NOTE: CyberCecurity offers a full range of both assessment and technical testing services that examine your governance of risk management. We utilize automation wherever practical to increase accuracy and reduce the cost of assessments. We offer verified, unverified, and certified assessments. The available assessments are described below.
Our TECHNICAL TESTING follows ethical hacker best practices.
For more information about our TECHNICAL TESTING services please go to:
https://www.cybercecurity.com/it-tech-testing
(Our risk assessments are listed in alpha order. See our list of AUDITS at # 21 below)
All applications have bugs in them; most have architectural flaws, design flaws or configuration issues that create security vulnerabilities in the application and potentially the host network. The question is how easy is it for attackers to discover and exploit these vulnerabilities? According to the Verizon Data Breach Investigations Report, application attacks account for 35% of all breaches. It is critical that the software development process takes security into account at every step of the process. Recently Juniper, the security products company (firewalls), announced that someone inserted unauthorized code into their software library that allowed attackers to take over any network behind that Juniper hardware. Our application assessment can evaluate the software development process, developer training, quality assurance processes, code checking process and review code to identify the vulnerabilities. Learn more...
As smart devices (devices with a processor and storage) proliferate, it is important that businesses are able to track those assets - what they are used for - by whom - and in what context. Those devices can be the source of an attack or the vehicle for a breach. Businesses need to have a formal process for tracking these assets. We break assets down into hardware, software and cloud assets.
The Board of Directors is ultimately responsible for mitigating cyber risk inside the company. As we have seen in recent legal cases, how active the Board is in overseeing the mitigation of that cyber risk can affect the outcome of lawsuits. Our assessment reviews the Board's current level of oversight in this process and makes recommendations, if appropriate, for reducing Directors risk in the case of a breach related lawsuit. We turn boards into valuable strategic assets exercising cybersecurity oversight. Learn more...
If you are a cloud SaaS provider that lets clients put their sensitive data into your Azure, AWS, or other cloud...then you want something better than a SOC 2 done by an accountant to prove to your clients that you care about security.Whether you need a CSA STAR pre-assessment, self-guided assessment, Level 1 or Level 2, we've got you covered. Learn more...
DoD will shortly require that any contractor who wants to work on DoD contracts must be certified as meeting DoD 800-171 cybersecurity requirements. CyberCecurity, LLC will provide such certification services. But for now we can provide CMMC pre-assessments and other services to prepare contractors to compete in this new environment. Learn more...
Many organizations have some form of cyber insurance. Whether that insurance will actually pay out in case of an incident is a different story. Insurance carriers are becoming more cautious in paying claims and in some cases, will attempt to get out of paying a claim, based on what a company said they were doing in the application documentation. Our assessment improves the likelihood that, in case of a breach, your company will have the appropriate coverage and will be successful in any claims for reimbursement under the terms of the policy.
(For DoD contractors and sub-contractors working with classified information) The Defense Counterintelligence and Security Agency (DCSA) is responsible for the mission of "industrial security oversight." Contractors and sub-contractors who deal with federal classified information must comply with the provisions of National Industrial Security Program Manual (NISPOM). Today, it is no longer acceptable to process classified information on unaccredited information systems and non-compliance can mean loss of government contracts. We can help you comply with NISPOM.
(For DoD contractors and sub-contractors working with un-classified information) Contractors and sub-contractors who deal with federal un-classified information must comply with the provisions of SP 800-171. As with classified information, today it is no longer acceptable to process un-classified information on unsecured information systems and non-compliance can also mean loss of government contracts. We have a great deal of experience in this area and can help you comply with SP 800-171.
We use a slightly different approach when assessing vulnerabilities for individuals. Their networks, digital assets, and vulnerabilities are different in some respects than companies. Additionally, these folks need to assess physical threats to themselves and their families.Learn more...
(For brokerage firms and registered securities representatives)
The Financial Industry Regulatory Authority, Inc. (FINRA) is a private
corporation that acts as a self-regulatory organization. It is a
non-governmental organization that regulates member brokerage firms and
exchange markets. The government agency which acts as the ultimate
regulator of the securities industry, including FINRA, is the Securities
and Exchange Commission (SEC).
FINRA's mission is to protect
investors by making sure the United States securities industry operates
fairly and honestly. FINRA oversees about 4,250 brokerage firms, 162,155
branch offices and 629,525 registered securities representatives (2017).
Cybersecurity and the protection of client data has become a
critical mission of FINRA and the SEC. Various state agencies that
regulate financial services take their cues from the SEC and FINRA.
Denver Cyber Security, LLC is well-versed in FINRA, SEC, GLBA, and various state
regulations as they pertain to cybersecurity. Our assessments are fully
aligned with these regulatory body's requirements.
(For banks, securities companies, insurance companies, and other financial services companies) The Gramm-Leach-Bliley Act (GLBA) regulates many activities of financial institutions, including the privacy of consumer data. To correctly protect consumer data, financial insitutions must have robust cybersecurity programs and GLBA establishes specific cybersecurity requirements related to this issue. Our GLBA assessment can tell you whether your organization complies with the GLBA cybersecurity requirements.
