We specialize in delivering professionally-written cybersecurity documentation that enables businesses to expedite the process of getting & staying compliant with cybersecurity requirements.
Quite simply, we are a business accelerator - we take care of the tedious and time-consuming work that is associated with writing comprehensive cybersecurity documentation. By doing this, we offer a unique service to businesses - we can provide you with semi-customized IT security documentation, based on industry-recognized leading practices that include ISO, NIST, OWASP, CSA and others. This allows you to quickly obtain professionally-written IT security documentation and you have the ability to edit this documentation for your specific needs, since it comes in Microsoft Office formats. This is beyond buying an "IT security policy template" online - these products allow you to have the same level of professional quality documentation that you would expect from hiring an IT security consultant to write it for you. Please take a few minutes and look at the examplesto see for yourself!
Our comprehensive written information security documentation includes the policies and standards that businesses need to meet common information security requirements, such as PCI DSS, HIPAA, FACTA, GLBA, as well as unique requirements like FedRAMP and NIST 800-171 compliance. We've been doing this since 2005, so we have a long track record of successfully writing IT security policies and other compliance-related documentation, such as risk assessments, vulnerability assessments and audit templates. Everything we do centers around providing your company a solid set of cybersecurity policies and standards to use as a foundation to build from!
Our Digital Security Program (DSP) offers the most comprehensive information security documentation we provide. Our DSP and Written Information Security Program (WISP)documents are delivered in Microsoft Office formats, so you can edit the documents to your specific needs. The footnotes for industry-recognized leading practices and common legal requirements makes it easy for users to understand their compliance requirements.
Our Security & Privacy By Design (SPBD) is very unique and is based on customer needs to become compliant with the EU General Data Protection Regulation (EU GDPR), as well as other regulations that stress the need to demonstrate that security and privacy practices are "baked in" day-to-day processes and system development efforts. The SPBD leverages several leading frameworks to provide a "paint by numbers" approach to being able to ensure security and privacy principles are embedded into operations and to overall build a security culture that values security and privacy by design.
In 2016, we added risk management solutions to our product line-up - one is a comprehensive Cybersecurity Risk Management Program (RMP) framework document and the other is an IT Security Risk Assessment Template. Based on customer-demand, we now offer these so companies can have professionally-written documentation to establish a risk management program. The Risk Management Program (RMP) is designed to be the source document for how risk is defined and managed in your organization. This answers the question of "how is risk managed?" that is scalable and applicable to any business. The Information Security Risk Assessment Template enables you to perform your own information security risk assessments and have professional-quality reports, without having to rely on external consultants or blindly trying to create your own risk assessment methodology. If you can use Microsoft Office, then you can perform an information security risk assessment by simply following the instructions and editing the template to suit your specific requirements. While this is a template - we did the hard work of creating the formatting, bringing together the correct scope of information that needs to be assessed, and we built the calculations. Your work is as simple as selecting from a few drop-down answers in Excel and "cutting & pasting" your responses into Word! The end result is a professional-quality risk assessment report - you can see an example risk assessment report to evaluate it for yourself.
For businesses in scope for NIST 800-171 compliance, we also launched our NIST 800-171 Compliance Criteria (NCC) product to jump start efforts to comply with this new regulation. The NCC is essentially a "consultant in a box" to provide requirement-by-requirement recommendations, which is exactly what a dedicated consultant would provide if you contracted a consultant to provide guidance. This is available for immediate download and is a fraction of the cost, as compared to hiring a consultant.
If you are specifically concerned with PCI DSS v3.2 compliance, we offer the PCI DSS Information Security Policies & Standards. This solution is purely focused on providing you an easily-implemented set of policies and standards so that your company can meet and stay compliant with Payment Card Industry Data Security Standard (PCI DSS) requirements. This is an editable Microsoft Word document that is comprehensive of PCI DSS requirements, but is written in a concise manner that makes it easy to implement. The PCI DSS Information Security Policies & Standards document is updated to address the latest version of the PCI DSS version 3.2 that was released earlier this year. Our PCI DSS Information Security Policies & Standards can provide you with the crucial evidence of due care and due diligence so that you can prove your state of compliance with the PCI DSS.
