Cybersecurity Program Assessments


The assessment service is customized to your organization. The goal is to document cybersecurity issues with a business risk lens. That enables business leaders to make informed decisions based upon the organization's risk tolerance.

Scenarios for Conducting an Assessment

  • Executive leadership is concerned about cybersecurity risk
  • It has been years since an assessment has been conducted
  • The CISO has resigned. What is the current state of security?
  • The new CISO wants a benchmark assessment

CISO: Why have an assessment when the security program is under control? Answer: A risk assessment can reveal threats and countermeasures that have not been considered. Controls thought to be in place may not be. Commissioning an assessment is a proactive approach, a sign of ownership.

Executive Summary

This assessment service is organized by four maturity levels, implementing a risk-based approach. Assessments take one to two months to complete. A detailed report is provided, with an option for an executive briefing at the conclusion of the engagement.

Assessment Options (Select a Level)

Maturity Level 1: Minimal Compliance

Development of an information security program should begin with a reputable baseline such as the NIST Cybersecurity Framework. A framework communicates the minimum controls required to protect an organization. It is also necessary to include control requirements from applicable laws, regulations and contractual obligations. Compliance with external requirements is also a minimalistic approach when designing a program.

Maturity Level 2: Common Controls

Control frameworks provide mid-level guidance and are not intended to be prescriptive. That is by design. This level of maturity addresses common security safeguards that are not specified in the control framework. It is necessary to identify and implement them.

Gap analysis: Deploy safeguards based on proven methodologies such as the 20 CIS Controls.
  • Patching
  • Penetration testing
  • Web application firewall

Controls in this category are viewed by many as necessary and common sense in a cybersecurity context. Some may view this level as filling gaps in the control framework, basic due diligence.

Maturity Level 3: Risk Management

It is necessary to tailor controls to the organization and to adapt to changes in the threat landscape. Threat Landscape and Controls Analysis is conducted within this level of assessment, starting with the inherent risk of the organization. Potential adversaries are described, with techniques for compromising data and coverage of the cybercrime ecosystem. Potential for impact is detailed while citing reputable sources. The organization’s risk tolerance is referenced for context. The organization's assets are listed, with a pivot into cybersecurity protection boundaries, control framework and risk assessments. Fair and balanced analysis is conducted by documenting risk mitigation and recent accomplishments in that domain. Residual risk is detailed with recommendations for new processes and controls. A summary statement addresses the organization’s risk culture, with recognition for conducting risk analysis.

The assessment evaluates risk governance and whether a risk register process is in place. Cybersecurity entries should be reserved for issues that pose significant risk to the organization (each to be either mitigated or formally accepted). Register entries should be discussed in meetings with IT and senior executives. Risk governance routines should include periodic meetings.

Maturity Level 4: Strong Risk Management

At this level the organization begins to demonstrate ownership of the cybersecurity program from an operational risk perspective. When management communicates low risk tolerance, that is synonymous with a commitment to strong risk management.

Examples of strong risk management include:
  • The cybersecurity program maintains controls specific to line of business products, services and assets
  • An operational risk management function maintains a risk scenarios inventory and conducts quantitative risk analysis
  • Incident response and business continuity exercises are conducted annually to include senior executives, lines of business leaders, information technology, legal, public relations and critical suppliers

This level of assessment also includes evaluation of Insider Threat and Fraud Prevention controls.

Fees and Payment

The assessment is billed at a flat rate, not including travel expenses for two Assessors. That rate is an estimate for a single organization, with two on-site visits to conduct assessment activity.

The engagement begins once the Statement of Work is signed and upon receipt of the first of three equal payments.

Phase   Milestone                      Amount
1       SOW and Contract Execution     1/3 payment
2       First Assessment Interview     1/3 payment
3       Delivery of Draft Report       1/3 payment

The assessment service does not include vulnerability scanning, penetration testing or other methods of deep technical inspection.

Next Steps

Each engagement is customized to meet the needs of the client. The first step in the process is to have a conference call to discuss requirements, such as which location(s) are in scope and how many on-site visits will be necessary.

Recommendations

"We contracted Virtual CSO to perform a risk assessment against our company, leveraging the NIST Cyber Security Framework. We do not map our internal security program to NIST CSF, so it gave us a good alternate view of the risk our company faces. Virtual CSO performed the assessment without prior knowledge of our company and were able to provide a very in-depth report. This has helped our company get a stronger handle on residual risk that remains after our compliance requirements. This has strengthened our risk register and helped us craft a multi-generational plan to drive down risk throughout the company."
- IT Security Manager at a company in the Aerospace and Defense field

"We have leveraged Gideon's assessment services over several years. He has conducted two cybersecurity program assessments, a department assessment and an assessment of critical processes. Each assessment was thoroughly customized to our organization. Gideon's reports and presentations resonate with executive leadership, resulting in resource allocation and proactive risk mitigation. Gideon has been fantastic to work with. He often goes above and beyond my expectations."
- Chief Information Security Officer at a Government Organization

Assessment Process

Stage 1: Assessment Scoping

The Assessor hosts a scoping call as the first step in the process. We gather details to help ensure smooth and comprehensive execution of the assessment. The Assessor needs to be aware of assets, data categories, core products and services. S/he will ask for details required for the assessment such as key personnel, site locations and reliance on third parties.

Stage 2: Assessment Preparation

Customization of the assessment is the next phase. The Assessor creates work papers to prepare for assessment activity. Assessment techniques include staff interviews, observation of controls and documentation review. Work papers are also used to document in-place controls and assessment findings.

The Assessor prepares a list of job titles/roles for meetings. A list of requested documentation is also included.

The Assessor works with a Single Point of Contact (SPOC) identified by the client. The SPOC schedules availability of client personnel and service providers for the on-site phase of the assessment.

Stage 3: Assessment Activity

The Assessor arrives on location on the agreed-upon start date. The SPOC provides a site tour, including the external perimeter, office space, computer room and other areas in scope for the assessment. The SPOC also facilitates meetings with key personnel. The Assessor conducts interviews, collects documentation and observes in-place controls while on-site. The on-site assessment typically lasts 4-8 business days.

NOTE: Given the COVID-19 pandemic, the client may opt to cancel the on-site portion of the assessment. In that event, assessment interviews will be conducted remotely. It would be appropriate to evaluate physical security controls via a tour conducted over cell phone video.

Stage 4: Report Preparation

The Assessor begins to prepare the assessment report remotely. The SPOC supports requests for follow-up questions and documentation requests. A draft assessment report is provided to the SPOC. The final report includes an executive summary with a high-level overview of assessment findings. Findings are identified by risk severity, with recommendations to remediate issues where appropriate.

The assessment process typically takes 4-8 weeks due to the phases detailed above and reliance on client personnel.

Assessment Options

Custom assessments may be conducted based on the needs of the client. Here are examples:


This service offering description provides an overview for informational purposes only. The Statement of Work and the Master Services Agreement are the official documents for each assessment engagement.