Solutions

Managing risk through plans, policies and processes to optimize your organization’s resources and protect systems and information.

Managed Planning & Prevention (MPP)

Outsourced cybersecurity program for risk management and breach prevention.

Governance, Risk & Compliance (GRC)

Structured approach to manage risk and meet compliance requirements aligning business objectives and IT operations.

 

Cybersecurity Risk Identification

Discover unknown risk that could adversely impact your organization and define recommendations to manage that risk.

Incident Response & Mitigation

Forensic, investigative and recovery services to limit damage, reduce down time & reduce costs following an attack or breach.

Managed Planning and Prevention (MPP)

A solution to co-source your cybersecurity program: our Co-Sourced Services (MPP) are designed to provide proactive planning and prevention, aligning with your business objectives, to ensure your organization is protected. MPP provides a customized modular approach to developing a complete cyber program.

Key benefits:

  • Appropriate and flexible co-sourced cybersecurity program.
  • Continuity of executive scoring demonstrating improvement in cybersecurity posture.
  • Budget friendly and customizable.
  • Multiple billing options, allowing for OpEx categorization (annually, quarterly, or monthly).
  • Comprehensive, allowing for many different elements in the program based on your risk profile and requirements.

Any component can be incorporated into your MPP program. Engage with one of our cybersecurity solution consultants for a complimentary meeting to build your custom program.

atStrategy will produce a formal document containing executable initiatives within a plan to identify and manage cybersecurity risk. The plan will be based on data collected about your organization, such as current state, threat information and financial parameters. An analysis will be performed and your data will be applied to industry best practices around protecting organizations against modern cybersecurity threats and managing the risks those threats create. The plan development will be conducted in three parts. An initial interview process will be performed to collect data about your organization. The second part of the project will be to analyze the data and outline a draft plan. The final part of the project is to develop the plan document.

The atCISO offering provides a highly experienced and skilled resource to oversee the development and implementation of your cybersecurity strategy and program and, most importantly, at a level which best suits your needs. From full-time to long-term to temporary support, we can customize the offering. Periodic reviews of security issues, implementation and maturity are available as well. The teammates who deliver the Chief Information Security Officer level services each have over 20 years of cybersecurity leadership experience.

atAssess is designed to provide a snapshot of your organization’s current implementation of security controls and policies as it relates to the Center for Internet Security’s (CIS) Critical Security Controls (CSC) for Effective Cyber Defense version 7.0 published April 2018. In addition, atAssess provides a Comprehensive Internal & External Vulnerability Assessment which conveys a snapshot of internal and external vulnerabilities that your organization is exposed to.

atAttack, or Penetration Testing, is an exercise designed to replicate the activities a computer attacker would take to compromise a system or network. The goal is to identify specific exploitable weaknesses in the organization’s computer systems, exploit the weaknesses through the same methodologies and tools attackers use, and gain access to the internal network. Penetration testing is performed from two perspectives: first, to evaluate the infrastructure, following a formalized methodology called The Penetration Testing Execution Standard (PTES); and second, to review up to two applications using the OWASP Top 10 testing methodology.

atComply delivers a compliance gap analysis and assessment. Several standards can be selected as a base for comparison against your environment, such as NIST Cybersecurity Framework, Center for Internet Security 20 Critical Security Controls, ISO 27001, NIST 800-171, and HIPAA.

atPlan offers an option to develop or update several key governance documents which many organizations should have supporting their cybersecurity program. The documents may include: Information Security Policy, Business Continuity Plan, Disaster Recovery Plan, Incident Response Plan and/or Crisis Communications Plan, among others. Whether compliance driven or best practice motivated, we can help mature and/or create these most important documents.

Governance, Risk & Compliance (GRC)

Complying with Federal, State, industry or customer mandated regulations or standards can be a confusing, complicated process. Our compliance engagements help you to define where you stand currently and provide a roadmap to address any gaps in your compliance. Our engagements can help you implement the required pieces to comply as well, such as preparing proper plans and documentation as well as building out a process and procedures to remain compliant.

Key benefits:

  • Easy to digest gap analysis reporting.
  • Compliance Scorecard.
  • Budget friendly and customizable.

The NIST CSF risk and compliance analysis (atComply|CSF) is designed to provide a snapshot of your organization’s current implementation of security controls and policies as it relates to the NIST Cyber Security Framework. Each control will be enumerated, documented and scored against eight characteristics generating thousands of data points detailing your current level of compliance and implementation.

This engagement (atComply|ISO) provides a risk assessment according to ISO 27005, a roadmap assessment according to ISO 27003 and a controls compliance analysis according to ISO 27002. Deliverable includes a strong overview of your current state of Information Security Management System (ISMS) completeness.

The CIS CSC risk and compliance assessment (atComply|CIS) is designed to provide a snapshot of your organization’s current implementation of security controls and policies as it relates to the Center for Internet Security’s (CIS) Critical Security Controls (CSC) for Effective Cyber Defense version 7.1. Each control will be enumerated, documented and scored against eight characteristics generating thousands of data points detailing your current level of compliance and implementation.

A Risk and Compliance review (atComply|HIPAA) that meets the HIPAA requirements for an annual risk assessment. It provides a current state assessment of compliance with the HIPAA security rule expectations with a comprehensive internal and external vulnerability assessment and compliance roadmap to address identified gaps. Deliverable includes HIPAA compliance scorecards and a recommendation roadmap.

