WHAT WE DO
Cybersecurity and compliance programs require much more than just implementing an order, standard, or directive. They require a long-term vision to truly recognize the benefits of compliance and improved security, and the experience to advise through the challenges of change management, interpretation, implementation, adoption, performance, and validation. Imagine the benefit of working with a consulting firm that has assisted Critical Infrastructure organizations across the U.S. and Canada with IT and OT cybersecurity and compliance since 2008.
ITEGRITI is that firm. Our team has deep expertise gained through our work in protecting large-scale and distributed National Critical Infrastructure since compliance with the cybersecurity Standards first became mandatory. We are flexible, will easily integrate with your team, bring relevant best practices and lessons learned, and will deliver tangible results.
- Account management assessments: user, service, and privileged accounts
- Asset inventory and site walkdowns, change and configuration management
- Attack surface reduction: service, port, asset, and application rationalization
- Business continuity planning and testing
- Cloud security control assessments, shadow IT reviews
- Disaster recovery planning and testing
- Incident response and recovery: process, tools, and information
- Information protection: classification, identification, and storage
- Network security architecture design, segmentation, and redundancy
- NIST CSF Security Assessments
- Organizational change management
- Penetration testing and social engineering, security assessments
- Secure asset configuration and hardening, including IOT/IIOT
- Security patching: source and file validation and implementation
- Security training and awareness
- Supply chain management: policy and supplier assessments
Cybersecurity
To operate, organizations require the reliability of their information technology systems and IT/OT managed assets. Well-designed cybersecurity programs defend against and withstand most hacks but, despite best efforts, a motivated hacker will eventually break into a system they target.
What happens next depends on incident planning and preparedness. Cybersecurity Resilience builds on good cybersecurity programs by addressing demands for business continuity, information protection, and crisis communications.
-
How will business operations and customer service continue until the technology is restored?
- What did the hackers take, was sensitive data encrypted, and is it usable by these criminals?
- How, when, and what is communicated to leadership, employees, customers, and the community and by whom?
Compliance
Risks associated with cyber systems containing or controlling Critical Infrastructure, BCSI, CEII, CUI, PII and ePHI are growing as regulations mount, hacking tactics evolve, and bad press meets social media. The Federal Government and public demand protection of this information and assets, and these regulations can carry civil, operational and financial penalties. Companies are becoming keenly aware that compliance does not alone provide cybersecurity.
Many organizations are working to develop and support compliance cultures. Sustainable programs must be manageable, scalable, and transparent where compliance tasks are embedded with operational tasks and leadership is provided with timely and accurate information with which to make decisions. Internal audit programs must measure, monitor, and report the operational effectiveness of security controls.
Our team members served in operational, management, and auditor roles and have deep experience in regulatory compliance and affairs, internal compliance program development, cybersecurity, training development and delivery.
Program
- Program design and implementation (NERC CIP, TSA SD2, HIPAA, HITRUST, AFRMR, ITGC, etc.)
- Compliance assessments using recognized frameworks (NIST, ISO27K, NERC CIP, TSA SD2, HITRUST CSF, COBIT, etc.)
- Internal control design and implementation
- Audit program design and implementation
Audit Preparation
- Gap analysis with actionable recommendations
- Compliance package creation and review (e.g. RSAWS, narratives, cross-references, etc.)
- Mock audits
- SME/witness training and coaching
- Staff augmentation and support
Mitigation Activities
- Root causal analysis with corrective action recommendations
- Organizational change management
- Process design for key IT functions including account, asset, patch and change management
- Process design for measurement, management and reporting internal control effectiveness
Compliance
Risks associated with cyber systems containing or controlling Critical Infrastructure, BCSI, CEII, PII and ePHI are growing as regulations mount, hacking tactics evolve, and bad press meets social media. The Federal Government and public demand protection of this information and assets, and these regulations can carry civil, operational and financial penalties. Companies are becoming keenly aware that compliance does not alone provide cybersecurity.
Many organizations are working to develop and support compliance cultures. Sustainable programs must be manageable, scalable, and transparent where compliance tasks are embedded with operational tasks and leadership is provided with timely and accurate information with which to make decisions. Internal audit programs must measure, monitor, and report the operational effectiveness of security controls.
Our team members served in operational, management, and auditor roles and have deep experience in regulatory compliance and affairs, internal compliance program development, cybersecurity, training development and delivery.
vCISO
- Strategic planning, governance, and oversight
- Align security initiatives with business risks and objectives
- Technology advisory and steering committee – cybersecurity
- Impact analysis and planning – cybersecurity
- Technology and program reviews for M&A support
- External, independent IT audits (ITGC, AFRMR, etc.)
vCompliance Team
- Technology advisory and steering committee – compliance
- External, independent compliance audits
- Impact analysis and planning – compliance
- Compliance resource generation (risk and control mappings, updates to regulations, etc.)
