Security Program Assessment
Evaluating Information Security Program Effectiveness
1. Business Objectives and Policy
WavePort Security will evaluate the alignment of the current information security program with your business objectives and with the requirements placed on your enterprise by other governing bodies. We will evaluate the link between your strategic goals and the program's components.
We will also review the mechanisms in place, including policies, standards, and guidelines, that govern how your information security program achieves the business objectives of the broader organization.
2. Data Protection
WavePort Security will evaluate your data protection framework to determine whether adequate data classification and identification capabilities exist to define high-target information assets. Defining these assets enables focused protective and defensive security measures. We will identify data protection techniques, such as encryption and access controls, which are used to protect data in motion, data in use, and data at rest.
3. Security Risk Management
The WavePort Security team will evaluate your risk management framework and process, reviewing how security risks are identified, assessed, and addressed within the organization. This assessment will verify that risk is managed across the enterprise and that the appropriate security controls are applied based on the assessed risk.
4. Access Management
WavePort Security will review your access management policies and procedures to assess whether recommended proactive security controls are in use to reduce the risk of inappropriate access to sensitive data. Our review will include the directory services and identity management solutions currently in place.
5. Organization and Resources
We will review the current structure of your information security organization to determine the extent to which roles and responsibilities are clearly defined and appropriate to achieving the program's objectives. We may suggest modifications to the organization's structure, alignment, focus, or capability portfolio to close the security gap created by ever-evolving adversaries.
6. Incident Response
WavePort Security will review existing people, processes, and technologies deployed to detect, analyze, escalate, respond to, and contain advanced attacks. Our incident response assessment will evaluate topics including governance, people, communication, infrastructure, visibility, and response. We will provide your leadership with a gap analysis, recommendations to address any shortcomings, and a roadmap to implement the recommendations.
7. Third Party/Vendor Management
We will evaluate the security measures in place to protect access to customer information or resources when access is provided to a third-party provider, or when information is sent to a third-party provider for business operation. We will also evaluate the processes in place to periodically review third-party access and to ensure that contractual requirements for third-party security and control are being honored.
8. Security Architecture
WavePort Security will assess the use of various tools and technologies deployed as part of the security architecture. We will review the effectiveness of the architecture in providing visibility into network-based, host-based, and application-based activities. In addition, we will look at how security is incorporated into the use of emerging technologies, such as cloud and mobile.
9. Infrastructure Resiliency
We will review your organization's ability to maintain the availability of critical business operations and to minimize the business impact of a security incident. WavePort will assess the security function's visibility into business operations and its plans for managing a high-availability environment.
10. Security Awareness Training and Communication
WavePort Security will assess the effectiveness of your current information security awareness and training program, which is designed to inform end users of potential security concerns. We will also evaluate the effectiveness of the communication protocols that direct the distribution of information security department communications to your broader business teams.