720-891-1663

US Flag EN Brazilian Flag PT German Flag DE

Our Risk Assessments and Audit Services

NOTE: CyberCecurity offers a full range of both assessment and technical testing services that examine your governance of risk management. We utilize automation wherever practical to increase accuracy and reduce the cost of assessments. We offer verified, unverified, and certified assessments. The available assessments are described below. Our TECHNICAL TESTING follows ethical hacker best practices. For more information about our TECHNICAL TESTING services please go to:
https://www.cybercecurity.com/it-tech-testing

(Our risk assessments are listed in alpha order. See our list of AUDITS at # 21 below)

(1) Application Risk Assessment

All applications have bugs in them; most have architectural flaws, design flaws or configuration issues that create security vulnerabilities in the application and potentially the host network. The question is how easy is it for attackers to discover and exploit these vulnerabilities? According to the Verizon Data Breach Investigations Report, application attacks account for 35% of all breaches. It is critical that the software development process takes security into account at every step of the process. Recently Juniper, the security products company (firewalls), announced that someone inserted unauthorized code into their software library that allowed attackers to take over any network behind that Juniper hardware. Our application assessment can evaluate the software development process, developer training, quality assurance processes, code checking process and review code to identify the vulnerabilities. Learn more...

(2) Asset Management Processes Assessment

As smart devices (devices with a processor and storage) proliferate, it is important that businesses are able to track those assets - what they are used for - by whom - and in what context. Those devices can be the source of an attack or the vehicle for a breach. Businesses need to have a formal process for tracking these assets. We break assets down into hardware, software and cloud assets.

  • Cloud Services Inventory. What is the process for tracking cloud service usage and access? What policies and procedures are in place to track cloud service usage and ensure that appropriate controls are in place?
  • Hardware Inventory. For most companies, hardware is the easiest asset to track; it is often tied into the purchasing or capital acquisition process. But as the business model changes (for example, BYOD), that tracking process has to morph as well. Just because an employee or vendor owns the asset that connects to your data does not make it any less of a threat.
  • Software Inventory. With the ability for anyone with an Internet connected device to download almost any piece of software (legal or bootleg), the process of managing what software is being used by the organization, by whom and under what license becomes dramatically harder. In addition, where that software stores its data may not be so obvious. The company's software inventory process needs to change to accomodate this and ensure that the company is compliant with each software license and that data is being tracked and managed.

(3) Board of Directors Risk Assessment

The Board of Directors is ultimately responsible for mitigating cyber risk inside the company. As we have seen in recent legal cases, how active the Board is in overseeing the mitigation of that cyber risk can affect the outcome of lawsuits. Our assessment reviews the Board's current level of oversight in this process and makes recommendations, if appropriate, for reducing Directors risk in the case of a breach related lawsuit. We turn boards into valuable strategic assets exercising cybersecurity oversight. Learn more...

(4) CSA STAR Cloud Risk Assessment

If you are a cloud SaaS provider that lets clients put their sensitive data into your Azure, AWS, or other cloud...then you want something better than a SOC 2 done by an accountant to prove to your clients that you care about security.Whether you need a CSA STAR pre-assessment, self-guided assessment, Level 1 or Level 2, we've got you covered. Learn more...

(5) Cybersecurity Maturity Model Certification (CMMC) Risk Assessment

DoD will shortly require that any contractor who wants to work on DoD contracts must be certified as meeting DoD 800-171 cybersecurity requirements. CyberCecurity, LLC will provide such certification services. But for now we can provide CMMC pre-assessments and other services to prepare contractors to compete in this new environment. Learn more...

(6) Cyber Insurance Risk Assessment

Many organizations have some form of cyber insurance. Whether that insurance will actually pay out in case of an incident is a different story. Insurance carriers are becoming more cautious in paying claims and in some cases, will attempt to get out of paying a claim, based on what a company said they were doing in the application documentation. Our assessment improves the likelihood that, in case of a breach, your company will have the appropriate coverage and will be successful in any claims for reimbursement under the terms of the policy.

(7) DoD NISPOM Risk Assessment

(For DoD contractors and sub-contractors working with classified information) The Defense Counterintelligence and Security Agency (DCSA) is responsible for the mission of "industrial security oversight." Contractors and sub-contractors who deal with federal classified information must comply with the provisions of National Industrial Security Program Manual (NISPOM). Today, it is no longer acceptable to process classified information on unaccredited information systems and non-compliance can mean loss of government contracts. We can help you comply with NISPOM.

