GRC GAP ASSESSMENT

WHAT IS A GRC GAP ASSESSMENT?

The purpose of a GRC (governance, risk, and compliance) Gap Assessment is to identify missing elements of a security program as compared to a specific framework.  Gap Assessments are typically conducted to compare the implemented administrative, physical, and technical controls of an organization with the standards depicted in an established framework.  

Gap Assessments are conducted for your benefit, to allow you to establish a baseline or understand how you would score in an audit against a specific governance framework.  Upon completion, your organization will have an understanding of what aspects of the assessed framework are implemented and operating effectively, and what aspects require additional work.

RedLegg provides Gap Assessment services for the following frameworks along with CIS 20, Privacy Shield, and Customer Sec Policy:

23 NYCRR 500

The New York State Department of Financial Services (NYDFS) has defined Title 23 Part 500 of the Official Compilation of Codes, Rules and Regulations of the State of New York (NYCRR), covering minimum cybersecurity standards designed to promote the protection of customer information and the IT systems of financial entities operating in NY state. This comprehensive regulation is a standard against which to measure the effectiveness of cybersecurity infrastructure, personnel, policies, risk assessments, and audits, ensuring that organizations keep pace with technological advancements.

RedLegg offers multiple solutions to meet 23 NYCRR 500 requirements.  The various solutions adapt to meet the needs of your organization’s size and current security posture.

  • Enterprise Security Assessment – A multi-phased approach designed to provide a holistic evaluation of security posture and risk, including review of regulatory compliance, security controls, internal and external vulnerabilities, secure code, and social engineering vulnerability.
  • vCISO – A Digital Strategic Security Program (virtual CISO) that enables small- and medium-sized organizations (SMBs) to leverage the expertise of an experienced cybersecurity team while minimizing time and resource investments.
  • Policy Framework Development – A document development methodology focusing on standards, guidelines, policies, and procedures that inform users of their responsibilities, define the security protection program, and implement appropriate protection initiatives.
  • Application Security – A methodology, based on proven industry best practices, to determine whether your organization’s applications are secure, including network review, system testing, application testing (threat modeling and secure code review), risk analysis, and IoT configuration review (if needed).
  • Secure Code Review – A process for assessing the risks to your applications, including review of customer-specific applications and verifying code, line-by-line, to ensure that every aspect is secure.
  • Penetration Testing – A determination of exposure to risk and vulnerabilities as well as the identification, definition, and creation of a specific, actionable remediation plan, including internal testing (threat vulnerabilities of your internal resources) and external testing (vulnerabilities in your systems due to actors outside your security perimeter).

The following table lists the RedLegg solutions that address the NYDFS:

[Table: 23 NYCRR 500 Section Coverage by solution, sections 01 through 20. Rows: Enterprise, vCISO, Policies, Applications, Secure Code, Pen Testing. The per-section coverage marks in this table were not preserved.]

COBIT

The Information Systems and Audit Control Association (ISACA®), recognizing the need for executive oversight and business governance of IT operations, introduced the Control Objectives for Information and Related Technologies (COBIT®) framework in 1996.  The framework has since been updated to include management process controls, enabling businesses to extract maximum value from IT through:

  • Integration of business functions with IT standards
  • Guidance of enterprise architecture
  • Integration of organizational controls with external standards and frameworks
  • Improvements in technological communications and information dissemination

COBIT is formulated to be an accepted global standard which ensures that an IT organization is operating under effective governance.  The framework assists all business stakeholders by providing a common language to communicate goals, objectives, and expected results.  The IT governance roadmap does this by integrating standards and business best practices through:

  • Strategic alignment of IT operations and business goals
  • Value-added delivery of services and projects
  • IT risk management
  • IT resource management
  • IT performance measurement

Organizations using the framework implement a defined relationship among processes, goals, and metrics:

PROCESS              | TYPE          | DESCRIPTION
Define goals         | Business goal | Maintain enterprise reputation and leadership.
                     | IT goal       | Ensure IT systems resist and recover from attack.
                     | Process goal  | Detect and resolve unauthorized access to all systems.
                     | Activity goal | Understand security requirements, vulnerabilities, and threats.
Measure achievement  | Business      | Number of incidents impacting business reputation (public perception).
                     | IT            | Number of incidents impacting business operations.
                     | Process       | Number of incidents of (or due to) unauthorized access.
                     | Activity      | Frequency of security incident monitoring and review.
Indicate performance | [All]         | Outcome measures, IT-specific metrics, and KPIs.
Improve and realign  | [All]         | Apply performance results for each goal/measurement type to lessons learned and improvements to the preceding goal and achievement measurement.

