Enterprise Solutions Group

Consulting Services

Virtual Chief Information Security Officer

While many organizations have a mature Information Technology (IT) department, they often have understaffed or underdeveloped cyber security departments. The core function of the cyber security department is to interface with both the compliance/internal audit team and the IT operations teams to ensure security is addressed in all aspects of the corporate infrastructure and culture. ESG provides experienced C-level executives to develop and/or augment the current cyber security department. Specifically, ESG professionals will develop a corporate cyber security Governance Program tailored to fit each organization. The program includes at a minimum:

  • Governance Policy Library
    • Policies, process, and procedure development
    • Information security awareness training
  • Strategic Planning
    • Develop an Information Security Roadmap
    • 12, 24, and 36-month implementation plan
  • Compliance Program development
    • Develop a comprehensive regulatory compliance audit schedule
    • Execute all annual audits and risk assessments
  • Corporate representation
    • Serve as corporate representative on all cyber security matters
    • Interface with all regulatory bodies and vendors on all security-related issues

A tool often overlooked by many IT executives and managers is an independent third-party review of the baseline configuration files of all network devices. ESG subject matter experts will:

  • Conduct detailed Enterprise Architecture and Infrastructure reviews
    • Provide design recommendations to increase bandwidth and efficiency and to maximize security
  • Conduct in-depth review of system, device, application, and database security configurations
    • Reviews are based on industry-standard security templates
    • Router, switch, firewall, intrusion detection/prevention, load balancers
    • Server: Linux, Windows
    • Application code reviews
    • Database: MS SQL, MySQL
  • Provide a detailed report with recommended fix actions for system administrators and security engineers.

Security Audits/Assessments

One of the first steps to reduce digital threats and provide security assurances is to conduct an audit. Through this process, a detailed investigation is carried out on the vulnerabilities of the digital platform(s). From this analysis, it is possible not only to assess the risks that a company is facing but also to obtain information about the strengths of its infrastructure.

Within the different audits/assessments, we can differentiate:
  • External Penetration Test, for the services present on the Internet.
  • Internal Penetration Test, for the local networks.
  • Network Audit, to review traffic flow control and existing monitoring.
  • Mobile Devices Audit, for the security management of these devices.
  • Audit of existing Digital Certificates within the organization.
  • Information Leakage Audit, to identify potential security holes through which data could be exfiltrated.
  • Software Licensing Audit, to control the licenses acquired and installed.
  • Sector Compliance Audit, for finance, health care, energy, and military/government contractors.

Once the audits have been carried out, a corresponding report is issued detailing the tests performed and proposing improvements.