CIMA has been helping clients build Data Privacy, Information Security and Business Continuity Management Programs since its inception in 2005, and our staff has been building these in and outside organizations for over 20 years.
Let us show you how to transform your program into a high-performing business enabler. We have the expertise to provide on-site training for your employees, identify your gaps against established standards and regulations, build a mitigation plan, and help you build your program from the ground up, or take an existing one to the next level. We’re proud to help shape how leading companies structure and manage the protection of information assets.
Our staff has been working on ISO 27001 projects for 20 years. Let us show you how to transform your Information Security Program into a high-performing business enabler. We have the expertise to identify your gaps, build a mitigation plan, and help you build your program from the ground up, or take an existing one to the next level. We’re proud to help shape how leading companies structure and manage the protection of information assets.
To help understand where your organization’s operational control posture is, compared to a specific standard or regulation, we conduct assessments of management and technical controls. In addition to identifying what is and is not in place, we also work with our clients to understand the depth of control implementation through the creation of, or use of an existing, capability maturity model (CMM) in the client environment. This approach provides far greater value to clients in understanding the full and true effort needed to achieve program goals.
We have also extended this to the level of working with client operational areas to perform an impact assessment of gaps, to ensure we are able to help clients develop a qualified program budget proposal.
To help our clients achieve focus and ensure the success of business goals, we offer management consulting services to help you build a winning strategy and supporting business case for your standards- and regulatory-driven program. This is done in a collaborative approach between our engagement team and your key leadership stakeholders, following a gap assessment.
Where not in place, we help clients design an enterprise steering committee, establish the committee’s charter document and engage target participants from the organization’s management team.
Many of our clients are already inundated with existing operational commitments and are understaffed; however, customer, business partner, or regulatory expectations dictate compliance with one or more standards or regulations that are currently not aligned with the business operations.
CIMA provides on-the-ground resource support to help you manage the implementation of an ISO 27001 or other standards- or regulatory-based program. Our Program Management support will work with you and other leaders in your organization from start to full implementation and, as required, assist you during a formal program certification process, e.g. ISO 27001 certification.
In most cases, you have one shot at presenting your business case to top management for support and sponsorship. CIMA provides management consulting support to help you design and develop a winning business case and supporting presentation package for your leadership presentation.
Every program that is driven by standards and regulations introduces significant change in the way technology and business employees perform their jobs.
Managing change is a critical activity of any information security program effort. The most effective tool to manage change is an organized, structured, and focused communication plan for employees across all lines of business. CIMA provides clients with consulting support to help build effective communication plans and supporting tools.
Awareness & Training
Standards- and regulatory-based information security programs frequently mandate the need for an effective organization-wide awareness and training program to raise awareness of important issues, transfer knowledge on given topical areas or develop skills to help manage various elements of the program. We help clients build awareness and training programs using our ACADEMICS methodology. Some of the areas of focus include:
- Performing an Awareness & Training Needs Analysis
- Development of the Awareness & Training (multi-year) Plan
- Development of Awareness campaign material
- Development of custom internal information security training based on the organization’s policy & standards
- Development of process and procedural training
- Development of information security management and technical training courses
All of our training development services include classroom-based or e-Learning options.
Information Security Governance
Many companies jump into developing their governance documentation without establishing a clear understanding of their governance scope. By way of example, ISO 27001 has a mandatory requirement that the organization perform a Legal and Regulatory review and encompass all such requirements into their governance framework. In order to achieve ISO 27001 organizational certification, the organization must provide evidence they have performed this review and incorporated all requirements into their new governance framework. CIMA has experience working collaboratively with client legal, business and technology leaders to help them accomplish this and yield a structured governance framework, from which all other governance can begin to be developed. The framework model approach that CIMA uses to assist clients provides a hierarchical structure allowing various authoring and approving authorities at different levels of the framework. As part of the deliverables we yield first and foremost a control catalog, and from there construct the framework in a logical and structured fashion. As needed, we also assist clients in the development of a process to develop and approve governance components.
