800.903.6264

AUDIT & COMPLIANCE

PA-DSS Assessment RoV/Gap Assessment

NERC CIP Gap Assessment Pre-Audit

Continual Compliance Program

ISO 27001 Gap Assessment & Implementation

Cross Compliance Mapping Assessment

PCI GAP Assessment

SSAE 16 SOC 2 Pre-Audit or CPA Assistance

PCI ASV Scans

TR-39 Gap Analysis and Audit

Application Process Flows

FedRAMP Gap Analysis

External CPA Support = IT & Security Assessment Services

HIPAA Gap Assessment

GLBA Assessment Gap Analysis

Privacy Gap Assessment - Pre Audit

SOX 404(b)

EU Directive Safe Harbor Gap Assessment

Business Process Mapping/Application Process Flow Assessment

Essentials

A Business Process Mapping/Application Process Flow Assessment is the first assessment to perform when an organization is attempting to identify critical assets and/or systems in-scope for the various compliance mandates. This assessment will map out the different systems, devices, databases, etc. involved in an application process. Without performing this type of assessment, it is essentially impossible to identify assets which are most critical to the organization; and therefore which controls to implement to effectively reduce risk to an acceptable level.

In addition, all regulatory compliance mandates either implicitly or explicitly require some sort of asset identification exercise:

PCI DSS – 12.3.4: Labeling of devices with owner, contact information and purpose
ISO 27002 – 7.1.1: All assets should be clearly identified including an inventory of all important assets drawn up and maintained
NERC- CIP -CIP-002 R1: The Responsible Entity shall develop a list of its identified Critical Assets determined through an annual application of the criteria contained in CIP-002-4 Attachment 1 – Critical Asset Criteria.

Finally, without performing this type of assessment and having an idea of what critical assets are housed within the environment, it is impossible to implement a data classification program. Without a good data classification program, it’s essentially impossible to implement any sort of enterprise Data Leakage Prevention (DLP) solution.

Benefits

First step for any associated Gap Assessment
Helps organizations identify critical assets and business processes that are mission critical to the organization
Assists in budgetary planning and strategic security roadmap development
First step in the implementation of an enterprise DLP solution
Determines systems in-scope for regulatory compliance mandates
Helps to better understand maturity

Expertise

SecureState’s Audit & Compliance consultants are experts in understanding both the technical aspects as well as the business aspects of an organization. Furthermore, our expertise lies in facilitating a number of white boarding sessions in order to map out application data flows. Our experienced Team Members have performed many of these assessments in order to help an organization implement more strategic asset management and data classification programs.

Get Scoping Questions Now!

Fill in your details and you can download a FREE questionnaire to ask your vendors.

Your Name

Your Phone

Your Email

Your Company

We will not share or distribute your email to anyone. It will be used solely to contact you about the service you have inquired about.

Did You Know?

Process data flows and/or data inventories are often required by regulation
Documenting data assets will narrow scope and allow you to focus on critical data flows
Often overlooked are data flows to vendors, a recent study suggests that 41% of breaches were caused by 3rd party vendors

Our Approach and Methodology

The stages of our Application Process Flow Assessment, with limited descriptions, are as follows:

High Value Business Process Identification:

Interview applicable Line of Business Owners and other management or executive personnel
High value business processes identification

Interview and Observations:

Interview various application’s resources including but not limited to:

Executives
Project Managers
Team Leads
Other supporting personnel

Observe applicable functional areas
Corroborate any documented controls

Application Flows:

Interview applicable Line of Business Owners and other management or executive personnel
High value business processes identification
Develop Control Matrix which outlines potential control weaknesses

Validation and Testing:

Document areas where additional validation and testing may be required
Identify control weaknesses in areas including, but not limited to:

Application Security Code Review
Network Analysis Tools
Internal Systems Security Reviews
Encryption/Password Cracking

Embedded Change Control / Security QA Process:

Co-develop an embedded security review process

What Makes Us Different

SecureState:

Provides comprehensive on-demand security expertise during the engagement and throughout the year
Advised organizations on development of asset management and data classification programs
Assisted organizations in enterprise wide DLP implementations
Has performed many regulatory Gap Assessments that have all began with Application Data Flow Assessments

Related Services

Downloads

We Can Help You

Generate New Image

Enter the code from above.