Risk Management and Compliance
Risk Management
Risk management is the process of examining the
strategic and tactical approach to your business,
identifying points of risk and developing strategies
to reduce those risks to acceptable levels (the
level of residual risk management is willing to
accept). Risk management can be a stand-alone
engagement if your goal is to jump-start the policy
development process, or it can be one of the first
steps in the development of an ISO 27001-conformant
Information Security Management System (ISMS).
Risk management and security reviews
should also be a part of the due diligence process
in investigating a particular business opportunity.
Opportunities include:
New Product Development
Creating an Internet Presence
Networking to a Third-Party Vendor Partner (B2B)
Outsourcing to a Third-Party Vendor Partner
Connecting Remote (autonomous) Company Divisions
Due Diligence as part of a Merger or Acquisition
JBW Group International's top-down approach
focuses on managing risk to your company's
critical information assets, not just on the
patches installed on systems in the network.
Compliance Analysis
Organizations today face compliance with multiple
legal, regulatory and industry standards requirements
that significantly affect their use and management
of information and information systems. Compliance
may require protecting the confidentiality of
certain categories of personal or sensitive information,
may depend upon the availability and integrity of
information systems and networks, and requires
complete, accurate and relevant information for
documenting and reporting compliance.
To ensure the optimal business use
of their information assets while meeting these
requirements, organizations must develop and implement
compliance processes that effectively harmonize
multiple requirements and seamlessly integrate
with business objectives. Often these objectives
must be accomplished over multiple business environments
and multiple jurisdictions.
ISO 27001 provides a comprehensive
framework and management system for implementing
business-driven, coordinated and integrated compliance
with multiple information security and privacy
requirements.
- The ISO 27001 Plan-Do-Check-Act
methodology requires capture and analysis of
all relevant legal, regulatory, industry standards
and contractual requirements that affect the
business use of information assets (people,
processes, technologies, data) within scope
of implementation.
- The standard's management system requirements
call for aligning the information security
compliance processes with the character and
objectives of the business.
- As an international standard
for information security management, ISO 27001
provides a cross-jurisdictional framework for
coordinating multiple information security and
privacy compliance requirements.
The identification of legal, regulatory,
industry standards and contractual information
security and privacy requirements can be provided
as a stand-alone service or as part of a full
implementation of the ISO 27001 standard. Our
team of consultants can assist your organization
with:
- Requirements Identification
and Impact Analysis:
We will identify the applicable legal, regulatory,
industry standards and contractual requirements
that affect information assets within a defined
scope of operations. Our impact analysis identifies
administrative, policy and process impacts across
four dimensions: Governance (organization, policies,
training, reporting, improvement), Information
Security (confidentiality, integrity, availability),
Information Privacy (data subject rights and
protections) and Documentation (documentation
and retention requirements).
- Controls Assessment:
Based on the requirements identification and
impact analysis, our consultants will perform
a controls assessment to determine the current
level of compliance readiness, identify potential
control gaps and recommend improvements to address
those potential gaps.
- Compliance Strategy Development:
Following the controls assessment, our consultants
will prepare a compliance strategy document
that will include:
- Identification of agreed-upon information
security and privacy compliance objectives
for the organization and identified assets
within the defined scope of assessment;
- Recommended improvements for information
security and privacy management processes
as well as for controls relevant to compliance
with identified legal, regulatory, industry
standard and contractual requirements; and
- A roadmap for the prioritization of project
objectives and task areas, and criteria
for the effective cross-functional integration
of information security and privacy controls
implementation.
Information Security Profiling
The typical service offering of many security
companies begins and ends with an Information
Security Profile. This exposure assessment, also
called "Penetration Testing," is a tactical
snapshot in time of your company's network
and system security profile.
JBW Group International's approach to
profiling is holistic, reflecting industry standards
and best practices. Using both commercial tools and
the same "black hat" tools an attacker would use,
vulnerabilities are identified from inside your
network and from the outside (Internet) looking in.
Results are delivered in a professional
report containing an executive summary and a detailed
technical list of discovered weaknesses, with
a strategy for remediation. This report is the
starting point for implementing solutions. Areas
of focus can include:
Operational Security Review
Network Security Profiling
System Security Profiling
Internal Network Security Assessment
Information Security and Privacy Policy Development
After identifying risks to your business and profiling
the infrastructure, an assessment of your company's
Information Security Policy is the next logical
step. Information Security Policy is the documented
direction given by management to guide employees
in the protection of information assets. Reviewing
your policy documentation will identify gaps both
in the implementation of controls and in the
policies themselves. Your Disaster Preparedness,
Business Continuity and Incident Response plans
may be included in the assessment.
JBW Group International's
assessment will provide your organization with
a "blueprint," based on an internationally
recognized standard, that can guide development
and execution of policy as part of a sound Information
Security Program.
Due Diligence for Mergers and Acquisitions
Most due diligence activities focus on a financial
analysis of profit/loss and the bottom line. Experts
from accounting firms, venture capital companies
and law firms are very good at assessing the profitability
and potential synergies of a merger/acquisition.
But frequently little, if any, attention is paid
to the security posture of the organization under
scrutiny, often with disastrous results. An Information
Security and Privacy Assessment should be part
of any M&A activity in order to fully understand the
risk of the transaction.
New Product Development
JBW Group International has provided Information
Security consulting for dozens of Internet-based
products to assure that security is built in from
inception to exit strategy. We can provide risk
assessment for existing products and help to design
security into new products and services.
Remediation
JBW Group International can provide the expertise
necessary to tactically address identified gaps
whether in a project that is just getting started
or addressing issues with existing infrastructure.
The goal is to complete the engagement successfully
in an expedient and cost-effective manner, whether
it involves system integration, network deployment,
project management or other technical assignments.