Assessments

RZA Consulting has expertise in delivering assessment and audit services. We audit against the following industry-standard frameworks.

NIST CYBERSECURITY FRAMEWORK (CSF)

The framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk. The Cybersecurity Framework consists of three main components: the Core, Implementation Tiers, and Profiles.

The Framework Core provides a set of desired cybersecurity activities and outcomes using common language that is easy to understand. The Core guides organizations in managing and reducing their cybersecurity risks in a way that complements an organization’s existing cybersecurity and risk management processes.

The Framework Implementation Tiers assist organizations by providing context on how an organization views cybersecurity risk management. The Tiers guide organizations to consider the appropriate level of rigor for their cybersecurity program and are often used as a communication tool to discuss risk appetite, mission priority, and budget.

Framework Profiles are an organization’s unique alignment of their organizational requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core. Profiles are primarily used to identify and prioritize opportunities for improving cybersecurity at an organization.

NIST 800-53 SECURITY AND PRIVACY CONTROLS

Security controls are the safeguards or countermeasures selected and implemented within an information system or an organization to protect the confidentiality, integrity, and availability of the system and its information and to manage information security risk. Privacy controls are administrative, technical, and physical safeguards employed within a system or an organization to ensure compliance with applicable privacy requirements and to manage privacy risks.

Security and privacy controls are selected and implemented to satisfy security and privacy requirements levied on an information system or organization. The requirements are derived from applicable laws, executive orders, directives, regulations, policies, standards, and mission need to ensure the confidentiality, integrity, and availability of information processed, stored, or transmitted, and to manage risks to individual privacy. The selection, design, and effective implementation of controls are important tasks that have significant implications for the operations and assets of organizations.

RZA Consulting has experience in evaluating the controls in place and their efficacy, and provides you with unbiased insight into how well these controls are implemented and how much protection they actually provide to the organization.

FISMA SUPPORT SERVICES

The Federal Information Security Management Act (FISMA) requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency. This includes information and systems provided or managed by another agency, a contractor, or other sources.

FISMA explicitly emphasizes a risk-based policy for cost-effective security. Managing Federal Information as a Strategic Resource requires agencies to:

  • Plan for security
  • Ensure that appropriate officials are assigned security responsibility
  • Periodically review the security controls in their systems
  • Authorize system processing prior to operations and, periodically, thereafter

RZA Information Security services can help with planning for security, reviewing security controls, and confirming that system authorizations are in place.

ISO 27000 ASSESSMENTS

There are more than a dozen standards in the ISO/IEC 27000 family, which enable organizations to manage the security of assets such as financial information, intellectual property, employee details, or information entrusted to them by third parties.

ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization. ISO 27001 also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in this International Standard are generic and are intended to be applicable to all organizations, regardless of type, size, or nature.

RZA Consulting uses the ISO 27001 standard (Information security management systems — Requirements) to perform the assessment and verify that the organization meets the criteria of this security standard.

We work closely with leadership to review and further develop cybersecurity roadmaps. This ensures that the roadmaps are complete, meet business needs, are vetted by independent and skilled resources, and are as efficient as possible.

As a trusted partner, we establish an ongoing relationship with the client in which we develop a deeper understanding of their environment and their needs, and work closely with them to see critical security initiatives through to completion. We bring our knowledge, experience, and skills to the table under an arrangement that is best suited to the client.

We also work with legal teams to provide expert advice and support as needed.