Our process for Assessment and Authorization (A&A) places initial focus on boundary definitions, definition of roles and responsibilities, and security categorization based upon data types and sensitivity. After conducting a comprehensive risk assessment, our team is able to develop system security plans that explain who, what, how, and how often for each security control (leveraging common or inherited controls where possible). Our teams also develop all supporting documentation, such as eAuthentication Risk Assessments, Privacy Impact Assessments, IT Contingency Plans, Security Control Assessment/Test Plans, Security Assessment Reports, ATO Letters, and agency-specific documentation.
VULNERABILITY SCAN AND REMEDIATION
A vulnerability is a weakness in a system or network that can be exploited by an attacker to gain unauthorized access. An effective vulnerability assessment and remediation program must be able to prevent the exploitation of vulnerabilities by detecting and remediating vulnerabilities in the system or network in a timely fashion. Proactively managing vulnerabilities on covered devices will reduce or eliminate the potential for exploitation and save the resources otherwise needed to respond to incidents after an exploitation has occurred. Our team has experience in designing, implementing, and operating programs to ensure the security of your system or network.
Continuous monitoring and assessments at all levels and throughout the system life cycle will decrease the overall risk to an organization and ultimately reduce the overall impact of breaches. We implement the six-step process described in the DHS Continuous Monitoring brochure and outlined in NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems, September 2011.
SECURITY CONTROL ASSESSMENT (SCA)
An SCA is the formal evaluation of a system against a defined set of controls.
The SCA and Security Test and Evaluation (ST&E) evaluate the implementation (or planned implementation) of the controls as defined in the System Security Plan (SSP). The results are documented in the risk assessment report, which records the system's areas of risk.
POLICY & PROCESS DEVELOPMENT AND IMPROVEMENT
All companies should develop and maintain clear and robust policies for safeguarding critical business data and sensitive information, protecting their reputation and discouraging inappropriate behavior by employees.
Many of these types of policies already exist for "real world" situations, but may need to be tailored to your organization and updated to reflect the increasing impact of cyberspace on everyday transactions. As with any other business document, cybersecurity policies should follow good design and governance practices: not so long that they become unusable, not so vague that they become meaningless, and reviewed on a regular basis to ensure that they stay pertinent as your business needs change.
Our cybersecurity consultants provide services and solutions that deliver continuous security assurance for business, government, and critical infrastructure.