NIST-Based Risk Assessment
Our security review process assesses the Company on three critical elements of a successful security program: policies and procedures, roles and responsibilities, and best practices.
Using the NIST SP 800-53 security control catalog as the baseline, we assess the organization at a high level to determine whether documented security policies and procedures exist to protect the organization and its sensitive information.
We also evaluate whether organizational security roles are defined and carried out effectively, and whether security best practices are followed to protect against, detect, and respond to security threats.
Each cybersecurity review shall cover the following topic areas across the three critical elements:
- Access control
- Security awareness and training
- Audit and accountability
- Configuration management
- Business continuity and disaster recovery
- Authentication and authorization
- Security incident response
- Personnel security
- Physical and environmental security
- Asset management
- Media protection
- Network security
- Application security
- Data security
- Privacy
- Development and maintenance
- Compliance
- Information systems acquisition
Our deliverable will identify key risks, mitigation solutions, and investment recommendations. Beyond the risk findings, our objective is to show where technology can be applied to improve and scale the business: we will specify the IT investments needed to drive revenue, reduce cost, and improve efficiency. The investment analysis is grouped into three categories: application portfolio, IT organization, and technology architecture. For each recommended investment or upgrade we describe one-time and ongoing costs and provide the rationale behind the recommendation.