Your business is involved in the handling, processing, or transferring of federally protected information, or you are simply concerned with the protection of your employees' information and the intellectual property (IP) of your company. While you have worked hard to do the right thing, you are unsure of your compliance obligations surrounding this sensitive information, or of the implications of what could go wrong from the standpoint of the business, the affected end user, or your personal liability.
What are the effects of compliance? Being compliant can help your business because, in some cases, you can advertise being compliant. Not being compliant will attract attention from regulators as well as drive business away from your company. After all, why would a customer want to do business with a company that can't follow the rules or protect its own employees' data?
Also, new regulations come out all the time. The latest to make a high impact is GDPR, and if you deal with the EU, have EU clients/customers, or have EU employees, then GDPR is, or should be, at the top of your list for compliance in order to avoid fines. These fines are nothing to take lightly either, as they can go up to 20 million Euros or 4% of your global gross revenue (whichever is greater). If you have GDPR issues or suspect you will have GDPR issues, you should read our brief article pertaining to GDPR.
Arrakis can help you become compliant or remain compliant by offering an unbiased third-party assessment that is specifically tailored to the framework or regulation you are required to conform to, as well as helping reduce your overall risk.
These solutions can be in several forms:
3rd party audits and assessments - All major frameworks require a 3rd party assessment to be performed in the areas of vulnerability assessment, risk assessment, or 3rd party audit of your information systems. Arrakis can be your trusted advisor, providing an unbiased and brutally honest assessment of where you feel weak or where you feel a regulatory agency may target you. Don't be caught short in high-risk compliance areas like GDPR, FFIEC, FISMA, etc.
Business Impact Analysis (BIA) - As a matter of good practice, a BIA should be done at least yearly to ensure that you completely understand the level of impact to your business should any portion of your business process fail. How long can you stay down without a major incident? How long can you stay down before your customers decide to move to another solutions provider? Knowing the impact to your business, both qualitative and quantitative, is vital and required. Arrakis can help you realize exactly what your impact is.
Gap Analysis - Regardless of what framework you are required to follow, there is always something that needs to be reviewed to see where your gaps, or weaknesses, are, so you have targeted and actionable items on which to focus your remediation or improvement efforts. Don't be caught short in high-risk compliance areas like GDPR, FFIEC, FISMA, etc.
Framework implementation, consultation, or support - All companies that process regulated data are required to conform to some security framework. Whether it is NIST 800-53, ISO 27001, FFIEC, or another, we can help implement it or provide consultation services to make your current implementation easier. Additionally, in several situations, companies have to conform to multiple frameworks or create a hybrid framework that reduces the regulatory risk to the company and its executives. Arrakis can help guide you down the path of confusion to a clear outcome.
vCISO/CISO as a service - Some companies simply do not have the budget, experience, or training to have a CISO or an information security department. While all frameworks require a security department and a CISO, it simply isn't in the budget, or there isn't enough technical work to justify hiring the appropriate personnel. Arrakis can help by acting as a trusted advisor to your company's CIO or COO and essentially performing the CISO functions. Technically, by the frameworks, someone in the company still must have the title of CISO; however, none of the frameworks indicate that the actual "work" can't be outsourced to a reputable 3rd party. Don't be caught short in high-risk compliance areas like GDPR, FFIEC, FISMA, etc.
vCIO/CIO as a service - Similar to the CISO as a service item above, some companies are more focused on building their business and increasing their profit margin and just don't have the time or experience to perform CIO functions. They have strategy without execution because they lack the ability to execute. Arrakis can be the IT glue that binds all the technological functions into a cohesive package to fill this gap. The professionals at Arrakis have, on average, over 20 years of experience in all aspects of IT, including managerial functions such as budgeting, project management, and process improvement.
Governance, Risk, and Compliance - Regardless of what framework your company is required to follow or its level of maturity, all companies bear some risk simply because they are in business. Our GRC people can help your company stay in compliance with regulations, assess and track risk to your company, and provide an easy-to-follow governance model to ensure that your company operates in a stable manner that keeps the auditors happy. Don't be caught short in high-risk compliance areas like GDPR, FFIEC, FISMA, etc.
Policy Creation and Review - Quite often companies have some form of policies in place, but a majority of the time those policies simply do not meet the requirements of the auditors or of the frameworks the company is supposed to follow. While the company intends to be compliant, the deficient policies do not help and only draw closer attention from the auditors. Arrakis has years of experience writing policy and can help bring you up to speed with the frameworks, providing for an easier success rate when it is time to be audited.
RSA Archer - Coupled with a GRC program, RSA Archer can be a solid investment toward lowering and visualizing your risk. Our professionals have years of experience with Archer and other GRC programs, as well as industry GRC certifications from OCEG.