Information and Cyber Security Services for local governments and behavioral health

We help you secure all your information and build a comprehensive security program.

Information Security and Cybersecurity for executives and managers

Information security isn't just for IT people. In fact, if you've outsourced or delegated your security to IT, you might be in trouble.

The conventional wisdom in many organizations is that the information technology staff should be responsible and accountable for information and cybersecurity. This theory is not supported by any standards, frameworks, or best practices for information security.

Boards, executives, and directors have critical roles in defining and overseeing an organization's security posture. Moreover, in a complex organization such as a county or city government, information security should be governed by a multidisciplinary body because the compliance aspects are complex and differ by department. The many moving parts in a comprehensive cybersecurity program are too complex to be delegated to information technology staff or contractors. A truly comprehensive approach to your cybersecurity requirements requires the collective intelligence of a broad cross-section of your staff.

Essential Components of a Security Program

Identifying whether or not your organization has an acceptable, baseline information security program is pretty simple. At a minimum you should have the following six components in place:

  1. Comprehensive Security Policy. In a county government or behavioral health organization, this document is probably 25 pages or more and has at least 40 policies, but probably many more.
  2. Acceptable Use Policy. This document describes standards for using company-owned resources, ownership, reporting requirements, etc. but may also address the use of social media, work-at-home policies, and a great deal more.
  3. Risk Assessment Report. Risk assessments are a requirement. All behavioral health organizations and most county governments fall under the category of a Covered Entity (CE), so if you are a CE and don't have a risk assessment report, you aren't compliant with HIPAA. HIPAA compliance notwithstanding, every framework or standard for information security requires periodic risk assessments. If you don't have a risk report, you probably don't have a very good security program.
  4. Documentation. Extensive documentation proving compliance with your organization's security policy should be readily available at all times. Do you have evidence that backups are validated? Are logs checked? Excellent documentation is a required component of a true information security program.
  5. Management participation. Participation of directors and senior managers in an information security program is a requirement.
  6. Asset Inventory. Your organization should have a complete inventory of all your assets, including hardware, software, digital information assets, and physical instruments, and this inventory should be prioritized according to risk.

How we can help

We offer a full range of information security services based on well-established industry standards and frameworks. Policies and procedures are the cornerstones of a solid security program, so that is our starting point. We don't sell hardware or software and have no incentive to sell you "stuff" that may or may not provide your organization with additional protection. We do work with your staff and vendors to develop a comprehensive, layered, defense-in-depth approach to your information security requirements.

  • Risk assessments & audits
  • Security policy and procedure analysis and development
  • Regulatory compliance, HIPAA, 42CFR, CJIS, and others
  • Security strategy, design, and architecture

Security Policy Development Workshops

If you don't have a standards-based information security policy, we'll work with your multidisciplinary team to develop one that makes sense for your unique organizational requirements. We can perform this onsite, but we can do it much more economically through a series of four or five web workshops which will result in a comprehensive security policy, a clear set of procedures, and a clear chart of responsibility and accountability. Pricing for this varies depending on the size of the organization and your actual requirements. Contact us to get a quote for your organization.

Assessments and Audits

Do you need a formal risk assessment, audit, or other assessment? We will customize and tailor an assessment based on internationally-recognized standards, frameworks, or specific regulations to your individual requirements. Contact us to get a quote for your organization.

Low-cost entry-level services

If you have solicited quotes for business-process or security-related assessments before, you know they are extremely expensive. Paying five to six figures for such an assessment from a national consulting firm to provide these services has its place, but it may not be the best fit for your smaller organization. Generally, these assessments produce an overwhelming laundry list of issues to fix and remediation services are more expensive than the initial assessment.

While we provide the same services, we can also tailor our assessments for organizations that can't afford a six to seven figure budget for a large consulting firm. We can work with you to develop a program and help you grow it organically and within your means. Most of our entry-level studies are in the range of $500 - $1,000 and include a written report so you can make rational, objective business decisions about where to go next.

Security Policy Checkup

We'll review your information security policy and make recommendations for improvement.

HIPAA Workshops

Is your covered entity really compliant with HIPAA security and privacy requirements? Find out with our low-cost webinar. Contact us for more information.

Cyber Risk Assessments

We've developed proprietary, unaudited cyber risk assessments based on internationally recognized standards and best practices. In this two-hour cyber risk webinar, we'll identify and document major cyber risks you are facing. The deliverable is a color-coded risk report with actionable information for remediation.

IT Services Assessment

Our two-hour IT services assessment is based on widely accepted standards and best practices. We'll help you assess your IT services, identify gaps and areas for improvement, and make recommendations for improving quality, lowering costs, mitigating risk, and aligning your services with your business objectives.

Security Policy Workshop

In this multi-session workshop, we work through the process of developing a comprehensive security policy, a set of procedures, and a RACI matrix so that responsibilities for information security are defined at every level of your organization. We recommend a multidisciplinary team attend the workshops.

Additional Information and Cybersecurity Services

HIPAA Workshops

Many county governments and all behavioral health organizations should have a HIPAA compliance program. Most organizations think they are compliant, but they rarely are. Take our HIPAA Workshop and find out where you are missing the HIPAA boat.

Cybersecurity Report Card

After our two-hour workshop, you'll be able to identify your major cybersecurity risks and you'll get a report with an action plan for remediation. Our objective assessment is based on international standards and widely-accepted frameworks like NIST CSF and ISO/IEC 27001.

Security Policy Checkup

Does your security policy contain all the elements recommended by NIST (National Institute of Standards and Technology) and ISO/IEC 27001? Find out with our Security Policy Checkup Workshop.

Ready to talk?

Enter your contact information and we'll be in touch shortly.

Or, call (607) 731-4097

e-mail: jmorgan@e-volvellc.com

e-volve Enterprise Management Services
519 Blakeslee Road
Milan, PA  18831