- Vulnerability assessment
- Third-party vendor assessments
Workforce Support
- Perform background checks, personnel risk assessments (PRAs)
- Provide end-user training
- Manage and report user training
- Develop cyber security awareness materials
- Cybersecurity candidate screening, development, and pre-employment evaluation
Managed Services
Effective cybersecurity and compliance programs rely on key functional support from security and compliance managers having specific roles and experience. These professionals are in high-demand and not all organizations are staffed to meet these needs, while others divide and distribute tasks across many resources.
By establishing a key set of necessary tasks and developing a model where organizations can select services to meet their specific need and budget, ITEGRITI can provide ongoing compliance and cybersecurity advisory through our Virtual support models: vCISO, vCompliance Team, and Workforce Support. Our fractional resource models are designed to fit your need and budget.
GSD
GSDCompanies struggle with ongoing operational, cybersecurity, and regulatory compliance responsibilities. Recruiting, training, and retaining quality talent is difficult, but it can be even harder to find qualified and dependable consultants to ease the burden from:
- Having more projects or tasks than time or resources to manage
- Ever growing task lists that don’t seem to end
- Preparation activities for upcoming audits and reviews
- Dedicated resources to complete projects and task list items
- Independent, external IT, OT, HIoT, and compliance audits
- IT/OT asset inventory and physical walkdowns
- IT, OT, compliance process design, implementation, and training
- Management and oversight of “Shadow IT”, outsourced Cloud applications
- Organizational change management
- Recovery Plan, exercise design, planning, and facilitation
- Vulnerability Assessments
Case Study
An ITEGRITI client had a growing list of cybersecurity, compliance, process improvement, training and organizational change management concerns but lacked internal resources for timely completion of tasks. We reviewed the list with our client, identified dependencies and critical path, anticipated level of effort, and organizational priority. They contracted our team to lead and help complete priority items on their task list, working both independently and in collaboration with their employees, vendors, and other contractors.
ITEGRITI achieved internal and external timelines and has now completed over a dozen projects for this client supporting corporate compliance, IT compliance, CIP program management, enterprise applications, generation, transmission, renewables, critical infrastructure operations, cybersecurity, telecommunications, and physical security.
GSD
Companies struggle with ongoing operational, cybersecurity, and regulatory compliance responsibilities. Recruiting, training, and retaining quality talent is difficult, but it can be even harder to find qualified and dependable consultants to ease the burden from:
- Having more projects or tasks than time or resources to manage
- Ever growing task lists that don’t seem to end
- Preparation activities for upcoming audits and reviews
WHY ITEGRITI?
ITEGRITI designs an approach that follows the Plan, Do, Check, Adjust model. Our leadership team is involved in every project, including initial project advisory, scoping, and organization, and later through direct assignment or oversight roles. Our expertise includes:
- Experience in mandatory Critical Infrastructure and OT cybersecurity and compliance since 2008. Management, oversight, or service on over 300 projects in cybersecurity, compliance, and audit.
- Team members with deep experience across multiple disciplines:
- IT and OT operational experience with industry, Big 4 and large consulting backgrounds.
- Former regulatory auditors, and former compliance and enforcement regulator senior leadership.
- Advanced degrees, specialties in IT and cybersecurity: MBA, MS, and Doctoral levels.
- Multiple framework & methodology experience:
NERC CIP, TSA SD2, ISO27k, NIST (RMF, CSF, 800-37, 800-53, 800-171, NISTIR-7628), NRC 5.71, NEI 08-09, AFRMR, and COBIT. - Certified cybersecurity & compliance professionals:
CAP, C|CISO, CCNP-S, CDPSE, C|EH, CISA, CISM, CISSP, CRISC, FITSP-M, GCIP, HIPAA CHP, HITRUST CCSFP, MCSE, PMP, SABSA SCF, SASE.
- Planning and management of large, complex projects throughout the U.S. & Canada supporting Critical Infrastructure across healthcare, oil & gas, and electric sectors, supporting utilities, transmission, municipalities, cooperatives, and generation representing coal, natural gas, and renewables – wind, solar, hydro and geothermal.
RESULTS DRIVEN …
“Michael and the ITEGRITI team has partnered with us to advance and mature our cyber security capabilities across the technology that operates our critical energy infrastructure, in the midst of an evolving regulatory environment and threat landscape. ITEGRITI seamlessly integrated into our team, providing valuable industry expertise and practical solutions to imbed these new capabilities into the way we work at Duke Energy. Fantastic insights, tangible results. Thank you for the partnership!”
Brian Savoy
SVP, Business Transformation & Technology
Duke Energy Corporation
… EXPANDED SCOPE AND SCALE
ITEGRITI is pleased to announce that we entered a strategic partnership with HCL Technologies, combining their worldwide network of R&D, innovation labs and delivery centers, cybersecurity fusion centers, and 211,000+ ‘Ideapreneurs’ with ITEGRITI’s deep cybersecurity, compliance, and Critical Infrastructure expertise. Through this relationship, we can offer expanded remediation and implementation services.
