Consulting
(Information Risk Management & Security)

MasterLink’s team of Information Risk/Security practitioners and engineering professionals provides a broad range of consulting services to assist clients with their information risk and security requirements. Using the “Plan, Do, Check, Act” (PDCA) cycle on which ISO/IEC 27001 is built to identify the core issues enables us to recommend and implement the appropriate level of controls, strengthen security, improve access, achieve compliance and reduce risk. Through partnership with you we deliver a holistic solution centered on People, Process and Technology, with the goal of a secure, compliant solution that is balanced against productivity and long-term sustainability. Our goal is not to sell you technology, but to deliver a secure business solution based on an understanding of your challenges and strategy. We focus not just on solving today’s regulatory compliance requirements, but on preparing you for future requirements as well.

Additionally, we work with your management team to put in place the ISO/IEC 27001 requirements for Management Responsibility for the ISMS, ongoing Internal Audits of the ISMS, Management Review of the ISMS and Improvement of the ISMS, so that compliance of the ISMS within the business is continuous and sustainable rather than a one-time effort.

Consulting services that we provide include but are not limited to the following:

Strategic Direction
Do you know where you want to be tomorrow, next year or several years from now? If so, do you have a plan for how you will arrive at that point, and when? Whether your strategic direction is broad, from a CEO perspective, or more specific, from a CISO perspective, MasterLink can help. Let us help you better understand where you are and the direction that should be taken. We follow a structured methodology based on ISO/IEC 17799:2005 (since renumbered ISO/IEC 27002) as a guideline, and incorporate an initial high-level discussion, a risk assessment, analysis and a report to provide a clear picture of where your risk/security posture stands today. We then provide recommendations and a plan for moving forward to achieve your desired results.

Policy/Standards/Guidelines/Procedures
It all starts with policy, specifically the Information Security Policy. The purpose of a security policy is to define at a high level what should be protected, not how it should be protected. This high-level document is created and approved by Executive Management and/or the Board of Directors to ensure buy-in across the company. The policy should be brief in stating company direction and philosophy, usually one to two pages in length. While policies are the strategic starting point for a company to establish direction and philosophy, they need to be supported by tactical Standards, Guidelines and Procedures to be truly effective: the standards state what must be done, the guidelines recommend how, and the procedures spell out the steps. The two primary high-level areas MasterLink can assist you with are:

Security Policy Review
• How are the policies written?
• Do you align to your policies?
• Do the policies support your culture?
Security Policy Development
• Creation of Policy Review Board
• Understand the business culture, objectives, strategies and regulatory requirements
• Interview and assess the appropriate stakeholders
• Create the policy

Control Frameworks
All successful ventures have one thing in common: they start with a plan. Like building a house, one of the first steps in building an Information Security Program is the blueprint that details what the end result will look like. The blueprint within the information security and risk world is an established, industry-recognized control framework such as ISO, NIST or COBIT. Whether you are seeking compliance with ISO/IEC 17799:2005 or certification to ISO/IEC 27001:2005, MasterLink can assist you with all aspects of this challenging effort. Additionally, we can provide education in other control frameworks such as COBIT, COSO and NCUA Part 748 (Appendices A and B). Finally, should you be seeking another personal certification to complement those you already hold (e.g. CISSP, CISA or CISM), we are a HISP-certified training center, with one of our own practitioners as the instructor.


Information Risk/Security Program
Once you have determined your control framework (i.e. the blueprint) it is time to build the overall program. The risk/security program encompasses the framework, measurement, communication, governance, assessment, training, education, awareness and partnership building. With the many stakeholders, strategic internal and external partnerships, and broadening of responsibility, a complete program has many aspects. A sample listing of key areas within a program is:

• Organization Structure
• Policy/Standards/Guidelines/Procedures
• Data Classification
• Compliance
• People/Process/Technology
• Awareness/Training/Education
• Dashboards/Metrics/Measurement
• Risk Assessment and Management
• Access Controls
• Control Frameworks
• Communications

Risk Management
Risk Management is the all-inclusive process of identifying risk, conducting a risk assessment, developing action plans to mitigate the risk, tracking the status and completion of the mitigations, and repeating the cycle continuously. Once you have identified the threats and vulnerabilities that create the risk, steps need to be taken to treat those risks, starting with the most critical. There are four basic options:
→ Avoid the risk
→ Reduce the risk
→ Accept the risk or…
→ Transfer the risk
No matter which option you choose in addressing a risk, you remain accountable for the outcome. Lastly, how do you address the residual medium and low risks (i.e. the risk that remains after treatment)? Risk is never eliminated; it just moves to the next weakest link. Thus, the challenge is in the ongoing management of risk. MasterLink can assist you in developing a continuous, repeatable and sustainable risk management process mapped to ISO controls.

Executive Dashboards
Used correctly, dashboards, metrics and measurements are among the most important and effective tools a security leader has for communicating risk. The key is recognizing that each level of the organization has a different knowledge level and information requirement. The dashboard program should communicate both the risk posture of the business and the effectiveness of the Information Security Program itself. A company’s information security posture (i.e. maturity level) should be based on the combined components of People, Process and Technology. Additionally, it should communicate effectively at all levels of the organization: Executive, Business, Management and General Employees. An Information Security/Risk Program should therefore measure two key components: first, the control framework, which accounts for the security/risk posture of the business, and second, the security organization itself and how well it is functioning. This two-part approach separates how prepared the business is to take on new challenges from how well the information security/risk organization is running.

Virtual CISO
Do you find yourself needing a CISO, but have difficulty justifying the expense, in addition to the challenge of hiring one with the necessary experience? MasterLink is unique in being able to provide you with a virtual CISO to oversee your risk and security requirements. By leveraging our information risk/security practitioner, a former CISO, we can make the challenging task of managing risk less stressful. Key components of the Virtual CISO program are assessing your risk, analyzing the results, establishing the mitigation plan, overseeing execution of the risk mitigations, and creating and presenting strategy and status reports to senior management. While you cannot transfer accountability for risk, you can transfer the considerable challenge of managing it to MasterLink’s Virtual CISO.

Secure Merger/Acquisition Integration and Divestiture
MasterLink’s team members have solid industry experience across the globe assisting businesses with both the timely, secure integration of newly acquired businesses into the core network and the separation of divested businesses from it. This experience includes international regulatory compliance, risk assessments, discovery and due diligence of the target’s Information Technology, creation of mitigation plans, development of initial connectivity designs, and management of security gaps down to the recommended control levels. The value to the business is the ability to connect (or disconnect) a business quickly and securely in order to realize the expected benefit of the transaction.