TIGIR's Assessment and Compliance Packages

NORA

NORA focuses on standards compliance and pre-certification. Name your standard or framework, and NORA guides you through the rest by tackling the conceptual and compliance layer of security controls for a given asset using NIST, ISO, SOC2, and CMMC requirements and principles. NORA prepares your company, its documentation and its maturity level for full certification or attestation by identifying the gaps and shortcomings that must be addressed.

The two key deliverables are:

  • Compliance Gap Assessment
  • Compliance Checklist

NORA Use Case – Perform and Report Compliance

Trigger: 123 Inc. wants to obtain their SOC2 I attestation to do more business in the public sector market. To save time and money, 123 Inc. wants an assessment of their current state in meeting SOC2 requirements, so they can internally shore up qualifying factors and maturity level to handle sensitive customer data. NORA performs the assessment on security, availability, processing integrity, confidentiality, and privacy, and reports the results and the checklist for closing the gaps in a two-part report: the Compliance Gap Assessment and the Compliance Checklist. NORA's report can then be used to operationalize those changes and later perform a compliance test for SOC2 II.

Preconditions: Bare minimum documentation, any level of maturity.

Phase: Exploration and Discovery

Asset type: All types

Performed by: TIGIR-supplied resource using the TIGIR platform or Customer-supplied resource using the TIGIR platform. Approximately 2 weeks of work effort.

Type: Deliverables based

NILA

NILA focuses on delivering security controls audits for any already adopted and/or implemented standard – NIST/ITSG-33, ISO, SOC2 and CMMC – extending to DevSecOps in new solution builds. NILA provides the controls audit and includes a cursory Statement of Sensitivity to ensure that the correct level of security for confidentiality, availability, and integrity is met by the required controls for the identified asset.

The two key deliverables are:

  • Security Controls Audit
  • Security Controls Strengths and Gaps and Rated Audit Recommendations

NILA Use Case – Perform and Report on Security Control Audit

Trigger: EIO Inc. wants to determine any gaps in their implemented security controls using NIST/ITSG-33, ISO, SOC2 or even CMMC. NILA performs the audit assessment on confidentiality, availability, and integrity, and reports the results and rated recommendations in a two-part report: the Security Controls Audit and the Rated Audit Recommendations.

Preconditions: Implemented and operational security controls of a particular standard

Phase: Requirements Analysis

Asset type: All types

Performed by: TIGIR-supplied resource using the TIGIR platform or Customer-supplied resource using the TIGIR platform. Approximately 2 weeks of work effort.

Type: Deliverables based

NEB / ULA

NEB/ULA focuses on full-service risk assessment and certification of a system or asset, and protection of its data, using NIST 800-53 and the CSF (including support for the NIST CA-8 control, and CSF v1.1, 18.2 and 20.x) by delivering comprehensive penetration testing.

The penetration testing element provides a penetration testing program that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks, depending on the target system and its data. This is in alignment with CSF v1.1 PR.IP-7, PF v1.0 PR.PO-P5, and IG2 and IG3. Further, it lays out regular external and internal penetration tests to identify vulnerabilities and attack vectors that could be used to exploit enterprise systems, and periodic Red Team exercises that test organizational readiness and response in identifying and stopping attacks.

The eight key deliverables are:

  • Organizational Attractiveness
  • Statement of Sensitivity
  • Security Controls Strengths and Gaps - Requirements and Controls Matrix
  • Evidence Guidance
  • Security Assessment Report
  • Target or Asset Penetration Testing and results
  • Penetration Testing Program and Schedule
  • Red Team Exercises Plan and Schedule

Simplified Risk Assessment: Straightforward rated reporting for compliance, risk, third party vendor risk, threat-modeling and system risk, and enterprise risk management processes.

Automated Controls Mapping and AI Exploration of CVEs

DevSecOps: Integrate compliance into DevSecOps processes and demonstrate compliance requirements across the product development and delivery life cycle stages.

Automated Evidence Identification: Plug-and-play automation to guide evidence collection and corrective action workflows.

Customize: Customize Terminology to suit your organization’s needs and culture.

NEB Use Case – UC1

Trigger: ABC Inc. needs a risk assessment performed on an external web-based SaaS in order to certify it for internal and remote use by their employees. The data being handled is sensitive and confidential, equivalent to GOC Protected A. NEB provides the risk assessment in compliance with NIST 800-53, the CSF and related security controls, delivered as the Statement of Sensitivity on its data, the Security Requirements and Controls Matrix, and assistance in collecting the evidence of those controls, all fully explained in the Security Assessment Report.

These results are stored as a record in the TIGIR platform that can be updated, reassessed and reported, compared with other assessments, and used to compile data in the event of a security breach on that asset at any time during the license period. This ensures the external web-based SaaS continues to meet the required security posture and that controls are continuously improved as required.

ULA Use Case – UC2

Trigger: MNL Inc. needs a risk assessment performed on an internally developed application used for performance management and customer tracking that is accessible by external customers as well as their internal salesforce.

ULA provides the risk assessment in compliance with NIST 800-53, the CSF and related security controls, delivered as the Statement of Sensitivity on its data, the Security Requirements and Controls Matrix, and assistance in collecting the evidence of those controls, all fully explained in the Security Assessment Report. These results are stored as a record in the TIGIR platform that can be updated, reassessed and reported, compared with other assessments, and used to compile data in the event of a security breach on that asset at any time during the license period.

Preconditions: Concept of Operations, Business Case, Needs Analysis

Phase: Requirements Analysis / Production and/or Operations

Asset type: All types

Performed by: TIGIR-supplied or Customer-supplied resource using TIGIR (approx. 2 weeks)

Type: License based / Ongoing assessment