With the number of breaches that have occurred recently across all markets and industries, there are several regulatory frameworks that companies either choose to comply with or are mandated to comply with.
This service offering is centered around taking an industry best practice or a mandated framework and determining how well a company does or does not follow it.
Sarbanes-Oxley (SOX) is one we encounter often. Usually we are asked to assist either with initial compliance or with finding ways to comply with SOX more completely.
While we are not an organization that can certify a company, we can lay the groundwork and participate in the process to help pass audits. We can also assist companies in remediating audit findings.
We are not limited to SOX; we also work with many other industry best practices and frameworks, including NIST SP 800-53, NIST SP 800-37, NIST SP 800-82, IEC 62443, COBIT 5, NERC CIP and several others.
As a first step we typically work to understand the business model a company follows, which helps identify which standard or framework is most appropriate for the company to adopt.
We follow a methodical approach to decomposing the client's environment and granularly identifying where investments are necessary and/or prudent in order to comply with the identified framework.
Compliance assessments also help validate that the security program's specific provisions are followed at all of the company's locations and offices.
The goal is to reduce risk and to reduce the attack vectors a malicious individual could use to compromise a client's company. The intended output from this service is a gap analysis.