Partner – The “all-in” approach. ProCircular acts as a complete CISO for the duration of the subscription.
Virtual CISO
ProCircular’s virtual Chief Information Security Officer (vCISO) service is a broad set of services to support a Client’s security and privacy program. ProCircular provides formality and organization of processes and practices to improve a Client’s security resilience. The principle purpose of vCISO is for ProCircular to assist in the overall security strategy, advice, and oversight for the Client. This service is available as a yearly subscription and can help an organization make rapid improvements to their cybersecurity maturity.The vCISO categories are constructed to offer varying levels of service depending on the Client’s needs.The versions of the vCISO service are listed below:
Transitional – The “interim” approach. ProCircular assumes temporary continuation of anexisting security program while a new CISO is integrated.
Supplemental – Our “support” option. ProCircular provides expert assistance to support an existing CISO, adding to the CISO’s operational reach and capabilities without adding staff.
Advisory – Security advisor for the CEO or the expert partner to the organization. ProCircular delivers security-related insight directly to executives, providing expert advice and guidance to inform strategic business decisions.
The reduction of risk is a transformation process and requires measurement and monitoring.
Data Scanning & Classification
We scan your repositories of information, whether database, in file systems or on the cloud, and help you to identify cyber, legal and regulatory risks. We work with you to classify the various types of data. At the end of the day your organization will understand their data, define its owners, determine the importance of the information, and reveal retention and regulatory requirements that may be necessary to safeguard and delimit its storage.
Take an inventory of your organization’s data, understand its value, and categorize how it should be protected.
M&A Due Diligence Support
ProCircular’s leadership has been involved in transactions large and small. We’ve seen the benefits from well prepared organizations and the downside from inheriting companies with major cybersecurity and IT risks. Our team has a standardized approach to analyzing an organization’s cybersecurity, IT, and privacy risks and can use the outcome to inform a valuation or M&A integration sizing project.
A relatively short, intense engagement with our consultants will shed light on those parts of due diligence that might only surface after a transaction is completed.
Shed light on those parts of due diligence that might only surface after a transaction is completed.
Compliance & Regulatory
Every day a new rule or regulation is published, and by the time a company is up and running the landscape may have changed. Once organizations have achieved a certification, maintaining those controls can be equally challenging. We support clients with several standards and regulatory requirements including:
Our organization breaks these services into four primary areas:
Benchmarking
ProCircular evaluates an organization’s maturity by comparing current business processes and the existing business state to industry best practices. ProCircular documents the current landscape and builds a clear picture of an organization’s compliance capabilities and gaps.
Strategy
ProCircular can help create a strategy that moves an organization beyond their current level of maturity and up to the level required by regulatory bodies or customers. We can also aid in successfully implementing any changes to ensure that employees are all helping to achieve the goals of the project.
Preparation
Organizations that have already received a pre-audit and need help understanding the results can use this set of services to establish the next logical steps. We interpret the findings, prioritize critical next steps, and establish well-documented controls to clear the path towards certification.
Remediation
Once we’ve established where an organization needs to go, we provide solutions to help make rapid progress, either directly or recommend capable partners to help make rapid progress. Whether gaps are in controls, policy, process or technology, we’ll coordinate with the team to clear the way towards compliance.
Establishing and maintaining a compliance program is a challenge for every organization.
Incident Response
We prepare an incident response plan with each client ahead of time, and our engineers are ready to travel onsite and manage the situation. We work closely with our partners at Vestige to ensure that chain of custody and data integrity is maintained, and the process of remediation addresses both short term and long term needs.
Once a breach has been contained, we work with the client to address root causes and ensure that the problem can’t arise again. This may include working with the client’s insurance providers, law enforcement, and other third parties on behalf of the client.
ProCircular offers 24/7 IR to ensure that organizations we protect are prepared in the event of a breach.
Custom Consulting Services
If your organization needs to cherry pick from our broad range of cybersecurity or privacy services, we will build custom programs to deliver what you need to make progress. Our team has a diverse set of industry and technology experience that we can blend to meet your needs. These custom consulting services are available in a variety of forms:
- Staff Augmentation
- Hourly or fixed-bid (on a case by case basis)
- Knowledge transfer and education
- Integration into larger team projects (ERP, CRM, etc.)
We attempt to bundle our expert services to fit all of your cybersecurity needs, but we understand that your requirements may be unique.