(8) DoD NIST SP 800-171 Risk Assessment

(For DoD contractors and sub-contractors working with un-classified information) Contractors and sub-contractors who deal with federal un-classified information must comply with the provisions of SP 800-171. As with classified information, today it is no longer acceptable to process un-classified information on unsecured information systems and non-compliance can also mean loss of government contracts. We have a great deal of experience in this area and can help you comply with SP 800-171.

(9) Executive and High Net Worth Personal Risk Assessment

We use a slightly different approach when assessing vulnerabilities for individuals. Their networks, digital assets, and vulnerabilities are different in some respects than companies. Additionally, these folks need to assess physical threats to themselves and their families.Learn more...

(10) FINRA Risk Assessment

(For brokerage firms and registered securities representatives) The Financial Industry Regulatory Authority, Inc. (FINRA) is a private corporation that acts as a self-regulatory organization. It is a non-governmental organization that regulates member brokerage firms and exchange markets. The government agency which acts as the ultimate regulator of the securities industry, including FINRA, is the Securities and Exchange Commission (SEC).

FINRA's mission is to protect investors by making sure the United States securities industry operates fairly and honestly. FINRA oversees about 4,250 brokerage firms, 162,155 branch offices and 629,525 registered securities representatives (2017).

Cybersecurity and the protection of client data has become a critical mission of FINRA and the SEC. Various state agencies that regulate financial services take their cues from the SEC and FINRA. CyberCecurity, LLC is well-versed in FINRA, SEC, GLBA, and various state regulations as they pertain to cybersecurity. Our assessments are fully aligned with these regulatory body's requirements.

(11) GLBA Assessment

(For banks, securities companies, insurance companies, and other financial services companies) The Gramm-Leach-Bliley Act (GLBA) regulates many activities of financial institutions, including the privacy of consumer data. To correctly protect consumer data, financial insitutions must have robust cybersecurity programs and GLBA establishes specific cybersecurity requirements related to this issue. Our GLBA assessment can tell you whether your organization complies with the GLBA cybersecurity requirements.

(12) GRC Solutions Assessment

We aim to simplify your journey through the world of Governance, Risk, and Compliance (GRC) solutions. Navigating the vast array of options can be overwhelming, but fear not - our intuitive assessment is tailored to guide you through the process of selecting the perfect solution to suit your unique needs. Whether you are a small business or a large enterprise, we've got you covered. With expert insights, comprehensive comparisons, and user-friendly tools, finding the ideal GRC solution has never been easier. Let us empower you to make informed decisions and enhance your organization's risk management and compliance efforts. Start your GRC transformation today!

Check out our GRC Solutions Assessment for 2023 page here

(13) HIPAA/HITECH Assessment

(For healthcare organizations) Our services include a pre-audit review and assessment to identify items that would be called out in an actual audit. Since our pre-audit is an informal review, many items may be fixable on the fly, reducing later exposure to a real audit. The advantage of doing this is that an actual audit will come out cleaner and will show fewer violations. Our pre-audit and assessment can be done at any time and even more frequently than the HIPAA/HITECH required audit frequency.

(14) Incident Response Readiness Assessment

As organizations like Sony and The U.S. Office Of Personnel Management (OPM) discovered, the time to test the organization's incident response readiness is not during an incident. If the organization does not have a plan, we can assist in creating one. If the organization has not recently tested its plan, we can assist with the design and test of the plan. If a plan exists and is tested, then this assessment will review the scope of the plan to determine if the 'coverage' of the plan is sufficient for the organization. Coverage means that the incident response plan deals with the range of reasonably expected incident types-and how well it deals with them. If the plan has been recently tested, then this assessment can additionally review that test and help the organization enhance the plan to more effectively address future potential incidents. Learn more...

(15) IS/IT Operations Assessment

Our IS/IT (information systems/information technology) operations assessments look at the operational aspects of an IT organization. The eight sub-topics of our operations assessment include:

  • Cloud Assessment. A cloud assessment reviews the cloud services that a company uses, how they use them, and the cyber risk implications of that usage.
  • Data Assessment. A data assessment reviews the organization's data management processes. What data it collects. How long it retains it. Where it is stored. How it is protected. When it is deleted. How all this is managed and how you are sure all this happens. Every time.
  • Malware Assessment. A professional scan of your systems looking for previously installed malware.
  • Network Assessment. A network assessment reviews the connectivity component of an organization and looks for vulnerabilities - and vulnerabilities that are exploitable - internally to the company and/or externally. Learn more...
  • Operations Assessment. An operations assessment reviews IS/IT operations - the processes and procedures that the IS/IT organization uses to manage the technology of the company. This includes everything from help desk to disaster recovery - how well it supports the company and reduces the cyber risk to the company.
  • Penetration Testing. A pen test is an authorized, controlled break-in to your system with very specifically defined requirements and goals. Learn more...
  • Phishing Attacks/Testing. A series of email and SMS tests designed to expose personnel weaknesses and vulnerabilities re: email and texting attacks.
  • Servers Assessment. A server assessment reviews the configuration, design, management, operational efficiency and, of course, how all of that impacts the security of the infrastructure, data and intellectual property of the company.

