Cyber Exercise Program Assessment

 

Our Cyber Exercise Program Assessment evaluates program activities and documentation to identify areas for improvement.

The foundation of the assessment is ‘NIST SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities’ and the ‘Homeland Security Exercise and Evaluation Program (HSEEP)'. Remaining practices have been developed by Gideon Rasmussen based on 20+ years of cybersecurity experience within corporate and military organizations.

Areas of focus include:

  • After Action Reports
    		•
  • Communications
    		•
  • End-to-End Process
    		•
  • Evaluation and Feedback
    		•
  • Exercise Categories
    		•
  • Exercise Participants
    		•
  • Exercise Scenarios
    		•
  • Individual Assessments
    		•
  • Lessons Learned
    		•
  • Metrics
    		•
  • Policy
    		•
  • Program Architecture
    		•
  • Program Documentation
    		•
  • Program Scope
    		•
  • Public Relations and the Media
    		•
  • Specialized Training
    		•
  • Tabletop and Functional Exercises
    		•
  • Tours of Duty
    		•
Assessment activities consist of: [1] documentation and artifact review, [2] evaluation of incident response plans and exercise reports and [3] interviews with the Cyber Exercise Planner. The assessment is conducted by phone and screen share.

Deliverables include an assessment report and a slide deck presented to executive leadership.

Having an Incident Response Plan is a first step. The team needs to exercise the plan. That helps prevent an incident from becoming a data breach. As Mike Tyson said "Everybody has a plan until they get punched in the mouth". It's critical to be prepared for modern-day threats and adversaries.

Fees and Payment

The assessment is billed at a flat rate. The engagement begins once the Statement of Work and Contract are signed and upon receipt of the first of three equal payments.

Phase Milestone Amount
1 SOW and Contract Execution 1/3 payment
2 First Assessment Interview 1/3 payment
3 Delivery of Draft Report 1/3 payment

Next Steps

Each engagement can be customized to meet the needs of the client. The first step in the process is to have a conference call to discuss requirements.

Recommendation

"We contracted Gideon to perform an in-depth, independent assessment of our information security awareness program, which includes training, phishing exercises and cyber exercises. Gideon leveraged the NIST Cyber Security Framework and the Homeland Security Exercise and Evaluation Program (HSEEP) guidance to assess the programs. Gideon’s detailed, in-depth and comprehensive report has empowered our program to successfully challenge existing roadblocks and tackle several low-effort, but high-reward improvements. Gideon is personable and very experienced; he has been wonderful to work with and enriched our programs through his efforts. I highly recommend his work.”
- Security Awareness Manager at a Financial Institution

Assessment Options

Custom assessments may be conducted based on the needs of the client. Here are examples:

Assessments
Application Security Vendors and Service Providers Cybersecurity Program Ransomware
Business Process Risk Incident Response Line of Business Risk FMEA Process Risk
Security Operations Center (SOC) Fraud Prevention Insider Threat Security Awareness Program
Mergers and Acquisitions Infrastructure Security Zero Trust Security Model Threat Landscape and Controls
Cyber Exercise Program Penetration Test Program Cybersecurity Function Agile Security Testing

This service offering description provides an overview for informational purposes only. The Statement of Work and the Master Services Agreement are the official documents for each assessment engagement.