Protecting data integrity is essential for organizations to meet today’s business demands.

Governance, Risk, and Compliance (GRC) are the three most important components in managing a security program. Often mistaken for a security tool, GRC is the practice of defining the security governance within your organization (policies, standards, and procedures), identifying and assessing the risks that may exist in the environment, and ensuring that the organization complies with its own governance as well as with any laws and regulations that apply to the business. Without an even balance of these three pieces, security programs simply burn cycles putting out fires. With strong GRC in place, the security program runs more efficiently and effectively.

Our GRC Compliance services include:

Acceptable Use Policy

  • Defines the acceptable and unacceptable uses of an organization’s computer systems, networks, and information assets
  • Provides guidance and best practices in areas including: email communication, encryption, equipment security, information security, Internet access, network access, password security, physical security, remote access, social media, and wireless access.
  • Establishes awareness and an expectation of responsibility when using an organization’s technology and information resources.
  • Requires acknowledgement of understanding and acceptance via sign-off by internal and external parties who use or access an organization’s information and technology assets

Backup and Recovery Plan

  • Defines the objectives, accountabilities, and backup and recovery steps that are necessary to prevent loss of data and enable timely restoration
  • Enables recovery of critical data that is essential for business operations
  • Establishes a process to recover data lost to file corruption, human error, and threats to the confidentiality, integrity, and availability of critical information and systems

Change Management Procedures

  • Outlines orderly and effective steps to govern the planning, coordination, implementation, and monitoring of changes affecting production-related systems
  • Establishes the ability to track the submission, coordination, review, evaluation, categorization, and approval for release of changes to the IT production environment.
  • Defines how the change process is implemented across the IT production environment
  • Ensures that the required level of technical and management accountability is maintained for every change

Data Discovery and Data Classification

  • Conducts data discovery through interviews with data custodians and with technology tools such as Varonis that search structured and unstructured data for sensitive and critical data
  • Conducts a risk assessment based on the data’s classification, data location, and security controls
  • Recommends data leakage protection controls to monitor and control the movement of sensitive data

Disaster Resiliency Plan

  • Develops and documents a disaster resiliency program that can be used to identify, assess, prioritize, manage, and control risks as part of the business continuity process
  • Provides procedures that will reduce the risk of interruption to normal operations and enable the resumption of business processes in a timely manner
  • Provides practical, actionable guidelines for emergency response, extended back-up operations, and post-disaster recovery activities

Incident Response Plan

  • Provides guidelines on responding to an incident in a consistent manner, with appropriate leadership and technical resources
  • Outlines specific courses of action to be taken during an incident to enable timely restoration of operations impacted by the incident
  • Includes roles and responsibilities and contact information

Information Handling Policy

  • Establishes requirements and expectations for handling printed information, electronically stored information, and electronically transmitted information
  • Defines the security criteria for viewing, using, updating, deleting, and destroying information
  • Outlines procedures for protecting against unauthorized access, disclosure, modification, or other misuse to avoid the consequences of breaches of confidentiality, loss of integrity, interruption to availability, and non-compliance with regulatory requirements

Information Security Management Program

  • Documents guidance in the development, appropriate use, and maintenance of security controls necessary to ensure the protection of the confidentiality, integrity, and availability of information assets and supporting infrastructure
  • Includes the development of the following governance related functions:
    • Security Leadership – addresses establishing a management focus for information security and aligning the security management program with business objectives
    • Security Strategy – addresses the security vision and initiatives needed to effect improvement and change enterprise-wide over one to three years
    • Policy Management – lists the key policies needed in the Information Security Program, how they should be structured, and when they should be updated
    • Organizational Security Roles and Responsibilities – addresses the security-related roles and responsibilities that are essential to the success of the Information Security Management Program
    • Third Party Security Management – addresses the information security requirements expected of third parties who have access to information during the provision of contracted services to
    • Security Awareness – addresses the behavioral processes needed to educate users and increase their awareness regarding securing and protecting information and technology assets

Information Security Maturity

  • Evaluates the current state of security against the desired maturity and capability level, translating actions into goals that can be modeled and presented to stakeholders and senior management
  • Conducts interviews with key stakeholders to identify the current and desired security posture
  • Assesses the maturity of the key security measures, practices, and policies currently in place
  • Builds an Information Security Capability Maturity Model that benchmarks current information security achievements and illustrates goals for increasing levels of security improvement over a given timeframe

