Services
Cybersecurity Assessments
Cybersecurity is not a luxury. It’s a necessity. Cyberattacks can cause devastating damage to your business, reputation, and customers. You can’t afford to ignore the cyber risks that you face every day.
That’s why you need Apogee Defense, a team of experienced and certified cybersecurity consultants who can help you assess your cybersecurity maturity and readiness. We can help you identify and close the gaps in your security posture, comply with the relevant standards and regulations, and prepare for and respond to cyber incidents.
We specialize in defending the industries with the most to lose in the event of a breach. These industries handle regulated data such as:
- HIPAA: Protected health information (PHI), safeguarded by federal law. A breach triggers breach-notification obligations and civil penalties assessed per violation, and the loss of patient trust can be existential for a smaller practice.
- DoD information: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) handled under DoD contracts. This data is valuable to criminal groups and nation states, and without an assessment against NIST SP 800-171 and CMMC you risk losing eligibility for the contracts that depend on it. (Classified information is governed separately and is outside the scope of CMMC.)
- PCI DSS: Cardholder data, a tempting target and an easily transactable commodity among criminal groups. Maintaining PCI DSS compliance and regular validation reduces the likelihood of a breach, and the card brands may waive or reduce their fines after one if you can demonstrate you were compliant at the time, which is the safe harbor most merchants are counting on.
Our cybersecurity assessment process is based on frameworks such as NIST SP 800-171, the NIST Cybersecurity Framework, CMMC, ISO 27001 and PCI DSS. Our process includes:
- Scoping: We define the scope and objectives of the assessment based on your business context, including which systems, locations and data flows are in scope. We also agree on the assessment criteria (the framework and version) and the methodology that will be used.
- Data Collection: We collect evidence from interviews, questionnaires, policy and procedure documents, direct observation, technical tests, vulnerability scans and prior audit results, using established tools and techniques so that the data is accurate and reproducible.
- Data Analysis: We analyze the evidence with quantitative and qualitative methods to identify gaps, risks, strengths and weaknesses, and we measure your control implementation against the framework’s requirements and against industry benchmarks.
- Reporting: We produce a detailed report that summarizes findings and recommendations. The report includes an executive summary, a maturity scorecard, a risk profile, a gap analysis, a prioritized action plan and the supporting evidence for each finding.
- Presentation: We walk you through the report, explain the results and their implications, answer your questions and agree on next steps.
Security Standards – What are they and why they matter
Security standards are sets of guidelines, best practices, and requirements that help organizations manage and reduce their cybersecurity risks. Security standards can be developed by various entities such as governments, industry associations, or international organizations. Security standards can also be used as a basis for compliance audits or certifications that demonstrate an organization’s adherence to a certain level of security.
We can help you with security standards by:
- Helping you understand the security standards that apply to your industry or customers
- Helping you select the most appropriate security standards for your organization’s needs and goals
- Helping you implement the security standards in your organization’s policies, processes, and systems
- Helping you prepare for and pass security audits or certifications based on the security standards
- Helping you maintain and improve your security posture according to the security standards
Some of the security standards that we work with include:
- ISO 27001: An international standard that specifies the requirements for an information security management system (ISMS). An ISMS is a framework that helps you manage the security of your information assets in a systematic and consistent way. ISO 27001 covers the full management cycle: risk assessment, policy development, control selection and implementation (the Annex A controls), monitoring, review, and continual improvement. Certification is issued by an accredited certification body after an audit.
- PCI DSS: A standard that applies to any organization that stores, processes, or transmits cardholder data, or that can affect the security of that data. Its twelve requirements are grouped under six control objectives: build and maintain a secure network and systems, protect account data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy.
- HIPAA: A federal law that protects the privacy and security of health information held by covered entities and their business associates. It is implemented through four rules: the Privacy Rule, the Security Rule, the Breach Notification Rule, and the Enforcement Rule. The Security Rule is the one that drives technical work, because it requires administrative, physical and technical safeguards for electronic PHI.
- CMMC: A certification program for DoD contractors and subcontractors that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). CMMC aims to ensure that the DoD’s supply chain is secure from cyber threats and covers the spectrum from basic cyber hygiene to advanced practices. Due to concerns about implementation cost for SMBs at the mid and high levels, the framework has undergone multiple revisions over the last three years, with the current set of guidelines slated for implementation this summer (at the time of writing).
  - One thing is certain: CMMC will be required for DoD contract work that involves FCI or CUI. The open questions are when, and exactly which level applies to your organization.
  - The substance of the program has remained unchanged, because its practices are drawn from NIST SP 800-171. Anyone who has already been assessed against a prior version of CMMC will have the majority of the work done, or will already be compliant with the pending version, and will be able to accept covered work as soon as the rule takes effect.
  - CMMC assigns your organization a level based on how completely you have implemented the required practices across a set of security domains. Each level unlocks additional work for your organization, while contracts at that level are closed to organizations that have not demonstrated the required practices. Because the requirement flows down through the supply chain, subcontractors that handle FCI or CUI must also meet the level specified in their contract.
  - The CMMC domains cover access control, asset management, audit and accountability, awareness and training, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, recovery, risk management, security assessment, situational awareness, system and communications protection, and system and information integrity. (The current version aligns its Level 2 domains directly with the fourteen requirement families of NIST SP 800-171.)
  - We can help you with CMMC by:
    - Helping you understand the CMMC requirements and expectations for your organization
    - Helping you determine your current CMMC level and identify any gaps or weaknesses
    - Helping you implement the CMMC practices and processes in your organization
    - Helping you prepare for and pass the CMMC assessment by a certified third-party assessment organization (C3PAO)
- NIST Cybersecurity Framework: A voluntary framework that helps organizations manage and reduce their cybersecurity risks. It is built on existing standards, guidelines, and practices, and provides a common language and structure for assessing your current posture, setting goals and priorities, and implementing and monitoring your cybersecurity activities. The framework’s core is organized into functions (Identify, Protect, Detect, Respond, and Recover, with Govern added in version 2.0), each broken into categories and subcategories that describe specific cybersecurity outcomes.
  - The CMMC practices themselves come from NIST SP 800-171 rather than the Cybersecurity Framework, but the two are cross-referenced, so work done under one maps onto the other.
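As an added illustration of the gap analysis, maturity scorecard and action plan described in the assessment process above, and of determining a CMMC level, here is a small Python scorecard written for this page (it is not Apogee Defense’s own tooling). It scores an assessment the way the NIST SP 800-171 DoD Assessment Methodology does: start at 110 and subtract 5, 3 or 1 points for each requirement not implemented, with partial credit only for 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography). The requirement IDs are real NIST SP 800-171 Rev 2 identifiers, but the weight table is a constructed subset for illustration and the evidence in SAMPLE_STATUS is fictional; the authoritative weights for all 110 requirements are in Annex A of the methodology.

```python
"""Scorecard for a NIST SP 800-171 / CMMC gap analysis.

Scoring follows the NIST SP 800-171 DoD Assessment Methodology: start at 110,
subtract each unimplemented requirement's point value (5, 3 or 1). A partial
implementation counts as not implemented, except for 3.5.3 (MFA) and 3.13.11
(FIPS-validated cryptography), where a partial implementation subtracts 3
instead of 5.

Constructed example: the requirement IDs are real NIST SP 800-171 Rev 2
identifiers, but REQUIREMENTS is an illustrative subset, not the full
110-entry Annex A table.
"""

MAX_SCORE = 110  # score when every requirement is implemented

# requirement id -> (requirement family, points subtracted if not implemented)
REQUIREMENTS = {
    "3.1.1": ("Access Control", 5),
    "3.1.2": ("Access Control", 5),
    "3.1.20": ("Access Control", 1),
    "3.1.22": ("Access Control", 1),
    "3.3.1": ("Audit and Accountability", 5),
    "3.3.2": ("Audit and Accountability", 3),
    "3.5.3": ("Identification and Authentication", 5),
    "3.11.2": ("Risk Assessment", 5),
    "3.11.3": ("Risk Assessment", 1),
    "3.13.11": ("System and Communications Protection", 5),
    "3.14.1": ("System and Information Integrity", 5),
}

# Only these two requirements earn partial credit under the methodology.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

VALID_STATUS = {"implemented", "partial", "not_implemented"}


def points_at_risk(req_id: str, state: str) -> int:
    """Points subtracted for one requirement given its implementation state."""
    if state not in VALID_STATUS:
        raise ValueError(f"{req_id}: unknown status {state!r}")
    if state == "implemented":
        return 0
    if state == "partial" and req_id in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[req_id]
    return REQUIREMENTS[req_id][1]  # any other partial counts as not implemented


def assessment_score(status: dict) -> int:
    """DoD Assessment Methodology score. Unassessed requirements count as
    not implemented, which is how an assessor treats missing evidence."""
    score = MAX_SCORE
    for req_id in REQUIREMENTS:
        score -= points_at_risk(req_id, status.get(req_id, "not_implemented"))
    return score


def gap_analysis(status: dict) -> dict:
    """Per-family scorecard: family -> (implemented, total, points at risk)."""
    card = {}
    for req_id, (family, _weight) in REQUIREMENTS.items():
        done, total, at_risk = card.get(family, (0, 0, 0))
        state = status.get(req_id, "not_implemented")
        if state == "implemented":
            done += 1
        at_risk += points_at_risk(req_id, state)
        card[family] = (done, total + 1, at_risk)
    return card


def remediation_plan(status: dict) -> list:
    """Open gaps ordered by points recovered, i.e. the action plan order.
    Each entry is (points, requirement id, family, current state)."""
    gaps = []
    for req_id, (family, _weight) in REQUIREMENTS.items():
        state = status.get(req_id, "not_implemented")
        pts = points_at_risk(req_id, state)
        if pts:
            gaps.append((pts, req_id, family, state))
    return sorted(gaps, key=lambda g: (-g[0], g[1]))


# Constructed evidence from a fictional assessment.
SAMPLE_STATUS = {
    "3.1.1": "implemented",
    "3.1.2": "implemented",
    "3.1.20": "not_implemented",  # external connections not inventoried: -1
    "3.1.22": "implemented",
    "3.3.1": "partial",           # logs kept for some systems only: -5 (no partial credit)
    "3.3.2": "implemented",
    "3.5.3": "partial",           # MFA for admins and VPN users, not all users: -3
    "3.11.2": "not_implemented",  # no vulnerability scanning: -5
    "3.11.3": "implemented",
    "3.13.11": "partial",         # TLS in use but modules not FIPS-validated: -3
    "3.14.1": "implemented",
}

if __name__ == "__main__":
    print(f"Score: {assessment_score(SAMPLE_STATUS)} / {MAX_SCORE}")
    for family, (done, total, risk) in gap_analysis(SAMPLE_STATUS).items():
        print(f"{family:40} {done}/{total} implemented, {risk} points at risk")
    for pts, req_id, family, state in remediation_plan(SAMPLE_STATUS):
        print(f"  fix {req_id} ({family}, {state}): recovers {pts} points")
```

Two design points worth noting. Missing evidence is scored as not implemented rather than skipped, because that is how an assessor will treat it, so the scorecard never flatters a half-finished inventory. And the remediation list is sorted by points recovered, which puts the 5-point requirements (access control, logging, vulnerability scanning) ahead of the 1-point housekeeping items; that is the order in which fixing gaps actually moves the score, and the same ordering drives the action plan in our reports. Extending REQUIREMENTS to the full 110 entries turns this into a complete scorecard.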
Besides the above-mentioned security standards, we can also help you with other security standards that may be relevant to your industry or customers. We understand that you know your business best and we are here to support you and enhance your defenses to limit the scope and impact of cyberattacks.