Fortified Cyber Defense programs and assessments are designed for companies with up to 200 users.
The Information Security & Policy Subscription provides nonexclusive, nontransferable customizable information security policies and procedures to fit your industry and compliance requirements. Including documents such as general data security policies and procedures, information technology security policy, incident response plan, document retention policies and many more. An attorney will meet with you for up to a couple of hours to refine the templates. Periodic updates will be provided during the yearly subscription as needed.
The Breach Help Desk provides a support line for pre-breach and breach questions. The best response is a prepared response. Kick off the subscription with a discussion about risks and considerations in preparing for a breach. When you are in the throes of an incident, there is great peace of mind to know who to call and obtain triage assistance.
Often what companies may think is a breach is defined as a security incident and the two are treated very differently from a legal perspective. Experts are available to help you take the right steps.
The Essential Security Best Practices guide is a yearly subscription service providing tips and best practices on optimal security tactics. Not only is it important to understand the layers needed to ensure well-rounded protection, but the tools, systems, and equipment must be configured properly to minimize vulnerabilities. Periodic updates to the Essential Security Best Practices guide are distributed during the subscription period to keep you informed.
Ongoing scans reveal network risks that could lead to security breaches. During the subscription period, detailed reports will be generated on a monthly basis and reviewed quarterly by a security team member who will assist in prioritizing the risks and present a course of action. Reports include network risk assessment, asset detail, network management plan, changes from the last scan, progress showing improvements made over the last reporting period, and more.
The security scanning and reporting subscription is the sibling of the networking scanning and reporting. Similar to its counterpart, ongoing scans occur monthly during the subscription period and are reviewed quarterly by a security team member who will assist in prioritizing the risks and present a course of action. Reports include security risk, security management plan, login report, external vulnerabilities, outbound security report, security policy assessment, share permission by computer and user, login failures, user behavior analysis, data breach liability, progress showing improvements made over the last reporting period, and more.
The services included in the vulnerability scanning and reporting subscription include weekly scans searching for threats and creating alerts that can be addressed quickly to close the exposures. The built-in breach detection often catches lingering malware, keyloggers, trojans, spyware, and other malicious activity that antivirus programs may miss. Using a combination of machine learning and intelligent tagging to identify uncharacteristic activity, suspicious changes, and misconfigurations along with quarterly reviews by a security team member, this service provides another important layer of security to help protect against cyber threats. For those organizations requiring even greater security requirements, an upgrade to daily scans is available.
As a greater number of organizations experience cybersecurity breaches, an increased amount of data is compromised by cybercriminals and is sold or shared on the Dark Web. Chances are high that some of your data lives on the Dark Web. Unfortunately, many employees use the same user id and password or a variation of their password for many of the websites they visit for shopping, banking, applications, and information, whether business or personal. The Dark Web scanning and reporting subscription offers daily scanning for an organization’s domain and provides notification when compromised data is found so the employee can take the steps to prevent unauthorized access and increase security.
Today’s most successful cyber-security breaches are often the result of end-users responding to phishing, spear phishing, or other similar schemes. These ploys continue to become more sophisticated, creating a need to build a “human” firewall by providing ongoing testing, training, and education to enable end users to recognize and avoid these attacks. The subscription includes the setup and configuration of ongoing testing, training, and licenses for each email user in a domain.
The Compliance as a Service offering continues to grow in the number of options available. Select from Cyber Insurance, HIPAA, GDPR, NIST CSF, and CMMC or select multiple frameworks. Even if the compliance you desire is not specifically listed, we can often utilize one of the current options and map the additional requirements.
Compliance as a Service provides a collaborative architecture, a workflow process automation engine, automated and recurring scanning of the environment, the ability to generate and record evidence of compliance for “due care,” as well as obtain assistance from a knowledgeable compliance security team member. All subscriptions require a yearly commitment.
Even the best cybersecurity prevention strategies cannot prevent all attacks, and business interruption, recovery costs, and/or ransom payments incurred from a breach response can be catastrophic. Because of these and other factors, cyber insurance becomes another important layer of protection to reduce the financial impact of a breach.
However, many businesses are finding that their coverage may not be what they thought or is denied due to insurance applications not being filled out accurately; lack of preparation and readiness to provide evidence of the application answers; and not exhibiting due care on a continuous basis in both security and insurance coverage.
Cyber Insurance Compliance as a Service is a monthly subscription service that allows you to obtain great-value cyber coverage and a greater likelihood of a claim being paid to protect your organization should a breach or other incident occur.
