Services
• Do you have new regulatory information security or privacy compliance requirements to meet?
• Are you concerned about the impact to your organization of a potential loss of sensitive data?
• Are you challenged to maintain your desired state of information security with a limited in-house staff?
Assurance Point LLC has the knowledge and experience to help your organization manage information risk through these consulting and project services.
- The 5-Step Program to Managed Privacy Risk™
- Privacy Risk Assessment
- Information Controls Assessment
- Data Breach Incident Management
- Security Education, Awareness and Training
Attempting to reach the desired state of managed privacy risk without the right foundation in place is like constructing a building in a random order – there is nothing solid to stand on.
Using our unique “5 Step Program to Managed Privacy Risk”, our experts will work with your organization to ensure that you have the necessary foundation to make good decisions about risk and execute a sustainable privacy risk management program.
Here are the essential steps:
Privacy risk is business risk: decisions need to be made by the business. It is not sufficient to delegate this to the IT Department. A committee of senior executives representing the stakeholder business areas should be formally charged by the CEO with the mission of ensuring that privacy risk is managed.
The Security Program specifies your organization’s risk management and acceptance policy as well as defining organizational security roles and an information classification policy.
Studies of data breaches have found that the majority of breaches have occurred on assets that the organization did not know existed. Vulnerabilities and threats to new and existing systems and processes need to be identified in order for risk to be mitigated and managed.
Risk is mitigated through the implementation of controls. A comprehensive control framework will ensure that the appropriate policies, standards and procedures have been chosen to meet your organization’s needs and to cost-effectively mitigate risk to an acceptable level.
A compliance program that provides a dashboard of controls compliance will give your governance committee the information to answer the questions posed by the CEO and/or Board of Directors: “Are we secure? Are we in compliance with privacy laws and regulations?”
Studies of data breaches have found that the majority of security compromises have occurred on assets that the organization was not aware existed. Vulnerabilities and threats to new and existing systems and processes need to be identified in order for risk to be mitigated and managed.
Assurance Point has developed a flexible engagement process based on Octave™ which enables your organization to use your own expert resources in a series of facilitated workshops to discover privacy assets and uncover both business process and technical vulnerabilities which might lead to compromise and risk. The output documents created are permanent tools which enable your organization to periodically re-assess risk, satisfy regulatory requirements and report on risk to senior management.
Here’s the high level Risk Assessment process outline:
- Establish the business scope of the risk assessment based on business process owner knowledge.
- Using a workshop format, identify the privacy assets and capture business knowledge of the processes and vulnerabilities.
- Through a custom-developed survey, capture business knowledge of process vulnerabilities. This is particularly effective in a distributed organization.
- Create threat profiles for the privacy assets and vulnerabilities identified.
- Using a workshop format, identify critical technology assets and relevant controls.
- Capture or perform vulnerability assessments on the technical components.
- Analyze risk:
  - Develop or review the set of security controls which should be in place to safeguard the class of protected information.
  - Analyze the controls which are actually in place (or planned) which meet the security requirements.
  - Assign a level of risk for each threat/vulnerability identified.
- Develop organizational protection strategies, risk treatment plans and an action list. This is the final report to senior business management and information security governance.
Assessment of your organization’s security controls against a baseline standards framework will yield valuable benefits. We have experience assessing an organization’s security controls against either NIST Special Publication 800-53 or ISO/IEC 27002 and recommending cost-effective control mitigations to reduce risk. The design and performance of your organization’s controls assessment will take into account your organization’s information asset classifications and security objectives and be accomplished with cost-effectiveness as an important goal. You can expect the following outcomes:
Outcomes
- Identify potential problems or shortfalls in the organization’s implementation of security controls.
- Identify information system weaknesses and deficiencies.
- Prioritize risk mitigation decisions and associated risk mitigation activities.
- Confirm that identified weaknesses and deficiencies in the information system have been addressed.
- Support information system authorization (i.e., security accreditation) decisions.
- Support budgetary decisions and the capital investment process.
A security incident involving a breach of customer or employee information exposes your organization to the penalties of State and Federal privacy laws, loss of sales revenue due to reputational damage and the painful ordeal of possible litigation. It is critical to prepare your organization before such an incident occurs so that the impact of the event and the resulting liabilities are minimized. Assurance Point has direct experience helping organizations manage such events and will work with your management team to put in place the following Data Breach Management Framework and will assist you in the event of such an incident.
- Communications/Public Relations
- Legal/Regulatory Compliance
- Information Security
- Information Technology
- Law enforcement contact
- Privacy Asset Business Owners (e.g. Human Resources)
Prepare an Incident Management Plan that documents the policies and procedures to be followed, which include:
- Incident detection
- Prioritization and escalation
- Technical response and analysis
- Management response
- Legal response, including breach notification, non-disclosure, and prosecution
The Incident Management Plan is scenario-tested and training is provided to the incident management team. Actual incidents are reviewed for the purpose of improving the process.
One of the biggest threats to information security in an organization is its employees or contractors who may not be aware of security policy or trained in privacy data handling standards and procedures. We can deliver or help you develop a customized training program to meet your organization’s specific needs using our SETA Services Framework™, which tailors the education content and delivery media to the needs of the target audience.
