Find Vulnerabilities

To achieve regulatory compliance you must know your weaknesses.


Call (832) 730-2850 to get started.

Finding vulnerabilities in your environment is part of any cybersecurity risk assessment process. You can't fix what you don't know. Whether or not your agency qualifies for a Limited Exemption, you need to know what weaknesses exist so you can make informed decisions about risk avoidance, mitigation, acceptance or transfer.

PLAN - PRICE

Description

Cybersecurity Risk Assessment

$3499

$3324 for BIG I Members!

What is the Cybersecurity Risk Assessment?

Quick Explanation:

  • The Cybersecurity Risk Assessment is focused on identifying and documenting exploitable vulnerabilities in your information systems.

Detailed Explanation:

  • Developed in cooperation with BIG I New York, the Cybersecurity Risk Assessment is a lot like its big brother - the Vulnerability Assessment - but is more affordable and designed specifically for agencies that qualified for a Limited Exemption. It is a technical risk assessment of your systems, network and policies that is focused on finding and documenting exploitable vulnerabilities (vulnerabilities that are accessible to an intruder). The Cybersecurity Risk Assessment complies with and satisfies Section 500.09 of the NY state regulation (23NYCRR500).

We designed this service because the law does not require agencies that qualify for a Limited Exemption to conduct Vulnerability Assessments (VA), yet they still need to identify vulnerabilities in their systems. The Cybersecurity Risk Assessment provides these agencies with access to the critical elements of a VA and a path to regulatory compliance without the additional cost.

What's included?
  • Technical assessment performed by government-trained, cybersecurity experts.
  • Phone consultation to review the results.
  • PDF report with findings, severity ratings and an actionable remediation plan.
  • Access to online cybersecurity portal which serves as a one-stop-location for tracking progress, viewing findings and storing and downloading documents. We also provide content via your portal on various cybersecurity topics to elevate your education and awareness.
  • At the conclusion of a Risk Assessment you can be confident that exploitable vulnerabilities have been documented, with a strategy to remediate them.
Who should purchase this service?

Agencies that have qualified for a Limited Exemption under Section 500.19 of the NY Cybersecurity Regulation, who have a network infrastructure with 5 or more employees and who want to become compliant.

Why should I purchase this service?

Cybersecurity is good business and you will gain peace-of-mind as a business owner that enables you to stay focused on what you do best. Further, Section 500.02 of the regulation requires all agencies (including Limited Exempt agencies) to maintain an adequate cybersecurity program that is kept up to date by a periodic risk assessment per Section 500.09. The purpose of the risk assessment is to inform your decision-making process, jump start, enhance or update your cybersecurity readiness program, identify critical vulnerabilities that could damage your business if exploited and to help you achieve regulatory compliance.

There are only two of us in my business, what do we do?

Glad you asked! We created the Simple Cyber services just for you. If you operate a really small insurance agency, with fewer than five computers and no network infrastructure, you do not need to bear the higher costs of our risk assessment, but you are still required to secure your systems. Simple Cyber is an IT service that gets right to the heart of the matter by patching (updating) your operating systems, ensuring your email is configured as securely as it can be and ensuring that your firewall is properly configured (if you have one).

Why can't I just do a self-assessment?

A self-assessment (such as a "questionnaire") is the equivalent of self-diagnosing a medical condition that truly requires a doctor's expertise. You are highly likely to misdiagnose or completely miss critical facts due to your own lack of expertise. This will lead to preventable and unnecessary risk that could damage your ability to conduct business. Many small businesses close their doors for good in the months following a data breach. This doesn't have to happen to you.

Vulnerability Assessment

(cost dependent upon scope)

5% DISCOUNT for BIG I Members!

What is a Vulnerability Assessment?

Quick Explanation:

  • A Vulnerability Assessment is focused on identifying and documenting vulnerabilities that are present and/or exploitable on your information systems through an exhaustive, detailed analysis.

Detailed Explanation:

  • Typically the starting point for cybersecurity services, a Vulnerability Assessment, or VA, aims to identify and document all vulnerabilities in your organization. It is an in-depth technical assessment of your systems, network infrastructure and policies, performed by skilled experts, that satisfies and complies with Section 500.05(a) of the NY state regulation (23NYCRR500). A VA also includes other features such as planning, threat modeling, engagement customization, validation against false positives, assessment of web applications (if applicable), open source intelligence gathering and potentially password/configuration auditing.
What is included?
  • Technical assessment performed by government-trained experts.
  • Phone consultation to review the results.
  • PDF report with findings, severity ratings and specific, how-to, actionable remediation plan.
  • Access to online cybersecurity portal - a one-stop location for tracking progress, viewing findings, storing and downloading documents and access to educational material to elevate your cyber-threat awareness.
  • At the conclusion of a VA you can be confident that, through an exhaustive, methodical analysis, vulnerabilities that are present and/or exploitable have been documented, with a strategy to remediate them.
Who should purchase this service?

