Information Security & Compliance

Revised Aug 11, 2024

CyberSecOp LLC implements safeguards compliant with NIST Cyber Security Framework and ISO27001. CyberSecOp ensures best practices to provide security, integrity, and confidentiality to covered data, information, systems, and assets. All employees understand and are under a Non-Disclosure Agreement (NDA) to ensure protection against data leakage. CyberSecOp is also a proud CMMC Registered Provider Organization (RPO).

Overview

CyberSecOp LLC has implemented a security program covering policy and control that complies with NIST CSF and ISO 27001. As a technology firm, we have multiple controls safeguarding our information technologies and complete third-party testing of all external and internal endpoints every six months to ensure the safeguards in place are working as they were meant to.  

Implement Safeguards:

 Data Protection: 

  • CyberSecOp has implemented an information security program in compliance with NIST CSF and ISO 27001, including data privacy.

  • CyberSecOp has implemented risk management and data management, including vulnerability and penetration testing of endpoints.

  • CyberSecOp has implemented the following monitoring and auditing tools that are managed and monitored by our 24/7 security operations center: Data loss prevention (DLP), Security information and event management (SIEM), and Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), Mobile device management, Cisco Umbrella for DNS filtering, and Google for email protection and archiving.

  • CyberSecOp uses NextGen firewall and antivirus with machine learning capability.

  • CyberSecOp has implemented disaster recovery, incident response, and business continuity procedures that are tested at least once a year.

  • CyberSecOp has an in-house security team that includes a Chief Information Security Officer.

Authentication and Identity:

  • CyberSecOp has implemented multi-factor authentication on all endpoints

  • CyberSecOp uses a Microsoft centralization authentication system, which is monitored by our SOC Team

CyberSecOp utilizes a risk-based framework to identify, inventory, and manage assets consistent with their relative importance and risk.

Information Protection Compliance:

CyberSecOp uses a risk-based approach to implement, assess, and monitor the necessary policies, processes, and procedures to comply in good faith with all applicable legal and regulatory obligations related to information protection.

Information Protection Program Governance:

CyberSecOp uses a risk-based approach to implement, assess, and maintain an information protection program focused on information and technology risk. It is tailored to CyberSecOp, and consistent with its risk tolerance and strategy.

Information and Technology Risk Management:

CyberSecOp utilizes a framework using a risk-based approach to identify, assess, and prioritize information and technology risks, allocating resources to risk treatment plans to monitor and control the probability and impact of events to CyberSecOp’s operations to a level consistent with its risk tolerance and strategy.

Account Management and Permissions

CyberSecOp utilizes a risk-based framework to manage the accounts' lifecycle and their permissions so that access to information and technology is secure and based on business needs.

Awareness and Training:

CyberSecOp uses a risk-based approach to provide initial and continued and measured training to enable its employees’ users to understand and carry out their information protection-related responsibilities.

Capacity, Performance & Maintenance:

CyberSecOp makes reasonable efforts to utilize a framework using a risk-based approach to implement, assess, and maintain the capacity and performance of technology as well as perform periodic and timely maintenance for availability.

Change and Configuration Management:

CyberSecOp utilizes a risk-based framework to implement, assess, and maintain baseline configurations and implement changes to technology in a controlled manner.

Information Security:

CyberSecOp utilizes a risk-based framework to implement, assess, and maintain an information governance program that includes how CyberSecOp protects information. 

Identification and Authentication:

CyberSecOp uses a risk-based approach to uniquely identify users and devices and verify the identities of these users and devices before allowing access.

User Activities and Sanctions:

CyberSecOp utilizes a risk-based framework to provide users with acceptable and unacceptable behaviors when using information and technology and enforce sanctions when deemed necessary.

Physical and Environmental Security:

CyberSecOp utilizes a risk-based framework to limit and manage physical access to technology, equipment, and work environments to authorize individuals and protect technology against physical and environmental hazards.

Secure System Development Lifecycle:

CyberSecOp utilizes a risk-based framework to configure, develop, and secure technology as part of its system development life cycle.

Vendor Management:

CyberSecOp uses a risk-based approach to implement, assess, and maintain a vendor management program that includes how CyberSecOp assesses threats and monitors vendor information and technology risk.

Vulnerability Management and Flaw Remediation:

CyberSecOp utilizes a risk-based framework to implement, assess, and maintain a vulnerability management program that identifies technology vulnerabilities and acts on any discovered flaws according to risk.

Cloud Security:

CyberSecOp utilizes a risk-based framework to implement, assess, and maintain technical and administrative safeguards to protect information and technology in the cloud.

Internet of Things Security:

CyberSecOp utilizes a framework using a risk-based approach to secure technology embedded with electronics and software which enables these items to connect and exchange information.

Mobile Device Management:

CyberSecOp utilizes a risk-based framework to control and protect technology and information accessed by mobile devices.

Network Security:

CyberSecOp utilizes a risk-based framework to implement, assess, and maintain technical and administrative safeguards to protect its internal network.  

Perimeter Security:

CyberSecOp utilizes a risk-based framework to protect information and technology from outside threats by creating and managing an appropriate perimeter.

Remote Access Technology:

CyberSecOp utilizes a risk-based framework to implement, assess, and maintain technical and administrative safeguards to provide secure remote access.

Server Security:

CyberSecOp utilizes a risk-based framework to implement, assess, and maintain technical and administrative safeguards to protect its servers.

Workstation Security:

CyberSecOp utilizes a risk-based framework to implement, assess, and maintain technical and administrative safeguards to protect its workstations.

Telecom Security:

CyberSecOp utilizes a risk-based framework to implement, assess, and maintain technical and administrative safeguards to protect telecommunications.

Wireless Security:

CyberSecOp utilizes a risk-based framework to implement, assess, and maintain technical and administrative safeguards to protect its wireless networks and connections.

Continuous Monitoring and Correlation:

CyberSecOp utilizes a risk-based framework to implement, assess, and maintain a continuous monitoring plan that allows CyberSecOp to identify suspicious activities and/or trends.

Incident Response:

CyberSecOp utilizes a risk-based framework to implement, assess, and maintain incident handling and response capabilities, including identifying, containing, eradicating, and recovering incidents.

Business Continuity:

CyberSecOp utilizes a risk-based framework to implement, assess, and maintain a business continuity plan that allows CyberSecOp to operate with minimal downtime or service outage.

Disaster Recovery:

CyberSecOp utilizes a risk-based framework to implement, assess, and maintain a disaster recovery program that allows it to minimize downtime and recover its information and technology to support critical processes after the declaration of a disaster event.