Security Awareness Training
While it’s important to have IT, InfoSec, and management keenly aware of the latest threats, many of the major challenges share themes that employees can spot and avoid if properly trained. ProCircular’s employee awareness training enables those closest to the problem to identify and prevent threats. Our program is different in that it’s paired with a vulnerability assessment. It’s conducted in person with the employees who need the training most, allowing them to share their experiences and hear how to best defend against your unique risks from an expert.
The results of this assessment inform the content, shaping the training around the unique risks to the organization. We draw from a common body of materials developed in house, work with management to pick out the top regulatory or business needs, and craft an interactive training session that truly engages the employees.
Bringing employees to the defense of an organization is one of the most effective means of protecting it.
Ongoing Security Training
The package consists of an ongoing subscription to consistently remind employees of the importance of security. We send a monthly newsletter and employees receive online training on a new subject each month. We also offer a subscription based program that tests a client’s employees on an ongoing basis to make sure that they continue to apply what they’ve learned.
Instead of being made to feel foolish, employees that inadvertently fall victim to these attacks are automatically enrolled in training, ensuring that they’ve been provided the tools to better protect the organization.
This online solution is a perfect follow-up for our Onsite Security Awareness Training.
Compliance Training
Our experts have a deep knowledge of a variety of the more pressing compliance and regulatory needs,and we’re able to help employees understand the expectations that these standards pose. A training course is typically three to five days onsite and can be tailored to a variety of audiences. ISO 27001, SOC2, PCI DSS, HIPAA, HITRUST, NISTEU and International Privacy, Privacy Shield, FISMA, GLBA, FERPA, COBIT, SSAE16 are all standards that we support both for audits and implementation.
Help employees understand the expectations of compliance and regulatory standards.
Vulnerability Assessment
This is an excellent first step in establishing the relative risks that an organization may have for a modest investment, and often precedes a penetration test or an IT risk assessment.
- Online Presence – We’ll take a close look at the company’s website and sites that we can associate with the organization. We scan those systems using modern tools for thousands of vulnerabilities and weaknesses.
- Network Security – We’ll apply similar tools to the border security to deduce what the organization looks like to the Internet. This often uncovers Internet-facing devices, out-of-date hardware and software, and frequently a few other surprises.
- Social Presence – This step analyzes a few of the places where the organization is visible online and what sort of data can be easily assembled from what they’ve posted.
Automated Quarterly:
We’ve combined the power of a variety of different tools and automated the execution of the test and delivery of the reporting so that all you need to do is to check your email. Every quarter you’ll receive a complete scan of the computer system you’re required to monitor and a report that fits your specific regulatory requirements.
Enumerate an organization’s external risks and ensure quarterly tests are done on time and meet your needs.
Social Engineering
It is much easier to compromise an organization’s individual accounts to steal information in the target’s name rather than to breach a complex border defense or website. ProCircular takes on the role of the hacker and uses a variety of methods to gain access to information. This includes phishing via email, impersonation and manipulation over the phone and in-person social engineering.
A common method of gaining access to an organization’s information, and typically a hacker’s first steps.
Application Security
Our testing methodology is consistent, reproducible, rigorous, and performed under quality control to ensure an actionable outcome. We can translate standards like OWASP into a prioritized list of remediation steps that your development team can follow. Our team has decades of software development experience,and can improve not only your applications but your SDLC and Agile software development process to include security as a part of your regular development.
Using a combination of tools and experience we’re able to test all aspects of an application’s security, whether it’s on the web, an SaaS service, or a client based system. ProCircular combines penetration testing, code review and discussions with your development teams to build a plan that helps you to deal with existing challenges and reduce future weaknesses in your applications in a way that fits your unique budget, resources and timeline.
Our software security team can help you test any number of application types to improve their security.
Penetration Testing
IT Security Compliance regulations and guidelines (GLBA, NCUA, FFIEC, HIPAA, etc.) require an organization to conduct independent testing of the Information Security Program to identify vulnerabilities that could result in unauthorized disclosure, misuse, alteration or destruction of confidential information, including Non-Public Personal Information (NPPI).
An External Penetration (pen) test simulates the actions of an attacker and usually employs all means necessary to compromise a system from outside of the network. It actively exploits vulnerabilities turned up in an assessment, and validates their severity. It may also include an attempt to access other data or computer systems once the target has been compromised, bringing to light the potential data or systems that could be attacked once the hacker is inside of the company.
An Internal Penetration test works from inside of the organization it helps you to understand the internal systems that may be at risk from a hacker or a rogue employee.
