The deliverable is an Information Security health check report that assesses the health of the organization’s security risk management and offers a high-level tactical plan for addressing deficiencies observed during the engagement. Estimated time of engagement is three days.
Option 2 – Information security policy assessment and basic governance policies. Certified security consultants will visit your HQ site and review your organization’s information technology documentation and architectural environment using ISO 27002, COBIT and PCI DSS as guidelines. They will identify opportunities for controls within that environment and determine whether existing controls and policies are sufficient to meet your business goals and requirements.
The deliverables will include a narrative that follows the outline of the control areas described in one of the three frameworks above and a proposed set of three foundational policies that address IT security governance (Information Security Policy), acceptable use for corporate IT assets (IT Acceptable Use Policy), and identity management and authentication requirements (IT Authentication Policy).
The final report will also include a proposed tactical roadmap for future information security and risk management activities. Estimated time of engagement is 12.5 days.
Option 3 – Organization security assessment and compliance review. Certified security consultants will visit your location and work with your security, audit and compliance staff to identify compliance requirements for your organization (e.g. PCI, SOX, HIPAA, and FERPA). This activity will review the following:
· Findings and remediations from the most recent compliance audit
· Organization’s policies and standards for key security components and control points (e.g. directories, servers hosting critical or sensitive data, perimeter and internal firewalls, intrusion detection and intrusion prevention systems, wireless access points and controllers, encryption components, VPN servers and controllers and other network access control enforcement points)
· Configurations of key security components and control points (this review will involve some scanning or use of non-intrusive tools)
The deliverables will include a report providing recommendations for strengthening existing policies and standards where needed as well as recommendations for deployment of other technologies to reduce the security risk within the organization’s network environment and perimeter control points.
The final report will also contain a tactical plan documenting further actions necessary to prepare for the next audit or compliance report. Estimated time of engagement is 20 days.
Option 4 – Network security assessment and evaluation. Certified information security consultants will visit your location and work with your security, audit, compliance and IT operations staff to review your organization’s policies, standards and configurations for key network security components and transition points. Automated tools such as Nessus and Nmap will be used to scan various components in a non-intrusive manner. Examples of these components include perimeter and internal firewalls, intrusion detection and intrusion prevention systems, wireless access points and controllers, encryption components, VPN servers and controllers and other network access control enforcement points. During this review, consultants will also examine logs from these devices for the previous 30 days to determine what anomalies or security events may have occurred and how the organization responded to those items.
The deliverables will include a report providing recommendations for strengthening existing policies and standards where needed as well as recommendations for deployment of other technologies to reduce the security risk within the organization’s network environment and perimeter control points.
The final report will also contain a tactical plan documenting further actions necessary to prepare for the next audit or compliance report. Estimated time of engagement is 30 days.