Our consulting services use consistent, automated, and efficient sub-processes. This allows ThreeShield to focus on your unique concerns and needs with a fully customizable yet very efficient approach. Although every engagement is customizable, a typical one includes the following:
Phase 1: Find compliance and security vulnerabilities
Initial scope discussion covering:
- web sites and Internet-facing systems
- networks, VPNs, and wireless systems
- servers, workstations, virtual machines, and operating systems
- established policies, standards, and procedures
- business impact assessment, disaster recovery, business continuity plans, and backup processes
- external systems and service providers
- compliance needs
Signed agreement with permission to perform vulnerability assessments.
Internal and external vulnerability scans
Partially-automated penetration tests
Execution of proprietary configuration extraction scripts.
Compliance assessment for:
- privacy and personally-identifiable information (PII)
- C-SOX and SOX financial statement controls
- corporate policies
Review of server, Active Directory, database, application, and cloud service configurations.
Reporting at the level you need, from highly technical findings to executive risk statements and customer assurance.
Phase 2: Fix vulnerabilities through project and security management with hands-on support
We provide as much support to fix your security and compliance vulnerabilities as you need. Many companies have great IT teams that can take care of most changes. However, with competing priorities, they can often benefit from additional security and project management. Our most common services during this phase include:
Chairing of a Security Council to ensure that senior leadership understands and prioritizes security and compliance needs alongside other critical business concerns.
Security project management to ensure the success of security-related projects. We will oversee your whole security program and provide hands-on support as needed.
Documentation and improvement of critical policies, business impact assessments, disaster recovery plans, business continuity processes, and other regulatory needs.
Training, including phishing simulations, OWASP developer training, PCI and NERC CIP-004 compliance, and other job-specific training requirements.
Phase 3: Ongoing training and monitoring
Once the high-priority items are in place, we provide:
- Monthly phishing simulations, with additional training during peak phishing seasons
- Annual security awareness training
- On-demand solutions for security design and configuration problems
- Continuous monitoring of emerging threats, missing patches, and configuration problems
- Annual updates to disaster recovery and business continuity plans, business impact assessments, and other living documents