ACSG Virtual CISO Consulting consists of the following services:
Governance, Risk and Compliance
- Identifying regulatory requirements
- Determination of inherent risk score of organization
- Selection of security controls as per inherent risk
- Development and implementation of controls
- Assess controls
- Risk Management strategy – Identify and Manage risk
- Compensating controls – Risk exceptions
- Security control assessments based on regulatory frameworks, including NIST CSF and SP 800-53, along with the FFIEC control framework
Policy development and reviews
- Development of corporate policies and governance strategy
- Development of control standards and alignment of technical solutions under each control standard
- Information security governance framework that involves adherence to policies and standards
- Information Security and Privacy framework
IT audit methodologies based on regulatory frameworks (NIST, ISO, COBIT, FFIEC, FISMA, FINRA)
- IT audit and controls review
- SOC reports (SAS 70, SOC 1, SOC 2, SOC 3 using the SSAE methodology) and internal controls review
- SOX audit testing
- Third-party assurance techniques using the BSIMM model (software security assessment for vendors)
- Healthcare regulatory experience
- HIPAA, FDA CFR Part 11, HITRUST
Privacy (EU laws, GDPR framework and mandates), including review of privacy laws and how they should be adopted
- Development and review of Data Subject Access Requests (DSARs) under GDPR (information gathering, data erasure requests)
- Data mapping
- Treasury controls (NIST SP 800-53)
- Performing privacy impact assessments
Technical Testing
- Security gap assessments and compliance assessments based on CIS Benchmarks
- Vulnerability assessment and scanning (review vulnerability results and advise on remediation techniques)
- Cloud security assessment (based on the CSA Cloud Controls Matrix, CCM)
Secure SDLC Techniques
- OWASP Top 10
- SANS Top 25
- Security principles
- Incorporating secure SDLC practices into development phase gates
- Secure software testing and reviews