(Source:  COBIT Overview presentation: 2009, p. 12.  Accessed March 6, 2018.)

FFIEC

The Federal Financial Institutions Examination Council (FFIEC) is a federal interagency body, composed of five (5) regulatory agencies plus a state liaison committee, that provides government oversight of US financial institutions.  FFIEC prescribes cybersecurity standards to reduce vulnerability in the financial industry, including third-party service providers.  Compliance with the guidelines requires comprehensive internal assessment and solutions implementation, including ongoing risk assessments, to identify security weaknesses and address threats.

Cybersecurity Assessment Tool

The FFIEC Cybersecurity and Critical Infrastructure Working Group has created a Cybersecurity Assessment Tool that “provides a repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time”.  The assessment tool maps to the NIST Cybersecurity Framework and consists of two (2) parts: Inherent Risk Profile and Cybersecurity Maturity.

Inherent Risk Profile

The Inherent Risk Profile enables financial institution managers to identify inherent organizational risk (least, minimal, moderate, significant, or most), absent implemented controls.  The profile assesses five (5) main categories, with the number of items assessed for each:

  • Technologies and Connection Types (14)
  • Delivery Channels (3)
  • Online/Mobile Products and Technology Services (14)
  • Organizational Characteristics (7)
  • External Threats (1)

Cybersecurity Maturity

The Cybersecurity Maturity portion of the assessment covers “domains, assessment factors, components, and individual declarative statements across five maturity levels to identify specific controls and practices”.  Institution managers evaluate organizational maturity level (baseline, evolving, intermediate, advanced, and innovative) across each of five (5) major domains:

  • Cyber Risk Management and Oversight
  • Threat Intelligence and Collaboration
  • Cybersecurity Controls
  • External Dependency Management
  • Cyber Incident Management and Resilience

GDPR

Go deeper into our GDPR-related services here!

ISO 27001/27002

The International Organization for Standardization (ISO), based in Geneva, Switzerland, develops voluntary international standards intended to protect consumers and end users of products and services.  ISO has developed a set of information security management best practices known as the ISO 27000 family (also referred to as ISO27k), facilitating global trade and product safeguards for organizations and managing risk using information security controls.

ISO 27001

ISO 27001 is the requirements standard of the family.  According to ISO, it is a generic standard for implementing a sound information security (IS) program across an organization, including risk assessment requirements and management of non-IT information assets.  Its clauses cover:

  • Organizational needs and IS scope
  • Leadership, policy, and responsibilities
  • Risk-oriented objectives and planning
  • Operational control and risk assessment
  • Monitoring, audit, and review
  • Nonconformity, corrective actions, and improvement
  • Support resources, communications, and documentation
  • Controls and objectives reference

Organizations apply the ISO 27001 standard to ensure that information security and any existing point solutions are stabilized under management control, and achieve accreditation by successfully completing an external audit.  The audit generally does not cover basic cybersecurity controls (firewalls or antivirus/antimalware applications), and organizations may choose to certify only one operational area or business unit as ISO compliant.

ISO 27002

This standard, entitled Code of practice for information security controls, is a guideline that provides best practice recommendations on information security controls for initiating, implementing, or maintaining an ISMS.  Information security is defined for the three (3) components of the C-I-A triad: confidentiality, integrity, and availability.  The guidelines cover:

  • Control categories
  • IS policies
  • IS organization and mobile devices
  • HR security issues
  • Asset management, information classification, and media handling
  • Access control (users and systems)
  • Cryptographic controls
  • Physical and environmental security
  • Operations (malware, backup, logging, installation, vulnerability, audit)
  • System acquisition, development, and maintenance
  • Supplier relationships
  • Incident management
  • Business continuity
  • Compliance (legal, contractual, and IS review guidelines)

NIST Cybersecurity Framework 800-171/53

The NIST Cybersecurity Framework (CSF) was first published by the National Institute of Standards and Technology, an agency of the US Department of Commerce, in 2014.  It provides taxonomy and methodology to proactively manage and reduce risk in the cybersecurity infrastructure.  Organizations use this framework in tandem with an assessment of the specific threats and security challenges they face.  While compliance with the framework is voluntary, some organizations require that their vendors do comply, and regulators are calling for compliance, including the Federal Financial Institutions Examination Council (FFIEC).

