Security

Skill packages tagged with “Security”

DPC GDPR Data Security

Data security (Art. 32) for DPC self-assessment: risk assessment, technical and organisational measures, encryption, recovery, and secure destruction.

HIPAA Security Risk Assessment (SRA)

Draft and validate the Security Risk Assessment required by the HIPAA Security Rule (45 CFR §164.308(a)(1)). Maps ePHI assets to threats, vulnerabilities, and safeguards across administrative, physical, and technical categories. Produces the SRA report and risk register aligned with HHS/OCR audit protocol.

Incident Decision Tree Builder

Draft scenario-specific incident response playbooks (NIST CSF RS.RP) with a clear Decision Matrix for isolate vs. monitor and logic gates for Containment, Eradication, and Recovery. Inserts or validates mandatory regulatory reporting windows (e.g. GDPR 72h, SEC 4 days) in the playbook timeline.

Incident Response Playbook

Draft step-by-step security playbooks for any cyber attack type. Tailored to your organisation, tech stack, and threat landscape. Produces detection criteria, containment, eradication, recovery, post-incident review, and a quick-reference card with MITRE ATT&CK mapping and role assignments.

Information Security Policy (ISO 27001)

Draft and validate an Information Security Policy aligned with ISO 27001:2022. Builds a complete Statement of Applicability covering all 93 Annex A controls, validates enforceability of policy language, and maps every policy section to the relevant controls. Includes SoA cross-referencing and jargon-simplification tools.

ISMS Scope Statement (ISO 27001 Clause 4.3)

Define and validate the ISMS scope boundaries (physical, organizational, technical) with justified exclusions and no Shadow IT gaps. Includes boundary integrity checker and exclusion logic validator for audit-ready scope statements.

ISO 27001 Asset Inventory & Classification Register

Build and validate an Asset Inventory & Classification Register for ISO 27001:2022 Control A.5.9. Catalog information assets with Ownership and Classification (Public, Internal, Confidential, Restricted), suggest classification from sensitivity descriptions, and verify that every asset has a named Information Owner and that Confidential/Restricted assets have handling procedures.

MFA Exception Rationalizer (CISA CPG 1.1)

Document the transition to phishing-resistant MFA and draft MFA-exception rationales for Critical Infrastructure. Identifies legacy systems that cannot support MFA, proposes compensating controls (e.g. jump hosts), and validates authentication hardware against the FIDO2 standard required by CPG 1.1.

Mobile Device & Teleworking Policy (ISO 27001)

Draft and validate a Mobile Device & Teleworking Policy for ISO 27001:2022 (A.5.17, A.6.7, A.8.1). Covers BYOD, VPN, disk encryption, remote wipe consent, endpoint leakage risk, and compliance with Right to Disconnect (France, Brazil, Ireland). Includes labor-law overlap check.

NIST Password Logic Adapter (CISA CPG 1.2)

Rewrite legacy password policies to prioritize length and entropy over complexity and aging, and draft the Compromised Password Detection Protocol. Aligns with NIST SP 800-63B and CISA CPG 1.2; validates that procedures include a recurring check against leaked-credential APIs (e.g. Have I Been Pwned).

OT Asset Integrity Register (CISA CPG 2.1)

Maintain and validate an OT Asset Integrity Register for CISA CPG 2.1: catalog ICS, PLCs, HMIs, and sensors with firmware versions and physical locations; link assets to CISA KEV and vendor advisories (Siemens, Rockwell, etc.); cross-reference inventory with network discovery to flag unauthorized devices.

SOC 2 Readiness Gap Analysis

Map internal controls against AICPA Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy). Identifies unmapped criteria, validates evidence artifacts and tests of effectiveness, and produces a prioritized remediation roadmap for SOC 2 Type I or Type II audit readiness.

Third-Party Risk Assessment (TPRA)

Assess vendor security posture by validating SIG questionnaire responses against evidence and auditing SOC 2 reports for coverage gaps. Produces structured TPRA reports aligned with NIST SP 800-161 and GDPR Article 28, with automated tools that flag unsupported vendor claims, expired reports, and bridge-letter gaps.
