Phase One: Assessment
The first phase is an assessment of your physical security, your virtual security and the adequacy of your company’s security policies and procedures. The assessment answers the questions, “Are we living up to our security framework? And if not, what needs to change?”
- Physical security: We’ll physically search for ways that someone, anyone, could get the information they should not be allowed to have. Are your servers behind locked doors? Are any workstations accessible to visitors? Are workstations left logged in while people are away from their desks? There are hundreds of places to look for these cracks in the wall.
- Virtual security: We’ll search your network with vulnerability scanning software tools. They’ll uncover things like devices you didn’t know were connected, devices that have not been updated with the latest security patches, and whether a poor network configuration has left you vulnerable to hackers.
- Security policies and procedures: We’ll search for risks by asking questions about how things are done. When someone leaves the company, what do you do with their laptop and phone? How do your people use flash drives? What do you do with old computers? Do you have a written procedure for on-boarding new users? Can you confirm that these steps were done and by whom?
A security assessment needs to be done every year (or perhaps more often) because the risks are always changing and because people get complacent.
Phase Two: Remediation
To begin the remediation phase, we’ll make a basic plan for neutralizing the risks that were uncovered in the assessment. (And risks are always uncovered.)
We’ll discuss the remediation plan with your Security Officer, and you’ll need to decide who will tackle each remediation task. If your internal team has the time and expertise, they can do it all. If not, we can do it all or we can collaborate with your people and divide up the tasks. In any case, we can serve as your project manager to make sure the work gets done right.
Remember that remediation isn’t just fixing the technology; you need to get the business practices right, too — security awareness training, procedures for on-boarding and terminating, checks and balances to make sure your people are walking the walk, and many others.
Phase Three: Monitoring
Monitoring is needed because security is a moving target. What kept you safe last month, may not work this month.
Different companies need different levels of security monitoring. The most basic level would be to refresh the security assessment each year. Beyond that, you might need to add more advanced firewalls, security monitoring systems, login systems, intrusion prevention systems or other proactive scanning systems. If your organization is subject to compliance rules like HIPAA or PCI, or you hold very sensitive data, you may need to outsource monitoring to a Security Operations Center (SOC) with full-time security people who have more training than most IT people.
We can set up any level of monitoring for you, from basic to maximum. And we can connect you with top-level SOC’s and manage their service to you.