Vous êtes sur la page 1sur 2

G a p A s s e s s m e n t

Assessment & Compliance Services Division


847.221.0200 halock.com

Solution Overview
Solution Governance, oversight, and regulatory compliance are key to the success of an organization.
At-a-Glance: Setting expectations through policy, defined procedures, and underlying standards are critical to
secure confidential information assets.
 Fulfill regulatory and legal
requirements to perform
To identify and resolve the risks associated with the organizations information security program,
regular risk assessments of
the design of information
it should be assessed for adequacy and effectiveness.
security controls
Focused primarily on the design of the organization’s security controls, Halock will review the
 Identify gaps in policies, organization's documented information security policies, standards and procedures. Halock will
procedures, and standards
conduct interviews with key organization resources where documentation is unavailable or
that could result in regula-
otherwise deemed appropriate. The objective of the assessment is to ensure that the contents of
tory issues
the security program adequately address the requirements and intent of relevant compliance
 Determine if existing gov- frameworks and/or standards, such as ISO 27002 or other suitable security frameworks
ernance, risk management
applicable to the organization’s requirements.
practices, and oversight of
sensitive information han-
Each document will be reviewed in terms of overall content, consistency with other policies and
dling adequately protects
standards, effectiveness of specific language or terminology used, intended audience, methods of
the organization from breach
or incident communication to that audience, and methods of enforcement.

 Receive recommendations Halock will conduct interviews, as appropriate, with key individuals regarding security policies,
for continual improvement of procedures, and standards to collect required data for review. Halock can perform an in depth
the security program
analysis of the design and content of policies, procedures, and related standards, identifying
 ISO 27002 is referenced as applicability and compliance with security control objectives .
the default standard

ISO 27002 Framework : Pricing:

 High level reviews typically


Halock will review control objectives from the 10: Communications and Operations Manage- renage from $5,000 to
following ISO 27002 as part of the review: ment $7,000

 In depth reviews typically


4: Risk Assessment and Treatment 11: Access Control
range from $6,000 to
$10,000
5: Security Policy 12: Information Systems Acquisition, Develop-
ment, and Maintenance  Pricing varies based on the
6: Organization of Information Security level of available documenta-
13: Information Security Incident Management tion, number of business
7: Asset Management units, and additional stan-
14: Business Continuity Management dards mapped to documented
8: Human Resource Security controls
15: Compliance
9: Physical and Environmental Security

1834 Walden Office Square, Suite 150 * Schaumburg, IL 60173 * 847.221.0200 * www.halock.com
847.221.0200 halock.com

Gap Assessment: Scope Worksheet

The following review approach will be utilized:


COMPLETE REVIEW (In Depth)
SAMPLED REVIEW (High Level)
Halock will review available security documentation, typically consisting of the following items. Please indicate additional
documents that will incorporated into the review in the empty boxes:
Email Usage Policy Acceptable Use Policy
Email Usage Policy Firewall Configuration Policy
3rd Party Agreements Configuration Standards for Servers
Data Retention and Disposal Policies Privacy Policy
Change Control Procedures Server Hardening Standards
Security Awareness Program Data Handling Procedures
Monitoring and Auditing Procedures Business Continuity / DR Plans
Patch Management Procedures Configuration Standards
Daily Operational Security Procedures Data Backup Procedures / Offsite Storage

Halock will interview key resources, typically including the following roles. Please indicate additional resources that will
interviewed as part of this process:

CIO / CISO CFO Compliance Officer IT Director / Manager

Development Lead Systems Administrator HR Director Facilities Manager

ISO 27002 is referenced as the default standard for controls. Please specify additional standards (such as CobiT, FFIEC
guidelines, etc) that should be incorporated into the scope of review:

1834 Walden Office Square Suite 150 * Schaumburg, IL 60173 * 847.221.0200 * www.halock.com