The Mesa Group
Business & IT Consulting
Where a handshake still means something!
System Security

The Mesa Group offers a complete suite of security assessment services that provide cost-effective support for identifying and eliminating vulnerabilities. Our security team works with you at the start of each project to establish actionable metrics and a tailored, integrated risk management dashboard. Our assessment services help you measure improvement, evaluate process efficiencies, and manage your organization's risk posture.

A Security Vulnerability Assessment (SVA) or a gap analysis alone will not ensure that your organization complies with the standards that apply to it, or even that it is secure. In fact, if done improperly, it can actually create liability for your organization. Many organizations are not aware of how many steps a proper security audit or assessment requires; all of them are part of a complete security compliance lifecycle. Our assessment methodologies follow the NSA IAM (National Security Agency INFOSEC Assessment Methodology).

Our primary goal is to improve your organization's reliability, security, and regulatory compliance through a strict, professional, and proven methodology, combined with extensive experience and highly specialized expertise, applied comprehensively and with thorough due diligence. Although the following Mesa Group services can be used individually, they are intended to be used together as a complete lifecycle process.

·         Vulnerability and Risk Assessment

The Mesa Group security team has in-depth experience in vulnerability assessments across a wide range of environments, from a specific area of an organization's technical environment to comprehensive assessments spanning multiple components and tiers of the information technology infrastructure. The Mesa Group has performed vulnerability assessments on networks, web applications, servers, databases, VoIP, firewalls, network infrastructure, wireless, and PBX systems. The Mesa Group approach delivers substantiated findings and actionable recommendations for both the technical audience and the boardroom.

·         Regulatory and Compliance Assessments

Mesa Group security experts work with management, risk management groups, and information security management teams to evaluate how well your security program aligns with and supports business processes and goals. Our assessment verifies that your program complies with the applicable legal and regulatory requirements and that it supports the overall risk management program. It also evaluates the components of your security management program, including policies and procedures, security strategy, the selection of solutions, and the collection and management of metrics. Our specialists have extensive experience in evaluating compliance with:

  •  Sarbanes-Oxley Act - standards for public company boards, management, and internal controls over financial reporting
  •  Gramm-Leach-Bliley Act - requires financial institutions to protect the personal financial information they hold
  •  ISO 27001 - requirements for an information security management system (ISMS)
  •  ISO 27002 - code of practice for information security controls (previously ISO 17799)
  •  HIPAA - standards for health care transactions and for the security and privacy of health data
  •  PCI DSS - Payment Card Industry Data Security Standard; its requirements include quarterly external network vulnerability scans
  •  STAR Network - PIN-secured debit network providing real-time transaction processing
  •  FISMA - defines a framework for managing information security in federal agencies and their contractors

·         Application Security Assessments

The Mesa Group's security team applies extensive skills and experience to the detection of security flaws within your organization's applications. Despite increasing awareness of application security, much of the software development testing process remains focused on functional testing. The Mesa Group security team can help you identify issues that will never be uncovered by that approach. In fact, our experts frequently discover security vulnerabilities that even newer tools, such as web application vulnerability scanners, have failed to detect.

·         Physical and Operational Vulnerabilities

Physical and operational vulnerabilities can also provide additional attack vectors into your process control systems and network, so they must be taken into account when performing a vulnerability assessment. In this step, we help your organization accurately identify and understand the current vulnerabilities within your architecture by performing the necessary vulnerability assessments from both a vulnerability-focused and a controls-focused perspective. The Mesa Group performs the following vulnerability assessments:

  •  Physical Vulnerability Assessment – Physical security weaknesses can provide an attack vector to your critical systems in addition to the more obvious cyber attacks. Our physical security experts have extensive experience with some of the most secure environments in the world, including Air Force bases, financial institutions, and nuclear facilities. We will help you identify gaps and potential vulnerabilities in your physical security.
  •  Operations Vulnerability Assessment – Like physical security weaknesses, operational security weaknesses can provide an attack vector to your critical systems in addition to the more obvious cyber attacks. Through procedure review and staff interviews, we will help you identify gaps and potential vulnerabilities in your operational security as part of our complete Holistic Lifecycle Approach to your compliance.
  •  Cyber Vulnerability Assessment – Our security analysts are experts in cyber security and its vulnerabilities. They stay up to date on the latest vulnerabilities and security controls, and they analyze systems and locate vulnerabilities from the viewpoint of the attacker. With this expert knowledge, we will help you identify the cyber vulnerabilities in your architecture and systems.

·         Threat Modeling

Every organization is unique, and so are the threats it may face. For example, specific business objectives or geographic locations may expose one organization to a threat that another does not face. Does a particular employee or contractor present a potential "insider" threat? How does an organization know when a threat is substantial enough to warrant action? Our highly trained experts are qualified to address concerns exactly like these. Through technical, environmental, organizational, and operational analysis, combined with staff evaluations, we will build a threat model specific to your organization and environment, providing the specialized data that a proper risk analysis requires.

·         Compliance Gap Analysis

A gap analysis is the formal "audit" that brings the entire assessment phase together. We will review all of your written policies and procedures, as well as all of the data collected in each of the other steps of the assessment phase, and compare them against every standard you are required to comply with. These can be industry standards as well as internal standards. NOTE: The term "audit" is used here for descriptive purposes only, because this is how much of the industry refers to this process. It does not refer to a formal audit performed by regulatory authorities.

·         Mitigation & Remediation

In the mitigation phase, we will work with you to build an effective mitigation and strategic roadmap, and then help you put your plan into action using our workflow management process designed specifically for risk management and compliance mitigation. From start to finish, we will help you enhance your policies and procedures, put the necessary safeguards in place, minimize your risk, and bring your organization into compliance. Our experts have extensive real-world experience as well as both cyber and physical security expertise. They understand that, within an enterprise network, a failed mitigation or strategic roadmap can turn out to be more harmful than the risk itself, due to unforeseen system impacts. Our team is also completely vendor-agnostic and independent. This enables the Mesa Group Security Team to analyze the data from the assessment phase effectively and present to you the most flexible, reliable, and comprehensive security solution for your organization without putting your production environment at risk.