IT systems are an integral part of business operations, and managing the security risks associated with our reliance on IT is an ongoing challenge. Systems have long been at risk from malicious actions, inadvertent user errors, and natural disasters, and today, the risk is even greater. The impact of a systems outage or a data breach can be devastating, and the likelihood that your organization is being targeted is ever increasing. Information is an asset and it must be protected to ensure its confidentiality, integrity, and availability.
We offer security assessment services that are based on best practices such as the guidelines documented within National Institute of Standards and Technology (NIST) 800-115 Technical Guide to Information Security Testing and Assessment. Our security assessment services include a review of your security posture and controls as well as a comprehensive vulnerability assessment, penetration testing, and social engineering. Each engagement is tailored to our client’s specific needs and systems environment, whether a review of the entire IT infrastructure; mobile and web application security; or a focus on cybersecurity.
We use a variety of commercial-grade tools as well as manual testing to identify and analyze vulnerabilities, including QualysGuard, Nessus, CoreImpact, Metasploit, IBM Security AppScan, Veracode, and Burp Suite. In addition, we also incorporate security configuration auditing tools such as Nipper Studio and email phishing tools like those provided by the KnowBe4 platform.
We work closely with IT management to confirm vulnerabilities and eliminate false positives and provide comprehensive reporting with varying level of detail that allows for you to easily parse through the results and focus on those vulnerabilities that pose the most risk to the systems environment. In addition, we work with executives and senior management to interpret the results of the assessment within the context of the overall business and determine a risk-based, prioritized remediation plan.
Many regulatory requirements have been enacted recently that focus on security, cybersecurity, and privacy. Therefore, most of our engagements incorporate aspects of compliance with a wide variety of regulatory and attestation requirements, such as:
- SOC 2 (SSAE 18)
- HIPAA / HITECH
- FDA 21 CFR Part 11
- SOX / JSOX
- European Union’s General Data Protection Regulation (GDPR)
- New York State’s Cybersecurity Regulations
- Singapore’s Computer Misuse and Cybersecurity Act
In order to seamlessly integrate the various compliance considerations, we use best practices provided by organizations such as NIST and ISO as the foundation for our engagements, including NIST’s Cybersecurity Framework and SP 800-53 Security and Privacy Controls, as well as ISO 27001 & 27002.
Our extensive experience within a variety of industries and organizations allows us to understand IT risks within the context of the overall business environment. No matter your particular areas of concern or compliance requirements, we will help you to identify which systems could be exposed if defenses are compromised, determine what information might be available to attackers, and define the business risks based on identified vulnerabilities.