vCISO Deliverables

vCISO Services from Cyber Risk Consulting Services

vCISO Services provide fractional information security leadership and expertise to small and medium-sized companies and their IT teams, operational teams and senior leadership in key areas including risk management, security operations planning, security program architecture and development, risk and regulatory compliance, security strategy, guidance and education.

Key vCISO Services

Security Infrastructure and Security Operations

  • Assessment of the existing security stack, including security tools, infrastructure, access, policies and processes, against industry and regulatory standards
  • Assessment of existing Security Operations, including team personnel, managed services, and the training and certifications required to fulfill the business goals and objectives
  • Assessment of the operational processes and relationship between security operations and the other IT operational teams
  • Security budget planning and review

Operations Management and Framework Assessment

  • Assessment of current environment, including servers, infrastructure, and network diagrams (as needed)
  • Comprehensive documentation of network topology and application data flow (as needed)
  • Security framework evaluation, guidance and certification posture for ISO 27001, PCI DSS, HITECH, SOX, GDPR, etc.

Risk and Threat Assessment and Management

  • Annual risk assessment, including as-needed analysis of physical, infrastructure, cloud, access and encryption controls
  • Vulnerability scanning to identify risks, including IP addresses and patching compliance
  • Compliance reporting and risk mitigation plan
  • Security Risk Metric scoring
  • Routine quarterly scans to update compliance report and risk mitigation plan as needed

Security Policy Development

  • Self-administration tool-sets and acceptable use policy (AUP) recommendations
  • Phased implementation and budget planning assistance
  • IT policy review and guidance (e.g., system controls, role-based access control, backup and disaster recovery)
  • Cross-departmental stakeholder engagement to address user policies and risks

Threat Assessment and Risk Mitigation

  • Identification and impact analysis of risks, remediation steps, and improvement scoring
  • Security framework compliance guidance (e.g., GLBA, NIST, CIS)
  • Monthly emerging threat reporting, including common vulnerabilities and exposures (CVEs) and remediation guidance
  • Incident response plan (IRP) development, including incident criteria, roles and responsibilities, response team procedures, and legal and/or regulatory requirements

Security Training and Mentorship

  • Evaluation of existing team structure, needed staff and function recommendations, team mentorship, and threat identification training
  • In-house cybersecurity training for all staff including executive and board-level teams
  • As-needed candidate screening

Mergers and Acquisitions

  • Risk profiling of the acquisition target
  • Investigation of the acquisition target's legal standing
  • Management of the cyber transition during the merger process
  • Creation of an integration plan for the merging companies