In a further effort to help clients reduce risk, we offer the Vendor Compliance Program (VCP) that is an editable Microsoft Word document that addresses information security risks posed by service providers. PCI DSS v3.2 requires that companies manage the security risks associated with vendors / service providers, so this is an affordable and easy way to publish best practice information security requirements to companies that support your business operations. The VCP is based on ISO 27002, so it is firmly rooted in industry-recognized leading practices for information security. Our VCP can provide you with crucial documentation to show evidence of the due care and due diligence you've taken with your service provider relationships.
Our cybersecurity documentation products cover a wide variety of leading security frameworks and requirements:
NIST 800-53 NIST 800-171 NIST Cybersecurity Framework (CSF) National Industrial Security Program Operating Manual (NISPOM) Defense Federal Acquisition Regulation Supplement (DFARS 252.204-7012) Federal Acquisition Regulation (FAR 52.204-21) FedRAMP Fair & Accurate Credit Transactions Act (FACTA) Financial Industry Regulatory Authority (FINRA)
ISO 27002 ISO 27018 Generally Accepted Privacy Principles (GAPP) Payment Card Industry Data Security Standard (PCI DSS) Control Objectives for Information and Related Technology (COBIT 5) Health Insurance Portability and Accountability Act (HIPAA) Sarbanes Oxley Act (SOX) Gramm Leach Bliley Act (GLBA) NY DFS 23 NYCCRR 500
American Institute of CPAs (AICPA) Service Organization Control (SOC2) Center for Internet Security Critical Security Controls (CIS CSC) Cloud Security Alliance Cloud Controls Matrix (CSA CCM) European Union Agency for Network and Information Security (ENISA) European Union General Data Protection Regulation (EU GDPR) United Kingdom Data Protection Act (UK DPA) Massachusetts 201 CMR 17.00 Oregon Identity Theft Protection Act (ORS 646A)
In our experience with helping clients since 2005, the most common pitfalls in the compliance space deal with the following topics:
Vulnerability & patch management
This is not due to a lack of technology, but a lack of processes and the documentation to support it. Generally, these topics arise when a client, partner, insurer or other interested party is conducting their due diligence and asks for evidence of risk management, patching, incident response training, etc. It comes down to a disconnect of what the interested party is expecting to see and what the company is actually doing on a day-to-day basis. If the expectation is not met, the customer faces losing business. Our products provide the process documentation that businesses of every size can use.
Cybersecurity policies are fantastic at describing WHAT is required for the organization to do and highlight WHY it is being required. However, it is equally important for businesses to address HOW the activity in question is actually performed. This is why we put together the following products to help address "the what, why & how" when it comes to compliance needs.
Our documentation is meant to address your requirements from strategic concepts all the way down to day-to-day deliverables you need to demonstrate compliance with common statutory, regulatory and contractual obligations. We offer up to 40% discounts on our documentation bundles, so please be aware that you have benefit from significant savings by bundling the documentation you need. You can see the available bundles here.
The Digital Security Program (DSP) is a “best of breed” hybrid that leverages numerous leading frameworks to create a comprehensive security program for your organization! This is for organizations that do not want to be locked into alignment with ISO or NIST frameworks, but want an open framework that incorporates the best components of leading security frameworks.
What makes the DSP different from the WISP is added functionality that is only available in the DSP. The DSP comes with mapped controls and metrics, including recommended KPIs and KRIs. All of this is in Microsoft Excel so that it is easily imported into an existing or planned Governance, Risk & Compliance (GRC) solution. For many GRC tools (e.g., RSAM, Archer, MetricStream, Lockpath, etc.), this can provide you the ability to perform your customization and collaboration directly from your GRC portal.
With the inclusion of controls and metrics, the DSP can help an organization reach CMM 4 maturity. We did the hard work and can let an organization focus on implementing the controls to make the target maturity a reality.
The NIST version of the Written Information Security Program (WISP) is a comprehensive set of IT security policies and standards that is based on the National Institute of Standards & Technology (NIST) 800-53 rev4 framework.
This is a comprehensive, customizable, easily-implemented Microsoft Word document that contains the policies, control objectives, standards and guidelines that your company needs to establish a robust cybersecurity program. Being a Microsoft Word document, you have the ability to make edits to suit your company's specific needs.
NIST 800-53 rev4 is the de facto standard for cybersecurity requirements that is issued by the US government. Therefore, government agencies, defense contractors, telecom service providers, health care providers, financial companies or any organizations that contract with the government tend to adopt NIST-based leading practices over all other frameworks, based on regulatory requirements. NIST 800-53 is arguably more robust and comprehensive in its coverage than ISO 27002.
