The Vanguard service here for Defensity is Virtual Security Officer – this can be either:
- A monthly retainer fee for a set amount of hours plus on-demand usage – vCISO on Demand
- A set fee to provide certain aspects of the role in a one-off project – Block Hours
On the website, I want to give this a name that is easily understood by non tech people.
This is a product that larger companies may subcontract out to companies like DCS to reduce the cost of having a full-time CISO.
Different companies can tailor their vCISO packages so they get exactly what they need. The role of a Chief Information Security Officer is to align security initiatives with enterprise programs and business objectives, ensuring that information assets and technologies are adequately protected. The client defines a strategy and we develop a roadmap-driven information security program, with recommendations on which investments they should make to mitigate their risk to a level within their risk appetite.
Advantages of a vCISO:
- Access to impartial, highly knowledgeable cyber security professionals who provide specialist security services
- Immediate access to the commercial and technical expertise of an experienced and qualified senior manager
- Management of a cyber security team, providing strategic direction on the selection and implementation of cyber security measures
- Significant reduction in the cost of recruiting and training a full-time employed CISO
- Reduced risk of cyber attack, and protection from theft, operational disruption, loss of reputation and punitive action from regulators
- Management of IT and budgets to deliver cost-effective cyber security measures
• IT Governance
- Regular reviews of security breaches and security performance
- Risk Assessment Process
- Review and measure the effectiveness of Risk Management controls
- Develop the company risk appetite statement
- Evaluations of new security products, controls and processes
Guidance and Planning:
- Business Impact Analysis – to determine threats / assets / mitigation controls
- IT Security Policy, Standards & Guidelines build (based upon SANS – https://uk.sans.org/security-resources/policies)
• Risk Management
Understanding the risks associated with your industry, what needs protecting, and where your threats are allows the proper controls to be put in place to mitigate these risks.
- Provide education and assistance with the Risk Assessment process and with the Operational Owners of Risks
- Review the Risk Management process and provide guidance where decisions are required
- Develop a Data Policy with the board, covering data locations and the retention process
- Develop or update the Disaster Recovery Policy
• Security Testing
To make sure the controls put in place to secure an organization are providing the correct level of assurance, security testing is needed. Testing should allow your risks to be identified, your vulnerabilities to be mitigated, and your controls ultimately to become more effective.
- Penetration Testing of the following areas: Internal / External Infrastructure & Web Applications
- Regular testing provides assurance that the security posture is being maintained
- Reports, Debriefs and Remediation Advice – help and assistance to address areas of concern and vulnerabilities
- Testing strategy based on the Risk Register and Threats – guidance and assistance to develop the testing program
• Incident Response
As the number of breaches and attempted breaches is expected to grow exponentially over time, the ways in which we prepare have to change and adapt as well. In recent times, the focus has shifted from a Defense-in-Depth approach to a Response-in-Depth strategy. The question is not “How do we protect ourselves if we are hacked?” but “How do we respond to an attack when it happens?” These incident response capabilities are vital to an organization that wants peace of mind and assurance when the worst does happen.
- Incident Response Planning
- Monitoring and Logging reviews and capability assessments
- DCS will review your Incident Response procedures in order to design and conduct plausible simulated exercises, and evaluate your team’s performance