Managing and Improving Your Security Program
For organizations that have established, and continue to refine, their information security program, Assero Security provides services for IT and process oversight, information security program tracking and management, and assistance with special security projects and initiatives.
- Virtual Chief Security Officer. Assero Security tailors a package of activities and assigns an experienced information security professional to run specific program elements or take control and responsibility for your overall information security program.
- Information Security Controls Review (ISCR). Assero Security reviews the current administrative, physical, and technical security controls protecting sensitive information and critical systems to produce two reports:
  - ISCR Report. This externally facing report is designed to provide your customers with a statement of the existence and effectiveness of controls.
  - Action Items Report. This report documents missing or weak controls and provides a roadmap for improvements to your information security program.
- Governance, Risk and Compliance (GRC) Tools. Assero Security has a wealth of information about available GRC tools and which ones are best for your organization. Our GRC Tool services include product selection, planning, and implementation.
Why do an Information Security Controls Review (ISCR)?
Current and future customers demand that their sensitive information be adequately protected and that you comply with minimum security controls, regulations, and contractual obligations. Whether you need to respond to a security questionnaire or request for proposal (RFP), or prepare for an upcoming audit, an ISCR lets you respond quickly to third-party requests while planning future improvements to your security program.
An Assero Information Security Controls Review can protect and increase your business.
What does an Information Security Controls Review provide?
An ISCR reviews your company's controls against industry-accepted standards, the NIST and COBIT control sets. The review produces an industry-standard report of the kind most RFPs and security questionnaires require, which can be shared with your current and potential customers. It also provides an unbiased, third-party review of your current controls for internal use, with a report that can be given to service providers or internal departments to address.
What drives an Information Security Controls Review (ISCR)?
Your customer, prospect, or business partner drives the requirement to conduct an ISCR.
- Requests for Proposal (RFPs) often require a recent security controls review.
- Customers concerned about their sensitive data require the completion of a "security survey" or security questionnaire.
- Customers have contractually obligated you to provide minimum security controls as specified in a Service Level Agreement (SLA).
What is the relationship of an Information Security Controls Review to a Service Organization Control (SOC) report (e.g., SOC 1 "SSAE 16")?
Oftentimes organizations attempt a Service Organization Controls (SOC) review only to find their controls are so far from the requirements that the project is put on hold and money is wasted. An Information Security Controls Review is a good first step towards a SOC report.
What are the Features and Benefits of an ISCR?
Based on NIST & COBIT
- Industry standards that are easily understood, accepted, and trusted
- Addresses third-party requests (RFPs, SAQs, SLAs)
- Provides organizational oversight and assurances based on regulatory requirements
- Service Providers
Internal Roadmap Report
- Supports the enhancement of the organization's security strategy and identifies gaps in:
  - Administrative Controls
  - Technical Controls
  - Physical Controls
- Creates a security plan that can be implemented in a phased approach
- Shortens the timeline to a required compliance framework
- Redistributes savings toward improvements
- Reports can be generated in weeks, not months, assisting in responding to RFPs