Halock ACS - Controls Gap Assessment


    8/14/2019 Halock ACS - Controls Gap Assessment

    Pricing:

    High-level reviews typically range from $5,000 to $7,000.

    In-depth reviews typically range from $6,000 to $10,000.

    Pricing varies based on the level of available documentation, the number of business units, and any additional standards mapped to documented controls.

    Governance, oversight, and regulatory compliance are key to the success of an organization. Setting expectations through policy, defined procedures, and underlying standards is critical to securing confidential information assets.

    To identify and resolve the risks associated with the organization's information security program, the program should be assessed for adequacy and effectiveness.

    Focused primarily on the design of the organization's security controls, Halock will review the organization's documented information security policies, standards, and procedures. Halock will conduct interviews with key organization resources where documentation is unavailable or otherwise deemed appropriate. The objective of the assessment is to ensure that the contents of the security program adequately address the requirements and intent of relevant compliance frameworks and/or standards, such as ISO 27002 or other suitable security frameworks applicable to the organization's requirements.

    Each document will be reviewed in terms of overall content, consistency with other policies and standards, effectiveness of the specific language or terminology used, intended audience, methods of communication to that audience, and methods of enforcement.

    Halock will conduct interviews, as appropriate, with key individuals regarding security policies, procedures, and standards to collect the data required for review. Halock can perform an in-depth analysis of the design and content of policies, procedures, and related standards, identifying their applicability to and compliance with security control objectives.

    Solution Overview

    ISO 27002 Framework:

    Halock will review control objectives from the following ISO 27002 sections as part of the review:

    4: Risk Assessment and Treatment

    5: Security Policy

    6: Organization of Information Security

    7: Asset Management

    8: Human Resource Security

    9: Physical and Environmental Security

    10: Communications and Operations Management

    11: Access Control

    12: Information Systems Acquisition, Development, and Maintenance

    13: Information Security Incident Management

    14: Business Continuity Management

    15: Compliance

    Gap Assessment

    Solution At-a-Glance:

    Fulfill regulatory and legal requirements to perform regular risk assessments of the design of information security controls

    Identify gaps in policies, procedures, and standards that could result in regulatory issues

    Determine if existing governance, risk management practices, and oversight of sensitive information handling adequately protect the organization from a breach or incident

    Receive recommendations for continual improvement of the security program

    ISO 27002 is referenced as the default standard

    847.221.0200 halock.com

    1834 Walden Office Square, Suite 150 * Schaumburg, IL 60173 * 847.221.0200 * www.halock.com

    Assessment & Compliance Services Division


    Gap Assessment: Scope Worksheet


    The following review approach will be utilized (select one):

    COMPLETE REVIEW (In Depth)

    SAMPLED REVIEW (High Level)

    Halock will review available security documentation, typically consisting of the following items. Please indicate additional documents that will be incorporated into the review in the empty boxes:

    Email Usage Policy
    3rd Party Agreements
    Data Retention and Disposal Policies
    Change Control Procedures
    Security Awareness Program
    Monitoring and Auditing Procedures
    Patch Management Procedures
    Daily Operational Security Procedures
    Acceptable Use Policy
    Firewall Configuration Policy
    Configuration Standards for Servers
    Privacy Policy
    Server Hardening Standards
    Data Handling Procedures
    Business Continuity / DR Plans
    Configuration Standards
    Data Backup Procedures / Offsite Storage

    Halock will interview key resources, typically including the following roles. Please indicate additional resources that will be interviewed as part of this process:

    CIO / CISO
    CFO
    Compliance Officer
    IT Director / Manager
    Development Lead
    Systems Administrator
    HR Director
    Facilities Manager

    ISO 27002 is referenced as the default standard for controls. Please specify additional standards (such as CobiT, FFIEC guidelines, etc.) that should be incorporated into the scope of review: