Executive-Level Advisory Services

At SMBvCISO, we are committed to helping businesses with their strategic needs. We do this through our executive-level SMB vCISO advisory services, which are tailored to the unique needs of each client. Our vCISOs have extensive experience and specialize in governance and management, which includes developing and implementing programs based on policies, specifications, and practices.

Functions

Governance

The governance function develops programs, policies, specifications, and practices and ensures that they are effectively implemented and maintained. This improves strategic alignment, risk management, value delivery, resource management, performance measurement, and assurance process integration.

Management

The management function implements programs, policies, specifications, and practices and ensures that facilities, systems, applications, processes, and data are effectively secured, protected, and recoverable. This improves the current state posture of security, privacy, resilience, and risk management.

Programs

Security

It is essential that facilities, systems, applications, processes, and data are secured and protected. Failure could result in monetary damages. This requires a combination of people, processes, and technologies focused on security and balanced against the needs of the business. In today's world, if your clients cannot trust you with their data, they will go elsewhere.

Privacy

Personal information is now subject to the rights of individuals. Various laws and regulations control the collection, storage, processing, transmission, security, and other aspects of that information. Compliance with privacy laws and regulations is not optional, and non-compliance can result in monetary damages to your business.

Resilience

An adverse security event can lead to unauthorized access, use, disclosure, disruption, modification, or destruction of facilities, systems, applications, processes, or data. It is essential that continuity, contingency, and incident response plans exist and are exercised. If you cannot effectively respond to events, you could lose clients or the business entirely.

Risk Management

Where a threat meets a vulnerability, there is an exposure, which implies a risk. Identifying, tracking, analyzing, treating, and managing that risk is necessary to limit it to an acceptable level based on risk appetite. Anticipating risk, based on sound analysis, is essential to avoiding unexpected outcomes that could have severe repercussions.

Policies

Organization

We compose organization statements of management intent to frame the vision and direction of the security, privacy, resilience, and risk management programs.

Issue-Specific

Where focus is needed on areas of current relevance, concern, or controversy, we document issue-specific statements of management intent to provide direction.

System-Specific

When individual systems or a group of like systems need granularity, we write system-specific statements of management intent on security objectives and operational rules.

Specifications

Standards

We review and implement industry standards that apply to your business, such as FFIEC Info Sec, PCI DSS, HIPAA, OWASP ASVS, and others, to ensure you are in compliance.

Frameworks

We reference industry frameworks and develop internal frameworks to structure your security, privacy, resilience, and risk management programs. 

Architectures

We reference industry architectures and develop internal architectures to build out your security, privacy, resilience, and risk management programs.

Plans

We develop, implement, and exercise continuity, contingency, and incident response plans to prepare your business for adverse security events, incidents, and breaches.

Practices

Controls

We develop controls that apply policies and specifications to people, processes, and technologies.

Baselines

We establish baselines that set the minimum level of control on people, processes, and technologies.

Guidelines

We write guidelines on controls, as needed, that provide clarity and application advice.

Virtual and Fractional CISO Advisory & Consulting Services

Copyright © 2025 SMBvCISO, LLC - All Rights Reserved.