Implementation Categories

The NIST CSF focuses on the business drivers that guide cybersecurity efficacy and includes cybersecurity risks as part of an organization’s management processes.  It is organized into three components: the Core, Profiles, and Implementation Tiers:

  • Core – Consists of five (5) main functions: Identify, Protect, Detect, Respond, and Recover, with multiple subcategories addressing cybersecurity outcomes and controls.
  • Profile – Typically split into Current and Target Profiles, defines an organization’s baseline security and the required final configuration and outcomes, based on assessment and tailoring of critical infrastructure and processes.
  • Tiers – Aid in clarifying and communicating the degree of cybersecurity implementation across an organization.

(Source:  https://www.nist.gov/document-3764: 01/11/2018.)

NIST 800-171

This Special Publication (NIST.SP.800-171): Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, delineates requirements for the protection of Controlled Unclassified Information (CUI), including confidentiality in non-federal information systems and instances where there are no defined data protections prescribed by law, regulation, or government policy. The regulations primarily affect federal agencies employing contracts or other agreements established between those agencies and non-federal organizations, and map to the NIST CSF Core.

NIST 800-53

This Special Publication (NIST.SP.800-53r4): Security and Privacy Controls for Federal Information Systems and Organizations, catalogs security and privacy controls for federal information systems and organizations (not related to US national security) to protect business operations, assets, individuals, third parties, and the nation from cyber and physical threats, as well as human error. The controls address security and privacy requirements across the federal government and critical infrastructure.  They also address security functionality and assurance to ensure that information technology products, and systems built from those products, are both soundly engineered and trustworthy.

PCI

The Payment Card Industry Data Security Standard (PCI DSS) is a set of policies and procedures intended to optimize the security of credit, debit, and cash card transactions, and to protect cardholders against misuse of their personal information.

The PCI Security Standards Council is a global organization that maintains, evolves, and promotes Payment Card Industry standards for the safety of cardholder data across the globe.  The Council was founded in 2006 by American Express, Discover, JCB International, MasterCard, and Visa, Inc.  They share equally in governance and execution of the Council's work.

The following table lists the high-level requirements used in PCI gap assessments:

GOAL                                            | PCI DSS REQUIREMENTS
Build and Maintain a Secure Network and Systems | Install and maintain a firewall configuration to protect cardholder data.
                                                | Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data                         | Protect stored cardholder data.
                                                | Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program     | Protect all systems against malware and regularly update anti-virus software or programs.
                                                | Develop and maintain secure systems and applications.
Implement Strong Access Control Measures        | Restrict access to cardholder data by business need to know.
                                                | Identify and authenticate access to system components.
                                                | Restrict physical access to cardholder data.
Regularly Monitor and Test Networks             | Track and monitor all access to network resources and cardholder data.
                                                | Regularly test security systems and processes.
Maintain an Information Security Policy         | Maintain a policy that addresses information security for employees and contractors.

(Source:  PCI DSS Requirements and Security Assessment Procedures, v3.2 April 2016: p.5.)


BENEFITS

Benefits of a GRC Gap Assessment performed by RedLegg include:

INSIGHT:

Gain insight into many of the risks faced within your enterprise by identifying shortcomings in your existing security program.

EFFICACY:

Prioritize the biggest threats to the organization and strategically plan the necessary roadmap to safeguard your organization.

PROACTIVITY:

Reduce the impact and likelihood of a successful breach and data exfiltration through testing and securing of your organization.

COMPLIANCE:

Show customers and stakeholders your commitment to securing and protecting the most valuable assets against various threat actors.

GRC GAP ASSESSMENT METHODOLOGY

The RedLegg methodology for conducting GRC Gap Assessments is based on a proven track record of examining an organization’s security program through interviews and analyzing relevant documentation and materials. RedLegg has developed a robust assessment methodology that maximizes the ability of the consultant to identify gaps in the assessed framework and provide consulting to meet compliance with a specific GRC framework while improving the overall security posture of your organization.