(16) Massachussetts 201 CMR 17.00 Assessment

The Massachusetts General Law Chapter 93H and its new regulations 201 CMR 17.00 require that any companies or persons who store or use personal information (PI) about a Massachusetts resident develop a written, regularly audited plan to protect personal information. Both electronic and paper records will need to comply with the new law. The regulations went into effect on March 1, 2010. According to this regulation, companies will need a written security plan to safeguard their contacts' and/or employees personal information. It will need to be illustrative of policies that demonstrate technical, physical, and administrative protection for residents' information. The plan will need to be written to meet industry standards. Companies will have to designate employees to oversee and manage security procedures in the workplace, as well as continuously monitor and address security hazards. Policies addressing employee access to and transportation of personal information will need to be developed, as well as disciplinary measures for employees who do not conform to the new regulations. The requirements of the Massachussetts regulation are in line with requirements of other cybersecurity regulations and we can assess your situation and help you become compliant.

(17) M&A Assessment

Most of the time when an investor acquires a company, it acquires both the assets and the liabilities and the value of such companies now affected by cyber risk. When it comes to cyber risk, investors, for the most part, are assuming an unknown risk - and one which is completely unbounded. The investors don't know how big a cyber risk they are assuming. And the risk may not show up for years - and then it could destroy the company. Our M&A assessment process reduces the unknown and unbounded risks investors assume. An investor would never make an investment without reviewing the finances of the target company or the sales strategy of that company, but for the most part, they do not review the cyber risk they are assuming. We help investors solve that problem.

(18) New York 23 NYCRR 500 Assessment

Effective March 1, 2017, the New York Superintendent of the Department of Financial Services promulgated 23 NYCRR Part 500, a regulation establishing CyberCecurity requirements for financial services companies licensed to do business in the State of New York. These regulations are very proscriptive and similar to those laid out in the Massachussetts regulation described above. CyberCecurity, LLC has multiple clients in the process of complying with the NY regulation and we can assess your situation and help you comply also. 

(19) PCI Assessment (Audit)

(Credit card operations) Our services include a pre-audit review and assessment to identify items that would be called out in an actual audit - prior to doing that audit. Since this is an informal review, many items may be fixable on the fly. The advantage of doing this is that the actual audit will come out cleaner and will show fewer violations. An assessment can be done at any time and even more frequently than PCI rules require.

(20) Policy Assessment

Policies are a first line of defense in corporate information risk mitigation. Of course, the best policies are useless if employees don't know about them, don't understand them or don't follow them. Our policy assessment reviews the existing policies and procedures for completeness, usability, training and enforcement.

(21) Privacy Assessment

Almost all companies today have a privacy policy. Whether that privacy theology is integrated at the cellular level of the company is quite different than whether a company has a document. After the Snowden revelations, many companies expressed surprise that our government - as well as many other governments - might be eavesdropping on their digital conversations. For those companies, privacy was a document. Many companies are now looking at privacy at a whole different level and it affects every person in the organization. Our assessment and recommendations help an organization shift from privacy as a document to privacy as a fundamental, existential component of the company.

(22) Vendor Risk Assessment

Many companies outsource pieces of their business. Whether that is a customer-facing call center, software developers, database administrators, human resources, insurance management, legal or a host of other possible outsource possibilities, these vendors, in many cases, have the keys to your universe. The Target attackers, for example, got into Target by attacking a small refrigeration maintenance company. Every company should have a vendor risk management program that reviews the exposure every vendor creates for the company and based on that level of risk, reviews the vendor's own cyber risk management program. We can help set up a VRM program if you don't have one or review and assess the one in place if you do have one. The assessment will provide recommendations to help improve the program and reduce the risk introduced by vendors.

Common question: My CIO is in favor of bringing in a consulting firm to assess our security program following a series of minor security incidents. I'm reluctant to do so because I think it will only serve as a distraction. Should I hold firm, or find a way to work with the consultants, and if so, what's the best way to do so. ANSWER.
z z