Reduce Risk and Cost of Security and Compliance by Aligning Business and Technology Information Protection Strategies

The Challenge: Effectively Address Security Threats and Compliance Obligations with Limited Resources

The challenge of security in an information centric society is increasing rather than diminishing. Sharing information and collaborating using new technologies such as Web 2.0 creates a tension between the requirements to protect privacy and the need to control information assets. The concern is amplified as external compliance requirements, fostered by government, industry, and customers, spread limited resources even thinner.

Many organizations continue to struggle to protect their organizations from information security threats while simultaneously working to meet external compliance obligations. They typically react to this situation with many disparate programs, leading to inefficiency, duplication of effort, gaps in coverage, and significantly higher costs.

The Solution: Reduce Costs, Increase Visibility, and Improve Both Security and Compliance Through a Single, Comprehensive Program  Information technology governance, risk management, and compliance (IT GRC) is a coordinated program that enables you to reduce information security risk and reduce the cost of regulatory and industry compliance by aligning your business and technology strategies for protecting information. Business strategy must account for the regulatory and industry requirements for information protection, while technology strategy must create effective infrastructures for managing those risks and uncertainties. If these efforts are not properly aligned, you are vulnerable to security incidents, data loss, and regulatory scrutiny. When properly aligned, the results are improved customer satisfaction, increased revenue, and competitive differentiation.

Nanjgel Solutions can help you implement and maintain your IT GRC security program through a comprehensive suite of services and security products designed to guide you through the following four phases:

Define: Define the controls needed to protect against security threats and meet compliance obligations Assess: Assess the existing implementation of security controls to identify gaps and vulnerabilities and to recommend prioritized actions that address themRemediate: Address the high-priority control gaps by developing or enhancing policy and technology
Maintain: Operate and evolve the controls to meet changes in threats, compliance requirements, and business objectives

Service Overview:

While Nanjgel Solutions has a comprehensive portfolio of products and services to assist you with all of your IT GRC security program needs, the Nanjgel Solutions®  IT GRC Security Assessment Service has been

specifically designed to guide you through the define and assess phases using the following four activities:

• Common control framework definition

• Security policy review
  

• Security architecture assessment
  

• Security posture assessment
  

Common Control Framework Definition
The Nanjgel Solutions IT GRC Security Assessment Service begins by helping you to establish a common control framework, which is a single, unified set of security controls allowing you to efficiently meet your external compliance obligations and protect your organizations from information security threats.  This activity begins by identifying and consolidating your security control objectives. These control requirements may be mandated by government regulation such as Sarbanes-Oxley, by industry standards such as the International Organization for Standardization (ISO) 27000 series and the Payment Card Industry (PCI) data security standard, and even by your own security best practices.

Controls are then mapped between individual standards to eliminate overlaps. The remaining controls are then reviewed against your organization’s risk and security strategies to remove any that are not appropriate for your environment. Finally, the common control framework is prioritized based on your assets and risk tolerances, allowing for more informed decisions regarding appropriate next steps, including follow-on service and product solutions.

The resulting common control framework becomes the basis of your IT GRC program and represents the minimum set of security controls needed to meet your security and compliance needs. Deliverables from this part of the service include a statement of applicability that documents your common control framework and the justification for control selection, as well as a list of highly critical controls that require priority during follow-on assessments and remediation efforts.

Security Policy Review
The security policy review compares your existing policy infrastructure against the controls necessary to achieve the compliance requirements mandated in the common control framework. Nanjgel Solutions experts use a variety of policy review techniques to determine the accessibility, enforceability, and governance of the policy architecture. The security policy review deliverables include a report documenting strengths and weaknesses of your existing policies, along with recommendations for improvement.

Security Architecture Assessment
The security architecture assessment provides a detailed evaluation of your organization’s technical infrastructure, based on the requirements of the common control framework. The evaluation identifies gaps that put critical assets at risk and provides recommendations to implement or strengthen security controls. The security architecture assessment is appropriate for both Nanjgel Solutions and multivendor networks because it is rooted in a vendor-independent common security framework that is aligned to the ISO 27000 series security model and to industry best practices. The assessment is supported by best-in-class tools and methodologies and superior access to Nanjgel Solutions product development and support resources.

Security Posture Assessment
After the policy and technical controls in your common control framework have been assessed, it is important to determine how well those controls have been implemented and operate to provide protection and compliance. The security posture assessment therefore provides a point-in-time validation of the effectiveness your security policies, designs, and architecture through a safe and controlled simulation of malicious attacks through your perimeter, internal, and wireless network and through social engineering that may be used to gain physical access to your facility. Identified vulnerabilities are correlated against Nanjgel Solutions’s Security Intelligence Operations database, maintained by over 500 security analysts to weed out false positives and provide you with proven mitigations to the confirmed vulnerabilities.

Table 1 describes the Nanjgel Solutions IT GRC Security Assessment Service activities and benefits.

Table 1.    Nanjgel Solutions IT GRC Security Assessment Service Activities and Benefits Summary 

Nanjgel Expertise:
The Nanjgel Solutions IT GRC Assessment Service is delivered by Certified consultants and certified vendor solutions with extensive security experience. The consultants and partners have expertise in a variety of vertical industries and government agencies and offer both engineering and management perspectives. Their expertise is supported by best-in-class tools, best-practice methodologies, and superior access to product development and support resources. Working with Nanjgel Solutions experts and partners to define security controls and identify potential vulnerabilities can help you create multilayer “defense-in-depth” network protection, avoid unexpected costs, and satisfy compliance needs across the enterprise.