Entities that are considered non-exempt under the NY regulation and who want to become compliant. Absent effective continuous monitoring, non-exempt entities are required to conduct annual penetration tests per Section 500.05(a) and bi-annual Vulnerability Assessments per Section 500.05(b) of the NY regulation.

A Vulnerability Assessment will likely be recommended following a breach response.

Why should I purchase this service?

You might be required to conduct bi-annual vulnerability assessments, depending on your exemption status. That aside, cybersecurity is good business. The alternative to security is hoping that your systems do not get breached and/or bearing the consequences of reputation damage, repair and recovery costs and potentially additional damages from enforcement or litigation. If you have assets and nonpublic information to safeguard, why take the chance when a modest investment in a cybersecurity strategy could bring you peace-of-mind, hardened defenses and preparedness if a breach were to occur?

What are the differences between the Cybersecurity Risk Assessment and the Vulnerability Assessment?

There are a few key differences:

  1. The Cybersecurity Risk Assessment focuses on finding and documenting exploitable vulnerabilities in your systems and network. By "exploitable" we mean vulnerabilities that are accessible to an intruder. In contrast, the Vulnerability Assessment (VA) identifies and documents vulnerabilities that are present and/or exploitable and includes other features such as planning, threat modeling, engagement customization, validation against false positives, assessment of web applications (if applicable), open source intelligence gathering and potentially password/configuration auditing.
  2. The VA remediation plan includes full technical reporting, detailed and tailored analysis, methodology information and more, whereas the Risk Assessment remediation plan is more generic in nature (although still actionable by a competent IT person).
  3. At the conclusion of a Risk Assessment you can be confident that exploitable vulnerabilities have been documented, with a strategy to remediate them. At the conclusion of a VA you can be confident that, through an exhaustive, methodical analysis, vulnerabilities that are present and/or exploitable have been documented, with a strategy to remediate them.
  4. Each service is appropriate for the size, maturity and budget of the entity we are assessing.

We selectively scaled back some of the more detailed aspects of the VA to create the Cybersecurity Risk Assessment for agencies that qualify for a Limited Exemption, so that these agencies would have access to the primary elements of the VA and a service that would gather the critical information needed on the path toward regulatory compliance.

DFS FAQ on Vulnerability Assessments and Penetration Tests

Assuming there is no continuous monitoring under 23 NYCRR Section 500.05, does the Department require that a Covered Entity complete a Penetration Test and vulnerability assessments by March 1, 2018?


The Regulation requires Covered Entities to have a plan in place that provides for Penetration Testing to be done as appropriate to address the risks of the Covered Entity. Such plan must encompass Penetration Testing at least annually and bi-annual vulnerability assessments, but the first annual Penetration Testing and first vulnerability assessment need not have been concluded before March 1, 2018 under Section 500.05. The Department expects all institutions with no continuous monitoring to complete robust Penetration Testing and vulnerability assessment in a timely manner as they are a crucial component of a cybersecurity program.

Penetration Test

(cost dependent upon scope)

5% DISCOUNT for BIG I Members!

What is a Penetration Test?

A Penetration Test is a method of finding and exploiting vulnerabilities found in an Information System or web application. The testing process simulates an actual attack or attacks and reveals the potential damage that could be realized. Penetration Testing is a highly skilled process that involves as much intuition as it does technology.

What is included?
  • Technical assessment performed by government-trained experts.
  • Phone consultation to review the results.
  • PDF report with findings, severity ratings and specific, how-to, actionable remediation plan.
  • Access to online cybersecurity portal - a one-stop location for tracking progress, viewing findings, storing and downloading documents and access to educational material to elevate your cyber-threat awareness.
Who should purchase this service?

Entities that are considered non-exempt under the NY regulation and who want to become compliant. Absent effective continuous monitoring, non-exempt entities are required to conduct annual penetration tests per Section 500.05(a) and bi-annual Vulnerability Assessments per Section 500.05(b) of the NY regulation.

A Penetration Test may also be recommended following a breach response.

What is the difference between a Vulnerability Assessment and a Penetration Test?

The purpose of a Vulnerability Assessment is to discover all the systems in a network and to identify and enumerate all vulnerabilities in those systems. A Penetration Test seeks to test the controls, or countermeasures in place to protect an Information System, circumvent or defeat those controls, and to demonstrate the potential damage that could result. A Penetration Test is less concerned with identifying every vulnerability in an Information System and more concerned with gaining access to a system and exploiting critical vulnerabilities.

CONTACT US

832-251-6600 | 855-524-9778
LCG, LLC
11767 Katy Freeway, Suite 515
Houston, TX 77079

WHY CHOOSE LCG?

Our Clients hire us because we provide honest advice, excellent customer service, and winning solutions based on experience. The best way to find out how we can help you is to call us.

Copyright 2008-2019. LCG Discovery Experts, LLC d/b/a LCG, LLC. All Rights Reserved