Our NIST 800-53-based IT security policies and standards are ideal for businesses that have to stay compliant with the following requirements:
PCI DSS v3
DIACAP / FISMA / Risk Management Framework (RMF)
Contractual requirements to maintain an IT security program
You can see an example of the NIST 800-53 WISP here.
The ISO version of the Written Information Security Program (WISP) is a comprehensive set of IT security policies and standards that is based on the International Organization for Standards (ISO) 27002:2013 framework.
Just like the NIST-based version, the ISO-based WISP is a comprehensive, customizable, easily-implemented Microsoft Word document that contains the policies, control objectives, standards and guidelines that your company needs to establish a world-class information security program. Being a Microsoft Word document, you have the ability to make edits to suit your company's specific needs.
While NIST 800-53 is the de facto standard for many industries within scope for statutory and regulatory compliance within the US, ISO 27002 is the most widely adopted framework for information security requirements in non-regulated or international businesses. ISO 27002 provides the details for a company to implement an Information Security Management System (ISMS) based on the ISO 27001 framework.
Our ISO 27002-based IT security policies and standards are ideal for businesses that have to stay compliant with the following requirements:
PCI DSS v3
State data security & breach notification laws
International data security & privacy laws
Contractual requirements to maintain an IT security program
You can see an example of the ISO 27002 WISP here.
TheSecurity & Privacy by Design (SPBD) is program-level documentation that provides what your organization needs to comply with EU GDPR and other requirements that mandate companies demonstrate how they implement both security and privacy by design. This is a "best in class" approach to leading frameworks on the topic of secure engineering and privacy management. The goal is to operationalize both Security by Design (SbD) and Privacy by Design (PbD).
What makes the SPBD unique is that not only provide guidance at a program level in editable Microsoft Word format, but we provide an Excel spreadsheet with several editable checklists that provide a "paint by numbers" approach to being able to walk through the steps required to build systems and projects in a secure manner, which incorporates both security and privacy principles. On top of that, the secure engineering steps map to applicable NIST 800-160, NIST 800-53 and ISO 27002 controls!
The SPBD draws on expertise from NIST 800-160, OASIS, GAPP, and other leading frameworks. This enables you to point to best practices if you are ever audited, so that you can demonstrate adherence to reasonable expectations for security and privacy principles.
The NIST 800-171 Compliance Criteria (NCC) is an Excel spreadsheet that contains clear expectations and guidance on what is required to become compliant with NIST 800-171. This is NIST 800-171 Made Easy!
If you can use Microsoft Excel, then you can use the NCC to understand your requirements for compliance with NIST 800-171 rev1. There is no magic to it - it is a fully-editable Excel spreadsheet that contains exactly what a consultant will tell you:
NIST 800-53 rev4 mapping to NIST 800-171 rev1 requirements.
Reasonably-expected criteria to address the NIST 800-53 control.
Applicable "best practice" guidance on what steps you need to take to be compliant.
Self-assessment options to track where you are compliant and what needs work.
If you also need cybersecurity policies and standards, you can purchase the NIST 800-53 Written Information Security Program to go along with this. We also offer bundles that can save up to 30%, as compared to purchasing products individually.
You can see an example of the NIST 800-171 Compliance Criteria (NCC) Template here.
The Cybersecurity Risk Management Program is a comprehensive document that establishes how risk is defined and managed within an organization. This is based on best practices from COSO 2013, COBIT, NIST 800-37 and ISO 31010.
The Cybersecurity Risk Management Framework provides industry-recognized leading practices guidance on risk management at the strategic, operational and tactical levels! This is important, since this hybrid or "best of breed" approach to risk management takes advantage of the strengths of each leading practice model (e.g., COSO, COBIT, ISO & NIST). This allows you to have a considerable amount of flexibility to conduct risk management operations.
You can see an example of the Cybersecurity Risk Management Program framework here.
Most companies have a legal requirement to perform risk assessments (e.g., PCI DSS, HIPAA, GLBA, MA 201 CMR 17.00, etc.), but they lack the knowledge and experience to undertake such risk assessments. That means businesses are faced to either outsource the work to expensive consultants or they ignore the requirement and hope they do not get in trouble for being non-compliant with that requirement. In either situation, it is not a good place to be.
