Option 1 Full FISA with Gap Analysis
Our Full Information Security Assessment (FISA) leverages and references current security frameworks and standards found in ISO/IEC 27001:2013 and the NIST Cybersecurity Framework (CSF), both of which map to the NIST SP 800-171 security requirements.
The four phases of a FISA are:
- Phase 1:Administrative Controls The people part of security, including risk management, security governance, policies, standards, training and employee awareness.
- Phase 2:Physical Controls How much does your anti-virus protection mean to you if someone steals your server? Physical controls are an essential and often overlooked part of your security strategy.
- Phase 3: Technical Controls (Internal) We affectionately call this the gooey center. Most organizations do a pretty good job at securing the technical perimeter (firewalls, intrusion detection, etc.), but sometime neglect the controls that are essential for an effective defense-in-depth strategy.
- Phase 4:Technical Controls (External) This category covers how effective your organization is at keeping the bad guys out of your network.
The FISA assessment is comprehensive. From that, FRSecure will map the relevant NIST controls and provide a gap analysis.
Your organization will receive all our standard FISA deliverables, which includes the executive summary, the full report and the action plan. You will also receive an additional report that will map the FISA result to the NIST 800-171 controls. The gap analysis and the FISA action plan can be used to build your remediation plan. This option provides both an overall security assessment against industry best practices and the information needed to begin addressing gaps in your CUI protection measures.
Option 2 Gap Analysis
Your other option is a more narrowly scoped assessment of how well your Information Security Program meets the security requirements outlined in the NIST 800-171 controls. Your organization will receive a report displaying each control and your level of compliance with that control. While this option will get you a final gap analysis to build your remediation plan from, it does not assess your full information security program against industry best practices.
With a completed NIST SP 800-171 gap analysis FRSecure can help your organization develop a System Security Plan (SSP), Plan of Action & Milestones (POA&M) and help remediate gaps in policy, process and/or training. Our expert team has proven experience in establishing effective, measurable and enforceable organizational controls in support of DoD, federal, financial and healthcare compliance frameworks.