SERVE AS YOUR COMPLIANCE TEAM

Our Sprint plan is designed to help you get your audit report rapidly for SOC 2, HIPAA, or ISO 27001 in your GRC of choice. We will be available and responsive to questions pertaining to strategic level decisions, educating your team on standard practice within the compliance world (specifically related to companies just like you), and generally helping to direct the compliance goals of the organization.

• Drata  Implementation: Enable integrations for automated evidence collection, ensure proper mapping for all controls and evidence, troubleshoot all errors and failing tests, assign ownership, and manage the platform for optimal implementation.
  
• Compliance Readiness: Evaluate Compliance goals, high-level review of existing posture, prioritize critical gaps, and provide achievable timelines for all workstreams associated with the specific Compliance objective.
• Custom Policy & Procedure Creation: Tailor Policies & Procedures for the buiness context and operating environment, risk tolerance, ownership, and best practice recommendations.
• Evaluate and Develop effective Controls: Create, customize, deploy and test Controls within the buiness context and operating environment; design for risk tolerance, ownership, and best practice recommendations
• Security Training Implementation: Assist with evaluating training and awareness options, basic and advanced options, customized training where specifically requested.
• System Description & Statement of Applicability Support: Assist with creating and customizing the System Description and/or SoA for respective Compliance requirements.
• Compliance & Security Roadmap planning: Execute planning sessions for areas to improve security as identified during the audit and from best practices guidance, including discussions for additional compliance initiatives
• External Audit Management: Serve as the primary POC with Auditors (if desired), represent the security and compliance program to all external parties, manage the discussions and direct towards client teams only as needed, client coaching for how to manage the audit experience.
• Penetration Test Support: Assist with identifying scope and proper levels of penetration testing, discuss key differences, recommend Vendors, evaluate options for best use of limited resources.
• Initial Risk Assessment: Execute basic, Compliance-ready Risk Assessment to establish a foundational Risk Register, assign Risk owners, action plans, and priorities.
• Tabletop Exercises: Manage and document two tabletop scenarios: one for Disaster Recovery, one for Incident Response.
• Security Questionnaire Support: Eden Data will complete one security questionnaire of up to 150 questions per calendar month, within 5 business days of receiving the questionnaire.
• External Trust Page/Center Implementation: Where available, assist with establishing a Trust Page/Center, train on configuration of the page, educate Sales staff on value for accelerating the sales cycles.
• Attack Surface Management: Weekly scanning of AWS Cloud for configuration weaknesses, continuous oversight of operational drift, and technical advisory and guidance to address findings in a risk-prioritized manner.
• Attack Surface Management+ : Weekly scanning of AWS, Azure, or GCP Clouds for configuration weaknesses, continuous oversight of operational drift, technical guidance to address findings in a risk-prioritized manner. Additional items included in the + package: Slack, email, domain, and website security advisory services.
• Vendor Risk Management: Develop and formalize SOPs for Vendor Risk Management, especially procurement and evaluations; centrally manage Vendor assessments.
• Foundational Vulnerability Management: Create Policies and supporting SOPs for Patch and Vulnerability management, including CI/CD processes, for infrastructure, code, applications, and workstations.
• Foundational Incident Management development: Create Policies and supporting SOPs for Incident Management, including one tabletop test and Lessons Learned feedback loop exercise.
• Foundational Business Continuity & Disaster Recovery Development (BC/DR): Create Policies and supporting SOPs for BC/DR, including one tabletop test and Lessons Learned feedback loop exercise.
• Foundational Threat Management development: Create Policies, supporting SOPs, and technical stack (including log configuration) to ensure proper foundational elements for Threat visibility, sound forensic trails, and investigations.

SERVE AS CHIEF SECURITY OFFICER + TEAM

Our Engage plan is designed to help you pass ongoing audits and seamlessly remain compliant for SOC 2, HIPAA, or ISO 27001 in your GRC of choice.

• AWS Security Best Practices: Perform reviews to evaluate and optimize the reliability, security, and efficiency of AWS workloads. Review existing AWS-native security tools and their deployment and/or relevance for a client's environment, including the use of AWS Organizations, Control Tower, Trusted Advisor, Security Hub, and other native tools for a foundational security architecture.
  
