- Vulnerability & Cyber Security Assessments
- Penetration Testing
- VISO Virtual Information Security Officer
- Social Engineering & Physical Security Testing
- ISO Training and Support
- Enterprise Risk Management
- IT Audit
- SOC1/SOC2/SOC3/SSAE 19
- HIPAA Risk & Security Assessment
- IT Security Policy Development
- Technology Infrastructure Assessment
- Business Continuity Planning
- Vendor Management
- SCADA & ICS Security & Compliance
Megahertz's Vulnerability & Cyber Security Assessments provide a complete evaluation of existing and potential vulnerabilities within your organization with the end result of improving your security posture. The evaluations are designed to proactively identify and prevent the exploitation of any existing IT vulnerabilities.
Our main objective is to identify cybersecurity weaknesses and test how far a potential exploit could compromise your network. We also test your organization's security policy compliance, the effectiveness of your employee security awareness training program, and your ability to identify and respond to cybersecurity incidents.
Megahertz's security experts conduct real-world attacks to determine your security weaknesses. Our extensive knowledge of the most current attack vectors, along with our experience in the financial services, insurance, healthcare, and utility industries, will provide you with the assurance and confidence you need to concentrate on your business rather than on your network security.
Megahertz’s penetration testing consists of:
- Gathering information about the target before the test (reconnaissance),
- Identifying possible entry points,
- Attempting to break in, and
- Reporting back the findings.
Can't afford a CISO? Why not "rent" one?
Large companies can afford a full-time Chief Information Security Officer (CISO) to help drive the security strategy and assess risk, but what do smaller companies do? How do you set a strategy, given the large number of solutions that are available to secure different parts of the network when you can't afford to hire a full-time person for this critical role? Many organizations are turning to our VISO™ program, and are benefitting from engaging with a true security professional without incurring the cost of a full-time resource (that's often difficult to hire).
ISO Mentoring and ISO Outsourcing
We offer two unique programs to fulfill the needs of your organization.
1. Our VISO™ Mentoring Program fills the education gap by providing mentoring and oversight for the individual who is the organization’s designated ISO.
2. Our complete VISO™ Outsourcing Program provides you with a Megahertz security professional who serves as an extension of your business and is responsible for the development, implementation and management of your organization's corporate security vision, strategy and programs.
Watch your phishing and fraud susceptibility drop, while your ROI goes up
Your employees are frequently exposed to sophisticated phishing and ransomware attacks. More than ever, your users are the weak link in your network security. Megahertz's social engineering assessment and physical security testing involve a comprehensive set of security tests designed to establish the current state of security awareness among your organization's personnel and to determine gaps in policy, procedure, enforcement and security awareness training.
Security is an ongoing process, whereby the condition of an organization's controls is just one indicator of its overall security posture. Through Megahertz's ISO Training & Support Services, Megahertz will assist your information security officer to ensure an appropriate information security program is in place.
Our ISO program focuses on:
- Security process
- Information security risk assessment tools
- Information security strategy development
- Security controls implementation
- Security monitoring program development
- Security process monitoring and updating
- Security reporting
Successful Enterprise Risk Management (ERM) must expand beyond individual risk silos to create an integrated enterprise-level risk management framework that views all risk holistically. At Megahertz, we take a holistic approach to risk management by developing strategies to mitigate risks at an enterprise level across the entire organization. Rather than each department managing its own channels and risks separately, which drives up costs, we'll work with you to make well-informed risk management decisions that justify expenditures.
Our risk management services encompass several options:
- Gap Analysis – Evaluation of your existing Risk Management Program against industry regulatory requirements and best practices.
- Risk Assessment – We'll identify vulnerabilities in your IT systems, assess the likelihood and potential impact of threats, and assess the sufficiency of controls to mitigate risks.
- Risk Mitigation – We'll prioritize, evaluate, and implement the appropriate risk-reducing controls recommended from the risk assessment process.
- Assurance & Support – We'll help you periodically update your Risk Management Program by identifying new risks and designing new risk-reducing controls.
- Monitoring Systems – We'll help you design a monitoring system that ensures the success of your Risk Management Program. With metrics and monitoring criteria, you'll be able to identify critical success factors as well as respond to any weaknesses identified.
Megahertz has both the knowledge and the experience in IT audit to help you comply with internal, external, and regulatory audit requirements.
