TURNKEY INFORMATION SECURITY & COMPLIANCE SOLUTION
The Turnkey Information Security & Compliance (TISC) program is designed to bring clients into compliance with DFARS 204.73 rapidly and at the lowest cost possible. It was designed and developed by Imprimis based on years of experience bringing clients into compliance, and utilizes detailed packages and databases developed by Imprimis based on real-world experience.
The normal progression of compliance is shown in Figure 1. It begins with assessing the system and the organization and identifying the actions required to bring the organization into compliance. This is followed by the development of a remediation plan and budget, along with the development of a System Security Plan (SSP). These two phases of the process tend to be very labor intensive. The remediation is usually spread over a long period of time for two reasons. First, the governance program, which requires the development of policies and procedures, is very difficult to accomplish and extremely labor intensive.
FIGURE 1 - Normal Compliance Progression (Assessment or Gap Analysis; Plan of Action & Milestones (POA&M); System Security Plan (SSP))
The second reason is that implementing security core competencies and controls can disrupt the normal operation of the organization and therefore must be done at times when this impact can be minimized. Once remediation is completed, most organizations tend to “let up,” having achieved their goal, and do not carefully tend to compliance sustainment, that is, remaining in compliance. This leads to compliance “porpoising”: surging into compliance with great effort, then rapidly falling out of compliance, and repeating the process as needed. This is particularly true for smaller organizations that do not have dedicated staff.
Imprimis has developed a process for smaller organizations that do not have dedicated staff that both achieves compliance and supports them throughout sustainment. This process is referred to as the Imprimis Turnkey Information Security & Compliance or TISC. The flow of TISC is shown in Figure 2.
This flow allows the organization to achieve and sustain compliance in the least amount of time and for the least cost. The single greatest cost in compliance is labor, both internal and external. The turnkey model minimizes both categories of labor and sets up the sustainment activity as well. Because these are bid as fixed-price-completion projects, the uncertainty about the “real” cost is removed.
It is important to note that the turnkey approach works for organizations that need to comply with various standards, and it also applies to organizations that do not need to comply with a standard but want to establish a good cybersecurity program. Imprimis offers the CyberStart™ program for such organizations, providing a turnkey project that transforms the organization’s cyber profile to one employing best practices and supports the organization in obtaining the proper cybersecurity insurance to round out its risk management program.
FIGURE 2 - Turnkey Security & Compliance Flow (Security Core Competencies; Network Security (Cloud/Virtual); Assessment & Final Documentation)