“Ad Hoc” System/Application Security Assessments
Information technology (IT) environments are very dynamic: changes to hardware, software, communications, network infrastructure, etc., are often required and can have a significant impact on the security posture of the environment.  It is this dynamic nature that causes continued and considerable concern about the security posture of the organization and the IT assets it needs to protect.  Thus, the need for proactive security is even more important.

In response to the intensified need of organizations for proactive Risk Management, the Morningtown Group LLC (MTG) has developed the “Ad Hoc” System Security Assessment program, which has been designed to conduct, on an as-needed (“Ad Hoc”) basis, System/Application Security Assessments triggered by IT operational changes such as purchases of new software/hardware, plans to establish connectivity with a third-party network, and significant upgrades to existing systems/applications that involve new features or functionality that may present security risks or considerations.  Such systems/applications include, but are not limited to, those that are inter/intra-facility-wide, department-level, ASP-based, hard/software systems, etc.  The objectives of these assessments are to:
  • Identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of the new/upgraded IT systems, as they pertain to applicable regulations as defined by other Federal and State regulations and industry “best practices”;
  • Identify risks and potential losses caused by unauthorized uses and disclosures, loss of data integrity, loss of data availability, and the magnitude of vulnerabilities;
  • Identify administrative, technical and physical safeguards and provide reasonable and cost-effective recommendations to mitigate the risks identified;
  • Identify risks, thus allowing the organization an opportunity to decide whether the procurement is sound based on the potential security issues, if any;
  • Prepare a written report that will present the findings, recommendations, costing, prioritization, and compliance gaps; and
  • Deliver the written report within five (5) business days upon receipt of the requisite information.

The overall goal of the “Ad Hoc” System Security Assessment program is to provide the client with the requisite security assessment prior to the procurement or upgrade of an individual IT application to ensure the integrity of the existing IT environment.

To ensure that each organization has the highest level of confidence, each written “Ad Hoc” security assessment report will contain a separate section that includes a security regulation Compliance Matrix.  This matrix will enumerate each of the applicable security regulation provisions and include a compliance rating of “Compliant”, “Partially Compliant” and “Non-Compliant”.  For each provision that is assessed as being non-“Compliant”, the reason will be stated, a rationale given and a direct mapping provided to the specific Finding(s) that formed the basis for the assessment.  MTG has developed a set of concise, yet comprehensive, tools that will facilitate the data collection, analysis and report development process and that will require only minimal involvement from the organization.  An additional benefit obtained will be a thorough security assessment of each prospective new system that will ensure compliance with applicable security regulations and “best practices”.

By enabling covered entities to proactively and comprehensively provide security management of the IT procurement process, the “Ad Hoc” System Security Assessment program is a cost-effective solution that will provide a solid operational and financial return on investment year after year.

2009 The Morningtown Group LLC. Copyright All Rights Reserved.