
Organizations today live in a world of ever-increasing threats and risk, and they need to prepare for it.

The Ironworks Information Assurance Practice understands that managing risk typically does not contribute to your bottom line, but it certainly enables it. Organizations today face unprecedented expectations to manage risk, driven by government mandates, internal policy, and shareholder, customer, and industry expectations.

Common Questions

  • How do I determine what my organizational threats and risks are and how do I go about prioritizing and mitigating them?
  • How do I implement sustainable governance processes that ensure my Intranet or Content Management system remains relevant, optimized, and effectively managed?
  • How do I know that my business can continue to operate in the face of a significant service interruption?
  • I manage protected health information (PHI) or conduct credit card transactions - what are my obligations to comply with HIPAA Privacy and Security laws and PCI Data Security Standards?
  • I provide third party processing/hosting services for a customer and must go through a SAS-70 audit - how can I make sure that I am prepared to receive a favorable opinion?
  • What is the Sarbanes-Oxley Act and how does it impact my business?
  • My company is private or non-profit, but I would like to make sure that we have the right corporate governance and internal controls in place for my customers and to keep up with industry standards. What controls do I need to put in place and how do I implement and ensure they are operating effectively?
  • How do I know that my public facing web sites and web-based applications are secure?
  • How can I gain efficiencies with oftentimes laborious and inefficient compliance assessment initiatives?
  • How do I effectively manage the provisioning, update, and revocation of user rights and privileges in a distributed environment?

Everything about information assurance can be daunting and overwhelming. Whether you are a security-minded organization that needs a fresh and independent perspective or a company that is living on borrowed time from relentlessly emerging threats, we understand that risks cannot be eliminated, but they can be managed.  The Ironworks Information Assurance practice has proven risk-based assurance methodologies that have been forged from numerous and varied client engagements to make security a business enabler rather than a cost center.

Services

Enterprise Security Assessment and Strategy

Every company should have a current and holistic view of its security posture and threat landscape. Ironworks starts with the factors that drive security: laws and mandates, company policy, contracts, customer needs, service level agreements, industry best practice, and good business sense. We perform a comprehensive analysis of how you respond to those drivers and how you prioritize the efforts to remediate.

Risk Assessments/Business Impact Analysis

Risk Assessments and Business Impact Analysis set the foundation for so many downstream mitigation activities, but many organizations don’t make a concerted effort to perform these crucial tasks regularly.  We take time to understand your business processes and supporting assets so that risks, threats and controls can be quantified for tactical and strategic decision making.

Disaster Recovery/Business Continuity

How long is it until a service interruption or disaster impairs your ability to do business and affects your bottom line?  We do the legwork to find out what makes your organization tick and determine how you can continue operations in the midst of a service interruption and get back to business as usual.

Internal Controls Assessment and Optimization

Every company is different and yours is no exception. So, of course your needs around compliance mandates such as Sarbanes-Oxley are different too. Your questions may be around the entire Compliance Process from the Risk Assessment to the Final Assessment, or it may be just one piece of the process. You may need help with all areas of internal controls, or you may just need help with corporate governance, finance internal controls, or information technology general controls. You may have new systems in design and implementation phases and want to ensure that these systems when implemented will not negatively impact your Sarbanes-Oxley attestation.

In any case, our methodologies are risk and process-based to minimize the work-load and provide a value-added assessment. We tailor our methodology to meet your business' individual needs and provide you with a balanced, value-added internal controls assessment.

Compliance Strategy and Readiness

With the litany of compliance laws, regulations and other demands, companies need to make sure they understand what is expected of them and how to get there.  We can provide interpretive guidance on vague and confusing mandates including the HIPAA security and privacy rules, Payment Card Industry data standards (PCI DSS), and Statement of Auditing Standards No. 70 (SAS-70) attestations.

Assurance Solutions

Sometimes building a process to monitor internal controls is not enough. The larger and more complex your business is, the greater the need for Internal Controls software to help manage the documentation requirements and keep a pulse on the status of various moving parts.

We have developed solutions with core functionality that can be custom tailored to your compliance and business processes:

  • Centralized Control Management database allowing for control modifications and automatic updates to disparate compliance documentation
  • Workflow processes for documentation review and approval as well as deficiency management
  • Dashboards enabling managers to capture test activity completion and areas of focus at a glance
  • Customizable documentation templates to ensure consistency and reflect your attestation process
  • Automatic archival of yearly compliance documentation making prior year information read only while pulling forward control and test information that can be leveraged in the following year

Web Technology Governance

Intranets, Portals, and Content Management Systems oftentimes become a dumping ground for organizational content with limited processes to prevent redundant, outdated, and trivial material.  Additionally, political agendas and lack of management empowerment create ambiguous roles and responsibilities between business owners and IT support staff, fostering a lack of accountability for these crucial communication tools.  Ironworks can bring an independent viewpoint that leverages countless web technology implementations paired with governance know-how to ensure your investment is optimized.

Website/Application Threat Modeling and Security Assessments

With the increasing deployment of cloud computing services and web-based technologies, resources can be accessed and attacked from anywhere. This shift negates the traditional perimeter security model and requires multi-layered security countermeasures, especially at the site and application level. Ironworks can evaluate the assets and find vulnerabilities that traditional security appliances cannot mitigate, to ensure holes don’t go unplugged.

Identity Management

An information asset deployed without consideration for end-user provisioning, role interaction, and information confidentiality is less able to fulfill its objective. Ironworks can quickly understand how user roles should be defined, entitled, and managed while adhering to the concept of least privilege.

What Makes Us Different

  • We understand that addressing the litany of emerging threats, mandates and organizational risks can put a significant strain on business resources, and we utilize a risk-based, common-sense approach to minimize the strain on our clients.
  • We use qualified and experienced resources that "get it" and are typically from Big 4 consultancies.
  • We are a cost-competitive alternative to large accounting and consulting firms like the Big 4 for attestation preparation assistance.
  • We view security and risk management as a process, not a project, and utilize methodologies that are sustainable over time.
  • We understand that Compliance can put a significant strain on business resources, and we utilize a risk-based, common-sense approach to minimize the strain on our clients. We understand the concept of "Key Controls".

The Ironworks Information Assurance practice delivers experience and know-how each time. Our teams are staffed with consultants who focus only on what they know best and have significant experience and excellent client recommendations.

 
 
 
© 2010 Ironworks Consulting. All Rights Reserved.   