We aim to simplify your journey through the world of Governance, Risk, and Compliance (GRC) solutions. Navigating the vast array of options can be overwhelming, but fear not - our intuitive assessment is tailored to guide you through the process of selecting the perfect solution to suit your unique needs. Whether you are a small business or a large enterprise, we've got you covered. With expert insights, comprehensive comparisons, and user-friendly tools, finding the ideal GRC solution has never been easier. Let us empower you to make informed decisions and enhance your organization's risk management and compliance efforts. Start your GRC transformation today!
Check out our GRC Solutions Assessment for 2023 page here
(For healthcare organizations) Our services include a pre-audit review and assessment to identify items that would be called out in an actual audit. Since our pre-audit is an informal review, many items may be fixable on the fly, reducing later exposure to a real audit. The advantage of doing this is that an actual audit will come out cleaner and will show fewer violations. Our pre-audit and assessment can be done at any time and even more frequently than the HIPAA/HITECH required audit frequency.
As organizations like Sony and The U.S. Office Of Personnel Management (OPM) discovered, the time to test the organization's incident response readiness is not during an incident. If the organization does not have a plan, we can assist in creating one. If the organization has not recently tested its plan, we can assist with the design and test of the plan. If a plan exists and is tested, then this assessment will review the scope of the plan to determine if the 'coverage' of the plan is sufficient for the organization. Coverage means that the incident response plan deals with the range of reasonably expected incident types-and how well it deals with them. If the plan has been recently tested, then this assessment can additionally review that test and help the organization enhance the plan to more effectively address future potential incidents. Learn more...
Our IS/IT (information systems/information technology) operations assessments look at the operational aspects of an IT organization. The eight sub-topics of our operations assessment include:
The Massachusetts General Law Chapter 93H and its new regulations 201 CMR 17.00 require that any companies or persons who store or use personal information (PI) about a Massachusetts resident develop a written, regularly audited plan to protect personal information. Both electronic and paper records will need to comply with the new law. The regulations went into effect on March 1, 2010. According to this regulation, companies will need a written security plan to safeguard their contacts' and/or employees personal information. It will need to be illustrative of policies that demonstrate technical, physical, and administrative protection for residents' information. The plan will need to be written to meet industry standards. Companies will have to designate employees to oversee and manage security procedures in the workplace, as well as continuously monitor and address security hazards. Policies addressing employee access to and transportation of personal information will need to be developed, as well as disciplinary measures for employees who do not conform to the new regulations. The requirements of the Massachussetts regulation are in line with requirements of other cybersecurity regulations and we can assess your situation and help you become compliant.
Most of the time when an investor acquires a company, it acquires both the assets and the liabilities and the value of such companies now affected by cyber risk. When it comes to cyber risk, investors, for the most part, are assuming an unknown risk - and one which is completely unbounded. The investors don't know how big a cyber risk they are assuming. And the risk may not show up for years - and then it could destroy the company. Our M&A assessment process reduces the unknown and unbounded risks investors assume. An investor would never make an investment without reviewing the finances of the target company or the sales strategy of that company, but for the most part, they do not review the cyber risk they are assuming. We help investors solve that problem.
Effective March 1, 2017, the New York Superintendent of the Department of Financial Services promulgated 23 NYCRR Part 500, a regulation establishing Denver Cyber Security requirements for financial services companies licensed to do business in the State of New York. These regulations are very proscriptive and similar to those laid out in the Massachussetts regulation described above. Denver Cyber Security, LLC has multiple clients in the process of complying with the NY regulation and we can assess your situation and help you comply also.
(Credit card operations) Our services include a pre-audit review and assessment to identify items that would be called out in an actual audit - prior to doing that audit. Since this is an informal review, many items may be fixable on the fly. The advantage of doing this is that the actual audit will come out cleaner and will show fewer violations. An assessment can be done at any time and even more frequently than PCI rules require.
Policies are a first line of defense in corporate information risk mitigation. Of course, the best policies are useless if employees don't know about them, don't understand them or don't follow them. Our policy assessment reviews the existing policies and procedures for completeness, usability, training and enforcement.
Almost all companies today have a privacy policy. Whether that privacy theology is integrated at the cellular level of the company is quite different than whether a company has a document. After the Snowden revelations, many companies expressed surprise that our government - as well as many other governments - might be eavesdropping on their digital conversations. For those companies, privacy was a document. Many companies are now looking at privacy at a whole different level and it affects every person in the organization. Our assessment and recommendations help an organization shift from privacy as a document to privacy as a fundamental, existential component of the company.
Many companies outsource pieces of their business. Whether that is a customer-facing call center, software developers, database administrators, human resources, insurance management, legal or a host of other possible outsource possibilities, these vendors, in many cases, have the keys to your universe. The Target attackers, for example, got into Target by attacking a small refrigeration maintenance company. Every company should have a vendor risk management program that reviews the exposure every vendor creates for the company and based on that level of risk, reviews the vendor's own cyber risk management program. We can help set up a VRM program if you don't have one or review and assess the one in place if you do have one. The assessment will provide recommendations to help improve the program and reduce the risk introduced by vendors.
Common question: My CIO is in favor of bringing in a consulting firm to assess our security program following a series of minor security incidents. I'm reluctant to do so because I think it will only serve as a distraction. Should I hold firm, or find a way to work with the consultants, and if so, what's the best way to do so. ANSWER. |