Assess & Audit
At the core of every sound information security strategy is a process for assessing an organization's vulnerabilities and threats, and the resulting risk to intellectual property, confidential data, and business processes. cyberTAP uses best-of-breed assessment and auditing methodologies to help organizations assess their information security risk, their compliance with industry standards and regulations, and their adherence to commonly accepted information technology security best practices.
Security Risk Analysis / Security Gap Analysis
The cyberTAP security team will perform a combination of on-site and off-site work to complete this analysis. Assessments can be tailored for HIPAA-regulated covered entities, HIPAA business associates, PCI self-assessment requirements, Financial Services Cybersecurity Requirements (FSCR), NIST Cybersecurity Framework requirements, DoD DFARS, or general (ISO) security best practices. Custom audits based on your internal, regulatory, or business partner requirements are also available. Key activities will include:
- Remote and onsite interviews with key staff members in charge of policy, administration, day-to-day operations, software architecture, software development, system maintenance, system administration, database administration, network management and facilities management.
- A review of key systems, covering system configuration, security procedures, backup processes, redundancy, network security, security event monitoring, and related controls.
- A visual walk-through of the facilities with administrative and facilities personnel to assess operational privacy practices and physical security controls.
- A network scan to enumerate addressable devices and to assess each system's exposed network services and their associated vulnerabilities. (These scans are conducted from within the client's network, with client staff present and assisting.)
- A review of organizational, privacy, and IT security policies, procedures, guidelines, systems documentation, network diagrams, and other relevant materials.
- Completion of an assessment that determines, for each of the areas above, the existing controls, the effectiveness of those controls, the exposure potential, the risk likelihood, the risk impact, and the overall risk rating.
The following items are not in this project scope:
- A detailed source code review.
- Social engineering to acquire sensitive information from staff members.
- Electronic penetration attacks that intentionally damage systems, delete or modify data, cause denial of service, or slow or halt services.
- Physical penetration attacks against buildings, laboratories or facilities.
- Active testing of Disaster Recovery Plans, Business Continuity Plans, or Emergency Response Plans.
Project deliverables:
- A report outlining the results of the security risk assessment / gap analysis, including the vulnerabilities identified, the risks assessed, and the security controls recommended.
- The output of all technical tests performed.
HIPAA Evaluation (Mock Audit)
The cyberTAP security team will execute a mock audit to help covered entities identify gaps in their HIPAA privacy and security program. Key activities and deliverables will include:
- Remote and onsite interviews with key staff members in charge of policy, practice administration, day-to-day operations, health information management (HIM), software architecture, software development, system maintenance, system administration, database administration, network management, and facilities management.
- A gap analysis of HIPAA privacy and security policies, procedures, guidelines, and processes.
- Execution of the current OCR HIPAA audit protocol, which checks for evidence that reasonable and appropriate controls exist for compliance with the privacy requirements (81 checks), the security requirements (78 checks), and the breach response and notification requirements (10 checks). Projects after 2015 will use a combination of the 2012 OCR audit protocol and the updated 2015 OCR audit protocol.
- A report outlining the results of the audit, including the gaps identified against the privacy, security, and breach requirements.
- A prioritization report to help the organization sequence its remediation efforts efficiently.
DoD / DFARS
Using its proven assessment process and its partnership with Indiana's Manufacturing Extension Partnership, cyberTAP is well positioned to assist organizations that need a gap assessment of their security practices for handling Controlled Unclassified Information (CUI) against NIST SP 800-171. Project deliverables:
- A report outlining the results of the NIST SP 800-171 gap analysis, including the vulnerabilities identified, the risks assessed, and the security controls recommended.
- The output of all technical tests performed.
MS, CISSP, GCIH
Assistant Director, Cyber Services