Information and Cyber Security Services for local governments and behavioral health
We help you secure all your information and build a comprehensive security program.
Information Security and Cybersecurity for executives and managers
Information security isn't just for IT people. In fact, if you've outsourced or delegated your security to IT, you might be in trouble.
The conventional wisdom in many organizations is that the information technology staff should be responsible and accountable for information and cybersecurity. This theory is not supported by any standards, frameworks, or best practices for information security.
Boards, executives, and directors have critical roles in defining and overseeing an organization's security posture. Moreover, in a complex organization such as a county or city government, information security should be governed by a multidisciplinary body because the compliance aspects are complex and differ by department. The many moving parts in a comprehensive cybersecurity program are too complex to be delegated to information technology staff or contractors. A truly comprehensive approach to your cybersecurity requirements requires the collective intelligence of a broad cross-section of your staff.
Essential Components of a Security Program
Identifying whether or not your organization has an acceptable, baseline information security program is pretty simple. At a minimum you should have the following six components in place:
- Comprehensive Security Policy. In a county government or behavioral health organization, this document is typically 25 pages or more and contains at least 40 policies, often many more.
- Acceptable Use Policy. This document describes standards for using company-owned resources, ownership, reporting requirements, etc., but may also address the use of social media, work-at-home policies, and a great deal more.
- Risk Assessment Report. Risk assessments are a requirement. All behavioral health organizations and most county governments fall under the category of a Covered Entity (CE), so if you are a CE and don't have a risk assessment report, you aren't compliant with HIPAA. HIPAA compliance notwithstanding, every framework or standard for information security requires periodic risk assessments. If you don't have a risk assessment report, you probably don't have a very good security program.
- Documentation. Extensive documentation proving compliance with your organization's security policy should be readily available at all times. Do you have evidence that backups are validated? Are logs checked? Excellent documentation is a required component of a true information security program.
- Management participation. Participation of directors and senior managers in an information security program is a requirement.
- Asset Inventory. Your organization should have a complete inventory of all your assets, including hardware, software, digital information assets, and physical instruments, and this inventory should be prioritized according to risk.
How we can help
We offer a full range of information security services based on well-established industry standards and frameworks. Policies and procedures are the cornerstones of a solid security program, so that is our starting point. We don't sell hardware or software and have no incentive to sell you "stuff" that may or may not provide your organization with additional protection. We do work with your staff and vendors to develop a comprehensive, layered, defense-in-depth approach to your information security requirements.
- Risk assessments & audits
- Security policy and procedure analysis and development
- Regulatory compliance (HIPAA, 42 CFR, CJIS, and others)
- Security strategy, design, and architecture
Security Policy Development Workshops
If you don't have a standards-based information security policy, we'll work with your multidisciplinary team to develop one that makes sense for your unique organizational requirements. We can perform this onsite, but we can do it much more economically through a series of four or five web workshops, which will result in a comprehensive security policy, a clear set of procedures, and a clear chart of responsibility and accountability. Pricing varies depending on the size of the organization and your actual requirements. Contact us to get a quote for your organization.
Assessments and Audits
Do you need a formal risk assessment, audit, or other assessment? We will customize and tailor an assessment based on internationally-recognized standards, frameworks, or specific regulations to your individual requirements. Contact us to get a quote for your organization.
Low-cost entry level services
If you have solicited quotes for business-process or security-related assessments before, you know they are extremely expensive. Paying a national consulting firm five to six figures for such an assessment has its place, but it may not be the best fit for your smaller organization. Generally, these assessments produce an overwhelming laundry list of issues to fix, and remediation services are more expensive than the initial assessment.
While we provide the same services, we can also tailor our assessments for organizations that can't afford a six to seven figure budget for a large consulting firm. We can work with you to develop a program and help you grow it organically and within your means. Most of our entry-level studies are in the range of $500 - $1,000 and include a written report, so you can make rational, objective business decisions about where to go next.
Security Policy Checkup
We'll review your information security policy and make recommendations for improvement.
Is your covered entity really compliant with HIPAA security and privacy requirements? Find out with our low-cost webinar. Contact us for more information.
Additional Information and Cybersecurity Services
Ready to talk?
Enter your contact information and we'll be in touch shortly.
Or, call (607) 731-4097
e-volve Enterprise Management Services
519 Blakeslee Road
Milan, PA 18831