At BARR Advisory, we believe in determining the why before proposing the how, and that careful planning is imperative to help our clients achieve their business objectives. That’s why, when developing your security program with one of our virtual Chief Information Security Officers (vCISOs), the first step is to perform a gap assessment to identify the gaps getting in the way of your cybersecurity goals and initiatives.
This is the first blog in a two-part series breaking down what it’s like working with a vCISO at BARR. First, we’re highlighting Phase 1 of our CISO Advisory proven process, otherwise known as the gap assessment. Next, we’ll feature the remediation process of Phase 2 and what it looks like when you reach continuous management.
During the gap assessment phase, which typically takes 1-2 months to complete, BARR:
- Determines the scope of your organization;
- Assesses your organization against your cybersecurity goals or industry frameworks and standards; and,
- Provides you with a list of specific gaps and recommendations to prioritize, helping you remediate along the way.
Let’s explore the steps we take when conducting your gap assessment.
Step 1: Determining Your Scope
After onboarding with BARR, your vCISO will work with you to determine the technical scope of your organization. Your scope is defined within an initial kickoff meeting, during which your vCISO will discuss your goals with you and take note of information such as your:
- Business processes;
- Technology and data;
- Physical locations; and,
- In-scope standard(s) and framework(s).
Step 2: Assessing Your Organization
Once your scope is determined, BARR will assist you in identifying systems and controls within your security program and can map those controls to cybersecurity best practices and multiple frameworks and standards, including SOC 2, ISO 27001, NIST CSF, CSA STAR, HITRUST, NYDFS, the 18 CIS Controls, and more.
Since you know your organization best, you’re encouraged to choose which framework works for your needs. Not sure which framework is best? No problem. As your trusted partner, we’ll use our insight and expertise to guide you through the security and compliance process, tailoring our services to meet your organization’s specific goals.
In this step, BARR will assess your organization against specific controls based on your environment, system scope, and in-scope frameworks. To verify that these controls are in place, your vCISO will conduct the following required procedures:
- Walkthroughs and interviews
- System observations
- Document reviews
BARR combines all the information gathered above, analyzes that information, and compiles a list of gaps and specific remediation recommendations.
Step 3: List of Gaps and Recommendations
For each identified gap, your vCISO will include a recommendation for remediation. Recommendations are prioritized based on the level of impact a gap might have on your cybersecurity goals and in-scope frameworks. This deliverable is reviewed by a designated BARR engagement manager and compiled into a report that includes the following:
- Clear documentation of each gap
- Resources and recommendations for gaps that your organization can remediate
- Prioritization of gaps
- Ownership and timeframe for each remediation
Step 4: Debriefing and Planning for Phase 2
Next, your vCISO will debrief with you through a walkthrough of deliverables, including a detailed discussion of the gaps and recommendations for remediation. We’ll work with your team to assign responsibilities, including which remediation activities BARR and your team will own. We’ll also provide an estimate of the fees required to get through Phase 2 and onto the rest of your cybersecurity journey.
During Phase 2, which typically takes 1-3 months, your vCISO will provide a roadmap toward successful remediation and continuous management, turning what were gaps in your security program into competitive advantages.
Interested in learning more about working with a vCISO at BARR? Contact us today.