What We Offer
Our goal is to provide the best cyber and information security service to the Chief Information Security Officer (CISO) function and its supporting staff, enabling them to deliver the most effective value to their direct and end customers.
Service Delivery Methods
- Virtual Chief Information Security Officer (vCISO) engagements, on retainer or per piece of work, for advisory services or document/plan preparation
- Implementation projects in conjunction with solution partners
- Training in the various Service Areas
- Subscription-based information service covering each of the Service Areas (ramping up in 2019)
Current Instructor-Led Training Offering
- CISSP Certification Preparation
- DevSecOps Best Practices
- Starting a Cyber Threat Hunting Program
- Identity, Credential, & Access Management (ICAM)
Service Areas
Board of Directors Governance
- Strategic Risk
- Business Risk
- Risk Culture
- Risk Appetite Statement
- Risk Tolerance
- Key Risk Indicators
- IT Security Budget
- Audit & Compliance
Risk Management Committee
- Operational Risk
- Key Risk Indicators (KRIs) by Business Unit
- Key Performance Indicators (KPIs) by Business Unit
Information Security Management
- Program Plan
- Roles, Responsibilities & Structure
- Program Management Office & Security Portfolio Management
- Operations Handbook
Information Security Governance
- Security Enterprise Architecture
- Integrity & Change Control
- Security Configuration Management
Compliance & Audit
- FISMA
- NIST
- ISO 27001
- PCI DSS
- HIPAA
- U.S. Federal Government Inspectors General
Policy and Process Design
- CISO-owned
- Relevant non-CISO-owned
Risk Management
- National Institute of Standards and Technology (NIST)
- NIST Cybersecurity Framework (CSF)
- Enterprise Risk Management
- Enterprise Risk Register
- IT Programs Risk Register
- Performing Enterprise Risk Assessment
- Enterprise Risk Response
Security Engineering and Architecture
- Tools Effectiveness Assessment
- Software Supply Chain Risk Management
- Building Security In
- Engineering in Resilience
- CERT® Resilience Management Model (CERT-RMM)
- Agile Security Architecture
- Common Controls Selection
- Tool Selection & Implementation
Security Testing
- Third Party Application / Component Assessment
- Source & Provenance
- Sandbox Testing
- Procurement
- Open Source Software
- Strong Authentication
- Application Security Testing (static & dynamic)
- Testing to Security Functional Requirements
- Penetration Testing
- Continuous Monitoring of Vulnerabilities
Application Development
- Secure Coding Standards
- Secure Software/System Development Lifecycle Process
- Specifying Security Functional Requirements
- Security Functional Requirements Design Patterns
- Security Resources for Developers
- DevSecOps Pipeline & Process
Security Operations Center (SOC)
- Testing & Mapping Control Effectiveness
- SOC Design, Tool Selection & Review
- Incident Response (IR) Procedures
- Cyber Threat Intelligence Feeds
- Playbook Development
- Security Orchestration, Automation and Response (SOAR)
- Threat Hunting
- MITRE ATT&CK™ Framework
- Attack Detections
- AI & Machine Learning Planning & Effectiveness
Identity, Credential and Access Management (ICAM)
- Identity Proofing
- Identity Management
- Device Identity Management
- Multifactor Authentication Authenticators
- Credential Issuance
- Public Key Infrastructure
- Federation
- Single Sign On (SSO) & Strong Authentication
- Access Lifecycle Management
- Federation of Authoritative Attributes
- Dynamic / Attribute-Based Access Control (ABAC)
- User & Entity Behavior Analytics (UEBA)
Privacy
- Engineering Assessment (Privacy by Design)
- GDPR
- Program Management & Customer Care
- U.S. Federal and State Laws
- International Conventions
- Downstream Disclosure Controls
Insider Threat Program
- Establishing an Insider Threat Program
- Operating an Insider Threat Program
Vendor Risk Management
- Privacy & Security
- Contractual Considerations
- Service Level Agreements
- Inspections
Security & Performance Reporting
- Security Operations
- Identity, Credential and Access Management
- Continuous Monitoring
- System Compliance
- Privacy
- Key Control Indicators (KCIs)
- Key Performance Indicators (KPIs)
- Service Level Agreements (SLAs) – Internal & External
- Key Risk Indicators (KRIs)
- Leadership Reporting & Dashboard
- Executive Dashboard & Reporting
Breach & Disaster Response, Contingency Planning
- Business Resilience & Impact Assessment
- Develop Breach & Disaster Response, Contingency Plans
- Develop Breach Response Communications Plan
- Periodic Plan Testing Exercises & Updates
Security Innovation
- Design Thinking
- Technology Research
- Tools Research
- Gap Analysis & Roadmap Definition
- Digital / Organizational Transformation
MITRE ATT&CK and ATT&CK are trademarks of The MITRE Corporation.
CERT® is a registered mark of Carnegie Mellon University.