Cyber Security Report Card for counties, municipalities, and behavioral health
The Cyber Security Report Card Service
Our Cyber Security Report Card is a detailed, holistic study that covers the following:
- Executive and Management Interviews
- Questionnaires & Surveys
- Review of security policies, procedures, guidelines, and standards
- Compliance with other best practices
- Infrastructure review
The final deliverable is a report that assesses your organization's security program against industry standards and provides recommendations for remediation.
We provide a detailed analysis of your entire information security posture based on NIST, HIPAA, or ISO/IEC 27001 standards and guidelines, depending on your organization's industry.
We don't sell any hardware or software and we don't receive commissions from any third-party vendors, so we're not going to propose to sell you anything as a result of the study.
If you are interested in this service, e-mail us or schedule an appointment to discuss your requirements in greater detail and we will develop a proposed study that is designed specifically for your organization's unique requirements.
Can free network scans validate compliance?
A disturbing trend in the IT industry is that many vendors offer dubious network security assessments for free! Even worse, many IT vendors are selling canned network scans and external penetration tests, and some claim that the results can show you are compliant with a regulation like HIPAA. In many cases, the technicians performing these scans have never read a federal regulation and have no concept of how to build a security program based on standards, regulations, or generally accepted frameworks. They just don't have the background, education, and training. A solid security program based on standards and regulatory compliance can't be evaluated with automated network scanning tools.
While your network or server technician may know how to configure a firewall or server security, he or she probably hasn't been trained extensively in information security policies, procedures, and processes to the extent required for compliance with complex regulations. Developing security policy for a county government, for instance, may require knowledge of regulations like 42 CFR Part 2, the HIPAA Security Rule (45 CFR parts 160, 162, 164), CJIS (Criminal Justice Information System), as well as additional requirements from CMS, other regulatory bodies like OMH, OASAS, DOH, State Archives retention policies, and a great deal more. A typical IT vendor simply isn't up to these tasks.
Moreover, most security problems don't originate in the network: more than 60% of all security breaches result from people, policies, and procedures rather than network problems. As an experienced business person, you know that nothing is free, and our service shouldn't be confused with these free offerings.
Schedule a meeting, e-mail, or call us to discuss your comprehensive security requirements.
Read Jeff's publications on information security:
- How to use the NIST cybersecurity framework. Security Magazine, April 2018.
- Board and management responsibilities for information security. CIO.com, February 2018.
- 5 things J.S. Bach can teach you about information security. CIO.com, December 2017.
- Risk assessments for local governments and SMBs. CIO.com, May 2017.
- HIPAA as an umbrella for county/municipal cybersecurity. CIO.com, April 2017.
- County and municipal cybersecurity – Part 2. CIO.com, April 2017.
- County and municipal cybersecurity – Part 1. CIO.com, March 2017.
- May I see your comprehensive security policy, please? CIO.com, October 2016.
- The ACA and the death of medical privacy. CIO.com, August 2016.
- Why should county commissioners and executives care about HIPAA? Careers in Government, February 2018.