IT and Cyber Security

Securing key IT and cyber security assets that our clients must protect

National Institute of Standards and Technology (NIST) Minimum Security Requirements

The IT and Cyber Security approach will focus on a high-level overview of the company's approach to IT Security, key previous incidents that have shaped the current situation, external factors impacting or influencing the client, specific business-related factors impacting IT Security, and a high-level description of the key information assets that the client must protect.

Through interviews, research and systems observation, this section of the report will outline the most relevant technical IT-related vulnerabilities, providing the reader with the highest possible level of context leading into the section where the assessment against NIST standards is performed.

The basis of the vulnerability assessment for the IT Security section will be the application of the National Institute of Standards and Technology (NIST) Minimum Security Requirements for Federal Information and Information Systems. The Federal Information Processing Standards (FIPS) are the official series of publications relating to standards and guidelines adopted and promulgated under the provisions of the Federal Information Security Management Act (FISMA) of 2002, and are one of the industry baselines for IT Security planning and countermeasures.

The final assessment will cross-reference findings against NIST standards where applicable and most relevant to improving IT Security for the client.

Some key objectives include:

Primary

  1. Identify the organization's current security posture by assessing policies, procedures, technologies and personnel.
  2. Identify critical security gaps in the organization's information technology assets, and provide remediation recommendations.
  3. Determine if there is an IT Information Security Program that operates under the Corporate Information Security Program.

Secondary

  1. Is an Information Security Program and roadmap in place?
  2. Does the organization have Security Controls in place, and are they regularly reviewed and updated to ensure currency with changing Cyber Security Threats?
  3. Are the Security Controls used by the organization aligned with industry standards such as NIST, ISO 27001, CIS, etc.?
  4. Does the organization have robust third-party security risk management in place?
  5. Does the organization have a robust vulnerability assessment program in place?
  6. Does the organization ensure that its IT assets are patched regularly or as needed to address security vulnerabilities?
  7. Are the IT/Security personnel continuously improving their skills and expertise as part of their professional development plan?

Stakeholders we work with from your organization:

It is important to the data gathering process that the appropriate management and other accountable representatives attend the data gathering meetings, so that the information required to support an effective analysis is available. It is recognized that certain client representatives may have multiple responsibilities and that terminology may vary; it is therefore critical to make prior preparations with the Project Lead during the Introduction Meeting to ensure that representatives with the following accountabilities attend this meeting:

  • Project Lead
  • IT Security Representatives
  • CIO
  • Senior Management Representative/s
  • Executive Responsible for Information and/or Corporate Security
  • Chief Security Officer or Manager
  • Executive Responsible for Corporate Services
  • Policy Development