• Security Maturity Measurement & Roadmap development: Perform a comprehensive analysis across all Security Domains to rank existing capabilities, perform peer comparisons, and identify key focus areas with a roadmap built with a risk-prioritized lens.
• Premium Risk Assessment: Perform a detailed quantitative risk analysis by considering likelihood, impact, exposure; develop risk-prioritized mitigation strategies, create or enhance the Risk Register. The risk assessment will be based on a business-first approach, and aims to identify risks across different areas of the organization, providing a holistic view of risk exposure and business expectations.
• Premium Vulnerability Management
• Premium Incident Management Program Development: Evaluate and leverage automation for initial triage, evaluate existing toolset and capabilities, develop internal automated IR capabilities or define requirements for 3rd parties to assist and/or manage Incident Response, including Forensics investigations.e.
• Incident & Data Breach Response Support: Perform comprehensive analysis of the People, Processes, and Technology associated with endpoint security, Log Management, and correlation tools to support Threat investigations and Incident Response requirements. Evaluate and discuss options for baseline enforcement and remediation with Cloud-native or other automated response tools, including potential MSSP options. On-demand, perform initial triage to determine containment strategy, and define if expert Forensics and IR support is required.
• Premium Threat Management Program Development: Evaluate Log configurations at source, ensure proper details and sufficent coverage. Review and/or assist with designing log storage, lifecycle management, immutability. Review and/or refine endpoint security for workstations and Cloud assets (including containers), configuration management for hardened baselines, and build/refine processes for proper Threat Management. Create roadmap for deploying event correlation for automated triage and log investigations to move beyond manual investigations.
• Annual Business Impact Analysis (BIA): Identify and document key business and technological dependencies, define and evaluate appropriate recovery times, and ensure business recovery processes support business SLAs.
• Vendor Evaluations: Requirements definitions, tech reviews, downselects: Expert advisory services to identify key priorities, define critical requirements, evaluate Vendor offerings, downselect and ensure Vendors are accountable from the sales to delivery lifecycle, especially ensuring appropriate scope and no hidden products or costs.
• Architectural Design review and recommendations, including DevSecOps Advisory Services (IaC, Kubernetes, CI/CD, secure code & operations) and Configuration Management: Evaluate Development practices, CI/CD workflows, and security architecture against best practices; provide insights, immediate recommendations, and a strategic roadmap based on the business operating context and risk priorities, and develop CI/CD Security Plans as appropriate.
• Sales Support for Prospective Clients: Support clients during sales cycles to properly represent the security posture and culture to the prospect in order to win the business with the security story (up to 3 hours/monthly).
• Internal Audit Team: Perform formal Internal Audits against the ISO framework, provide detailed documentation, recommendations for improvements, and interactive discussions about findings and action plans.
• Mergers and Acquisitions Support: Perform general and/or technical assessments of potential acquisitions to evaluate overall risk, provide feedback to Leadership with ballpark cost estimates for risk mitigation to leverage in negotiations for final acquisition cost.

DATA PRIVACY AS-A-SERVICE

• Serve as Data Privacy Officer: This role operates independently and entails a wide variety of responsibilities including Advisory, Privacy Program Development and/or Management, Privacy Training, Communication with internal and external parties, and various other duties.
  
• GDPR/ISO 27701 Readiness Assessment: This assessment helps identify gaps in compliance, areas of risk, and opportunities for improvement in data protection practices.
• Privacy Impact Assessment (PIA): Assess existing Privacy practices, data collected, and creating a document with detailed findings of the DPIA, including identified risks to data subjects’ privacy and recommended measures to mitigate these risks.
• Transfer Impact Assessment (TIA): Evaluate types of data, existing controls, contractual clauses, and other relevant GDPR requirements to ensure or develop proper procedures for Data Transfers.
• Privacy Roadmap: Based on the Readiness Assessment, Eden Data will create a prioritized action plan with specific guidance to achieve GDPR readiness and compliance.
• Data Inventory and Record of Processing Activities (RoPA): Eden Data's GDPR Record of Processing Activity (RoPA) Assessment and Recommendations service is designed to assist organizations in achieving and maintaining compliance with the General Data Protection Regulation (GDPR), specifically concerning Article 30's requirements.