The CMMC risk and compliance analysis (atComply|CMMC) is designed to provide a snapshot of your organization’s current implementation of security controls and policies as it relates to the current version of CMMC. Each control will be enumerated, documented and scored against eight characteristics generating thousands of data points detailing your current level of compliance and implementation. The CMMC is new and still in draft format, but this engagement can prepare your organization with a roadmap to your gaps, allowing you to be ready in 2020 when the requirements become mandated.

atPlan offers an option to develop or update several key governance documents which many organizations should have supporting their cybersecurity program. The documents may include: Information Security Policy, Business Continuity Plan, Disaster Recovery Plan, Incident Response Plan and/or Crisis Communications Plan, among others. Whether compliance driven or best practice motivated, we can help mature or create these most important documents.

atComply delivers a compliance gap analysis and assessment. Several standards can be selected as a base for comparison against your environment, such as NIST Cybersecurity Framework, Center for Internet Security 20 Critical Security Controls, ISO 27001, NIST 800-171, CMMC, HIPAA and many others.

Cybersecurity Risk Identification

How do you effectively and affordably identify cybersecurity risk in your organization? Generally, there are two approaches: assess or test. Assessments are more comprehensive but are broad and include theoretical vulnerabilities. A test proves a focused set of vulnerabilities. Each has its value.

Key benefits:

  • Reviews IT architecture and data flows from a security perspective.
  • Enumerates technical vulnerabilities and sensitive data matrix.
  • Assesses technical and physical controls.
  • Delivers scorecard for each control and overall score.
  • Identifies Urgent Points of Risk.

atAssess is designed to provide a snapshot of your organization’s current implementation of security controls and policies as it relates to the Center for Internet Security’s (CIS) Critical Security Controls (CSC) for Effective Cyber Defense version 7.0 published April 2018. In addition, atAssess provides a Vulnerability Assessment which conveys a snapshot of internal and external vulnerabilities that your organization is exposed to.

atVuln is an investigative process to identify and review any technical vulnerabilities that are found on the network. Focusing on both external (Internet) and internal perspectives, ATI will review all IP addresses on the network including the DMZ, data center and workstations to identify and report current weaknesses and attack avenues. The vulnerability data is presented with dashboards in a PDF report and a searchable Microsoft Excel worksheet.

atArch is an Architecture Review which evaluates an organization’s networks and the relationships among them from a security perspective. It also reviews the various security zones and the data flows among them. The architecture analysis involves four key areas: building a network map, enumerating the security zone architecture, mapping key data flows between those security zones and defining the location and type of sensitive data worth protecting within the environment. The goal of this review is to identify weaknesses being created or exacerbated by network architecture elements.

Technical Controls Review, atTech, focuses on your technical security controls and systems including firewalls, intrusion detection/prevention systems, anti-malware, mobile device management systems and endpoint protection solutions. This review provides a detailed look at the quality of the implementation of that control through eight areas: Appropriateness, Completeness, Configuration, Current Patch Set, Current Version, Local Security, Solution Maturity and Support Contract. These eight items are individually reviewed and scored allowing for a rollup scoring of the complete set of technical controls.

atAttack, or Penetration Testing, is an exercise designed to replicate the activities a computer attacker would take to compromise a system or network. The goal is to identify specific exploitable weaknesses in the organization’s computer systems, exploit the weaknesses through the same methodologies and tools attackers use, and gain access to the internal network. Penetration testing is performed from two perspectives: first, to evaluate the infrastructure, following a formalized methodology called The Penetration Testing Execution Standard (PTES); and second, to review up to two applications using the OWASP Top 10 testing methodology.

atSocial discovers the human security risk in your environment and offers planning to address these vulnerabilities along with security training to educate all members of your organization around human risk. Realize the level of susceptibility of employees through email phishing and spear-phishing attacks with a Social Engineering or Phishing Assessment.

Incident Response & Mitigation

There are two approaches to incident response: proactive and reactive. In the event of an incident, do you have a documented company course of action? An Incident Response Plan accounts for organizational structure, IT infrastructure, compliance requirements and organizational needs to develop a clear plan detailing roles, responsibilities, communication and actions in the event of an incident. If you find you have been compromised, we offer organized forensic, investigative and recovery services to limit damage, reduce down time and lessen costs following an attack or breach.

Key benefits:

  • Provides effective plan for crisis communication and actions during incidents.
  • Identifies indicators of compromise and causes of incident.
  • Provides recommendations to prevent future incidents.
  • Discovery of malicious or unauthorized software or actions.
  • Remediation of intrusions.

atResponse is a pre-negotiated agreement that can be utilized in a qualifying emergency situation in which a cyber breach or incident has been suspected or has occurred and an emergency response team is required.

atInvestigate provides Incident Response services for any security event that negatively affects the confidentiality, integrity and/or availability of your data or systems. atResponse can include identification of the root cause and extent of the incident, containment of the consequences, remediation of any malicious software or configuration elements, recovery of the system to a stable operating state and documentation of the response process, its origin and lessons learned.

atForensics is an Internal Forensic Investigation engagement that examines insider misconduct, computer & network misuse and insider hacking incidents.

atRemediation…we need text.

Recent Engagements

Anchor provides a full spectrum of cybersecurity services assisting our clients with all aspects of cybersecurity risk planning, identification, management, and monitoring.

Penetration Testing

from $15,000

Providing ethical hacking to test an environment’s susceptibility to a breach using real-world hacking techniques against infrastructure, application or wireless.

Incident Response and Remediation

from $2,800

Providing security incident response to determine the current state, investigation and shut down. It can also provide remediation to help clean up after an attack.

Cyber Program Maturity Assessment

from $16,500

Cybersecurity program and best practice analysis includes a score card indicating implementation level of the standard offered in the Center for Internet Security’s 20 Critical Security Controls.

Start Your Path to Protection Today

True cybersecurity is a journey. Threats and vulnerabilities are ever evolving. Define your strategy, identify your risk, and manage that risk today, before it’s too late.