Protecting data integrity is essential for organizations to meet today’s business demands.

Governance, Risk and Compliance (GRC) are the three most important components in managing your security program. Often mistaken for a security tool, GRC is the practice of defining the security governance within your organization (policies, standards and procedures), identifying and assessing the risks that may be found within the environment, and ensuring that the organization is in compliance with its own governance as well as any laws and regulations the business may be required to follow. Without an even balance of these three pieces, security programs simply turn cycles putting out fires. With a strong GRC in place, the security program runs more efficiently and effectively.

Our GRC Compliance services include:

Compliance Assessment / Compliance Management

Towerwall will help you understand the regulations that apply to your organization as well as build the components required to meet and exceed mandated standards. Whether it’s the implementation of needed technologies or the drafting of a Written Information Security Program, Towerwall’s experienced consultants can explain the options and their implications, do the analysis, and help you make the compliance choices that are right for your organization. Among the many regulations we can help you address are:

    • HIPAA/HITECH Act
    • Gramm-Leach-Bliley Act
    • PCI DSS 3.0
    • California SB 1386
    • Nevada SB227
    • Massachusetts 201 CMR 17.00
    • FERPA

Information Security Management Program

Build comprehensive governance related policies & standards that:

  • Provide the key components required to structure the security functions and program
  • Set forth guidance on the management and secure use of information technology resources
  • Define a framework for formulating a comprehensive program (e.g. NIST SP800-53, ISO27001/2, UCF)
  • Define guiding principles, roles and responsibilities, metrics and an implementation road map for the security program

Policy Development

Using the business requirements, define the framework to be used for policy development (NIST SP800-53, ISO27001/2, UCF, etc.). Develop policies that reflect regulatory requirements and business needs. Build a policy & controls matrix to ensure regulatory compliance coverage. Develop a policy review & acceptance process.

Security Awareness

Develop a security awareness strategy that includes:

  • Awareness training
  • Online delivery
  • Various awareness promotions and initiatives
  • Train the Trainer (T3)
  • Monthly security awareness newsletters
  • Customized awareness for IT, web developers, management, etc.

Vendor Risk Assessment and Management

Assessment:

  • Perform a risk assessment of each vendor
  • Provide a report rating the risk, with recommendations for mitigation for the customer (modification to contract, monitoring progress, etc.)

Management:

  • Build security requirements for 3rd party vendors
  • Define a process for reviewing, assessing and managing 3rd party risk assessments

Business Continuity Plans

  • Create a new plan to define and identify:
      • Mission critical business functions
      • Continuity tasks
      • Ties into the IT disaster recovery plans
      • Communication flows and timing
      • Oversight for crisis communications
  • Perform an annual table-top exercise of the existing BCP
  • Modify & update existing plans

Gap Risk Assessment

The activities associated with the Compliance Gap Analysis consist of comparing your current security posture and associated evidence to the requirements set forth in a security framework selected by you. NIST SP800-53 & SP800-66 provide a consistent and methodical approach to evaluating security controls in relation to people, process and technology.