The first step in getting an information security program off the ground (and in meeting many regulatory requirements) is to perform some type of assessment to determine your starting point. Rather than simply providing a “checklist” of items your program is missing, the MRK team believes a risk assessment should provide actionable findings which directly tie to your business objectives.
Our process leverages the ISO 27000 family of international security standards to provide consistency and easy benchmarking against other security programs, or mapping to regulations such as PCI and HIPAA. In addition, our team will work with yours to develop definitions for the types of security risks which are impactful to your business, and then to identify the ones which fit your definition. Items become “red” in a heatmap like the one below based on your business priorities, not just a consultant’s.
Finally, our team will work with you to build a list of proposed security projects based on these same business objectives, as well as the resources and funding you actually have available to execute. We will work with you to build project timelines that are attainable, not simply aspirational. And if needed, we will then work with you to ensure those timelines are met.