We offer security assessments as standalone consulting engagements, or embedded tasks within a security architecture improvement project. Assessments span people and the organization, processes and procedures, and security technologies. The table below lists security domains we cover.
We can conduct assessments of a security program against the NIST Cybersecurity Framework, ISO 27001, COBIT, or a combination. Our control library – which has been mapped to the NIST, ISO, and COBIT frameworks – provides us with a large number of interview questions and evaluation criteria.
We work with clients up front to determine what level of breadth and depth makes the most sense for their situation and budget. With all assessments, our consultants pose questions that probe our assessment criteria to a depth appropriate to the client’s level of maturity in each domain, and that surface related risk indicators. This enables us to provide a prioritized gap analysis.
We have a standard set of tools we use for comprehensive assessments as well as focused assessments and custom or specialized assessments. Where necessary we work with clients to prepare tailored assessment questionnaires and interview schedules. After conducting a series of interviews and rolling up the results for client review, we generate a draft report, take comments, and provide a final report.
We deliver a “Current State Assessment and Gap Analysis” identifying findings at both the program-wide and domain-by-domain levels. We prioritize and cluster the gaps by domain, and provide a preliminary roadmap with recommendations for closing them, to support development of a business case for program improvement. After an assessment, we offer an optional support package through our trusted adviser program, or flow forward into an architecture engagement.
We can also leave behind toolkits and services to empower security and IT teams to continuously self-assess at the optimal level of detail and focus for their unique environment. By conducting such self-assessments, the organization will be better prepared for formal audit and regulatory scrutiny, and can improve its security-related decisions.
For more information on how to tailor a maturity assessment to your unique challenges and target audience: