Governance, Risk & Compliance

What can I do to prevent a cybersecurity breach? How do I know whether my information is secure? Information security covers my internal network, but cybersecurity risks lurk outside it, where I have little visibility. How do I know whether my organization is secure at all, let alone how to work toward a mature security posture?


Security with a business focus

IT Governance, Risk and Compliance (GRC) covers the disciplines that protect IT assets and keep IT operations efficient. In turbulent times like now, when cybersecurity is at the forefront, GRC strengthens compliance and overall security posture through the implementation of preventive controls.

What are your organization’s mission and goals? Does the business understand its IT risks? Is your organization facing change through mergers or acquisitions? Are there compliance requirements you must meet? Our approach begins with your business and takes a holistic, risk-based approach to managing information security and protecting against cybersecurity threats. We focus on establishing a sound security posture while reducing the cost of containing incidents.

Our services support business processes and align IT with the business. Our management and technology consultants address the complexity of this area while balancing security against business needs and overall compliance. Our process analyzes threats, vulnerabilities and impact to determine the important risk factors, identifies cost-effective mitigation strategies, and establishes ways to monitor ongoing progress.

How We Do This:

We combine best practices, industry frameworks and project management discipline. From strategy to risk management to security transformation, !m can help protect the confidentiality, integrity and availability of your organization’s valuable information assets.

Information Security Program
  • Strategy and Enterprise Strategic Alignment
  • Security Roadmap
  • Governance Framework and Structure
  • Policies, Standards, Processes, Procedures and Guidelines
  • Security Architecture
  • Security Roles and Responsibilities
  • Security Awareness and Training
  • System and Data Classification and Criticality Analysis
  • Security Program Management

Risk Management
  • Risk Management Framework and Program Development
  • Security Maturity Assessment
  • Business Impact Analysis (BIA)
  • Risk Assessment (RA)
  • Vulnerability Assessment
  • Penetration Testing
  • Business Resilience/Continuity Planning
  • Disaster Avoidance/Recovery Planning
  • Incident Management Program Development
  • IT Security Audit

Compliance
  • HIPAA Privacy, Security and Omnibus Rules
  • HITRUST Self-Assessment Guidance
  • Commonwealth of Virginia IT Security Policy (SEC519)
  • Commonwealth of Virginia IT Security Standards (SEC501)
  • Commonwealth of Virginia IT Audit Standard (SEC502)
  • Commonwealth of Virginia Hosted Environment Security Standards (SEC525)
  • NIST Special Publication 800-53 (Security and Privacy Controls for Information Systems and Organizations)
  • Industry Specific “Best Practices”
  • Reports and Metrics Guidance
  • Compliance Assurance

Case study: We Gave the DMV a Security Tune-Up

Past Performance

Virginia Department of Social Services (VDSS)

  • Supported re-authorization to operate (ATO) of a federal system with the Centers for Medicare & Medicaid Services (CMS)
  • Security controls and privacy assessment using the CMS framework and procedures and the Minimum Acceptable Risk Standards for Exchanges (MARS-E)
  • Provided a Plan of Action and Milestones (POA&M)
  • Provided a traceability matrix linking compliance requirements to the POA&M

Virginia Department of Health (VDH)

  • Conducted a Business Impact Analysis (BIA)
  • Conducted an enterprise Risk Assessment (RA) of common controls

Virginia Information Technologies Agency (VITA)

  • Facilitated development of statewide IT security policies and procedures based on the NIST Risk Management Framework and the SP 800-53 control catalog.
  • Provided a common set of IT security standards and associated policies and procedures for Executive Branch departments and agencies across the Commonwealth of Virginia.

Virginia Department of Education (VDOE)

  • Conducted an IT application audit assessing the effectiveness of IT security controls and compliance with COV Security Policy (SEC519-00) and Standards (SEC501-07.1)
  • Provided a compliance report with remediation recommendations for the identified compliance issues.

Industry-Leading Expertise

Qualifications

  • DoD Cleared & Experienced Staff
  • DoD 8570 Certifications
  • IT System Risk Assessment
  • IS Policy & Procedures Development
  • Independent Verification & Validation
  • Security Assessment & Authorization
  • Enterprise Security Architecture Design

Certifications

  • Certified Information Systems Security Professional (CISSP)
  • Certified Information Security Manager (CISM)
  • Certified Information Systems Auditor (CISA)
  • Certified Internal Auditor (CIA)
  • Certified Public Accountant (CPA)
  • Certified in Risk and Information Systems Control (CRISC)
  • Certified in the Governance of Enterprise IT (CGEIT)
  • Certified Ethical Hacker (CEH)
  • Project Management Professional (PMP)

Company information

  • SEAPORT-e – N00178-14-R-4000
  • DUNS – 796778046
  • SAM CAGE code – 4YKK2
  • SWaM – 660781
  • Certified State of Virginia Small Business
  • Certified B Corporation
  • Virginia Benefit Corporation
  • NAICS codes: 541519, 541511, 541613