Information security is increasing in importance, but not all organizations can afford to hire a chief information security officer or in-house security experts. RADKRICS focuses on information security, and our team of experienced security experts can act as a virtual Chief Information Security Officer (vCISO) to bridge this gap.
A vCISO is a service in which a RADKRICS security professional performs the duties of a CISO in the client organization. The vCISO helps identify and analyze threats, devise strategic security plans, establish compliance with industry standards, and conduct vendor risk assessments, as well as fulfilling other information security needs.
With their experience and skills, a vCISO can help your company plan, define and execute an appropriate security strategy.
Information security is one of the strategic goals of any organization. The continuously changing threat landscape and the growing sophistication of threat actors affect the timing of decision making and the readiness of security teams, creating major challenges even for full-time staff. CISOs are on the front line of cyber defense. A failure at the front line can lead to a data breach and have a catastrophic impact on business operations.
Review the existing security strategy and framework
Prepare a security strategy in consultation with the CISO or CIO
Review the existing information security policies and procedures
Manage the risk register
Provide a security implementation roadmap
Build a governance and compliance program
Be an auditee of the external audit
Be an information security advisor to the senior executives
The vCISO service is offered as a number of hours per year. For the service to deliver an effective outcome, the vCISO shall be engaged for a minimum of 35 hours per month.
There are two levels of engagement: Level One and Level Two.
In a Level One engagement, the vCISO acts as a strategic information security advisor and performs the activities below with the help of your information security team:
# | Activity | Outcome |
---|---|---|
1 | Plan information security strategy | Strategy Document |
2 | Oversee the implementation of the information security initiatives | Support and recommend solutions |
3 | Manage the compliance program | Quarterly Compliance Dashboard |
4 | Chair the steering committee meetings | Setting the direction and re-alignment, provide expert suggestions to enable executive decisions |
5 | Yearly review of the Information Security Policies and Procedures | Reviewed policies with closure of identified documentation gaps |
6 | Review and track the closure of vulnerabilities | Monthly Vulnerability Dashboard |
7 | Review and track the closure of Risks | Monthly Risk Dashboard |
Some of the above activities require the engaging organization to complete the necessary initial steps in order to achieve the stated outcome.
In a Level Two engagement, the vCISO acts as a strategic information security advisor and performs the activities below with the help of the RADKRICS information security team:
# | Activity | Outcome |
---|---|---|
1 | Perform information security gap assessment to determine the inherent risk and the current state of the organization | Gap assessment report and the roadmap for the closure of the risks identified |
2 | Perform vulnerability assessment and penetration testing | VA and PT report |
3 | Plan information security strategy | Strategy Document |
4 | Implement the closure of gaps identified (closure of technology gaps is dependent on the organizational spend on the information security program) | Weekly project update towards closure of the gaps |
5 | Oversee the implementation of the information security initiatives | Support and recommend solutions |
6 | Derive compliance checks and perform monthly compliance assessment | Compliance reports |
7 | Manage the compliance program | Quarterly Compliance Dashboard |
8 | Chair the steering committee meetings | Setting the direction and re-alignment, provide expert suggestions to enable executive decisions |
9 | Yearly review of the Information Security Policies and Procedures | Reviewed policies with closure of identified documentation gaps |
10 | Review and track the closure of vulnerabilities | Monthly Vulnerability Dashboard |
11 | Review and track the closure of Risks | Monthly Risk Dashboard |
Some of the above activities require RADKRICS to complete the necessary initial steps in order to achieve the stated outcome.