We also offer:
- IT Audit Testing Support
- IT Audit Deficiency Remediation
- IT Audit Program Design and Review
- Audit Automation Software Implementation and Configuration
- IT Audit Training
- NACHA ACH Compliance Audit
We conduct our IT audits in accordance with standards provided by both ISACA and the IIA for planning, fieldwork, and reporting, and have in-depth knowledge of IT systems, controls, and processes.
The continued rise in cyber attacks and resulting regulations have made the controls surrounding the protection of data a primary concern for the Board of Directors. As a result, vendor management practices now require that a SOC 1 and often a SOC 2 be performed.
Megahertz has expert knowledge in SOC 1, 2, and 3 requirements and can help you decide what type of review should be performed. Based upon your operating environment, we can help you decide what trust principles should be reviewed, as well as what assurances you need from vendors to whom you subcontract. We can also share insight on what your customers' auditors are looking for.
Megahertz can help with:
- SSAE 18 SOC Type I and II Review in accordance with AICPA SSAE No. 16; reporting on controls at a service organization.
- SOC 2, Type I and II Review in accordance with AICPA Standards AT 101; attestation engagements and the AICPA guide, reporting on controls at a service organization relevant to security, availability, integrity, confidentiality, or privacy.
- SOC 3 Review in accordance with AICPA Standards AT 101; attestation engagements and the AICPA technical practice aid, trust services principles, criteria, and illustrations.
To conform with HIPAA-HITECH, covered entities and business associates must develop, implement, and enforce a comprehensive program that includes administrative, physical, technical, and organizational safeguards for the organization as well as those attributes related to business associates.
In addition to conforming with HIPAA safeguards, organizations are responsible for taking steps to ensure that their affiliates and service providers (collectively, Business Associates, bound by Business Associate Agreements (BAAs)) safeguard the customer information in their care.
Our HIPAA risk assessment includes:
- Risk analysis and management (administrative, physical, technical, & organizational)
- Security and privacy training
- Physical security of facilities and mobile devices
- Off-site access and use of ePHI from remote locations
- Storage of ePHI on portable devices and media
- Disposal of equipment containing ePHI
- Business associates and contracts
- Data encryption
- Virus protection
- Technical safeguards in place to protect ePHI
- Monitoring of access to ePHI
- Network vulnerability scan
- Policies, procedures, and practices with regard to security, privacy and information technology
Megahertz has expert knowledge in BSA/AML regulations and is here to help you develop one or more of the requirements for a comprehensive BSA/AML Compliance Program. All institutions must now develop, implement, and maintain an effective BSA/AML Program that addresses the changing strategies of money launderers and terrorists.
Megahertz's BSA/AML Services include:
- Risk Assessment – Evaluation of the Risk Assessment against requirements (required as part of the overall BSA/AML Compliance Program).
- Reportable Transactions Monitoring and Reporting Assessment – Evaluation of the completeness, timeliness, and accuracy of SARs, CTRs, and CTR exemptions reporting. Results of this assessment can also drive opportunities for a BSA Validation Assessment as defined below (required as part of the overall BSA/AML Compliance Program).
- Customer Identification Program (CIP) – Evaluation of the CIP Program (required as part of the overall BSA/AML Compliance Program).
- System Validation Assessment – Evaluation of the processing integrity and security of the BSA System based upon its configuration.
- Compliance Program Assessment – Evaluation of all program components, which include all of the above as well as internal controls, independent testing, the assignment of responsibilities, and periodic training.
- OFAC Risk Assessment – Assessment of OFAC risks and the controls in place.
At Megahertz, we'll help you determine the elements you need to consider when developing and maintaining an information security policy. We'll design a suite of information security policy documents to cover all information security bases, which can be targeted at specific audiences such as management, technical staff, and end users.
An IT security policy should:
1. Protect people and information
2. Set the rules for expected behavior by users, system administrators, management, and security personnel
3. Authorize security personnel to monitor, probe, and investigate
4. Define and authorize the consequences of violations
5. Define the company consensus baseline stance on security
6. Help minimize risk
7. Help track compliance with regulations and legislation
8. Ensure the confidentiality, integrity, and availability of the organization's data
9. Provide a framework within which employees can work, serve as a reference for best practices, and help ensure users comply with legal requirements.
As a part of the PCI DSS compliance process, most organizations are wise to assess their readiness prior to an official audit. It is an extremely valuable exercise that puts your organization in the best possible position for a successful audit and a sound security program. But finding vulnerabilities is only the first step toward addressing associated risks. Addressing these risks with a sound remediation roadmap is arguably the most critical step in the process.
