Security Lifecycle Services
Our team can customize a plan to help you improve your cyber security posture. Our services include:
Regulatory and Compliance Audits
These audits evaluate your current compliance with the applicable frameworks and regulatory requirements, identify areas for improvement, and recommend a plan of action for remediation.
Some of the key components of the CAG Regulatory and Compliance Audit include:
- Review current security practices and documentation developed to date
- Tour of the facilities and overall environment
- Interviews with key team members such as:
  - CIO
  - Security Manager
  - Infrastructure Manager
  - Support Services Manager
  - Development Manager
  - PMO Manager
Deliverables provided upon completion of the Regulatory and Compliance Audit:
- Information Security Program
- Information Security Plan
- Risk Register
Virtual Information Security Officer Services
Many institutions ask us to serve as their Information Security Officer in an ongoing capacity. In addition to a senior security leader who can attend client meetings and liaise on the institution's behalf, institutions benefit from the support of our security team members to investigate and follow up on issues that arise. Our VISO service can help increase the security maturity of the institution, improve the ROI on security activities, and manage vendor relationships.
In addition, our ISO team will:
- Develop security and privacy policies that incorporate the best industry practices and fulfill all requirements of the institution.
- Coordinate planning for responses to security events, including cross-departmental and cross-campus procedures.
- Validate that activities and controls related to the prevention of security incidents are in place and being followed consistently.
- Ensure that appropriate controls governing access to sensitive information are documented and are being followed.
- Provide guidance and counsel to the CIO and key members of the university leadership team. Work closely with senior administration, academic leaders, and the campus community in defining objectives for information security.
- Lead efforts to internally assess, evaluate and make recommendations to management regarding the adequacy of the security controls for the institution’s information and technology systems.
- Coordinate and track all information technology and security-related audits including scope of audits, members involved, and outcomes. Provide guidance, evaluation and advocacy on audit responses.
- Develop and administer technical security standards.
Responsibilities of the VISO
Controls alignment
- Gramm-Leach-Bliley Act (GLBA)
- NIST SP 800-171
- NIST SP 800-53
- PCI DSS
- HIPAA
- FERPA
- TAC 202 or other state standards
Recommended meetings in which the ISO participates
- Change control
- Identify data movement and confirm that it is secure
- Approval of Firewall rules
- Approval of third-party connections
- Staff meetings
- Project review meeting
- As-needed developer meetings
- As-needed consultative discussions
- Monitoring of security alerts
- Subcommittees such as Information Governance and Export Controls groups
Documents produced and maintained by the ISO
- Policy, Standards, and Procedures (aligned with required compliance)
- Information Safeguard and Security Program
- Information Safeguard and Security Plan
- Information Safeguards and Security Program and Security Plan Summary
- Information Safeguards and Security Program and Security Plan Executive Summary
- Information Safeguards and Security Program and Security Plan Public Summary (If open records request applies)
- Information Safeguards and Security Review Presentation
- IT Risk Register
- Incident Response Plan
- Insider Threat Management Program
- Control Crosswalk (mapping of standards and procedures to required controls)
- Monthly Report
Documents produced and maintained by IT custodians and information owners
- Information System Inventory
- Information System Component
- Network and Application Runbooks for the critical systems identified in Disaster Recovery planning
- Risk Assessments for Applications, Networks, Datacenters and Organization Security
Other activity as needed
- Third-party assessments and as-needed contract review
- Legal hold management and collection guidance
- Tabletop disaster recovery testing and review
- Monthly security awareness content for staff and users, as available
- Monthly state reporting, if required
© 2021 Columbia Advisory Group