These case studies showcase example real-world deliverables as part of ongoing virtual CISO services.
Case Study One: CMMC Compliance
Industry: Manufacturer (Federal Subcontractor)
Size: Approximately 50 FTEs
Problem: The client, a manufacturer of hardened equipment for government, military, and private sector use, reached out to vCISO Services, LLC to enhance their security program. A major customer of theirs had issued a series of requirements that they either did not comply with or understand. They were under a time limit to demonstrate their security program matched the customer’s requirements. Losing this customer would severely impact their revenue.
Solution: vCISO Services, LLC worked with the client’s team to determine the company’s “as-is” state in relation to the customer’s immediate requests. Where gaps existed, vCISO Services, LLC determined corrective measures that provided both control functionality and evidence of compliance. Next, vCISO Services, LLC worked with the client to align their policies, processes, operations, and controls with CMMC L2 requirements. The client understands that they will need to pass a C3PAO audit to maintain their client base and expand business. vCISO Services, LLC positioned the client to pass that audit (not yet scheduled).
Case Study Two: PCI Compliance
Industry: Customer Acquisition
Size: Approximately 150 FTEs
Problem: The client, providing customer acquisition for utility providers, collected and processed credit cards as part of signing their customers up for utility services. This PCI exposure was at a level that required an audit by a QSA. They had never undergone a third-party audit of their security program.
Solution: Initially, vCISO Services, LLC assisted the client’s MSSP with fortifying the information security program, beginning with a restructuring of the Information Security Policy. vCISO Services, LLC then conducted a PCI-DSS SAQ-D, a very thorough self-attestation, to identify gaps prior to engaging a PCI QSA audit firm. Gaps identified were remediated and the audit was scheduled. No significant exceptions were discovered during the audit.
Case Study Three: SOC2 Attestation
Industry: Financial Services (Non-Bank/Credit Union)
Size: Approximately 25 FTEs
Problem: The client, a startup providing SaaS wealth management services, required enhancement of their security program based on prospect needs. Increasingly, prospective customers required a third-party attestation of their security program; vendor risk assessment questionnaires were not always sufficient.
Solution: vCISO Services, LLC conducted a gap analysis against the AICPA SOC2 Common Criteria and assisted the client in remediating the gaps identified. vCISO Services, LLC then helped the client evaluate and select a SOC2 auditor. Because of the confidence in the control implementation, vCISO Services, LLC recommended a contiguous process from SOC2 Type 1 to SOC2 Type 2 for two reasons: first, customers and prospects were anxious for a quick third-party attestation on the design of controls, and second, both the client and vCISO Services were confident that the SOC2 CC requirements were satisfied. The client passed both audits with no exceptions on the first try.
Case Study Four: Risk Management Advisory Services
Industry: Healthcare (Revenue Cycle Management)
Size: Approximately 10,000 FTEs
Problem: The engagement began when the client, a provider of revenue cycle management services, acquired a company providing patient intake services for which vCISO Services, LLC had been providing CISO advisory services for several years. This was a separate engagement to help stand up an effective GRC-based risk management program while integrating the risks from the acquired company into the acquirer’s ecosystem.
Solution: vCISO Services, LLC worked with the client to evaluate and configure a GRC platform, enhancing the control taxonomy and risk ratings. The result was a clear understanding of the acquired organization’s information security risks as they related to the acquirer. Additionally, vCISO Services, LLC helped the acquirer enhance their vendor management and risk review programs as part of the overall GRC strategy.
Case Study Five: Maturing to Self-Sufficiency
Industry: Education (Employee)
Size: Approximately 10 FTEs
Problem: The client, a provider of employee education services, approached vCISO Services, LLC with the need to satisfy customer vendor risk management requests. Shortly into the process, both vCISO Services, LLC and the client realized that a third-party attestation was the appropriate next step.
Solution: As with Case Study Three, vCISO Services, LLC helped the client reach and pass their first SOC2 Type 2 audit. As part of that process, vCISO Services, LLC strengthened the risk-based security program while mentoring a new hire responsible for information security. One end goal for vCISO Services, LLC, if it is the client’s desire, is to mature the information security program to the point of self-sufficiency. The relationship successfully ended 18 months after the initial engagement, with the program in the hands of a competent security leader.
Case Study Six: Implementing a GRC
Industry: Financial Services (Credit Union)
Size: Approximately 170 FTEs
Problem: The client, a credit union with <$1B in assets, had undergone information security risk assessments with a previous vCISO using spreadsheets. The result was an unnecessarily complex method for evaluating and presenting information security risks that did not effectively convey the risk environment.
Solution: vCISO Services, LLC recommended, implemented, and managed a cost-effective GRC solution (eramba) and transferred the existing risk register into the system. From there, vCISO Services, LLC mapped controls to risks and to the NIST-CSF framework. This provided a simple dashboard heat map representation of the risks. Its dynamic (versus static) nature meant changes were reflected on the dashboard in real time instead of being rebuilt manually.