Security & Compliance Assessment – The process in which assessors interview client employees and determine any gaps that may exist between the client’s existing security program and an accepted framework of standards. The assessment provides a baseline from which the client can take action to improve security controls. The deliverable is a findings document that records the gaps between current practices and best practices or regulatory compliance requirements.
Risk Management – An exercise used to prioritize the findings of a security assessment. This is completed by identifying threats, vulnerabilities, and risks, and then determining the likelihood of each risk being realized and the impact it would have if realized. Using this methodology, security professionals assist clients with prioritizing potential remediation work according to risk.
Remediation – Typically involves the implementation of a new security control or the modification of an existing control. Common security controls include:
Perimeter defenses such as firewalls and content filtering
Intrusion detection and prevention systems
Endpoint security such as antivirus, network access control, encryption, and mobile device management
End user training
Vulnerability and patch management
Event detection and log correlation
Awareness Training – Employees are often considered an organization’s greatest defense mechanism or weakest link. Effective training teaches employees how to use technologies in a secure fashion. Onsite, instructor-led training is available, as well as online, on-demand training via the web.
Penetration Testing – Regularly test security controls. Ethical hackers will launch a series of cyber and/or social attacks designed to exploit vulnerabilities and compromise or exfiltrate client data. In the process, client security controls are tested for effectiveness. The deliverable is a findings document that details the different attack methodologies executed and describes the results of the test.