WHAT IS THE BUSINESS CHALLENGE?
Organizations without a Chief Information Security Officer (CISO) or an IT Security Manager typically also lack a comprehensive network security posture assessment aligned to their compliance requirements.
Each industry vertical has a specific compliance law or standard that defines specific requirements for network security, use of IP stateful firewalls, use of VPN technology for sending confidential data through the public Internet, IT security operations and management, and IT security testing where applicable.
WHO DOES THIS IMPACT?
| Industry Vertical | Compliance Law or Standard | Compliance Scope/Checklist |
| --- | --- | --- |
| K-12 / Higher Education | FERPA | FERPA Data Security Standard |
| Federal Government | FISMA | FISMA IA Cert. & Accreditation |
| Federal Government | FedRAMP | Federal Risk and Authorization Management Program / Checklist |
| Federal Government – DoD | DIACAP | DoD Information Assurance Certification and Accreditation Process |
| Financial (Banking/Insurance) | GLBA | GLBA Privacy & Safeguard Rules / Checklist |
| Healthcare | HIPAA | HIPAA Security Rule, Privacy Rule, & Business Plans / Checklist |
| Retail/e-Commerce/Other | PCI DSS | PCI DSS Merchant / Service Provider SAQ – A/B/C/D |
| Publicly Traded Company | SOX | SOX – Section 303 & Section 404 – Security Controls & Safeguards / Checklist |
WHY IS IT IMPORTANT?
In concert with performing a security risk assessment or compliance gap analysis, drilling down into your IP data network infrastructure and locking it down according to your required security baseline definition requires a thorough and complete analysis of all internal and external network connection and access points.
Some of the business challenges facing both private sector and public sector organizations include:
- Updating Layer 2 and Layer 3 network documentation for both physical connections and logical configurations (e.g., IEEE 802.1q VLANs, Layer 3 switching/routing, etc.) as part of the overall network security posture assessment’s Discovery Phase
- Maintaining air-tight configuration change management throughout the IP data network infrastructure, so that whenever a critical or major change occurs in the IP data network, the corresponding documentation, testing, and validation are kept up to date and accurate
- Identifying and prioritizing network remediation or security hardening requirements for gaps found as part of the overall network security posture assessment’s Assessment Phase
- Budgeting CAPEX and OPEX to remediate the risks, threats, and vulnerabilities found within the IP data networking infrastructure; this budgeting is incorporated into the overall network security posture assessment’s Recommendation Phase, based on the defined security baseline definition
- Ensuring that the organization’s internal and external layered security solutions work according to the defined requirements, policies, and standards to maintain compliance (e.g., this may require performing IT security testing, verification, and validation, etc.)
HOW DOES ITPG’S NETWORK SECURITY POSTURE HELP YOU?
ITPG’s Network Security Posture Assessment will drill down to your organization’s compliance requirements, required security controls, and implementation of needed safeguards.
This will typically include a thorough review, assessment, and security testing within the 7-Domains of a Typical IT Infrastructure framework definition: User Domain, Workstation Domain, LAN Domain, LAN-to-WAN Domain, WAN Domain, Remote Access Domain, System/Application Domain.
- Break down the complex compliance laws into real-world implementation requirements and map them to your IP data networking, IT operations, and IT security operations environment
- Incorporate compliance requirements into a qualitative assessment tracking tool or spreadsheet organized per the network and network security baseline definition that will be defined during the Definition Phase of the network security posture assessment
- Conduct in-depth interviews of your IT, IT security, and IP data networking personnel and perform on-site inspections and reviews of your current Layer 2 and Layer 3 IP data networking implementation. This will include a review of policies, standards, procedures, and guidelines as they pertain to a layered security implementation, to validate security controls and implementations throughout the IP data networking infrastructure
- Perform a high-level, qualitative compliance gap analysis and network security posture assessment mapped to your organization’s compliance requirements and network security baseline definition
- Deliver gap remediation recommendations aligned to CAPEX and OPEX cost magnitude estimates and prioritized according to the network security posture assessment’s findings and recommendations, mapped to your organization’s compliance requirements.
ITPG has successfully delivered 100+ Compliance Gap Analysis and Posture Assessments covering every vertical industry and compliance law currently enacted within the USA.