MeasureRISK®

What doe GOOD look like? Can you demonstrate commercially reasonable security to your board of directors, clients and regulators? 

Our MeasureRISK® consulting services will measure and identify the risks your company is facing.  Engage with our team and produce an unbiased report with observations and prioritized recommendations.

---

MEASURE to one or many

• Cybersecurity Maturity Model Certification (CMMC)
  • ​CMMC Level 1 focuses on basic cyber hygiene and consists of the safeguarding requirements specified in 48 CFR 52.204-21. 
  • At CMMC Level 2, an organization is expected to establish and document standard operating procedures, policies, and strategic plans to guide the implementation of their cybersecurity program.
  • An organization assessed at CMMC Level 3 will have demonstrated good cyber hygiene and effective implementation of controls that meet the security requirements of NIST SP 800-171 Rev 1. Organizations that require access to CUI and/or generate CUI should achieve CMMC Level 3.  
  • At CMMC Level 4, an organization has a substantial and proactive cybersecurity program.  The organization has the capability to adapt their protection and sustainment activities to address the changing tactics, techniques, and procedures (TTPs) in use by APTs. For process maturity, a CMMC Level 4 organization is expected to review and document activities for effectiveness and inform high-level management of any issues.
  • At CMMC Level 5, an organization has an advanced or progressive cybersecurity program with a demonstrated ability to optimize their cybersecurity capabilities.  The organization has the capability to optimize their cybersecurity capabilities in an effort to repel APTs. For process maturity, a CMMC Level 5 organization is expected to ensure that process implementation has been standardized across the organization
• Business Continuity – Assessment of an organization’s level of preparedness for product and service delivery following an unforeseen disruption.
• California Consumer Privacy Act – Privacy rights and consumer protection for residents of California.
• CFPB (Consumer Financial Protection Bureau) – Financial Sector compliance for EOCA, EFTA, Fair Lending, HMDA, MLA, RESPA, SAFE, TILA, & TISA.
• Cloud Security Alliance – Guidance for managing and mitigating the risks associated with the adoption of cloud computing technology.
• Critical Infrastructure Association of America (CIAOA) Cyber Essentials
• COBIT 5 – Control Objectives for Information and Related Technologies – Recommended best practices for governance and control process of information systems and technology.
• C-TPAT – The Customs-Trade Partnership Against Terrorism (C-TPAT) is a voluntary supply chain security program led by U.S. Customs and Border Protection (CBP) focused on improving the security of private companies’ supply chains with respect to terrorism.
• DEA – Controlled substance storage security.
• FEMA 426 – Federal Emergency Management Agency
• FFIEC – Federal Financial Institutions Examination Council – A formal U.S. government interagency body.
• GDPR – The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).
• GLBA Compliance – Gramm-Leach-Bliley Act (Financial Modernization Act of 1999) – A federal law enacted in the United States to control the ways that financial institutions deal with the private information of individuals.

• Center of Internet Security
• HIPAA, HITECH, & IAHSS – Health Insurance Portability and Accountability Act (including Omnibus Rule) – ensures equal access to certain health and human services and protects the privacy and security of health information. HITECH Breach Notification – Brings additional compliance standards to healthcare organizations regarding breach notification for unauthorized disclosure of unsecured PHI. IAHSS – International Association for Healthcare Security and Safety.
• Industrial Physical Security – Security standards that meet the guidelines of ASIS International.
• IRS 1075 – Guidance for US government agencies and their agents to protect Federal Tax Information.
• ISO 27001 – International Organization for Standards – Information technology, Security techniques, Information security management systems, Requirements.
• NATF CIP 014 – Physical security standard for electric power substations.
• NCUA – National Credit Union Administration – An independent federal agency created by the United States Congress to regulate, charter, and supervise federal credit unions.
• New York Shield Act – New York’s safeguard requirements for protecting “private information” of New York residents and security breach notification requirements.
• NFPA 1600 – National Fire Protection Association – Disaster/Emergency Management and Business Continuity/Continuity of Operations Programs.
• NIST 800-171 – Guidelines for protecting government controlled unclassified information
• NIST 800-53 – National Institute of Standards and Technology – Security and Privacy Controls for Federal Information Systems and Organizations.
• NIST 800-66 – Guidelines for Implementing the Health Insurance Portability and Accountability Act.
• NIST CSF (Cyber Security Framework)– Voluntary guidance, based on existing standards, guidelines, and practices, for critical infrastructure organizations to better manage and reduce cybersecurity risk.
• Open Web Application Security Project (OWASP)  Application Security Verification Standard ASVS, Software Assurance Maturity Model (SAMM), Top 10 Controls
• OCR Risk Analysis Final Rule – The Office for Civil Rights (OCR) – Guidance on the provisions in the HIPAA Security Rule.
• OSHA 3148 – Occupational Safety and Health Administration – Guidelines for preventing workplace violence for healthcare and social service workers.
• PCI DSS – Payment Card Industry Data Security Standards – Information security standard for organizations that handle branded credit cards from the major card schemes.
• Privacy Shield – Data protection requirements for transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.
• Project Risk – Assessment of an organization’s Project Management policies and individual projects.
• SOX – Sarbanes-Oxley Compliance – Requires that all publicly held companies must establish internal controls and procedures for financial reporting to reduce the possibility of corporate fraud.
• Supplement to Authentication in an Internet Banking Environment – A FFIEC guidance supplements the FDIC’s supervisory expectations regarding customer authentication, layered security, and other controls in an increasingly hostile online environment.
• Vendor Risk – Assessment of the level of inherited risk from your third-party vendors/service providers.