validation retest after each quarterly test.

Deliverables:

1.       External BB Penetration Test Report

2.       External BB Review Session

3.       Post Validation Retest Report

4.       Post Validation Review Session

5.       Attestation Letter

Task 4: Social Engineering: 4 per year

Description (Gold only): Social Engineering:

·         Email Phishing

·         Voice Phishing (Vishing)

Deliverables:

1.       Email Phishing Report

2.       Vishing Report

3.       Social Engineering Review Session

Task 4 (Platinum only): Physical Penetration Test

Deliverables:

4.       Physical Penetration Test Report

Task 5: Wireless Penetration Testing: 4 per year

Description (Gold and Platinum only): Wireless penetration test against corporate and guest access points.

Deliverables:

1.       Wireless Penetration Test Report

2.       Wireless Penetration Test Review Session

Task 6: Internal Onsite Penetration Testing: 4 per year

Description (Platinum only): Internal black box penetration test against internal IP addresses.

Deliverables:

1.       Internal BB Penetration Test Report

2.       Internal BB Review Session

3.       Post Validation Retest Report

4.       Post Validation Review Session

5.       Attestation Letter

Task 6 (Platinum only): Internal gray box penetration test (authenticated as a domain user) against internal IP addresses.

Deliverables:

1.       Internal GB Penetration Test Report

2.       Internal GB Review Session

3.       Post Validation Retest Report

4.       Post Validation Review Session

5.       Attestation Letter

Task 7: Web Application Penetration Testing: 4 per year

Description (Platinum only): External gray box web application penetration test.

Deliverables:

1.       External GB Penetration Test Report

2.       External GB Review Session

3.       Post Validation Retest Report

4.       Post Validation Review Session

5.       Attestation Letter

Task 8: Incident Response/Digital Forensics (Breach Only)

Description (Platinum only): Clients that follow our remediation guidance and remain on the Platinum CRMP receive free incident response and digital forensics if they are breached.

Deliverables:

1.       Incident Response Report

Clients who participate in the Platinum tier of the CRMP will receive free Incident Response and Digital Forensics services if they are the victim of an external data breach while they are on our program. We believe that the testing schedule and remediation guidance of the Platinum tier will greatly reduce the risk to our clients and should prevent any external data breaches. We believe in this program enough to promise our clients that we will cover their incident response and digital forensic needs for free if they are breached while they are on our Platinum CRMP and implementing all of our remediation guidance.

If you would like to learn more about our Cybersecurity Risk Management Program, contact us; we would be excited to discuss how we can team together to protect your intellectual property and improve your information security.