SudoSecure uses the SANS 20 Critical Security Controls for Effective Cyber Defense as the overall framework for evaluating an organization's information security posture. The strength of the Critical Controls is that they distill the combined knowledge of practitioners across many organizations who have deep, first-hand knowledge of actual attacks and of the defenses that have proven effective against them.
Additionally, the 20 Critical Security Controls map to the ISO 27002 and NIST SP 800-53 control catalogs, which lets an organization turn compliance guidelines and requirements into concrete, operational measures to protect against, detect, contain and mitigate advanced threats. By using the 20 Critical Security Controls as an assessment framework, SudoSecure measures an organization's security posture in a repeatable way and provides a holistic view of the state of security within that organization.
Two Types of Assessment Offerings
The first offering is a gap assessment that compares your organization's current security stance against the detailed recommendations of the 197 sub-controls within the 20 Critical Security Controls. The assessment is carried out through a series of collaborative working sessions with key stakeholders, interviews with network and security staff, and in-depth reviews of your organization's security architecture, processes, procedures and policies.
This assessment type determines, for each control and sub-control, what has been implemented and where gaps remain. Because it is based on interviews and document review, it establishes the implementation status as described by your organization rather than testing the controls in operation.
The second offering adds comprehensive validation testing of each of the 20 Critical Security Controls within your organization's technology environment on top of the gap assessment.
This assessment type not only determines what has been implemented and where gaps remain for each control and sub-control, but also validates the operational effectiveness of the current implementation of the 20 Critical Security Controls within your organization's technology environment, so the findings reflect how the controls actually perform rather than only how they are documented.
Assessment Reporting and Deliverables
At the conclusion of the assessment, SudoSecure provides a comprehensive, detail-oriented post-assessment report that clearly identifies your organization's current state of implementation of, and compliance with, the 20 Critical Security Controls. The report also lays out a path forward for ongoing risk reduction and includes the following items:
- An executive overview summarizing the scope and outcome of the assessment
- Methodology detailing the extent of the assessment performed and the tools used
- The organization’s overall strengths and weaknesses identified during the assessment
- Detailed findings and recommendations for all 197 sub-controls within the 20 Critical Security Controls
- Risk-prioritized mitigation and remediation actions
- Risk versus effort analysis of proposed remediation actions for project planning
- Proposed enhancements to business practices that will further strengthen the organization’s risk posture