Frequently Asked Questions

What consulting services do you offer?

We offer information security consulting services in assessment and architecture in our core areas of expertise including general security architecture, identity management, cloud security, and Privacy-by-Design. The answers to the questions below describe some of our engagement formats. Multiple consulting services can be combined in a larger project to create a complex security architecture starting from scratch.

What is a virtual Chief Information Security Officer?

A vCISO is an information security professional who uses their years of information security and industry experience to assist organizations in developing, managing, and implementing a security program.

What is covered in the Privacy Consulting services?

SCI bases its privacy consulting services on the seven Privacy-by-Design principles:

  1. Proactive not Reactive – Preventative not Remedial
  2. Privacy as the Default Setting
  3. Privacy Embedded into the Design/Architecture
  4. Full Functionality – Positive-Sum, not Zero-Sum
  5. End-to-End Security – Full Life-Cycle Protection
  6. Visibility and Transparency – Keep it Open
  7. Respect for User Privacy – Keep it User-Centric

What is a Privacy Impact Assessment?

A privacy impact assessment can be a high-level assessment to identify issues to be addressed and assist in prioritizing them based on information gathered typically through a survey of key stakeholders.

A more detailed, comprehensive assessment typically entails research into the organization's current state of privacy, information-gathering activities, key stakeholder interviews, and a review of industry practices in order to identify and measure risks related to personally identifiable information (PII).

What is covered in a Security Assessment?

An information security assessment is a consulting project that concludes in a written evaluation of your security program or a subset. In conducting the assessment, we interview key staff on a scoped area of your security program against specified criteria. We produce a summary report detailing the findings on your baseline environment, identifying gaps, and providing initial recommendations on areas of improvement. Our assessments are based on security evaluation criteria from years of experience in consulting.

You can choose between two options:

  1. A Comprehensive Assessment that provides a broad overview; or
  2. A Targeted Assessment that drills down into a specific area of the security program or security architecture.

The assessment criteria are tailored to your organization’s maturity level, vertical industry, project objectives and agreed scope of work. This is agreed to during the preparatory phase of the engagement.

We rely on our knowledge and expertise to evaluate the practices, risks, and opportunities. We do not strictly follow a checklist.

Learn more about our Security Assessments.

What is Security Architecture?

Security architecture is the art and science of designing business information systems that are unlikely to fail, can be relied upon, and are safe from attack.

For our consulting projects, SCI follows the SABSA framework and methodology. Architecture defines both organizational standards and guidelines. It also describes the people and process requirements associated with the technical recommendations and includes a roadmap for implementing the recommendations. An architecture can capture the “current state” or the “to be” state of where the organization wants to be.

Additionally, by helping clients define their target state for security, architecture projects form a key piece in client security programs. Through architecture the client can get a better understanding of the threat landscape as well as the risks and opportunities for organizations in their vertical industry.

With our assistance, clients find they can identify and choose among alternative strategies earlier and set priorities. In addition to the architecture documents, we help clients build the ability to maintain the architecture – and run an effective security program – over time. If a client requests it, we can also provide an option for ongoing coaching to help ensure you stay on track.

What is Security Engineering? How is it different from Security Architecture?

Security engineering is often confused with, or equated to, security architecture. Security architecture deals with how an information security system is set up and how its components work, both individually and as a whole.

Security engineering “…focuses on the tools, processes, and methods needed to design, implement, and test complete systems, and to adapt existing systems as their environment evolves.” – Ross Anderson, Security Engineering 3rd Edition.

How are consulting engagements priced?

Our preferred pricing structure is based on a firm fixed price estimate that covers the specified deliverables as outlined in a statement of work (SoW) and according to a defined process and schedule.

Who is used to deliver an engagement?

Engagements are delivered by our principal consultant, who has over 20 years' experience across a broad range of industry verticals, practices, and security disciplines. We also have a small group of trusted partners with similar expertise whom we can bring to the table.

Can SCI Assist Us in Vendor Selection?

Yes. We maintain a policy of vendor neutrality and transparency to avoid any perceived or real conflicts of interest. Our goal is to ensure clients are getting the maximum value for their security and/or privacy budget.