The good news is that we created an affordable solution for businesses to conduct their own information security risk assessments. If you can use Microsoft Word and Excel, then you can perform a risk assessment by simply following the instructions and editing the template to suit your specific requirements. While this is a template, we did the hard work of creating the formatting, bringing together the correct scope of information that needs to be assessed, and we built the calculations to make your work as simple as selecting from a few drop-down answers!
Our latest version of the Information Security Risk Assessment Template includes:
Section for assessing both natural & man-made risks.
Section for assessing reasonably-expected cybersecurity controls (uses NIST 800-171 recommended control set) - applicable to both NIST 800-53 and ISO 27001/27002!
Section for assessing Capability Maturity Model (CMM) - built into cybersecurity control assessment portion of the risk assessment.
Fully-editable, blank templates in Microsoft Word & Excel formats. Clear documentation helps you perform consistent risk assessments.
An example assessment that is filled-out so that you can use that as an example for your own needs.
You can see an example of the IT Security Risk Assessment Template here. We even offer a discounted bundle for the Written Information Security Program (WISP) and Information Security Risk Assessment Template!
The PCI DSS Policies & Standards is a specifically-focused set of IT security policies and standards that is meant for compliance with version 3.2 of the Payment Card Industry Data Security Standard (PCI DSS).
Just like our Written Information Security Program (WISP) solutions, the PCI DSS Policies & Standards is a comprehensive, customizable, easily-implemented Microsoft Word document that contains the necessary policies, control objectives, standards and guidelines that your company needs to establish a PCI DSS-compliant IT security program. Being a Microsoft Word document, you have the ability to make edits to suit your company's specific needs, based on your Merchant Level and Self-Assessment Questionnaire (SAQ) requirements.
This solution came from customer needs, since many companies have existing IT security policies and standards that they want to keep in place, but they need something to specifically address how they comply with the PCI DSS. Out of that need, we developed the PCI DSS Policies & Standards document that lays out everything you need for compliance documentation with the PCI DSS v3.2.
Our PCI DSS Policies & Standards is an ideal solution for businesses that have to stay compliant with PCI DSS:
Stand-alone solution to address PCI DSS v3.2 requirements - easy, affordable and effective way to address PCI DSS v3.2 requirements.
Solution can "bolt on" to existing IT security documentation to specifically cover the Cardholder Data Environment (CDE) if you already have existing IT security policies & standards.
Editable to address Merchant Level and SAQ category
You can see an example of the PCI DSS Policies & Standards here. We even offer a discounted bundle for the PCI DSS Policies & Standards with the Vendor Compliance Program (VCP)!
The Vendor Compliance Program (VCP) is a unique solution to help address a new requirement that businesses are facing with contractual compliance obligations. We now offer the VCP in both ISO 27002 and NIST 800-53 versions! These are the industry-recognized leading practice requirements that your vendors SHOULD be following to keep you, your partners and your clients data secure.
Just like our other products, the VCP is a customizable and easily-implemented Microsoft Word document that contains the necessary policies, control objectives, standards and guidelines that your company needs to establish a PCI DSS-compliant IT security program. Being a Microsoft Word document, you have the ability to make edits to suit your company's specific needs.
The VCP is meant to be shared with your vendors, so that they understand your requirements - that is what this document is intended to do. Make your edits, save it as a PDF, and then share it with your vendors so they can comply with your requirements. It is as easy as that!
Our Vendor Compliance Program (VCP) is an ideal solution for businesses that have to stay compliant with:
State data security laws
International data security & privacy laws
Contracts that require your vendors' information security requirements are addressed
You can see an example of the Vendor Compliance Program (VCP) here. Since this is either ISO 27002 or NIST 800-53 it goes perfectly with our Written Information Security Program (WISP). We even offer a discounted bundle for the WISP & VCP!
The NIST-based information security assessment template is meant to be a helpful assessment guide for companies to gauge where their weaknesses are in their IT security program. It is based on NIST 800-53 rev 4.
The IT security assessment template is an editable Microsoft Word document. It contains helpful guidance to address controls within the NIST 800-53 framework.
You can see an example of the NIST 800-53 information security assessment template here. Since this is Due Care template is NIST-based, it goes perfectly with the NIST 800-53-based WISP. We even offer a discounted bundle for the WISP & ISAT!