We offer toolkits and services to empower security and IT teams to continuously self-assess at the optimal level of detail and focus for their unique environment. By conducting such self-assessments, the organization will be better prepared for formal audit and regulatory scrutiny, and can improve its security-related decisions.

During a self-assessment project, we begin with a short discovery phase to identify key business, risk, and compliance drivers. We then tailor the toolkits and instrumentation we use for focused assessments to cover the security domains and control frameworks (e.g., NIST, ISO, COBIT) the client requires. We also consider the client’s core security objectives, including the maturity level targeted and the level of assessment detail to expose to teams.

We then deliver a draft self-assessment toolkit. For each control area covered, the toolkit contains multiple maturity tests, such as “Is a response plan executed during or after a security event?”, and four to five maturity indicators describing varying levels of existing process or capability (e.g., ad hoc, defined, repeatable) for each test. The toolkit prompts respondents to score their maturity level for each maturity test against the indicators provided, and it also prompts for proof points supporting each choice.

After obtaining feedback, we perform a second level of customization based on prominent features of the client’s industry, supply chain, business processes, and core IT systems or applications.

We can optionally monitor and support a full pilot self-assessment run by the client, and perform a third level of customization based on the complete feedback and results obtained. The toolkit automatically rolls up maturity scores for the organization as a whole and within each category, control family, or domain. Using the guidance provided, the client can pinpoint the core areas in need of improvement to “move the needle” toward the target score and prepare for audits or regulatory scrutiny.

Questions?

Please see our FAQ to understand how we propose and deliver engagements, or contact us for more information.