
Cyber Design

The foundation of a solid security program starts with a strong base.

Security by its nature is ever-changing and evolving.  It benefits your organization to start with complete and consistent documentation.  If you are able to articulate your environments and risks, it is significantly easier to map current and future areas that you will need to prioritize.

Encryptics will assist you in scoping and creating an outline of current areas where you have opportunities for growth.

We can add insight by leveraging our broad industry experiences, helping you to prioritize and quantify your risk.  This isn’t about checking boxes and having a false sense of confidence; it is about understanding where you are and where you envision your future concerns to be. We work with you to create a program that will get you there, one that can be modified as your needs and risks evolve and that allows you to communicate current and emerging gaps and the processes you will implement to meet those needs.

  • Do you know who owns and/or is responsible for your data and environments?
  • Do you know if you have policies? Are they well written, communicated and updated?
    • Do you only show people policy at time of hire?
  • Do you have a security program at this time?
    • Who owns this process?
    • Is there oversight?
    • Is there autonomy (making decisions based on real risk, instead of “keeping the ship afloat”)?
    • Are there regular interactions between security and the rest of the organization?
    • Does your organization have dependencies for their security risks?
  • Do you currently have a good Identity and Access strategy?
    • Who should access what?
    • Where should they be allowed access to and from?
    • Do you have a good invocation/revocation process?
    • Do you have good documentation and reporting?
    • Do you have sufficient skills overlap?
      • (If John wins the lottery, does Sally have enough knowledge to handle the work that John was responsible for? Is there documentation? Is the process consistent?)
    • Do you have a solid Data classification (Risk and protection) process in place?
      • Not all data is the same, and it should not all be protected equally. If you make everything high risk, then you need sufficient (and sometimes costly) controls to protect it.  If you under-classify, there is a risk of data loss or other unanticipated impacts.
      • Do you understand how data is used and handled within your environment? What often gets overlooked is that users may look at data differently: what is high risk to one user is low risk to another.  Define what your data is, and how it should be protected in all instances.
    • Do you have a steering committee and working group?
      • How do you currently assess and prioritize issues?
        • Do you use consistent criteria and impact as a review mechanism?
        • Do you ensure that remediation is reviewed and validated?
        • Do you follow up to ensure there were no ancillary issues created?
      • Can you report issues consistently?
        • For audit?
        • For Internal review?
        • For External review?
      • Do you ensure that security is well understood in your organization?
        • Do you conduct awareness campaigns?
          • Advertising Slicks
          • Brown bags
          • Email and Web page highlights
        • Does your Education evolve as your needs change?
          • Do you socialize and test policy changes?
          • Do you ensure your users are current on what risks they should be aware of?
          • Do you make security part of their overall employment?