Stand-Alone vCISO Services
We offer some virtual CISO/information security risk management services as stand-alone services, for those organizations that may need just a component and not a full virtual engagement.
Pricing is based on scope and complexity.
Information Security Risk Assessment (Qualitative):
Information security is, at its core, risk management. Risks must be identified and prioritized so as to efficiently apply resources for mitigation. An Information Security Risk Assessment (ISRA) is the tool for managing and communicating risks to executive management and the Board of Directors. Without a solid ISRA, executives do not have a clear understanding of the information security risks they are ultimately responsible for, and staff have no direction on the risks to address. A virtual CISO will create and manage a complete and sustainable ISRA process.
CMMC, NIST-CSF, PCI-DSS, HITRUST, FFIEC CAT/ACET, SOC2, ISO 27001/2, and Other Framework Gap Analysis:
Compliance does not equal security, but is necessary to demonstrate the viability and effectiveness of the security program. We have a documented, solid history of building security programs aligned with many frameworks, including the ones above. Whatever the regulation or standard your organization needs to comply with, our virtual CISOs and information security risk analysts can get you there.
Quarterly Governance Committee:
A fundamental but often overlooked aspect of information security programs is a quarterly governance committee, led by our vCISO and involving business unit leaders and executives organization-wide. The C-suite and the Board of Directors can only make risk-informed decisions if they understand information security risks, and a quarterly committee facilitates that communication. Our vCISO can present once annually or every quarter.
Information Security Program / Policy Creation and Implementation:
The Information Security Program document and associated policies form the foundation of an organization’s information security program. However, a policy downloaded from the internet that does not take into account the unique operating environment of your organization is not only useless, it can become a liability. A virtual CISO or risk analyst will design policies and standards (including RACI charts if desired) to match your organization’s need and culture.
Business Continuity Plans and Table Top Exercises:
Stuff happens. Your business needs to survive unintended events. We script different scenarios for clients each year. In 2019, the exercise focused on a pandemic, which prepared our clients for the improbable COVID-19 pandemic in 2020. Let one of our virtual CISOs work with you to create meaningful BIAs and conduct effective table-top exercises to ensure continuity of operations, whatever the cause for the interruption.
Third-Party (Vendor) Reviews:
Migrating to a cloud provider does not absolve an organization of its cyber security responsibilities. Controls must be assessed and confirmed to align with the corporate risk tolerance. Our virtual CISOs’ and risk analysts’ years of experience reviewing vendors make vendor information security reviews simple and complete for your business and are an essential element of proper information security risk management.
Data Mapping Exercises:
Where is your data? How is it protected? A data mapping exercise led by a virtual CISO skilled in privacy concerns will answer these questions and reveal gaps in controls – and is required for GDPR.
Don’t see what you need? Let us know, we may be able to assist.