Controls Gap Assessment

Governance, oversight, and regulatory compliance are key to the success of an organization. Setting expectations through policy, defined procedures, and underlying standards is critical to securing confidential information assets. To identify and resolve the risks associated with the organization's information security program, the program should be assessed for adequacy and effectiveness.

Focused primarily on the design of the organization's security controls, Halock will review the organization's documented information security policies, standards and procedures. Halock will conduct interviews with key organization resources where documentation is unavailable or otherwise deemed appropriate.

The objective of the assessment is to ensure that the contents of the security program adequately address the requirements and intent of relevant compliance frameworks and/or standards, such as ISO 27002 or other suitable security frameworks applicable to the organization's requirements. Each document will be reviewed in terms of overall content, consistency with other policies and standards, effectiveness of specific language or terminology used, intended audience, methods of communication to that audience, and methods of enforcement.

Halock will conduct interviews, as appropriate, with key individuals regarding security policies, procedures, and standards to collect the data required for review. Halock can perform an in-depth analysis of the design and content of policies, procedures, and related standards, identifying their applicability to and compliance with security control objectives.

Solution At-a-Glance:
  • Fulfill regulatory and legal requirements to perform regular risk assessments of the design of information security controls
  • Identify gaps in policies, procedures, and standards that could result in regulatory issues
  • Determine whether existing governance, risk management practices, and oversight of sensitive information handling adequately protect the organization from breach or incident
  • Receive recommendations for continual improvement of the security program
  • ISO 27002 is referenced as the default standard; however, mapping to additional standards is available

On-Demand Vulnerability Scanning:

Allows for unlimited scanning of Internet-facing IP addresses to enable ongoing compliance with the PCI quarterly vulnerability scanning requirement. Online filing allows for automatic notification of the acquiring bank once compliance is achieved.

PCI Compliance Management Portal:

An online portal designed to facilitate PCI compliance efforts and to assist in managing all work related to achieving PCI compliance. The portal includes PCI-related news articles with expert analysis, a comprehensive PCI knowledgebase, downloadable tools and templates, and more.