Assess & Audit

At the core of every good information security strategy is a process to assess an organization’s vulnerabilities, threats, and their impact on risk to intellectual property, confidential data, and business processes.  CyberTAP utilizes best of breed assessment and auditing methodologies to assist organizations in assessing their information security risk, compliance with various industry standards and regulations, and adherence to commonly accepted information technology security best practices.

Security Risk Analysis / Security Gap Analysis

The CyberTAP security team will provide a combination of on- and off-site work to complete this analysis.  Assessments can be tailored for HIPAA regulated covered entities, HIPAA business associates, PCI self-assessment requirements, Financial Services Cybersecurity Requirements (FSCR), NIST cybersecurity framework requirements, DoD DFARS, or general (ISO) security best practices.  Custom audits based on your internal, regulatory or business partner requirements are also available.  Key activities will include:

  • Remote and onsite interviews with key staff members in charge of policy, administration, day-to-day operations, software architecture, software development, system maintenance, system administration, database administration, network management and facilities management.
  • A review of key systems involved with system configuration, security procedures, backup processes, redundancies, network security and security event monitoring, etc. 
  • A visual walk through of the facilities with administrative and facilities personnel to assess operational privacy practices and physical security controls. 
  • A network scan to enumerate addressable devices and to assess each systems available network services and associated vulnerabilities. (These scans will be conducted from within the client’s network in the presence of client staff and assistance.)
  • A review of organizational, privacy and IT security policies, procedures, guidelines, systems documentation, network diagrams, and other relevant materials.
  • Completion of an assessment that determines, for each of the items above, the existing controls, effectiveness of those controls, exposure potential, risk likelihood, risk impact, and the overall risk rating.

The following items are not in this project scope:

  • A detailed source code review.
  • Social engineering to acquire sensitive information from staff members.
  • Electronic penetration attacks that intentionally damage systems, delete or modify data, cause denial of service or slow or halt services.
  • Physical penetration attacks against buildings, laboratories or facilities.
  • Active testing of Disaster Recovery Plans, Business Continuity Plans or Emergency Response Plans.

 Deliverables

  • A report outlining the results of the security risk assessment / gap analysis including the vulnerabilities identified, risks assessed, and security controls recommended.
  • The output of all technical tests performed

HIPAA Evaluation (Mock Audit)

The CyberTAP security team will execute a mock audit to assist covered entities in identifying gaps in their HIPAA privacy & security program.

  • Remote and onsite interviews with key staff members in charge of policy, practice administration, day-to-day operations, HIM, software architecture, software development, system maintenance, system administration, database administration, network management and facilities management.
  • A gap analysis of HIPAA privacy & security policies, procedures, guidelines, and processes.
  • Execution of the current OCR HIPAA audit protocol which seeks evidence of the existence of reasonable and appropriate controls for compliance with privacy requirements (81 checks), security requirements (78 checks), and Breach response & notification requirements (10 checks).  Projects after 2015 will use a combined 2012 OCR audit protocol, and the updated OCR 2015 audit protocol.

 Deliverables

  • A report outlining the results of the audit including the gaps in privacy, security, and breach requirements identified.
  • A prioritization report to assist the organization in efficiently prioritizes their remediation efforts.

DoD / DFARS

Using CyberTAP’s proven assessment process, and its partnership with Indiana’s Manufacturing Extension Partnership, CyberTAP is keenly positioned to assist organizations needing a gap assessment perform of their security practices regarding their CUI processing (NIST 800-171).

Deliverables

  • A report outlining the results of the NIST 800-171 gap analysis including the vulnerabilities identified, risks assessed, and security controls recommended.
  • The output of all technical tests performed.

Cybersecurity for Regional and Local Governments

Regional and local governments face increasingly complex cybersecurity challenges that must be addressed. Purdue will be your trusted partner for cybersecurity services. Our deep experience working with government, and world-class expertise in computer and data security provide a unique level of protection on which you and your citizens can rely. 

Trust Purdue to assist you in developing cybersecurity strategy, implementing controls, engaging vendors, building training, and building resiliency into your cybersecurity infrastructure.

Deliverables

  • Cybersecurity assessment, compliance testing, policy & procedure development, workforce training
  • Vulnerability scanning, penetration testing, configuration assessment, phishing simulation, password analysis
  • Consulting and advisory services in all areas of cybersecurity

Resources

Contact

George Bailey
George Bailey
MS, CISSP, GCIH
Assistant Director
(765) 494-7538
baileyga@purdue.edu

 

Purdue University, 610 Purdue Mall, West Lafayette, IN 47907, (765) 494-4600

© 2015 Purdue University | An equal access/equal opportunity university | Copyright Complaints | Maintained by Office of Corporate and Global Partnerships

Trouble with this page? Disability-related accessibility issue? Please contact Office of Corporate and Global Partnerships at ocgp@purdue.edu.