Similar to its use in the Project Management world, a Program Charter establishes the mandate for the program, as well as fundamental roles and responsibilities for its development and maintenance. Through a collaborative approach, we help clients develop the organization’s Program Charter to ensure it has a solid foundation and that inter-departmental support is assured. One of the critical aspects of the Program Charter is the demonstration of alignment to the business’ critical objectives. When we work with clients, we ensure a clear demonstration of Program alignment to Business goals is articulated so the Program’s value is understood all the way up to and including the organization’s Board.
Information Security Policy & Standards
Every program has various moving pieces, some of which are similar from one standard or regulation to the next, and some are very unique. We help clients design and develop any and all components of their program. Areas include:
It is well understood by today’s business community that a policy is a statement of management’s expectations. Across the board, ISO standards and regulations dictate the development of a policy to communicate to the body of the organization and other stakeholders, the need for and adherence to a set of controls related to the mandating standard or regulation. We help clients collaboratively draft and socialize a policy document to ensure stakeholder buy-in.
Standards are, in their simplest form, a collection of theme-based controls. We work with clients to follow on from the work in the Governance Framework effort to develop individual heterogeneous policy standards, meaning they are technology agnostic. During this work, once we have developed a satisfactory draft standard, we facilitate an internal client focus session to review the document based on three factors, namely that each control statement in the document is:
- responsible; and
Technical Information Security Standards
For an organization’s operational technology teams to understand how to configure and maintain technology solutions in a standardized fashion that meets the stated expectations of a standard, organizations must develop technical standards articulating how the requirements of a given standard are to be achieved. We work with client technology teams and empower them to develop technical standards for individual technology environments through the development of standardized templates and by offering a facilitation approach.
Information Security Process Development and Re-engineering
Processes are an organized set of actions designed to achieve a specific outcome. All standards and regulations, either implicitly or explicitly, mandate specific processes in order to achieve compliance. CIMA helps clients in a collaborative fashion to develop process documentation to meet the spirit and intention of standards and regulations.
Procedures are detailed sub-activities of a process that drill down into one area of a process, and consist of a set of integrated tasks. CIMA helps organizations develop both information security-based procedures, as well as business and IT operational procedures that support the organization’s information security program.
In many cases, organizations must turn to technology to help solve stated control requirements from standards, legal and regulatory requirements. CIMA helps clients define technology requirements before its technology staff begins solution evaluation, to help ensure appropriate alignment with the requirement. Typical engagement activity provides for the client’s technology teams evaluating and selecting solutions autonomously, with CIMA’s team validating that the selection meets the stated requirements.
Many of today’s standards and regulations mandate the implementation and maintenance of a performance management program to ensure the ongoing measurement and evaluation of the information security program’s controls. This effort is designed to identify weak, ineffective or inefficient controls and enhance them over time as a measure of continual improvement.
CIMA offers an integrated approach when helping clients build their entire information security program, or a standalone approach for existing information security programs. No matter what your situation is, we work with our clients and their internal and 3rd-party managed security service provider teams to identify operational measurements for each of the controls implemented in your organization.
We also provide ongoing support through an outsourced information security performance management service offering.
Virtual Chief Information Security Officer (vCISO) / Data Protection Officer (vDPO)
The role of the Chief Information Security Officer (CISO) / Data Protection Officer (DPO) is a high-visibility and sensitive one. On occasion, changes put organizations in a situation where they have to operate for a period of time in the absence of an internal CISO / DPO. This can be as a result of the establishment of a new role in the organization or the departure of a former employee occupying it. We provide clients with interim executive-level resources to fill this gap and allow data protection programs to continue with experienced resources. We also assist clients in the evaluation of new candidates during the search process while we provide interim services.
Internal Audit Program Development
ISO 27001, among other standards and regulations, requires organizations to institute an internal program and perform audits of their information security program controls, commonly referred to as Internal Audits.
Depending on the maturity stage or size of the organization, many companies have neither the internal expertise to audit information security controls nor an Internal Audit function to perform this service.
CIMA helps organizations build an internal audit program from the ground up, including all mandatory documentation and audit test procedures for it to operate. We also provide outsourced Internal Audit services focused on established data privacy and security controls.