“Mentor/Protege” Risk Management Program

It is mandatory for organizations to establish and maintain a comprehensive and proactive Risk Management Program.  Such a program can be a challenging and costly endeavor.  Information technology (IT) environments are very dynamic: changes to hardware, software, communications, network infrastructure, etc., are frequently required, and each change can have a significant impact on the IT security posture.  This dynamic nature, combined with the need to process, store and transmit sensitive and critical information, is a continuing and considerable concern for an organization attempting to protect its IT assets, and it makes proactive security all the more important.

Based on industry “best practices” for creating and maintaining a Risk Management Program, the Morningtown Group LLC (MTG) created the “Mentor/Protege Risk Management Program™”, which establishes a risk management program in close partnership with the organization by providing all requisite methodology documentation and tools, training materials, templates, and other documentation that enable the organization to conduct security assessments internally.  A comprehensive risk management program helps ensure ongoing compliance with all applicable regulations and industry “best practices”.

This service has been designed so that an organization’s designated staff can draw on the MTG “Mentor-Protege Team” to conduct a comprehensive assessment of the organization’s IT environment.  The information collected is used to analyze the organization’s Risk Management compliance posture.  The Mentor-Protege Team will work jointly with the client during each task of the assessment, including project preparation/initiation, data collection, analysis, report preparation, and management presentation.  The project will result in a written report containing specific findings, associated recommendations (with priority implementation guidance and estimated costs) and a compliance status for each applicable compliance regulation.  Additionally, this offering transfers the necessary knowledge to the organization so that it can maintain the Risk Management Program and regulatory compliance on its own, while still having the Team available to conduct subsequent assessments.

The “Mentor/Protege Risk Management Program™” will address the following security control areas, including but not limited to:

  • Media Security – protection of all forms of physical storage media including paper documents
  • Hardware Security – hardware maintenance and change controls, anti-theft, anti-tampering
  • Software Security – software maintenance and change controls, software integrity, software copyright/licensing compliance, privileged program controls, anti-virus and related malicious software safeguards, database security, security design on new systems
  • Network Security – network device security, communications security, network access controls, Internet/Web security, intrusion detection, vulnerability testing, PBX/voice system security, network change controls, firewalls & proxy servers, dialup access security, encryption, e-mail security
  • Host (System) Security – multi-user and single-user (workstation) computer operating system access controls including: user authentication, data access authorization, audit logs; application security
  • Procedural Security – information security charter, policies and procedures, organization, roles & responsibilities, auditing, awareness, IT change controls
  • Personnel Security – background checks, non-disclosure agreements, training, professional development, terminations & transfers, contracts
  • Disaster Recovery/Business Resumption Planning – Fault tolerance/redundancy, data backup, recovery/continuity planning
  • Physical Security – facilities access control, security cameras, location and marking of facilities
  • Environmental Security – disaster/interruption avoidance, safety, air conditioning and temperature controls, electrical power and utilities
  • Regulatory Compliance – assess compliance vis-a-vis applicable security regulations, internal policy and procedure, as well as industry-wide standards for acceptable best practices, as proffered in the security standard ISO 17799.

The overall goal of the “Mentor/Protege Risk Management Program™” is to provide the organization with a comprehensive and cost-effective assessment of its IT security and regulatory compliance posture.  Specifically, the following objectives will be achieved:

  • Identify existing and potential risks/vulnerabilities to the confidentiality, integrity, and availability of the IT environment;
  • Identify the technical, administrative and physical risks that may result in potential losses caused by unauthorized uses and disclosures, loss of data integrity, loss of data availability, and the magnitude of vulnerabilities;
  • Provide reasonable and cost-effective recommendations to mitigate the risks identified;
  • Provide prioritization guidance to assist in deciding the order in which adopted recommendations are implemented;
  • Prepare a written report that will present the findings, recommendations, costing, prioritization, and regulatory compliance gaps; and
  • Provide a complete set of customized tools, processes, methodologies, training materials, and templates needed to enable the organization to perform Risk Management and Risk Analysis activities as required by regulatory compliance and industry “best practices”.

To ensure that each organization has the highest level of confidence, each written “Mentor/Protege Risk Management Program™” security assessment report will contain a separate section with a security regulation Compliance Matrix.  This matrix will enumerate each of the applicable security regulation provisions and assign a compliance rating of “Compliant”, “Partially Compliant” or “Non-Compliant”.  For each provision assessed as other than “Compliant”, the reason will be stated, a rationale given, and a direct mapping provided to the specific Finding(s) that formed the basis for the assessment.

MTG has developed a cost-effective, comprehensive approach that facilitates the data collection, analysis and report development process while requiring only minimal involvement from the organization.  Additionally, MTG will utilize only Senior IT Security Professionals who have extensive experience in conducting such assessments.

© 2009 The Morningtown Group LLC. All Rights Reserved.