Information Security Assessments

What is the point of an Information Security assessment?  To obtain an informed understanding of your firm’s exposure to hackers and other events that can drive your business out of existence.

Regardless of all the different Information Security Framework below, an assessment comes down to validating how well an organization follows Information Security best practices based on the information being used.

In an increasingly complex regulatory environment, this risk management is essential, whether to meet statutory compliance requirements, adhere to best practices in corporate governance, or reduce your reputational risk.

Peak InfoSec has experience and expertise supporting:

  • Defense Security Service Assessments and Authorization Process Manual (DSS-AAPM)
  • European Union (EU) General Data Protection Regulation (GDPR)
  • Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  • Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)
  • International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC) 27000 Series
  • NIST Cyber Security Framework (CSF)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Sarbanes-Oxley Act of 2002 (SOX) Assessments

Peak InfoSec also provides Cloud Service Provider (CSP) & Supply Chain Assessments:

Our 3rd Party Assessments for your Cloud Service Providers (CSP) and other vendors in your supply chains will provide your risk exposures associated with your different vendors.  For organizations that are required to comply with GDPR & NIST 800-171, this is a mandatory requirement.

If your organization isn’t sure which, if any, apply to your business, we will assist your leadership to identify which ones apply or help to draft a tailored framework.

Information Security for Small Businesses

Small businesses are more prone to being hacked and unaware because of three simple reasons:

  • Business owners believe “We are so small, hackers won’t target us.” Frankly, hackers in another country don’t care how big you are.  They may wonder after they have gained control of your information and systems to figure how much to gouge you for.
  • Small Businesses generally don’t budget for Information Security.  If you don’t spend on physical security…what happens?
  • Small businesses either do “Information Technology” in house or have another small business provide them basic services.  Information Technology professionals are not Information Security experts

Right Sized Small Business Support

At Peak InfoSec, we want to help the small business community by scaling the services we provide to match your business size.  We recommend our Small Business clients:

  • Start with an Initial Information Security Assessment.  This will give your business a macro level view of your risks and a plan to move forward on.
  • Based on those results, we (your firm, IT staff, and us) will address people-centric, physical, & technical vulnerabilities in your environment.
  • From there, we will provide support to your business either on a flat level of support or on-call basis.

We are passionate about supporting Small Businesses, so please contact us so that we can help get you protected.

Government Security Services

For our government clients, Peak InfoSec offers IT Compliance support for:

  • Defense Information Assurance Risk Management Framework (DIARMF)
  • Federal Information Security Management Act of 2014 (FISMA)
  • Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  • National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)
  • Payment Card Industry Data Security Standard (PCI DSS)

Technical Assessments

Often bundled into our normal Information Security Assessments are technical assessments of an organization’s Information Security posture.  These assessments include:

Penetration Testing

Our Comprehensive Penetration Testing services mimic an attacker seeking to access sensitive assets by exploiting security weaknesses existing across multiple systems.   In our penetration testing, we can mimic an external hacker, someone who is an insider threat, or both.

This service not only identifies individual vulnerabilities, but also reveals how networks designed to support normal business operations can provide attackers with pathways to backend systems and data.

We begin by assessing your network or application infrastructure’s “weakest links,” as well as other possible venues of attack. We then determine the impacts of each compromise by attempting to escalate privileges on the entry points and pivoting the assessment to determine whether any other systems can be subsequently targeted and breached.

This service can be customized to include:

  • External or Internal network penetration tests to assess operating system and services vulnerabilities
  • Client-side penetration testing to assess end-user susceptibility to phishing & other social engineering threats
  • Wireless penetration testing
  • Cross-vector testing to reveal attack paths across multiple infrastructure layers

Vulnerability Scanning

Hackers seek to exploit vulnerabilities in your architecture.  Vulnerabilities come from two main sources:

  1. Software that has a vulnerability that can be exploited. This includes software an organization develops or purchased from vendors.  “Patch Tuesday” releases from vendors are filling these holes.
  2. Information systems that are not architected and configured securely make it easy for a hacker to exploit.

At Peak InfoSec, we identify these issues by scanning for vulnerabilities in your exposed web-sites, PCs, servers, and other infrastructure items in your network.  Once we identify your vulnerabilities, we will provide a prioritized patching strategy to reduce your risks.

Static Code Testing

If your firm develops software, one of the critical steps in the Secure Software Development Life Cycle is static code analysis.  Peak InfoSec can provide this service by scanning your source code for vulnerabilities due to poor programming and prioritizing the problems we identify.

An Authorized CMMC 3rd Party Assessment Organization (C3PAO)