We offer comprehensive security assessments as standalone consulting engagements, or embedded within a security architecture improvement project. Comprehensive assessments span people and the organization, processes and procedures, and security technologies. The table below lists examples of security domains we cover.
We can conduct assessments of a security program against the NIST Cybersecurity Framework, ISO 27001, COBIT, or a combination. Our own library of over 400 security controls – which have been mapped to the NIST, ISO, and COBIT control sets – provides us with a large number of interview questions and evaluation criteria.
We work with clients up front to determine what level of depth and project methodology makes the most sense for their situation and budget. With all assessments, our consultants pose questions to probe into our assessment criteria up to a point appropriate to the client’s level of maturity in the domain, and to discover related risk indicators. This enables us to provide a prioritized gap analysis.
We have a standard set of tools we use for comprehensive assessments as well as focused assessments and custom or specialized assessments. Where necessary we work with clients to prepare tailored assessment questionnaires and interview schedules. After conducting a series of interviews and rolling up the results for client review, we generate a draft report, take comments, and provide a final report.
We can offer onsite assessment workshop delivery, or a combination of online and onsite workshops. Workshops combine informational presentations and group facilitation methodologies with our standard assessment service elements. For example, we could facilitate a brainstorming or team-building day for security stakeholders with an assessment service and/or we could tailor our criteria to vary the level of coverage for specific security domains.
We deliver a “Current State Assessment and Gap Analysis” identifying the findings at both the program-wide and the domain-by-domain level. We prioritize and cluster the gaps by domain, and provide a preliminary roadmap with recommendations for closing the gaps to support developing a business case for program improvement. After an assessment, we offer an optional support package through our trusted adviser program, or flow forward into an architecture engagement.