RedLegg approaches a gap assessment by assuming your organization meets none of the requirements and requires proof to change that assessment.  RedLegg takes the following steps to obtain proof of compliance, while further analyzing controls to identify other areas for improvement to the overall security posture.

PHASE 1:
EXAMINE

RedLegg examines relevant documentation to determine if aspects of the framework are currently in place.  Analysis of the documentation allows the consultant to understand the maturity level of the program and identify areas to improve beyond compliance with the assessed framework.  Documents may include, but are not limited to:

  • Policies, Standards, Guidelines, Procedures
  • Vulnerability Scans
  • Pen Testing Reports
  • Application Assessment Reports
  • Compliance Reports
  • Network Diagrams
  • Technical Control Configurations
  • Employee Handbook
  • Organizational Chart
  • IR and BCDR Plans

PHASE 2:
INTERVIEW

RedLegg continues by conducting interviews with key stakeholders at the organization.  These stakeholders will answer questions relating to specific aspects of the framework as well as the overall security posture.  Interviewees may include, but are not limited to:

  • CISO/CIO
  • Director of Security/Director of IT
  • Security Architect
  • Network Administrator/Engineer
  • Server Administrator/Engineer
  • Desktop Support
  • Legal and Compliance
  • SOC Team
  • Development Team
  • IT Operations Team
  • Senior Leadership
  • Human Resources

PHASE 3:
CLARIFY

After the interviews are complete, RedLegg will review the notes and ask for any follow-up documentation.  Additional interviews may be necessary based on clarifying documentation.  RedLegg will attempt to continue to clarify any findings to increase the accuracy of the report.

PHASE 4:
DELIVER REPORTS

Upon completion of the assessment, RedLegg will capture the results in a report, including:

  • Executive Summary
  • Assessment Findings
  • Remediation Recommendations
  • Remediation Roadmap

PHASE 5:
DEBRIEF

Once the deliverable has been received, RedLegg will schedule a debriefing meeting to discuss the results of the assessment.  During this phase, RedLegg will work with you to determine any necessary changes to the report.  When changes are complete, RedLegg will finalize the report and finish the project.

DELIVERABLES

RedLegg is a Global Partner for Managed and Cyber Security Services.  RedLegg delivers Enterprise Data Governance Consulting Services and Solutions through its Advisory Services practice.  RedLegg’s approach to consultancy is based on a solid risk management foundation and strong track record of successful engagements.

Our technical scoping will help determine what information and deliverable items your organization needs.

BASIC

Receive a Gap Assessment Matrix and Findings List.

Once the deliverable has been received, RedLegg will schedule a debriefing meeting to discuss the results of the assessment.  During this phase, RedLegg will work with you to determine any necessary changes to the report.  When changes are complete, RedLegg will finalize the report and finish the project.

EXECUTIVE

Receive a Gap Assessment Matrix, Findings List, as well as an Executive Report.

Upon completion of your assessment, RedLegg will capture the results in a report, including:

  • Executive Summary
  • Assessment Findings
  • Remediation Recommendations
  • Remediation Roadmap

Once the deliverable has been received, RedLegg will schedule a debriefing meeting to discuss the results of the assessment.  During this phase, RedLegg will work with you to determine any necessary changes to the report.  When changes are complete, RedLegg will finalize the report and finish the project.

OUR APPROACH

RedLegg is an innovative, global security firm that delivers managed cybersecurity solutions and peace of mind to its clients.

RedLegg’s approach to information security protects the confidentiality, integrity, and availability of critical data based on a sound risk management framework. This approach allows organizations to engage business owners in defining acceptable levels of risk and to participate in the process for evaluating threats.

RedLegg’s ARMEE (Assess, Remediate, Monitor, Educate, Enforce) methodology institutes a lifecycle that allows for an ongoing process to continuously improve the security posture of the organization. This methodology is designed to be portable to all business, legal, regulatory, and security requirements of the organization. It is flexible enough to account for the constant flux in the market place, attack vectors, and protection mechanisms.

GET COVERED.

Discover the missing elements of your security program.
