CIS-Based Risk Assessment
Our security review process assesses the Company on three critical elements of a successful security program: policies and procedures, roles and responsibilities, and best practices.
Using the Center for Internet Security (CIS) Critical Security Controls (CSC) for Effective Cyber Defense as the reference framework, we assess the organization at a high level to determine whether security policies and procedures exist to protect the organization and its sensitive information.
We also evaluate whether organizational security roles are defined and carried out effectively, and whether security best practices are followed to protect against, detect, and respond to security threats.
Each cybersecurity review shall cover the following topic areas:
- Inventory and Control of Hardware Assets
- Inventory and Control of Software Assets
- Continuous Vulnerability Management
- Controlled Use of Administrative Privileges
- Secure Configuration for Hardware and Software on Mobile, Workstations, and Servers
- Maintenance, Monitoring, and Analysis of Audit Logs
- Email and Web Browser Protections
- Malware Defenses
- Limitation and Control of Network Ports, Protocols, and Services
- Data Recovery Capabilities
- Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- Boundary Defense
- Data Protection
- Controlled Access Based on the Need to Know
- Wireless Access Control
- Account Monitoring and Control
- Implement Security Awareness and Training Programs
- Application Software Security
- Incident Response and Management
- Penetration Tests and Red Team Exercises
Our deliverable identifies key risks, mitigation solutions, and investment recommendations. Our objective is to show where technology can be applied to improve and scale the business.
We specify the IT investments required to drive revenue, reduce costs, and improve efficiency. The investment analysis is grouped into three categories: application portfolio, IT organization, and technology architecture. One-time and ongoing costs are described for each, along with the rationale for every identified investment or upgrade.