Governance, Risk & Compliance

Risk & Compliance Assessments

Standards-based Risk Assessment: These assessments are based on compliance requirements such as PCI, HIPAA, NERC CIP, or GLBA, or best security practice frameworks such as NIST, CIS Controls, or ISO 27001. Prioritized and prescriptive, they identify any control gaps that may exist. Culminating the assessment is a fully documented report, including an executive summary, detailed technical description of the findings, and remediation recommendations.

Security Controls Validation: Going beyond identifying control gaps, these compliance or security-oriented assessments test the effectiveness of controls. Structured GRC engineers measure the controls through rigorous testing techniques and identify the residual risk to the organization in a comprehensive report. This service is especially effective prior to an audit to reveal actual or potential weaknesses in your security program.

Policy Gap Analysis: This service analyzes existing policies for deficiencies in requirements or security controls. Recommendations or edits are made to policies to reduce risk and maintain compliance.

Data Classification Review: Closely aligned with data identification, the classification review ensures that all sensitive data is correctly labeled. Per compliance requirements, validations ensure required technical and administrative processes are in place as well as necessary breach notification measures.

Sensitive Data Identification: A critical step in information security is properly locating all systems and flows where data resides. This process is used to map data flows for all sensitive information that the security program protects.

Data Loss Prevention (DLP) Assessment: This assessment reviews data loss prevention systems for proper identification of datasets that must be protected under compliance or regulatory requirements.

Policy and Procedure Development: Whether developing a security program or implementing a new line of business, situations arise that require policies to be created from scratch. Structured GRC engineers can assist with complete policy development, using either existing formats or providing new ones.

Incident Resilience Assessment: IRAs gauge readiness to withstand cyberattack, providing executive and board-level risk findings that can be used to make critical decisions about cybersecurity spending, workforce levels, and other areas of impact.

Security Consulting Services

Penetration Testing: Structured offers penetration testing services based on industry standards such as NIST SP 800-115 and other framework-specific requirements. This includes testing in white/gray/black box formats, and for the internal and/or external environments. The penetration test verifies compliance-required segmentation of network infrastructure.

Social Engineering: The social engineering portion of testing comprises phishing attacks to end users, vishing (voice phishing) attacks to IT functions and end users, and physical entry testing to verify facility controls. Strict adherence to documented Rules of Engagement agreements is always maintained.

Vulnerability Management: Identifying and properly remediating vulnerabilities is a critical part of a robust security program. Structured GRC engineers assist with scanning techniques and deploy tools that track and manage vulnerabilities over time.

Regulatory Frameworks

Structured’s GRC engineers are learned in all the governing frameworks and can help customers improve security by addressing critical gaps or maintain compliance by conducting necessary third-party audits.

• Center for Internet Security (CIS) Controls
• GDPR / CCPA
• PCI-DSS
• ISO 27001/27002
• HIPAA
• NERC CIP / FERC
• NIST 800-53 / Cybersecurity Framework / CMMC
• GLBA, NCUA, CJIS, FERPA
• Sarbanes-Oxley, SOC2
• Cloud Security Alliance
• FEDRAMP