A one-time HIPAA or even a yearly assessment performed today is potentially outdated as soon as any changes to the environment occur. Changes such as new equipment or protected information added to the network; new hires, terminations, or employees changing positions; or ePHI data intentionally or inadvertently copied to unintended locations can open up vulnerabilities.
To ensure ongoing security protection, compliance, and up-to-date evidence of due diligence, HIPAA Compliance as a Service is a monthly subscription that provides a step-by-step collaborative framework, worksheets and surveys, automated scans, reporting, and review and guidance from a member of the compliance security team.
For those organizations with a requirement to comply with the European Union (EU) General Data Protection Rule, GDPR Compliance as a Service is a monthly subscription to address the rules, flag non-compliance with instructions on what to do, perform scans to uncover network issues and potential breaches, track ongoing remediation efforts, automate the assembly of mandatory reporting, and preserve and archive all compliance reports.
To help protect against fees and be proactive against the risk of not being compliant, sign up for GDPR Compliance as a Service.
While not every industry is subject to compliance requirements, participating in a voluntary risk-based Cyber Security Framework is a great strategy to manage risks to systems, assets, data, and capabilities. The NIST Cyber Security Framework consists of five functions: Identify, Protect, Detect, Respond, and Recover, along with 23 categories and 108 subcategories of outcomes and security controls.
Many organizations are finding cyber security requirements written into the contracts they sign. Should those requirements not be implemented or if the organization is unable to provide “due care” reporting, the result may involve fines, loss of contract, or attorney fees. NIST CSF Compliance as a Service is a monthly subscription offering compliance process automation and proof of due care.
By 2025, suppliers to the Department of Defense (DoD) will be required to achieve Cybersecurity Maturity Model Certification (CMMC) through a third-party assessor organization (C3PAO). While CMMC is a complex standard with five levels, the CMMC Compliance as a Service takes a staged approach to pre-audit readiness and allows each organization to select their target level and successively move up through each level.
CMMC Compliance as a Service is a monthly subscription optimized to perform the initial readiness assessment and gather up the evidence of compliance. In addition, this will provide the starting point to continue building readiness for further levels. Once certification is achieved, this service will help maintain compliance during the three-year certificate term.
A yearly IT risk assessment is an important evaluation concerning the current state of your technology, controls, and policies/procedures necessary to protect your organization’s data, intellectual property, and personally identifiable information. The assessment consists of interviews, manual and automated collection of information, analysis of the findings, and deliverables including a presentation identifying the gaps and areas of risk, recommendations, and all supporting reports and documentation.
If you are using Microsoft 365 or on-premise Exchange or are under HIPAA or PCI compliance regulations, consider adding the optional assessments as add-ons to the IT Risk Assessment. Descriptions of those add-ons are described below.
Many organizations assume that if their data resides in Microsoft’s cloud, it is completely protected. What they may not realize is that misconfigurations can lead to security incidents, improper control over content can cause HR issues and financial liability, uncontrolled growth in Teams, Groups, and SharePoint may lead to space and performance issues, and lack of permission maintenance may allow unintended access to proprietary or confidential information.
The Microsoft Cloud assessment includes evaluation, analysis and risk and management reports on Azure AD, SharePoint, OneDrive, Teams, Microsoft 365 Exchange service, Microsoft Cloud security, configuration changes, improved health over time, and more.
The Exchange assessment provides a health check, identifies email issues, lists mobile devices used to access the organization’s mailboxes, identifies users in distribution groups, access rights, mailbox permissions by user, traffic, usage, and more. If you are planning to migrate Exchange data to the cloud, this service provides valuable documentation for planning a smooth transition.
Whether you are in a health-related industry or you conduct business with these entities as a business associate (BA), this assessment, performed at least yearly, will satisfy the minimum requirements of the Health Insurance Portability and Accountability Act (HIPAA) and has successfully supported hundreds of government audits and reviews.
Featuring a central repository to collect information in a safe and secure manner, automated tools, interviews, surveys, and data collection worksheets, all data is consolidated, analyzed, and organized into HIPAA compliance reports and documents. When issues are found and remediated, an Evidence of Compliance document is provided.
Organizations accepting credit cards must comply with PCI standards. Often these organizations may be under the false impression that PCI compliance is not pertinent since the credit card numbers and personally protected information is stored at a third-party provider’s location. However, access could be gained through their unprotected local networks and systems used to access the third-party held data.
The PCI assessment includes worksheets, review of the Cardholder Data Environment (CDE), pre-audits, documentation and listing of priorities for PCI-related security vulnerabilities, sample PCI policies and procedures, risk analysis, management plan, evidence of compliance, and more. For an additional charge, ASV certified scans can be ordered.