Cybersecurity Risk Exam Process
Reasonable cybersecurity practice for competitive advantage and avoiding unexpected damages.
Relevance
Last Review: April 26, 2021
Product(s): Cybersecurity Risk Exam
Author(s): Matthew Born
Delta
A cyberist created this article using the patented Delta Method by modernizing a typical approach.
Summary
An annually updated Cybersecurity Risk Exam is required by various state and federal laws for all businesses, with specific regulations for financial and professional service firms.
Reasonable cybersecurity practices provide competitive advantage by avoiding unexpected reputation damage and business disruption/loss, along with costly government penalties or imprisonment and civil litigation.
Unfortunately, many business owners are unaware of these laws or are willing to gamble their future.
The FTC also warns of the common Free Network Assessment Scam, in which unqualified service providers prey on unsuspecting businesses and steal information under the guise of identifying problems.
Requirements
- Administrative credentials to the Matrixforce Overwatch portal to manage clients.
- System Plan, redacted of Personally Identifiable Information (PII), which provides most questionnaire answers.
- Digital copies of existing policies and procedures, along with the systems and logs that verify or prove the stated policies and procedures.
- Digital copies of Business Associate, Cloud Provider, or Critical Vendor agreements and their Risk Executive Summaries or Business Compliance Verification.
- Employee Account List exported from Active Directory or Microsoft 365.
- Many organizations have no System Plan, little vendor information, and few policies or procedures. Top 10 policies are provided along with templates for dozens more.
- A Risk Exam produces the questionnaire answers, a Risk Plan, an Executive Summary, and a Work Plan of risk items ranked by severity to improve on each year.
- Eliminating all risk each year is not required, feasible, or practical. Rather, show some progress each year by reducing complexity, avoiding risk, and improving competitive advantage.
- Publishing the Executive Summary and Business Compliance Verification with the authority Delta logo and reference link is highly recommended; competitors don't have these and are unwilling to perform the exam.
- Depending upon preparedness and the explanation or discussion needed, the average total time for the process (not including finding, creating, or updating supporting information) is 90 minutes, split into three parts of 30 – 60 minutes each.
Administrator Organization Setup
- Log in to portal.pi-protect.com with administrator credentials.
- Click Manage Clients – Create and enter the Company Name.
- Click the Company Name, enter support@matrixforce.com, the website, and the e-mail domain, and Save.
- Click Products and select BPP, or HIPAA Compliance for healthcare.
- Click Directory Sync – CSV Bulk Upload and select Attachment. Each user will receive a welcome message; upload hints and a downloadable template are provided.
- Send management a brief e-mail announcement to edit as needed and forward to staff. It should state the intent to protect employees and customers, give the URL and the login steps (enter Email and click Forgot Password), and set a 2-week deadline with a specific date to complete the approximately 20-minute data breach training.
Preliminary Security Risk Assessment
- Log in to portal.pi-protect.com with administrator credentials.
- Click Manage Clients and Company Name.
- Click Documents, Other Documents from the pulldown, and New Other Document to upload a redacted System Plan.
- Click SRA, fill in Organization Profile, and answer known Questionnaire questions.
- Schedule a 30-minute meeting with the client to show portal options, answer the remaining questions, and recommend any contracts or other documents to upload, with an agreed deadline of no more than two weeks to submit.
Review Risk Assessment
- Log in to portal.pi-protect.com with administrator credentials.
- Click Manage Clients and Company Name.
- Click SRA and Submit for automated processing and third-party review within approximately 48 hours.
- Schedule a 30-minute meeting with the client and click SRA Report to review the Detail, Executive Summary, and Work Plan.
Follow-up
Clients will receive regular reminders concerning ongoing training and the annual risk exam. Clients are strongly encouraged to publish the Executive Summary on their website and, additionally, the Delta logo linked to Matrixforce as the less than 10% of businesses using Vetted IT Support