Measures Strong Enough to Meet Mandates
Every organization, large or small, heavily regulated or independent of governmental oversight, benefits from a planned and organized security program that aligns IT assets and data with broader business goals. Acting accountably, breaking through silos, minimizing exposure risk, and safeguarding privacy, data and assets are key for every organization, and together they are the essence of governance, risk management and compliance (GRC). Information technology infrastructure is a 24/7 resource that must remain available and secure for your customers and employees.
Solutions for Governance, Risk & Compliance
As network perimeters change with the addition of each new IoT technology and evolution of internet service, it is important to periodically review equipment configurations and solution effectiveness. For many, this kind of review is mandatory to comply with regulatory requirements.
Structured’s GRC offerings:
- Help you identify regulatory compliance needs or gaps.
- Provide objective evaluations of your security controls, mechanisms and goals in comparison to best practices.
- Give you actionable recommendations for optimizing IT resources and managing compliance.
Threats arise in real time and are constantly evolving. Structured’s GRC services can be narrowly focused on a single type of technology or segment of infrastructure.
Risk & Compliance Assessments
Standards-based Risk Assessment: These assessments are based on compliance requirements such as PCI, HIPAA, NERC CIP, or GLBA, or on security best-practice frameworks such as NIST, CIS Controls, or ISO 27001. Prioritized and prescriptive, they identify any control gaps that may exist. The assessment culminates in a fully documented report, including an executive summary, a detailed technical description of the findings, and remediation recommendations.
Security Controls Validation: Going beyond identifying control gaps, these compliance or security-oriented assessments test the effectiveness of controls. Structured GRC engineers measure the controls through rigorous testing techniques and identify the residual risk to the organization in a comprehensive report. This service is especially effective prior to an audit to reveal actual or potential weaknesses in your security program.
Policy Gap Analysis: This service analyzes existing policies for deficiencies in requirements or security controls. Recommendations or edits are made to policies to reduce risk and maintain compliance.
Data Classification Review: Closely aligned with data identification, the classification review ensures that all sensitive data is correctly labeled. Where compliance requirements apply, the review validates that the required technical and administrative processes are in place, along with the necessary breach notification measures.
Sensitive Data Identification: A critical step in information security is properly locating all systems and flows where data resides. This process is used to map data flows for all sensitive information that the security program protects.
Data Loss Prevention (DLP) Assessment: This assessment reviews data loss prevention systems for proper identification of datasets that must be protected under compliance or regulatory requirements.
Policy and Procedure Development: Whether developing a security program or implementing a new line of business, situations arise that require policies to be created from scratch. Structured GRC engineers can assist with complete policy development, using either existing formats or providing new ones.
Incident Resilience Assessment: IRAs gauge readiness to withstand a cyberattack, providing executive- and board-level risk findings that can be used to make critical decisions about cybersecurity spending, workforce levels, and other areas of impact.
Security Consulting Services
Penetration Testing: Structured offers penetration testing services based on industry standards such as NIST SP 800-115 and other framework-specific requirements. This includes testing in white/gray/black box formats, and for the internal and/or external environments. The penetration test verifies compliance-required segmentation of network infrastructure.
Social Engineering: The social engineering portion of testing comprises phishing attacks against end users, vishing (voice phishing) attacks against IT functions and end users, and physical entry testing to verify facility controls. Strict adherence to the documented Rules of Engagement agreement is always maintained.
Vulnerability Management: Identifying and properly remediating vulnerabilities is a critical part of a robust security program. Structured GRC engineers assist with scanning techniques and deploy tools that track and manage vulnerabilities over time.
Structured’s GRC engineers are well versed in all of the governing frameworks and can help customers improve security by addressing critical gaps, or maintain compliance by conducting the necessary third-party audits:
- Center for Internet Security (CIS) Controls
- GDPR / CCPA
- ISO 27001/27002
- NERC CIP / FERC
- NIST 800-53 / Cybersecurity Framework / CMMC
- GLBA, NCUA, CJIS, FERPA
- Sarbanes-Oxley, SOC2
- Cloud Security Alliance
Structured Professional Spotlight
Rob Wayt, Director of Governance & Compliance, CISSP-ISSEP, HCISPP, CISA, CISM, CRISC, CEH, QSA, CDPSE
As Director of Governance & Compliance for Structured, Rob applies his 25 years of critical experience in IT security, compliance and networking to design and implement comprehensive security programs, focusing particularly on compliance assessments and audits. With core competencies in PCI, HIPAA, ISO 27001, FIPS/FISMA, FERC/NERC CIP, FERPA, GLBA/FFIEC/NCUA and Governance, Risk and Compliance (GRC) solutions, Rob is an incredible asset both to Structured and to its customers.
But while it’s clear he has a slight interest in GRC, he’s hardly one-dimensional. Rob is also an avid cyclist and outdoor enthusiast who enjoys life wherever it takes him. For 26 years that was Japan, but he and his family currently reside in Alaska.