Our Approach

At Exact Cyber Security we don't believe that professional and effective cybersecurity consulting should put an undue burden on an organization. Our goal is to meet your business needs economically, with the specific outcome of mitigating cybersecurity risk based on your organization's risk appetite while at the same time reducing your attack surface. We are always assessing the cybersecurity industry and analyzing the threat landscape, including Advanced Persistent Threats (APT), common threat vectors, and potential vulnerabilities of networks and information systems that can be exploited. Our security professionals all hold industry-leading certifications and are experts in the cyber security / cyber risk mitigation field. We take a holistic approach to cybersecurity problems and address the full spectrum from top-level governance down to specific system-level security controls, while providing industry-standard and best-practice solutions to solve your security-related problems.

Our Services

Cyber Risk Assessment

A risk assessment is one of the fundamental components of an organizational risk management process. Effective cybersecurity risk assessments inform decision makers and support risk responses by identifying:

  • Relevant threats to organizations
  • Vulnerabilities
  • Impact or harm to organizations if a vulnerability was exploited
  • Likelihood that harm will occur

There are three tiers to a cybersecurity risk assessment.

  • Tier 1 is the organizational level. This is where we assess the governance (company policy), management activities, security framework(s) used and funding of a security program.
  • Tier 2 is the business process level. At this level we look at how the IT infrastructure is used on a daily basis and the overall IT enterprise architecture.
  • Tier 3 is the system level. At the system level we look at specific system-level security controls, how they are implemented, their effectiveness and how they are monitored.

The outcome will be a detailed executive report of all 3 tiers with findings identified as high risk, moderate risk and low risk, along with recommendations to mitigate those risks. The foundation of our cybersecurity risk assessments is derived from the National Institute of Standards and Technology (NIST) Special Publication 800-30, Guide for Conducting Risk Assessments.

Application / System Security Assessment

Our Application and System level Security Assessment provides a deep dive at the local system level to identify misconfigurations and exposed vulnerabilities which may lead to a compromise of user data and/or privacy information. Additionally, we investigate open ports and the services running on those ports, and ensure they are working as intended with the least amount of functionality needed to accomplish their purpose. Finally, we look at internal and external connections and ensure they are functionally needed and operate in a secure state.

Policy Development / Governance

The foundation of an effective cybersecurity program is governance through executive-directed, company-wide policies and department-level procedures. Depending on the framework used, or the compliance initiative you are trying to meet, our policy development can be tailored to meet your specific needs (FISMA, Risk Management Framework, NIST Cybersecurity Framework, PCI-DSS, ISO 27K, SOX, SOC 2, GLBA, COBIT, HIPAA, etc.).

Benefits

  • Cost per hour or per engagement
  • Thoroughly researched
  • Management coordination
  • Framework and/or compliance initiative focused

Contingency Planning

Businesses today rely heavily on their IT infrastructure to meet their needs for daily operations. Sometimes components of the IT infrastructure fail, or systems become infected with malware. Having a robust, well-tested contingency plan will ensure a smooth transition to a backup capability. We can help with the development of business continuity planning and specific disaster or system recovery plans (communications failures, natural disasters, etc.).

The model for our contingency planning is based on the NIST 800-53 Contingency Planning security controls and NIST 800-34, Contingency Planning Guide.

Specializing in:

  • Overarching Policy
  • Plan Development
  • Business Impact Analysis
  • Checklist Development

NIST Cybersecurity Framework

More organizations are implementing the NIST Cybersecurity Framework to aid in their cybersecurity efforts and comprehensively address risk within the organization. The Framework is broken down into 5 major functions.

  1. Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
  2. Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
  3. Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
  4. Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
  5. Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

Our experts are fully prepared to help your organization establish and maintain the Cybersecurity Framework by implementing industry-standard best practices geared to the specific outcome of reducing your cybersecurity risk.

Risk Management Framework

The Risk Management Framework (RMF) is a requirement for the DoD, and some Federal Agencies have also adopted this framework. The RMF is a well-developed process broken down into 6 steps.

Steps

  • Step 1 – Categorize the System (CNSSI 1253 or FIPS 200)
  • Step 2 – Select Security Controls
  • Step 3 – Implement Security Controls
  • Step 4 – Assess Security Controls
  • Step 5 – Authorize Information System
  • Step 6 – Monitor Security Controls

The RMF mirrors portions of the System Development Lifecycle (SDLC), so taking a hand-in-hand approach from system inception to disposition when applying the RMF will ensure your organization is taking the necessary steps required for a robust cybersecurity posture. We use NIST 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, and the Committee on National Security Systems Instruction 1253 (as required).

Let our professional team of RMF experts guide you through the process.

FISMA Compliance

The Federal Information Security Management Act (FISMA) was signed into law as part of the Electronic Government Act of 2002. FISMA compliance is outlined by the National Institute of Standards and Technology (NIST) as a 9-step process.

  1. Categorize the information to be protected (FIPS 199)
  2. Select minimum baseline controls (FIPS 200 and NIST 800-53)
  3. Refine controls using a risk assessment procedure
  4. Document the controls in the System Security Plan (SSP)
  5. Implement security controls in appropriate information systems
  6. Assess the effectiveness of the security controls once they have been implemented (NIST 800-53A)
  7. Determine agency-level risk to the mission or business case
  8. Authorize the information system for processing
  9. Monitor the security controls on a continual basis

Let our professionals guide you through your organization's FISMA compliance requirements.

DoD Information Assurance Matrix Compliance

Many DoD contracts that outsource IT services to private industry come with a wide range of Information Assurance security requirements. Currently there is a transition from the old Defense Information Assurance Certification and Accreditation (DIACAP) process to the newer DoD implementation of the Risk Management Framework (RMF). Today there are still some legacy information assurance requirements (IA Matrix) used in DoD contracts. The requirements are outlined based on the Mission Assurance Category (MAC) levels I, II, III, with MAC I being the most secure set of controls to ensure confidentiality of information systems.

The security controls used in the DIACAP process stem from an outdated and rescinded DoD Instruction (DoDI 8500.2). DoDI 8500.01, updated as of March 2014, implements the RMF and uses the Committee on National Security Systems Instruction 1253 (CNSSI 1253) for system categorization and security control selection. The security controls are documented in the National Institute of Standards and Technology Special Publication 800-53 revision 4 (NIST SP 800-53r4).

Let our professionals guide you through your organization's DoD IA compliance requirements.

ISO 27001 Compliance

This international standard provides a well-rounded approach to cybersecurity. Like most other compliance standards, ISO 27001 covers the managerial side with policy and procedures all the way down to the technical implementation of security controls on systems and devices.

Let our experts help you navigate and implement your organization's ISO 27K compliance requirements.

Custom Solutions

If any of our predefined solutions don't exactly meet your needs, please contact us to work out a custom solution. We are always flexible to meet organizational needs and requirements.