RiskMax™

Although each of our services is customized to meet our clients’ unique requirements, The RiskMax™ process can be broken down into the following three categories:

 

Program Assessment

  • Regulatory Compliance Assessment _ Readiness Reviews
  • Gap Analysis _ Program Maturation Assessment
  • Risk Assessment
  • System _ Information Characterization Assessment
  • Current Controls Analysis _ Recommendations

 

Program Development

  • Strategy Development
  • Program Definition
  • Plan Documentation
  • Control Implementation
  • Establishing a Security Control Testing _ Evaluation Program
  • Analysis _ Recommendations

 

Program Operations

  • Change _ Configuration Management Integration
  • Security Control Monitoring
  • Security Awareness _ Training Program Development
  • Periodic Program Review

 

Our philosophy involves examining the business drivers for information systems. Determining the relationship between the information within the system and the business needs the system fulfills, is the foundation of a solid and secure information security program. This relationship dictates the controls necessary to protect the system. These controls can then be tailored to achieve a level of security which is robust, flexible, and secure.

This holistic approach involves understanding the business drivers, the organizations culture, and legal and regulatory requirements to form a comprehensive program that encompasses policy, procedure, user awareness and training, and technical controls. The aim is to support the mission of business through a comprehensive and collaborative information risk management program.

 

Service Highlights

 

Regulatory Compliance - Governance and Regulatory Compliance issues involve how an organization deals with the regulatory environment that exists today.  Ascension Risk Management can help organizations address the following:

  • ISO 17799/27002
  • COBIT
  • Sarbanes-Oxley (SOX);
  • Gramm Leach Bliley (GLBA);
  • Health Insurance Portability and Accountability Act (HIPAA);
  • Payment Card Industry (PCI) Data Security Standard (DSS);
  • Federal Information Security Management Act (FISMA);  
  • Federal Educational Rights _ Privacy Act (FERPA);
  • Federal Rules of Civil Procedure (FRCP) (eDiscovery); and
  • Federal Financial Information Examination Council Guidelines (FFIEC)

 

 

RiskMax Diagram

System _ Information Characterization

This service involves an assessment of the hardware/software and information within a given information system or environment to determine its criticality to your organization.  Once the level of criticality is determined security controls can be chosen to appropriately secure the system

Information Risk Management Program

 

Development

Putting together an Information Security Program is to consider many different controls within an organization.   A comprehensive Information Security Program must include technical, operational, and managerial controls and include an active tie into an organizations business risk management program.

 

Security Awareness and Training Program Development

Implementing a Information Risk Management program can only go so far in addressing issues if no one outside of information security knows about it.  The Security Awareness and Training services offered by Ascension Risk Management tie organizations overall business objectives with role base security training.  This training focuses on what various roles within an organization need to know about information security.  While every organization varies the typical roles addressed are general user, privileged user, and executive level training.  

 

While many service providers offer security training they do not offer a way to measure long term comprehension.  A survey is typically given at the end of training but these surveys can be misleading.  They measure comprehension immediately after learning the material.  While this is useful in providing a baseline, it is not a real measure of comprehension.   Ascensions approach utilized targeted focus groups to gauge each roles comprehension over a period of time.  These focus groups can be conducted prior to training to help the customization process as well as three to six months after training to gauge long term retention.  No other company provides this level of comprehensive security awareness training.