Virtual CISO Gold
Virtual CISO services for midsized businesses whose complexity requires the features of Silver, but at a greater volume of virtual CISO services.
Virtual CISO Gold builds on Virtual CISO Silver and is often best for midsized businesses with more than 50 employees. Such businesses often have more complex requirements: multiple audits (e.g. SOC2, PCI), multiple frameworks (e.g. CMMC, HITRUST CSF), many remote sites, and/or substantial vendor risk assessment volume. Your virtual CISO will develop and implement a strategy to manage and track all of these complexities while maximizing the security posture of your organization, often with the use of a Governance, Risk, and Compliance (GRC) tool (eramba). Example services are included below; we will tailor the program for your specific needs.
The services included above are examples only and are based on resource needs. Services can include:
Our managed eramba GRC service enables tracking and dashboard reporting on information security risks, compliance with various frameworks and regulations, asset management, incidents, and more. Requires one year commitment.
The human is the weakest link. As a KnowBe4 partner, our virtual CISOs provide and manage online training to further your organization’s information security awareness, reducing the risk of an information security incident caused by human error. Requires one year commitment.
Information security is, at its core, risk management. Risks must be identified and prioritized so as to efficiently apply resources for mitigation. An Information Security Risk Assessment (ISRA) is the tool for managing and communicating risks to executive management and the Board of Directors. Without a solid ISRA, executives do not have a clear understanding of the information security risks they are ultimately responsible for, and staff have no direction on the risks to address. A virtual CISO will create and manage a complete and sustainable ISRA process.
Compliance does not equal security, but is necessary to demonstrate the viability and effectiveness of the security program. We have a documented, solid history of building security programs aligned with many frameworks, including the ones above. Whatever the regulation or standard your organization needs to comply with, our virtual CISOs and information security risk analysts can get you there.
A fundamental but often overlooked aspect of information security programs is a quarterly governance committee, led by our vCISO and involving business unit leaders and executives organization-wide. The C-suite and the Board of Directors can only make risk-informed decisions if they understand information security risks, and a quarterly committee facilitates that communication. Our vCISO can present once annually or every quarter.
Does your firewall ruleset make sense? Are your other IT controls maximized for protection? Our experienced virtual CISOs and risk management analysts provide an independent review to verify IT controls or recommend changes, all while not impeding business operations.
The Information Security Program document and associated policies form the foundation of an organization’s information security program. However, a policy downloaded from the internet that does not take into account the unique operating environment of your organization is not only useless, it can become a liability. A virtual CISO or risk analyst will design policies and standards (including RACI charts if desired) to match your organization’s need and culture.
Stuff happens. Your business needs to survive unintended events. We script different scenarios for clients each year. In 2019, the exercise focused on a pandemic, which prepared our clients for the improbable COVID-19 pandemic in 2020. Let one of our virtual CISOs work with you to create meaningful BIAs and conduct effective table-top exercises to ensure continuity of operations, whatever the cause for the interruption.
Migrating to a cloud provider does not absolve an organization of its cyber security responsibilities. Controls must be assessed and confirmed to align with the corporate risk tolerance. Our virtual CISOs’ and risk analysts’ years of experience reviewing vendors make vendor information security reviews simple and complete for your business and are an essential element of proper information security risk management.
Testing is the first step. Knowing what to prioritize in remediation and what compensating controls may work better than rectifying the primary control gap can save time and cost and add efficiency while increasing security posture.
Testing exposes vulnerabilities; penetration testing attempts to exploit those vulnerabilities. May be added to any package for an additional fee, based on scope of services desired and environment.
When an incident occurs, timely response is critical.
Where is your data? How is it protected? A data mapping exercise led by a virtual CISO skilled in privacy concerns will answer these questions and reveal gaps in controls – and is required for GDPR.
Don’t see what you need? Let us know, we may be able to assist.