Information Security Policy

  • Specifies how an organization plans to protect its physical and information technology assets and mitigate associated risks
  • Provides guidance with respect to the management and secure use of information and technology resources by IT, users, and an organization’s third party providers of services and products
  • Defines information security so that supporting procedures and policies can be written, standards created and enforced, and technology put in place in support of the objectives of information security

Overarching Information Security Policy

  • Creates an all-encompassing Information Security Policy that provides guidance with respect to the management and secure use of information and technology resources by IT, users, and third-party service providers
  • Includes security policy statements that provide a consistent approach for protecting business and personal information and the systems that are used to create, process, transmit, and store the information.
  • The policy statements set the foundation for the subsequent development of detailed policies and standard operating procedures 

Policy Development

  • Creates security and/or compliance related policies that include:
    • Email Policy
    • Password Policy
    • HIPAA Policy
    • PCI Policy
    • Business Continuity Plan
    • Other IT Policies/Procedures

Risk Assessment and Gap Analysis

  • Conducts a risk assessment based on an industry-accepted standard or framework (NIST, ISO 27001/27002, COBIT, SANS Critical Security Controls, HITRUST CSF, PCI DSS, etc.)
  • Performs a Gap Analysis that presents the variance between the current security posture and the requirements set forth in the chosen industry-accepted standard or framework
  • Creates a Remediation Roadmap that establishes a foundation for setting priorities, assigning ownership, and determining remediation timeframes for improving compliance with the requirements of the standard or framework, and provides a corrective action plan

Risk Management Policy

  • Provides steps for identifying and mitigating risks to the confidentiality, integrity, and availability of an organization's information and technology assets
  • Establishes an approach for defining, assessing, and managing risks
  • Documents the roles and responsibilities needed to address and minimize the impact of risks

Security User Awareness Program Development

  • Creates and documents a security awareness strategy that includes the components needed in an Information Security Awareness program
  • Creates a slide-based information security awareness presentation that can be used to train current employees and new hires
  • Addresses the behavioral processes needed to educate users and increase their awareness regarding securing and protecting information and technology assets

Third-Party Contract Considerations

  • Assesses current vendor contracts and SLAs to ensure that security and compliance requirements are sufficiently specified
  • Encompasses the security and privacy controls and best practices that a company should require of third-party providers
  • Provides data security and protection topics that a company should consider for inclusion in third-party supplier contracts and Requests for Proposals

Third-Party Provider Policy

  • Establishes security guidelines, requirements, and procedures for third-party providers in order to reduce risk and provide for the confidentiality, integrity, availability and privacy of an organization’s information technologies and assets
  • Outlines information security requirements for inclusion in third-party agreements and contracts

Third-Party Validation Security Assessment

  • Assesses the security posture of a company's third-party provider to validate that the third party's security practices effectively protect the confidentiality, integrity, and availability of the company's information
  • Evaluates the security posture of a third-party provider through the assessment of the third party’s security controls, security policies, and continuity plans
  • Verifies that the third-party provider’s practices comply with regulatory and industry-accepted security and data privacy standards

Virtual CISO

  • Leverages the experience and business acumen of Towerwall’s pool of security experts to perform tasks typically assigned to an in-house Chief Information Security Officer such as:
    • Oversight, direction and support in the implementation and management of the Information Security Program
    • Building structure, governance and process to risk management, data privacy and compliance initiatives
    • Establishing and assigning security roles and responsibilities
    • Providing technical and security consultancy for IT, business units, senior management and/or Board of Directors
    • Assisting with the development, maintenance, and enforcement of information security policies, processes, and controls
    • Promoting and reinforcing security awareness goals and initiatives
    • Establishing an evaluation and procurement process for new technology
    • Assessing change control procedures and practices
    • Transferring knowledge to IT Director/Manager or newly hired CISO

Written Information Security Program (WISP)

  • Creates a WISP that includes the administrative, technical, and physical security requirements that must be in place to minimize risks to personal information
  • Creates a Written Information Security Program (WISP) that complies with the requirements of Massachusetts Regulation 201 CMR 17.00
  • Provides guidelines for the protection of “Any information that includes the first and last name or first initial and last name of an individual in combination with a Social Security number, driver’s license number, or state-issued identification card number, financial account number (e.g. bank account) or credit or debit card number that would permit access to a person’s financial account, with or without any required security code, access code, personal identification number, or password.”