eGlobalTech delivers Risk and Vulnerability Management solutions based on NIST’s Governance, Risk Management, and Compliance (GRC) Framework, applied at the three risk management tiers defined in NIST SP 800-39 according to organizational need:
- At the Tier 1 Organization level, we address risk by implementing a GRC Framework that ensures governance, risk management, and compliance activities and plans are integrated and aligned, avoiding conflicts, gaps, and wasteful overlap. We integrate this framework with program and project management processes (e.g., standard operating procedures) and develop a Unified Control Framework that crosswalks, categorizes, and consolidates all applicable security requirements, standards, and guidelines, including agency-specific requirements.
- At the Tier 2 Mission/Business Process level, we prioritize mission and business processes with respect to the organization’s goals and objectives. Working closely with stakeholders and enterprise architects, we develop an information protection strategy, which defines the degree of autonomy that subordinate organizations are allowed for assessing, evaluating, mitigating, accepting, and monitoring risk.
- At the Tier 3 Information System level, we assist with selecting and implementing the appropriate security controls as defined in NIST Special Publication 800-53 Rev. 4 (since superseded by Rev. 5), taking into consideration the SANS Top 20 Critical Controls, and including a plan for system-level Assessment and Authorization (A&A) on a continuous basis. We integrate information security and risk management activities throughout the system development life cycle in accordance with the NIST SP 800-37 Risk Management Framework (RMF), which enables a risk-based approach to security control selection and specification.
We integrate the Governance, Risk Management, and Compliance (GRC) Framework into the appropriate Standard Operating Procedures (SOPs) as a formalized and repeatable process to:
- Assess information system-related security risks
- Evaluate the significance of identified risks
- Identify appropriate risk mitigations
- Determine acceptable risk levels
- Describe risk monitoring approaches
- Document processes for ensuring risk mitigation implementation