Information Security

Gap Assessments

ISO 27001 - NIST CSF - HIPAA / HITECH - GLBA / FFIEC - NERC / CIP

Assessing security program elements for compliance with key standards and regulations is a foundational activity for strategic-minded organizations. Our gap assessments not only provide a qualified understanding of what is and is not in place against defined requirements, but also assess the controls that are in place against our (or your custom) capability maturity model.

Information Security Program Strategy Development

Following a structured methodology, we work with key business and technology leaders to understand your organizational goals and develop a custom, business-focused information security strategy. Our approach ensures that investments in information security are directed in a manner that supports the success of the organization.

Policy & Standards Development

Using our DIRECTION Methodology, CIMA leverages your initial efforts to understand the scope of your program, and develops a custom information security policy and standards for compliance with your relevant standards and regulations.

Awareness & Training Program Development

Leveraging CIMA's ACADEMICS Methodology, we help clients objectively assess their information security awareness, training, education and program communication needs by performing a Needs Analysis and generating a management report. Based on internal approval, we create a comprehensive Awareness & Training program plan and work with your teams to build all program needs, including awareness materials, training courseware, e-learning software solutions, and communication solutions.

Information Security Process Development

Leveraging a standards-based approach as a foundation, CIMA consultants develop information security processes and supporting operational procedures to meet your organization's unique requirements. To accomplish this, we start by hosting a facilitated workshop with your key stakeholders, and then take an iterative approach to creating your ideal process.

Information Security Incident Management

Leveraging your standards and regulatory requirements, we proactively build a custom information security incident management process for your organization, provide process training to educate your process users and stakeholders, and offer an optional information security incident exercise.

In a reactive situation, CIMA provides information security incident management services to help clients organize and respond to incidents in a controlled fashion.

Information Security Metrics Program Development

To ensure information security investments are optimized, strategic-thinking organizations establish measurements and monitor information security controls, which helps them determine whether the information security program is achieving its defined objectives and supporting the success of the organization's business strategy.

At the control level, establishing measurements and performing follow-up monitoring helps information security leaders understand the effectiveness and efficiency of an individual control.

We work with clients to define program objectives and to establish a performance management program and reporting capabilities.

Virtual & Fractional Chief Information Security Officer (CISO) / Data Protection Officer (DPO)

On occasion, clients find themselves in need of the temporary assistance of a seasoned CISO / DPO to help:

   a. build their initial information data privacy & security program;

   b. fill a void for an interim period until a replacement can be found and come on board;

   c. serve as a part-time resource to represent the client in meetings and discussions with external customers; and

   d. other reasons.

CIMA has helped clients fill term roles for periods of six (6) to twenty-four (24), including helping to identify suitable full-time candidates, interviewing them, and managing a controlled transition into their new role.

Penetration Testing

CIMA offers penetration testing services for a client's web presence, using the OWASP Top 10 and OWASP best practices as the testing baseline.

Penetration testing is performed remotely by our team members, followed by documentation and a subsequent presentation of the full findings, which include an explanation of each identified vulnerability and mitigation recommendations.
