Information Security Services

Building an Information Security Program is the broadest of all security and risk services. Information Security programs are customized based on the needs of the organization, risks uncovered during a risk assessment, a regulatory obligation, or the aftermath of an unfortunate breach.

Arguably the foundation of any Information Security Program is the corporate security policy. However, the true foundation is the Risk Assessment, without which the current state of Information Security cannot be understood. Our Information Security Services include the following:


Program Management

  • Determine overall strategy and plan for the information security management program
  • Ensure the program meets the organization’s most critical business needs
  • Coordinate with related tasks such as fraud, e-Discovery, physical security, product security, and/or privacy

Corporate Security Policy and Standards

  • Develop and document the overall directives and rules that prescribe how the organization protects information
  • Elaborate the complete set of administrative, technical, and physical information security controls used by the organization (i.e. the controls framework) including access controls, encryption, identification and authentication, configuration management, monitoring, audit logging, application security, and awareness training (of staff and customers)
  • Consider requirements of various laws and regulations (e.g. SOX, HIPAA, PCI)
  • Ensure controls are agile and track with changes in business and threat landscapes

Controls Operation

  • Implement controls based on policy and standards and on internal and external environmental factors


Controls Design (Architecture)

  • Develop new controls or new ways of implementing controls based on changes to business, IT, and threat landscape
  • Includes application-development techniques; specifying, deploying, customizing, and/or developing new security technology; and new end-user agreements and procedures

Control Operations

  • Operate the controls based on policy and standards and on internal and external environmental factors

Control Oversight / Assurance

  • Assess all controls to ensure they conform to policy and standards
  • Verify all controls are present and performing as intended
  • Ensure all controls are consistently monitored and attested

Business Continuity / Incident Response

  • Coordinate and manage the organization’s response to security incidents, including business continuity/disaster recovery

Corporate Risk Assessment

  • Evaluate the risks of a program, process, project, initiative, or system based on the value of information and data assets, applicable threats and vulnerabilities, likelihood of compromise, impact to the organization (e.g. reputation, revenue, regulatory non-compliance), and estimated losses


Information Risk Management / Business Risk vs. Reward Analysis

  • Establish risk owners’ risk appetites and authorized risk acceptance levels
  • Based on the risk assessment for a particular program, process, project, initiative, or system, formulate a risk mitigation and remediation strategy
  • Maintain a consistent process for weighing information security risks against business rewards
  • Determine required controls to bring risk to acceptable level
  • Integrate information risk with enterprise risk management framework/program

Asset Inventory and Valuation

  • Delineate the complete inventory of business processes, sensitive data, and information systems used by the organization
  • Perform comprehensive business process documentation and data flow mapping in order to understand the processes and data that need protecting and formulate protection strategies
  • Identify the privileged users throughout the extended enterprise who have access to critical systems
  • Determine the value of assets in order to prioritize protection strategies


Cyber Risk Intelligence and Threat Analysis

  • Understand the adversarial landscape relative to business assets (identity, capabilities, motivations, targets)
  • Gather intelligence data regarding threats to the organization
  • Manage sources of intelligence data, interpret data, perform analysis, and produce threat intelligence reports and alerts
  • Integrate threat modeling and intelligence into entire security management process and lifecycle


Security Data Analytics

  • Use advanced analytics techniques and data science to analyze security data enriched by intelligence data
  • Develop queries, algorithms, and data models used to detect or predict malicious activity


Security Data Management and Big Data Security

  • Develop a data management strategy and infrastructure for aggregating and analyzing security data from various inputs (security systems, databases, applications, threat feeds) for various purposes (e.g. threat detection, enterprise risk management and compliance, continuous controls monitoring)
  • Architect a data warehouse for security data


Security Process Optimization

  • Consistently track and measure the efficiency of security processes and implement improvements using formalized quality management, project management, and service delivery methodologies


Long-Range Planning

  • Look at future trends in business, technology, and regulation in order to formulate proactive security strategies; for example, technology developments such as the “Internet of Things” and wearable computing are bringing new security challenges


M&A Due Diligence

  • Conduct a due diligence assessment of potential acquisitions
  • Perform a targeted review covering IT assets, technologies, intellectual property, source code, security posture, and potential risk assessments