Information Security Program Design

Sometimes, you don’t need to overhaul your information security program plan from the ground up. Instead, you may simply need to supplement your existing capabilities with specific security expertise. Our professionals are a diverse group of highly-credentialed and experienced information security professionals. That means we have the right IT security talent to complement your existing team. Here are just a few of our areas of expertise:

• Forensic analysis of security log information
• Penetration testing
• Centers for Medicare & Medicaid Services (CMS) Minimum Security Requirements
• National Institute of Standards and Technology (NIST) security control framework
• Health Insurance Portability and Accountability Act (HIPAA) Security Rule
• Specific certifications, such as HITRUST Common Security Framework (CSF) Assessors, PCI Qualified Security Assessors, and Certified Public Accountants

We draw on our extensive experience in healthcare and a variety of other industries to assist your organization in security program development that meets your overall business objectives and help you appropriately manage cybersecurity threats. First, we conduct a thorough risk assessment, so that we can identify weaknesses in your organization’s security framework. Taking into account factors such as the size of the company, business objectives, risk tolerance, and budget, we create an information security program development roadmap. This roadmap may include policies and standards, intrusion detection and monitoring programs, enhanced documentation, and/or an awareness program to enhance the skills of existing IT staff through training and recruitment. Great design only manifests itself through great implementation. LBMC Information Security can help your team execute each step of your program in an effective yet manageable way, whether you are phasing in changes over time or undergoing a full-scale implementation.

1. Ensure that you either have or can quickly provision protections against DDoS attacks. Most organizations do not keep these protections on premise and choose to rely on external parties for this protection (ISPs, upstream providers, Cloudflare, Akamai, etc.). If you are unaware of whether these protections are available to you, now is the time to consider your capabilities and plan accordingly.
2. From a propaganda perspective, the United States will be targeted for website defacements. There have already been reports of this activity. Ensure that your web applications, and associated platforms, are properly patched from a security perspective. In addition, web application assessments are strongly suggested to determine any other security issues.
3. Ensure that security patching is consistent for internal workstations and servers.
4. Ensure proper segmentation between your production and business networks exists to segregate any networks that contain industrial control systems (ICS).
5. Perform external penetration tests to understand your security risks from attackers on the internet.
6. Conduct social engineering tests with a focus on phishing emails that are designed to capture user credentials. Also, ensure the multi-factor authentication (MFA) is deployed on all external entry points (cloud, Office365, VPN, etc.).