WHAT IS THE BUSINESS CHALLENGE?
Organizations that are void of a Chief Information Security Officer (CISO) or an IT Security Manager typically means they are void of a comprehensive security risk management plan to address compliance. ITPG’s Compliance Gap Analysis Solutions drill down to the law’s compliance requirements, required security controls, and implementation of needed safeguards. In essence, ITPG can help fulfill your compliance assessment initiatives.
To streamline our solutions offering, ITPG incorporates its proprietary information gathering questionnaires and automated compliance tool checklists to verify and validate as part of the overall Compliance Gap Analysis and overall qualitative assessment maturity posture assessment. These unique and complex information gathering questionnaires and automated compliance tool checklists include the following verticals and compliance laws:
WHO HAS TO MAINTAIN ANNUAL COMPLIANCE?
| Industry Vertical | Compliance Law or Standard | Compliance Scope/Checklist |
|---|---|---|
| K-12 / Higher-Educationg | FERPA | FERPA Data Security Standard |
| Federal Government | FISMA | FISMA IA Cert. & Accreditation |
| Federal Government | Fed RAMP | Federal Risk and Authorization Management Program / Checklist |
| Federal Government – DoD | DIACAPS | DoD Information Assurance Certification and Accreditation Process |
| Financial (Banking/Insurance) | GLBA | GLBA Privacy & Safeguard Rules / Checklist |
| Healthcare | HIPAA. | HIPAA Security Rule, Privacy Rule, & Business Plans / Checklist |
| Retail/e-Commerce/Other | PCI DSS | PCI DSS Merchant / Service Provider SAQ – A/B/C/D |
| Publicly Traded Company | SOX | SOX – Section 303 & Section 404 – Security Controls & Safeguards / Checklist |
WHY MUST YOUR ORGANIZATION MAINTAIN ANNUAL COMPLIANCE?
As mandated by recent compliance laws and standards, organizations in many verticals are required to maintain annual compliance. This means an annual compliance gap analysis is needed as a road-map for what the scope of your organization’s security risk assessment should be.
Many organizations opt to perform a high-level, compliance gap analysis first, as a precursor to performing a security risk assessment. Some of the business challenges facing both private sector and public sector organizations include:
- Lacking stringent configuration change management procedures makes it difficult for organizations to identify what elements must be assessed to ensure if compliance requirements are impacted
- Maintaining annual compliance is a burden that typically requires a crisis mode of operation and support by all IT and IT security personnel to meet the annual deadline
- Identifying and prioritizing gaps found that require remediation to mitigate high risk exposure
- Budgeting CAPEX and OPEX to remediate risks, threats, and vulnerabilities that contribute to the IT infrastructure’s non-compliance
- Ensuring that the organization’s work-force has been properly trained on organizational policies, operational procedures, and security awareness to maintain a tight security baseline definition
HOW DOES ITPG’S COMPLIANCE GAP ANALYSIS HELP YOU?
- Breakdown the complexity of compliance laws into real-world implementation requirement
- Incorporate compliance requirements into a qualitative assessment tracking tool or spreadsheet organized per the law’s safeguard categories (e.g., administrative, physical, technical, etc.)
- IN-DEPTH interview of your IT, IT security, and management personnel and perform on-site inspections and reviews of your current layered security implementation to validate security controls and implementations
- Create a high-level, qualitative compliance gap analysis & posture assessment mapped to your organization’s compliance requirements
ITPG has successfully delivered 100+ Compliance Gap Analysis and Posture Assessments covering every vertical industry and compliance law currently enacted within the USA.
