Governance, Risk, & Compliance (GRC)

Business Impact Analysis (BIA)

Provides a Foundation for the Availability Requirements of the Organization’s Business Continuity and Information Security Programs. 

What does the BIA accomplish?

• Details recovery requirements of business functions and IT systems.
• Provides impact information that can be utilized by various risk management functions within the organization.
• Identifies which organizational units, operations, procedures, and processes are essential to stakeholders following a severe operational disruption, such as a disaster or data breach.

What value does the BIA deliver to the organization?

The analysis identifies the business units, operations, and processes essential to the recovery and security of the organization following a business disruption or disaster. This information is critical for developing Continuity Planning, IT Disaster Recovery, Crisis Management, and Information Security Incident Response Plans.

Data classification

Data Classification and System Sensitivity Analysis Identifies the Information Created and Managed by your Organization. 

This classification and analysis also includes the data protection requirements related to confidentiality, integrity, and availability.

What value does Data Classification deliver to the organization?

• Allows you to understand what data it stores, transmits, or processes.
• Classifies your data’s sensitivity as it relates to confidentiality, integrity, or availability.
• Provides a process and structure for evaluating future data to ensure you have positive control over all its information.
• Helps to right-size the controls for the data so that it meets the needs of the organization while being sensitive to system performance, resources, and cost.

Policies, standards, and guidelines

Includes all Activities to Develop, Refresh, or Refine Information Security Policies, Standards, and Guidelines with Supporting Procedures (PPSGs).

This effort brings everything into full compliance with ISO 27001, FFIEC, GLBA, FISMA, HIPAA, NIST, PCI DSS, and others as required or desired.

What value do policies, standards, and guidelines deliver to the organization?

PPSGs are the foundation of any information security program and must be completed first when an organization establishes a program.

Assura works with organizations to ensure:

• PPSGs reflect the decisions made by the organization and not just a generic collection of requirements.
• Any existing policies and procedures are utilized if possible to reduce the number of new materials introduced.
• If existing policies and procedures carry over, they are compliant with standards and regulatory requirements.

Security Plans

Planning That’s Focused on Developing Security Capabilities within the Organization. 

Security Plans consist of documentation detailing the strategies, roles/responsibilities, actions, security/recovery controls, and resources necessary to meet security and resiliency requirements.

What value do Security Plans deliver to the organization?

Assura performs planning activities that result in many deliverables as listed below:

• Auditable Event Plans
• Backup and Restoration Plan (if not included in Information Technology Disaster Recovery Plan)
• Change Management Plan
• Configuration Management Plan
• Continuity of Operations Plans
• Continuous Monitoring Plans
• Incident Response Plan
• Information Technology Disaster Recovery Plans
• Key Performance Indicators Plan
• Media Sanitization and Destruction Plan
• Policies, Standards, and Guidelines
• Ports, Protocols and Services Plan
• IT Operations and Security Procedures
• Secure System Acquisition Plan
• Software License Management Plan
• Software Vulnerability Management Plan
• System Hardening
• System Security Plans
• Ad Hoc Plans as Needed

Incident Response

Developing an Incident Response Plan for Information Security that Ties to the Organization’s Continuity and Crisis management Capabilities. 

Assura tests the capabilities of this program by utilizing testing strategies aligned with the organization’s risk profile, maturity of the program, and experience level of participants. We develop planning and exercise requirements with supporting documentation. These requirements are consistent with the selected program framework, Continuity Planning, and Information Security Planning for all legal, regulatory, contractual, and stakeholder requirements.

What value does Incident Response deliver to the organization?

As recent data breaches have shown, it rarely just affects the Information Security Program when an incident occurs. These types of events require coordination and input from various stakeholders. Incident response planning and exercise management create a powerful capability within your organization. You’re able to respond to any disruption or incident affecting information security and the organization’s continuity.

Risk Assessment

Providing a Structured and Systematic Analysis that Details the Hazards, Impact of Threats Realized, and Risk Mitigation Recommendations with Prioritization of Activities. 

Assura performs various risk assessments, such as:

• Information Security Programs
• Information systems/applications
• Data centers
• Network and infrastructure
• Physical security
• Third-party vendors

What value does Risk Assessment deliver to the organization?

• Presents leadership with quantitative and qualitative risk information regarding information security risk.
• Allows leadership to make informed decisions regarding the treatment of risk.
• Provides resources to address the risk if it poses too much for the organization.