Services

Compliance
Readiness

Do you know what security compliance regimes you should follow and how to achieve compliance?

Kaliber helps companies implement a comprehensive Information Security Program which provides the dual benefit of improving our clients’ security posture while positioning them to meet the compliance guidelines of:

SOC
ISO
PCI
GDPR

While we are knowledgeable in the control requirements of the compliance regimes, the first step when working with our clients is to fully understand their businesses and the services that they offer. Only after we define the scope of the information assets (of their organizations, their employees and their customers) can we build a relevant, risk-based approach to protecting those assets.

Once the assets, processes and systems are established, the next step is to pinpoint key controls and, even more importantly, any control gaps – controls that are not in-place (and should be) or controls that are ineffective.
Kaliber then works with our customers to build an effective program:

  • Develop clear policies communicated to and acknowledged by the team
  • Establish strong HR programs to assign, revoke and review access credentials
  • Ensure that technical controls such as anti-malware and device encryption are in place
  • Identify proper segmentation between internal and external networks
  • Establish proper encryption methods for sensitive data
  • Oversee penetration tests to assure that network perimeters are strong and that intrusion attempts create appropriate alerts
  • Ensure that access logs are in place, protected and reviewed regularly
  • Review Disaster Recovery and Resiliency Plans

 

Once controls are in place and audit trails can be produced, then our clients can feel confident that their data, and that of their employees and customers, is well protected and that those protections will be validated by outside auditors trained to validate their controls.

Risk
Assessments

Do you know how to perform a Cyber Risk Assessment?

All effective information security programs begin with a candid risk assessment. This is underscored by the fact that all compliance regimes generally establish risk assessment as the first step towards certification. Risk assessments are used to identify, estimate, and prioritize risks to an organization’s mission, assets, functions, employees, partners, and reputation resulting from the operation and use of information systems.

 

If you are a financial services firm, risk assessments are mandated by the SEC and require the use of the NIST Cybersecurity Framework. If you are a firm that stores medical information and are subject to HIPAA, likewise, a risk assessment is required.
So, what are the steps to performing a risk assessment and how does Kaliber help?
Step 1 – Identify relevant Threats to your organization
Step 2 – Identify how your organization could be Vulnerable to those threats
Step 3 – Assign a value to the Impact that a successful attack would incur
Step 4 – Establish the Likelihood of the attack being successful
Step 5 – Review Controls that might be put in place to limit the success of an attack
Step 6 – Decide if the cost of the controls is consistent with the level of risk and decide to accept risks that do not meet organizational thresholds
Step 7 – Repeat annually:
a) Have the controls been implemented?
b) Are they working as intended?
c) What new threats and vulnerabilities need to be evaluated?
d) Re-assess

Kaliber has worked with many organizations to help them identify threats and vulnerabilities, assign impacts and likelihoods and develop controls to limit a firm’s risk.

Incident Response
Planning

Do you know how to properly report a Data Breach?

A data breach is any instance in which there is an unauthorized release or access of confidential information not suitable for public release. This definition applies regardless of whether an organization stores and manages its data directly or through a contractor, such as a cloud service provider. Data breaches can take many forms including:

  • hackers gaining access to data through a malicious attack
  • lost, stolen, or temporary misplaced equipment (e.g., laptops, mobile phones, portable thumb drives, etc.)
  • employee negligence (e.g., leaving a password list in a publicly accessible location
  • technical staff misconfiguring a security service or device, etc.)
  • policy and/or system failure (e.g., a policy that doesn’t require multiple overlapping security measures—if backup security measures are absent, failure of a single protective system can leave data vulnerable).

In some cases, an organization may discover that control over personally identifiable information, medical information, or other sensitive information has been lost for an unspecified period of time, but there is no evidence that data has been compromised. In such an instance, unless applicable federal, State, or local data breach notification laws would define this as constituting a breach, it would be up to the organization to determine whether to treat the incident as a full-scale breach or as inadequate security practice requiring immediate correction.

Kaliber can you help you construct a relevant, usable, compliant Data Breach Response Plan as part of a comprehensive Information Security Management System.  Further, Kaliber can work with your team to perform a “table top test” to simulate the required actions in case of a real data breach. In this way, your organization will know how to react properly given the circumstances of the breach.

In an article in Computer Reseller News, Kaliber’s President, Ken Leeser, said, “People want sunshine and insist that the breached organization shed light with clear and concise information about the matter. People accept the bad things that happen, but it’s how you respond that ultimately determines public opinion in the marketplace.”

Virtual CISO

Virtual, shared services have proliferated in the last few years. Many organizations use a Managed Service Provider (MSP) to support their IT installation, configuration and support needs. Many use CFO and HR for hire services to get higher qualified individuals at a more affordable price. Similarly, many of these same organizations are now outsourcing their CISO.

A Chief Information Security Officer (CISO) establishes and maintains an enterprise’s security vision, strategy, and programs. The role ensures that information assets and technologies are appropriately protected.
Kaliber Virtual CISO services are designed to provide expert security guidance through:

  • Understanding the organization’s strategy and business environment
  • Discovery, triage, remediation and evaluation of threats
  • Providing threat analysis and strategy updates
  • Anticipating future security and compliance challenges
  • A Virtual CISO from Kaliber
  • We will work to understand your business environment, culture and objectives.
  • Among the projects we can help with include;
  • Starting a cybersecurity risk assessment based on your organization’s assets
    Establishing the organization’s cybersecurity strategy
  • Building a cybersecurity plan and program
  • Building a Governance, Risk and Compliance (GRC) program
  • Maintaining core security operations