Megahertz can perform an initial PCI gap analysis to review your IT infrastructure, network design, application architecture and policies to help you identify any gaps between your current security posture and PCI requirements. Megahertz's comprehensive enterprise security solutions provide the products and services necessary to comply with the PCI DSS, assess the ongoing security of your cardholder data environment, and protect your network against security breaches. We simplify PCI DSS compliance and security with flexible options that meet your specific needs and protect your business.
Megahertz’s IT Infrastructure Consulting provides secure, reliable, scalable designs that take advantage of your existing LAN/WAN and Voice assets while planning for growth. Our services extend beyond traditional network design services, providing proven solutions with our strategic partners to also help meet regulatory compliance requirements.
Megahertz, as your trusted partner, can help you:
- Enhance the business value of IT investments through alignment between IT initiatives and business strategies.
- Develop an investment portfolio clearly allocating resources to highest business value opportunities.
- Achieve operational efficiencies and the competitive edge over peer organizations.
- Manage overall cost, deliver more, and enhance client satisfaction.
- Shift the IT organization's role from simply executing business requests to creating business value.
- Simplify the environment and leverage both emerging technologies and legacy investments as and where appropriate.
- Shift IT spend toward adding new capabilities and strategic initiatives and reduce the money spent on legacy systems.
Organizations must make disaster planning a top priority if they are to prevent data loss and maintain business continuity in times of crisis. Unfortunately, day-to-day operations too often usurp the time that IT professionals might otherwise devote to critical disaster planning efforts. If your organization has no Business Continuity Plan, or has one that is outdated, Megahertz's Certified Business Continuity Planners (CBCP) can aid in developing one.
The process is simple:
1. Business Impact Analysis (BIA) – A BIA allows you to develop an understanding of how tolerant a business process is of disruption, how supply to the process is affected, and the ability of resources to deliver on their commitment to support the process during a loss of service.
2. Technology Strategy – Designing an appropriate network with a just-right balance of technology, manual human intervention and budget is key to success during this phase.
3. Documentation – Having documentation that contains not only a business resumption plan at an enterprise level but also individual departmental recovery procedures will cut your losses dramatically.
4. Testing – Testing your plan regularly, and adjusting the documentation and procedures after every test and after every system change or update, is critical to successful execution of your plan in a time of crisis.
To properly mitigate risk, institutions should have a comprehensive Outsourcing Risk Management Program to govern the risks posed by technology service providers (TSPs). This Program includes:
- Risk assessment and requirements definition – risks associated with the functions outsourced, location of the IT vendor, and the technology are identified and assessed.
- Selection – requirements are defined in a formal RFP and due diligence is performed for each TSP.
- Contract Review – the contract is reviewed for adequate and measurable service level agreements and appropriate clauses (right to audit, confidentiality, etc.).
- Monitoring – the relationship is monitored through key service level agreement metrics and an internal process is created for the review of TSP SSAE16 and SOC 2 reports.
- Cloud Relationships – the type of payment, service, and deployment model is chosen and the inherent risks associated with the model are mitigated through appropriate controls.
Megahertz provides an Outsourced Vendor Management Program Development/Assessment (FI) to develop and/or assess a Program that is usually part of the overall Vendor Management Program aligned with the FFIEC Handbook. Our Outsourced Vendor Management Requirements (TSP) service provides consultation to third-party service providers in meeting FFIEC requirements.
Protect SCADA devices from threats and cyber attacks
Utility, oil and gas, alternative energy and manufacturing organizations require the ease of remotely controlling and regulating SCADA and other industrial control systems, but the advancements in connectivity and information technology also increase their exposure to inside and outside threats.
For example, many different stakeholders, such as accounting, maintenance, and purchasing departments, require real-time access to the data generated by the SCADA software. And many, if not most, SCADA platforms that communicate across Internet and wireless networks don't have the necessary tools to protect themselves, making these systems especially vulnerable to cyber attacks.
While the number of attacks against critical infrastructure is increasing, many organizations that provide critical infrastructure are not as prepared as they should be to deal with cyber threats, employee negligence or third-party risks. Additionally, the sheer volume of intrusions attempted against SCADA systems every day creates the possibility that a cyber attack could penetrate the defensive systems in place on many networks.