INFOSEC Control and Maturity Assessment
One of the difficulties every organization faces is determining exactly where it stands with regard to security. An audit against a regulatory standard such as the PCI DSS gives a clear picture of what needs to be done to meet that regulation. Meanwhile, a penetration test shows how much work a skilled attacker needs to compromise your IT systems by acting on a subset of your available vulnerabilities. But where does the organization as a whole stand with regard to information security? What has the greatest value to your organization, and is it well protected? To answer these questions, a more business-focused view is necessary.
- SecureState assesses security programs across 15 security domains
- The CMMI model is leveraged to rate control maturity in INFOSEC assessments
- The INFOSEC assessment serves as the centerpiece for building and managing security programs
- It is coupled with the iRisk Assessment for a complete approach
Performing this assessment on an annual basis provides an organization with a clear view of the current state of its entire security program, as well as how it has changed over time. Controls are precise and carefully designed not to distract attention from running the business. The recommendations provide essential and useful information, and ultimately add value to the business.
This approach reviews the design of controls, uses validation efforts to address their effectiveness, and identifies missing or broken controls. Coupled with an iRisk assessment, which identifies and assesses risks that could impact the achievement of business objectives, the organization gains a useful, holistic foundation for its security program.
SecureState has performed hundreds of assessments using the INFOSEC methodology over the last 10 years and has continually refined the process over that time. The INFOSEC methodology has been employed to assess small private organizations of fewer than 100 employees, as well as Fortune 500 corporations with thousands of employees.
Assessments have been performed across numerous verticals, including healthcare, manufacturing, financial services, government, and service providers. Assessments are performed by assessors with a wide range of expertise, including ISO 27001 Auditors, PCI Qualified Security Assessors (QSA), Certified Information Systems Security Professionals (CISSP), and even GIAC-certified Penetration Testers (GPEN) and GIAC-certified Web Application Penetration Testers (GWAPT).