What We Offer

Our goal is to provide the best cyber information security service to the Chief Information Security Officer (CISO) function and its supporting staff, enabling them to deliver the most effective value to direct and end customers.

Service Delivery Methods

  • Virtual Chief Information Security Officer (vCISO) retainer or piecework-based advisory or document/plan preparation engagements
  • Implementation projects in conjunction with solution partners
  • Training in the various Service Areas
  • Subscription-based information service covering each of the Service Areas (ramping up in 2019)

Current Instructor-Led Training Offering

  • CISSP Certification Preparation
  • DevSecOps Best Practices
  • Starting a Cyber Threat Hunting Program
  • Identity, Credential, & Access Management (ICAM)

Service Areas

Board of Directors Governance

  • Strategic Risk
  • Business Risk
  • Risk Culture
  • Risk Appetite Statement
  • Risk Tolerance
  • Key Risk Indicators
  • IT Security Budget
  • Audit & Compliance

Risk Management Committee

  • Operational Risk
  • Key Risk Indicators (KRIs) by Business Unit
  • Key Performance Indicators (KPIs) by Business Unit

Information Security Management

  • Program Plan
  • Roles, Responsibilities & Structure
  • Program Management Office & Security Portfolio Management
  • Operations Handbook

Information Security Governance

  • Security Enterprise Architecture
  • Integrity & Change Control
  • Security Configuration Management

Compliance & Audit

  • FISMA
  • NIST
  • ISO 27001
  • PCI-DSS
  • HIPAA
  • U.S. Federal Government Inspectors General

Policy and Process Design

  • CISO-owned
  • Relevant non-CISO-owned

Risk Management

  • National Institute of Standards and Technology (NIST)
  • NIST Cyber Security Framework (CSF)
  • Enterprise Risk Management
  • Enterprise Risk Register
  • IT Programs Risk Register
  • Performing Enterprise Risk Assessment
  • Enterprise Risk Response

Security Engineering and Architecture

  • Tools Effectiveness Assessment
  • Software Supply Chain Risk Management
  • Building Security In
  • Engineering in Resilience
  • CERT® Resilience Management Model (CERT-RMM)
  • Agile Security Architecture
  • Common Controls Selection
  • Tool Selection & Implementation

Security Testing

  • Third Party Application / Component Assessment
    • Source & Provenance
    • Sandbox Testing
    • Procurement
    • Open Source Software
    • Strong Authentication
  • Application Security Testing (static & dynamic)
  • Strong Authentication
  • Testing to Security Functional Requirements
  • Penetration Testing
  • Continuous Monitoring of Vulnerabilities

Application Development

  • Secure Coding Standards
  • Secure Software/System Development Lifecycle Process
  • Specifying Security Functional Requirements
  • Security Functional Requirements Design Patterns
  • Security Resources for Developers
  • DevSecOps Pipeline & Process

Security Operations Center (SOC)

  • Testing & Mapping Control Effectiveness
  • SOC Design, Tool Selection & Review
  • Incident Response (IR) Procedures
  • Cyber Threat Intelligence Feeds
  • Playbook Development
  • Security Orchestration, Automation and Response (SOAR)
  • Threat Hunting
  • MITRE ATT&CK™ Framework
  • Attack Detections
  • AI & Machine Learning Planning & Effectiveness

Identity, Credential and Access Management (ICAM)

  • Identity Proofing
  • Identity Management
  • Device Identity Management
  • Multifactor Authentication Authenticators
  • Credential Issuance
  • Public Key Infrastructure
  • Federation
  • Single Sign On (SSO) & Strong Authentication
  • Access Lifecycle Management
  • Federation of Authoritative Attributes
  • Dynamic / Attribute Based Access Control (DAC/ABAC)
  • User & Entity Behavior Analytics (UEBA)

Privacy

  • Engineering Assessment (Privacy by Design)
  • GDPR
  • Program Management & Customer Care
  • U.S. Federal and State Laws
  • International Conventions
  • Downstream Disclosure Controls

Insider Threat Program

  • Establishing an Insider Threat Program
  • Operating an Insider Threat Program

Vendor Risk Management

  • Privacy & Security
  • Contractual Considerations
  • Service Level Agreements
  • Inspections

Security & Performance Reporting

  • Security Operations
  • Identity, Credential and Access Management
  • Continuous Monitoring
  • System Compliance
  • Privacy
  • Key Control Indicators (KCIs)
  • Key Performance Indicators (KPIs)
  • Service Level Agreements (SLAs) – Internal & External
  • Key Risk Indicators (KRIs)
  • Leadership Reporting & Dashboard
  • Executive Dashboard & Reporting

Breach & Disaster Response, Contingency Planning

  • Business Resilience & Impact Assessment
  • Develop Breach & Disaster Response, Contingency Plans
  • Develop Breach Response Communications Plan
  • Periodic Plan Testing Exercises & Updates

Security Innovation

  • Design Thinking
  • Technology Research
  • Tools Research
  • Gap Analysis & Roadmap Definition
  • Digital / Organizational Transformation

MITRE ATT&CK and ATT&CK are trademarks of The MITRE Corporation.
CERT® is a registered mark of Carnegie Mellon University.