Our team at Orcannus can conduct a GAP assessment to analyze your current technological framework and identify any gaps that need attention or improvement.
We provide professional technical and security services and will use commercially reasonable efforts to conduct a Gap Assessment / Analysis in preparation for a SOC 2 report, as described below:
Administrative Policies – Review and Correct
• Access Systems – Who and what has access to internal and external systems (e.g. Human Resource software, financial solutions, private folders, password manager solutions, Active Directory, etc.). We will audit all access systems and correct any issues. Users should have just enough access to complete their daily activities.
• Disaster Recovery - In the event of a disaster, is there a plan in place that provides guidance from first response through remediation to debriefing? If one is not currently in place, we will create one. If one is in place, we will review and update it as necessary.
• Incident Response - Emergencies happen, so being proactive and knowing how to respond is key to combating the issue. This plan outlines Preparation, Detection, Analysis, Containment, Recovery, and Post Investigation. It also provides a root cause analysis for future prevention.
• Risk Assessment - Used to identify vulnerabilities and threats. Not to be confused with a penetration test, a risk assessment essentially knocks on doors to see what is open and reports back.
• Roles - Review Active Directory or similar systems to determine the correct access levels. Place users in operational units with specific rights for the various systems and networks.
• Training - Provide security awareness, basic IT and risk management training for all levels. This is usually done in conjunction with the HR department.
Security Controls – Review and Correct
• Access Controls - Analysis of controls such as Virtual Private Network access, two-factor authentication, vendor access, Exchange services, web applications, and mobile devices.
• Firewall - Verification of latest firmware, effectiveness, gateway security, and vulnerabilities.
• Network - Analysis of internal wired and wireless connectivity and security. This also includes incoming public networks.
• Encryption - Analysis of all transmissions, ensuring the latest encryption methods are being utilized. This includes all transmissions and documents that fall within compliance standards (e.g. HIPAA).
• Backups - Analysis of backup locations, redundancy, frequency, and testing. Ensuring backups are encrypted and easily accessible.
• Audits - Review any and all outstanding audits and take corrective actions. Conduct any necessary audits not covered in this section. Record and store the results in a secure location.
• Intrusion Detection - Inspecting and analyzing intrusion detection solutions for effectiveness and latest updates. Used to detect and remediate threats before harmful data and information enter the production network and systems.
• Penetration Testing - Used to actively exploit vulnerabilities and breach systems and networks. Testing also includes websites, dark web searches, and phishing campaigns.
Documentation and Remediation – Review and Correct
• Agreements and Certifications - Review company agreements and certifications, verify their validity and purpose, and obtain any needed certifications to maintain standards.
• Cybersecurity Policies - Creation of a new cybersecurity policy covering the overall security measures used to secure and maintain both company and customer data. It is highly recommended to obtain cybersecurity insurance through a reputable agency.
• Security Controls Documentation - A list of all controls that are implemented in the company environment. This includes all software and hardware solutions.
• Vendor and External Contracts - A list of all vendors and external contacts with any access to company networks, apps, and devices. This list should also include former employees from the last 3 years.
• Penetration Test and Audits Documentation - A final report of all vulnerabilities showing a “clean bill of health.” This will be a comprehensive report proving that all standards have been fulfilled and should make for a smooth SOC 2 report.
Framework Protocol Included:
NIST Cybersecurity Framework ver. 1.1
• Asset Management
• Business Environment
• Risk Assessment
• Risk Management Strategy
• Supply Chain Risk Management
• Identity Management and Access Control
• Awareness and Training
• Data Security
• Information Protection Processes and Procedures
• Protective Technology
• Anomalies and Events
• Security and Continuous Monitoring
• Detection Processes
• Response Planning
• Recovery Planning
Contact us to learn more about our GAP assessment process and how to get started.