Security Fundamentals – Risk Assessment
LMG will work with key stakeholders within your organization to assess the following:
• Existing security controls
• Potential threats and vulnerabilities affecting sensitive information and system availability
• The impact and likelihood of a threat agent exploiting each vulnerability, which together determine the level of risk
Based on these determinations, LMG will provide a summary report identifying the top risks, drawing on the threats observed in your industry and the results of your controls assessment. The report will help you prioritize remediation of key operational vulnerabilities and will provide recommendations to mitigate those vulnerabilities and reduce risk to the organization.
The Risk Assessment will build upon the document review and staff interviews conducted as part of the Fundamentals Assessment. LMG will evaluate the most important gaps identified through the Fundamentals Assessment and rate the likelihood and potential impact of an exploit arising from each gap.
Deliverable:
• Risk Assessment summary report, visual “dashboard”, and recommendations.
Security Fundamentals – Controls Assessment
LMG will evaluate your technical and administrative security program and controls to assess your security posture and provide recommendations for reducing risk.
The assessment is based on LMG’s analysis of industry-standard best practices and cybersecurity control frameworks, including those listed below. The assessment will identify the most important and impactful fundamental security controls needed to produce a sound foundation for your enterprise-wide security program.
• NIST Cybersecurity Framework
• Center for Internet Security (CIS) Critical Security Controls (aka “Top Twenty”)
• ISO 27001/27002
In support of this project, LMG will:
• Interview key staff members, such as risk management, Information Technology (IT), executive, and general workforce employees.
• Review documentation, such as IT and security policies and procedures.
Deliverable:
• Fundamentals Assessment summary report, scorecard and recommendations.
Security Fundamentals – Technical Testing
LMG will perform routine, automated, multilayer vulnerability scans of Client’s internal and external networks and produce a summary report.
This assessment will be performed remotely. Internal scans will be conducted using an appliance provided by LMG, which will be shipped to one Client facility. LMG will manage scans remotely over an Internet connection. Client is responsible for connecting the cybersecurity test device to the internal network and ensuring that it has outbound connectivity to LMG.
Results will be delivered via a web portal. Client will provide the list of target IP addresses in advance, along with any other information needed to verify that the targeted addresses belong to Client; no address will be scanned until that ownership check has been completed.
• Vulnerability scans of internal network
• Vulnerability scans of Internet-facing systems
• Raw vulnerability scan results, available via web portal
• 1-3 page report that outlines top findings and recommendations
• Scorecard with summary of findings
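The scope verification described above (targets supplied by Client, checked against address ranges Client attests it owns before any scan starts) is the kind of step that is worth automating so that a typo in a target list cannot send a scanner at a third party's address space. The following script is an added illustration, not LMG's tooling or any part of the proposal: it takes a target list as it might arrive from a client, validates each entry, and sorts it into the internal scan scope, the external scan scope, or a rejection list with a reason. The authorized ranges and the target list are constructed sample data (the 203.0.113.0/24 and 198.51.100.0/24 blocks are RFC 5737 documentation ranges, used here as placeholders for public addresses).

```python
import ipaddress

# Constructed sample scope (assumption, not client data): the address ranges the
# client has attested it owns, split by which scan they belong to.
INTERNAL_RANGES = ["10.20.0.0/16", "192.168.50.0/24"]
EXTERNAL_RANGES = ["203.0.113.0/28"]   # RFC 5737 documentation block as a stand-in

# Constructed sample target list (assumption): one entry per line, '#' comments allowed.
SAMPLE_TARGETS = """
# internal targets
10.20.4.15          # file server
10.20.8.0/24        # user VLAN
192.168.50.7
192.168.99.1        # private, but not in an authorized internal range
# external targets
203.0.113.5
203.0.113.0/27      # wider than the authorized /28
198.51.100.22       # not ours at all
127.0.0.1
not-an-address
"""

# RFC 1918 blocks, checked explicitly rather than via ipaddress.is_private, because
# is_private also covers documentation/reserved ranges and its meaning has shifted
# between Python versions.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _networks(cidrs):
    """Parse authorized CIDRs strictly: a range with host bits set is a data-entry error."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def _contained(net, ranges):
    """True if net lies entirely inside one authorized range of the same IP version."""
    return any(net.version == r.version and net.subnet_of(r) for r in ranges)


def classify_targets(target_text, internal_cidrs, external_cidrs):
    """Sort a target list into internal scope, external scope, and (target, reason) rejections.

    A target is accepted only if the whole address or block is contained in an
    authorized range; partial overlap is a rejection, never a trim.
    """
    internal = _networks(internal_cidrs)
    external = _networks(external_cidrs)
    result = {"internal": [], "external": [], "rejected": []}

    for raw in target_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)   # bare IPs become /32 or /128
        except ValueError:
            result["rejected"].append((line, "not a valid IP address or CIDR"))
            continue

        if net.is_loopback or net.is_link_local or net.is_multicast:
            result["rejected"].append((str(net), "loopback, link-local or multicast address"))
        elif _contained(net, RFC1918):
            if _contained(net, internal):
                result["internal"].append(str(net))
            else:
                result["rejected"].append((str(net), "private address outside authorized internal ranges"))
        else:
            if _contained(net, external):
                result["external"].append(str(net))
            else:
                result["rejected"].append((str(net), "public address outside authorized external ranges"))
    return result


def ready_to_scan(result):
    """Scanning should start only once every submitted target has been resolved."""
    return not result["rejected"]


if __name__ == "__main__":
    scope = classify_targets(SAMPLE_TARGETS, INTERNAL_RANGES, EXTERNAL_RANGES)
    for bucket in ("internal", "external"):
        print(f"{bucket} scope: {', '.join(scope[bucket]) or '(none)'}")
    for target, reason in scope["rejected"]:
        print(f"REJECTED {target}: {reason}")
    print("ready to scan:", ready_to_scan(scope))
```

Anything rejected goes back to the client for correction or a documented ownership attestation rather than being silently dropped; a /27 submitted against an authorized /28 is the typical case, where the client either owns the larger block (and the authorized range is updated) or does not (and the target is narrowed).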