Risk management for local governments and behavioral health

Risk assessment and management for counties and behavioral health

When was your last risk assessment and what level of cyber risk and liability is your organization facing?

A periodic risk assessment is an integral component of a comprehensive, standards-based information security program. If you aren't performing risk assessments and aren't routinely following up on remediation tasks as part of a continuous improvement program, your security program almost certainly has significant flaws.

Are all your departments with high-risk data in compliance with relevant federal and state regulations as well as best practices? 

In local government, the prevailing model makes the Information Technology department almost entirely responsible and accountable for information and cybersecurity. The CIO or IT Director becomes the de facto risk manager and takes on risk without the informed consent of the governing body and executive management. This is not a good practice, and it is not recommended by any accepted security standard, framework, or set of best practices. Oversight of cybersecurity and responsibility for determining risk appetite belong to the governing body and executive management, not to an IT Director, CIO, or mid-level staff members.

We have developed proprietary risk assessments that measure your enterprise policies, procedures, and practices against HIPAA, ISO/IEC 27001, and the NIST Cybersecurity Framework, as well as CJIS for law enforcement operations, in addition to other frameworks and statutory requirements.

Entry level risk assessments

If your organization has never gone through a risk assessment, we recommend you begin with an entry-level risk assessment. Why? If you have ever gotten pricing for information risk assessments, you will find that a regional consulting firm will charge a five-figure fee for this service, while a national consulting firm will likely charge a six-figure fee. The problem with these assessments is that if you don't already have a standards-based information security program in place, you are likely to get a daunting list of items to fix. We have found that these kinds of reports are so overwhelming that they tend to sit on a shelf, because the mitigation is so extensive that organizations don't know where to begin. If you use the same firm for mitigation services, the fees will run into six figures even if you are working with a regional consulting firm.

We take a different approach. Information and cybersecurity programs are not built overnight and the work of developing an effective program has to come from organizational staff and management. While consultants can help expedite the development of a solid program, your staff will have to do the work over time. With an entry-level approach, we will help you identify major problems with a low-cost unaudited risk assessment and then help you build a baseline set of policies and procedures. We will also help you establish a multidisciplinary information security team that will use their collective intelligence and deep understanding of your organizational culture to build a program that is a perfect fit for your organization.

Down the road, after you have developed comprehensive policies, procedures, and practices, a comprehensive, audited risk assessment is appropriate, but it may not be the most effective point of departure.

Our entry-level risk assessment is $500 and consists of walking you through a proprietary questionnaire based on accepted best practices. The deliverable you receive is a color-coded report that identifies major areas of information risk, with specific references to the standards and regulations with which you aren't compliant. We run the assessment as a two-hour team workshop over a webinar, but it's also available on-site for an additional fee. We also run a free version of the assessment if your organization needs to try it out before you commit. There is no deliverable with the free version, and a senior executive must participate in order to qualify, but you'll get a good idea of where you stand and what level of risk you're facing.

Audited Risk Assessments

If you already have a standards-based cybersecurity program, we'll be happy to provide a quote for an information security audit. These studies have to be carefully scoped in order to keep the costs reasonable. You can read Jeff's article, Risk assessments for local governments and SMBs, on CIO.com for more information on scoping risk assessments. If you would like assistance with scoping an assessment, get in touch and we'll be happy to help.

Network Scans?

There are vendors and managed service providers who perform network scans and sometimes claim that these scans measure risk and compliance in some way. For the most part, the vendors actually believe this, because they don't have trained security professionals on staff who can correct them. Reputable managed service providers have staff members who are often experts in network security, but they are rarely trained in risk management, organizational security policy, and procedures. They are great at configuring firewalls, endpoint protection, and the other devices that are necessary components of a cybersecurity program, but these devices are only components; they are not a substitute for a standards-based program.

Network scans and penetration testing are also components of a comprehensive security program, but a network scan cannot measure risk and compliance in any meaningful way. There are no substitutes for standards-based risk assessments, a comprehensive security policy, a governance committee, and executive oversight of information security. This is why risk assessments are required components of every framework or standard for information security.


Contact us to discuss risk assessment and mitigation in your organization!

Call (607) 731-4097


Related Services

If you are interested in risk assessments, you may find the following related services to be of interest.

IT Services Assessment

Our two-hour IT services assessment is based on widely accepted standards and best practices. We'll help you assess your IT services, identify gaps and areas for improvement, and make recommendations for improving quality, lowering costs, mitigating risk, and aligning your services with your business objectives.

Security Policy Workshop

In this multi-session workshop, we work through the process of developing a comprehensive security policy, a set of procedures, and a RACI matrix so that responsibilities for information security are defined at every level of your organization. We recommend that a multidisciplinary team attend the workshops.

Custom Workshops

Don't see what you're looking for here? We'll create a custom workshop for your team. We can help you and your team with business process analysis, visioning and brainstorming, resource and capacity planning, hiring, and gap assessments. We'll be happy to come on site and work with your team in person.


Ready to talk?

Enter your contact information and we'll be in touch shortly.

Or, call (607) 731-4097

e-mail: jmorgan@e-volvellc.com

e-volve Enterprise Management Services
519 Blakeslee Road
Milan, PA 18831