These tests can help to identify data that’s left out in the open, systems that may have dropped off of the radar of the IT department, or inter-company weaknesses that allow remote offices to gain access to systems they may not need. It often incorporates both the physical network and the wireless network, and presents a more complete picture of an organizations overall cybersecurity risks. Both tests result in a deliverable with extensive information that allows you to take action. This report includes a list of recommended next steps and organizes the findings by likelihood and impact. Together with the client we evaluate relative priority and act to resolve issues, transfer the risk or bring in the requisite third party.
Help identify data that is left out in the open with internal & external penetration tests.
IT Risk and Maturity
This program works well for management that has just joined an organization, taken over a new department, or for the group that needs to get a handle on their existing commitments. The primary goal of the risk assessment is to document the existing state of the IT organization and its risks. This program collects the relevant documents around strategy, builds an inventory of existing systems, applications, hardware, software, processes and procedures. This program includes analysis of the following areas:
- IT strategy plan and roadmap
- Cloud guidance and strategy
- Asset management review
- IT skills assessment
- IT budget and cost savings
- 3rd party & vendor risk management
- Backup configuration and preparedness
Help baseline existing status for new management or groups that need to get a handle on their commitments.
Security Information & Event Management (SIEM)
ProCircular has partnered with AlienVault (AV) to provide a mid-market solution to Security Information and Event Management (SIEM) to our customers. This AlienVault product is an excellent fit for our mid-market organizations at a fraction of the cost of its competitors. They provide asset discovery and inventory, vulnerability assessment, intrusion detection, behavioral monitoring and log management for integration with other systems.
This infrastructure is hosted on ProCircular’s systems at Involta and can automatically notify customers and our engineering team of issues.
Proactively detecting security threats before they’re able to do harm is a cornerstone of a quality security program.
Data Loss Prevention (DLP)
Using a variety of tools, including both commercial and off-the-shelf applications, ProCircular can help you to implement an all in one DLP solution.
These will enable you to monitor, discover, and prevent data leakage from within your organization. You can block any data flow containing credit card numbers, Social Security numbers, or any sensitive information and tailor it to your organization. Secure the flow of traffic to the web, email, printers, removable devices, or cloud storage systems.
Using a variety of tools, we can help you to implement an all-in-one DLP solution.
Device Threat Detection
A single piece of hardware is placed at each location and can begin collecting data. An asset list is built of devices using wireless, Bluetooth, and physical networks. Once the collection is complete, the company can white-list the‘known devices’ and alerts are sent through the Pulse monitoring service identifying rogue devices, access points, and computers. It’s a perfect tool both for monitoring and assessment and ProCircular will also use the tool in our reconnaissance for internal penetration testing.
An excellent tool for organizations with distributed systems or a wide variety of devices.
Password Management
ProCircular has partnered with LastPass for personal and enterprise password management. From safely storing passwords to manage employee permissions, LastPass removes standard password obstacles. It provides a method of securely managing and sharing passwords and audits password strength and duplication. It’s easy to use, and while the margins and price point are all very low, the solution is a major part of securing any organization.
Easily and securely manage and audit password strength and duplication.
Cybersecurity Wellness Package
This subscription based model ensures that once you organized your cybersecurity efforts, you’re able to continue to protect your investment and adapt with the changing threat landscape.
- Enterprise Password Management – Secure the weakest link, your employees’ access
- Quarterly Vulnerability Assessment – Keep abreast of new threats
- Pwnie Express SIEM Monitoring – Prevent rogue devices from entering the network
- Online Security Awareness Training – Bring employees to the defense to protect the organization
- Incident Response Planning – Secure your access to experts and be ready to respond
ProCircular has bundled the most critical elements of a continuing cybersecurity program to simplify the ongoing needs of any organization.
Security in a Box
Our Security in a Box solution provides the core pieces of a security program to help IT departments get started. ProCircular performs a vulnerability assessment and uses those results to inform five hours of consulting on the direction that the program should take.
We’ve also assembled a core set of policy and strategy documents needed to stand up the most important components of any security program – overall security strategic guidance, incident response, mobile device management, document retention, etc. Each has been built from best practices at SANS and NIST and is written in a human readable and actionable format.
Get expert strategic guidance taking the first steps setting up your organization’s security program.
Cyber Insurance Readiness
Much like an audit against a fixed standard, understanding the requirements of a cybersecurity policy can be a daunting challenge. If these requirements aren’t met, insurance organizations may decide not to pay in the event of a breach, leaving the client with a significant bill.
With this evaluation, we read through the policy with the client and establish both strengths and potential risks. After completing their mediation, a company can confidently purchase a cybersecurity policy, knowing that they have a much higher likelihood of collecting in the event of a breach.