IT and Information Security Assessments
IT and Information Security are complex.
If you are concerned about risk, wrestling with compliance requirements, or questioning your IT design, an IT assessment can provide clarity.
Mainstay’s assessments are designed to shine a light on your organization’s “current state,” provide proven guidance, and equip you with the knowledge to make the appropriate next decision. They go deep, combining the science of best practices with the wisdom of experienced leaders. Assessments are designed to be efficient and cost-effective.
Information Security Risk Assessment
Goal: Identify areas of risk, gaps to compliance, and overall status of Information Security and cybersecurity
Who it is for: Organizations with security concerns. A risk assessment is a requirement of most compliance frameworks for a reason: it is incredibly effective at finding vulnerabilities and gaps before they are exploited.
Approach: We combine a plethora of technical tests, simulated hacking techniques, and thorough investigations by Information Security professionals. Think of it like a home inspection – complete with crawling in the attic and checking every window lock.
Report: We present our risk rating, our findings, and our recommendations – communicated in the language and detail appropriate for the audience. Our clients find value in the education they receive, the clarity on what needs to be addressed today, and the consultative approach to the long-term path.
Outcome: You understand your risk and your options and are confident to navigate next steps.
Compliance Gap Analysis and POAM (Plan of Action & Milestones)
Goal: Understand how to meet a specific compliance requirement, such as CMMC (Cybersecurity Maturity Model Certification), HIPAA, NIST SP 800-171, ISO 27001, a client contract, or state law.
Who it is for: Organizations focused on meeting a compliance requirement and seeking a clear plan.
Approach: Our Information Security team’s combination of tools and experience allows us to assess with speed and pinpoint accuracy. We review policies, IT controls, and documentation to determine what is currently compliant, what needs work, and what is missing entirely. Then we prioritize and create a plan.
Report: We meet, review, and deliver a clear assessment on each compliance control, with our findings and recommendations. The process culminates in a clear Plan of Action & Milestones.
Outcome: Clear understanding of the work, cost, and options to meet compliance, tailored for you, along with a POAM to execute.
Goal: Review all aspects of IT (infrastructure, plans, budget, cybersecurity, and support) to provide a clear assessment of today and lay the building blocks for future planning.
Who it is for: IT leaders seeking a best practices review and a potential partnership between Mainstay and their IT staff. Also for organizations with uncertainty in IT design, decision making, and staffing.
Approach: We perform an array of cybersecurity tests and investigations, review the environment hands-on, assess the architecture, interview leaders, check disaster recovery, analyze budgets, and identify items at various levels of priority. We then discuss, consult, and synthesize that in plain English in a report and in collaborative meetings.
Report: Critical issues are clearly identified, along with all findings and long-range recommendations. It is all designed to be collaborative, focused on informing and equipping the organization’s leaders.
Outcome: Leaders over IT have clarity on how they compare against best practices, on risk level, whether their budget is appropriate, how IT is performing, and what to do about the findings.
Frequently asked questions about IT and Information Security Assessments
When should I consider a technology assessment?
Assessments are tools of clarity. You have a decision to make, but you are not sure how to make it, whether you have the knowledge you need, or whether it is even the right question. Assessments are useful because they give a clear picture, succinct options, and experienced guidance.
When the decision is clear (such as when you know that your IT service is subpar, and you must simply find a new partner for your organization), do not waste resources on an assessment. You must address the known issue, even if that solution is painful.
What type of technology assessment do I need?
There are 6 specific assessment types. The right assessment for you may be a hybrid combination, but it is still helpful to understand each type, as each is designed to supply the knowledge and guidance for a specific need:
| Assessment type | Who it serves | What it answers |
|---|---|---|
| IT & Information Security Assessment | Business leader (typically nontechnical) responsible for overall IT | How solid is our approach to IT – our infrastructure, cybersecurity, staffing, budgets, and plans? And what do we do to make it better? |
| IT Infrastructure & Information Security Assessment | Technical leader responsible for IT planning and staffing | Are we planning effectively? What are our biggest risk points? What best practices and new industry solutions should we be aware of? |
| | Business leadership responsible for risk | Considering all areas of risk, how likely are we to have a security incident? How impactful would it be? And how do we lower our risk and deal with security appropriately for our size and industry? |
| Compliance Gap Analysis | Business leadership responsible for contracts or risk | How do we become compliant with a known requirement (such as CMMC, HIPAA, or a contract)? Where are we today, where do we need to be, how do we get there, and how can we do it as easily and cost-effectively as possible? |
| | Information Security Leader / IT Leader | Now that we’ve invested in Information Security, how well does it defend against a skilled hacker, in real-world situations? |
| | Business leader | We have a specific question related to IT and Information Security, not well addressed in the other types, that we need answered, so we can make a wise decision. |
What about free IT assessments?
In the early years, Mainstay gave away assessments. One of us would come onsite, spend 1-2 hours looking over the infrastructure, run a couple of tools, listen for pain points, and then make recommendations.
Over time, we learned this was not always in our clients’ best interest. We stopped the practice and now advise against it.
Why? Because IT and Information Security decisions carry an enormous impact. What you decide to invest, what infrastructure you build, what partners you select, and what security protections you implement: these decisions will serve you or haunt you for years into the future.
The best way to make a wise decision is to know the facts and be guided by a voice of experience. And that takes time.
A cursory analysis (provided free, as part of a sales process) is simply not sufficient as it is neither thorough nor impartial.
How much should an IT assessment cost?
An assessment should be appropriately thorough and detailed, tailored to the upcoming decisions.
But it should leave the bulk of your resources available to invest in solutions. It should be a small percentage of the overall technology budget.
Question the value of any assessment that costs less than $5,000, unless the scope is tiny. And pause before investing multiple tens of thousands, unless it is for a very wide scope (or for a mid-market organization).
There is a sweet spot where an assessment is deep enough to illuminate the path forward, while being low-cost and pushing investments towards the work ahead. Again, ensure you know the goal – what decision is pending, for which you need data and guidance? And remember that an assessment is just the first phase in solving the problem.
How do I evaluate a potential firm for assessments?
1. Determine if their assessment fits your pending decision. Is it designed to solve your clarity problem? As noted above, there are multiple types of technical assessments.
2. Consider whether you only need an assessor, or whether you need a partner. If the assessment report includes pages of findings, do you have the resources and knowledge to address those findings well? If not, evaluate the potential assessor based on their overall capabilities and potential fit to help beyond the assessment.
3. Find out who will do the assessment and what current experience they have. Are they also in the trenches, working with the latest technology, helping organizations like yours to be successful? Any auditor can use a checklist to assess your organization. But a high-value assessment goes well beyond this. High-value assessments are done by experienced professionals who have direct experience making IT and Information Security successful. They tailor and guide your organization to a degree that a nontechnical auditor simply cannot.
4. Ask for references. The ideal firm will have experience in your industry (or a similar one), with organizations of a similar size (you want to be in their “ideal client” profile, rather than convincing a firm that normally works with a very different size of client to work with you). They will have many enthusiastic clients who will be happy to talk with you and describe their assessment experience.