G a p A s s e s s m e n t
Assessment & Compliance Services Division
Solution Overview
Solution
At-a-Glance:
 Fulfill regulatory and legal
requirements to perform
regular risk assessments of
the design of information
security controls
 Identify gaps in policies,
procedures, and standards
that could result in regula-
tory issues
 Determine if existing gov-
ernance, risk management
practices, and oversight of
sensitive information han-
dling adequately protects
the organization from breach
or incident
 Receive recommendations
for continual improvement of
the security program
 ISO 27002 is referenced as
the default standard
ISO 27002 Framework :
Halock will review control objectives from the
following ISO 27002 as part of the review:
4: Risk Assessment and Treatment
5: Security Policy
6: Organization of Information Security
7: Asset Management
8: Human Resource Security
9: Physical and Environmental Security
1834 Walden Office Square, Suite 150
847.221.0200 halock.com
Governance, oversight, and regulatory compliance are key to the success of an organization.
Setting expectations through policy, defined procedures, and underlying standards are critical to
secure confidential information assets.
To identify and resolve the risks associated with the organizations information security program,
it should be assessed for adequacy and effectiveness.
Focused primarily on the design of the organization’s security controls, Halock will review the
organization's documented information security policies, standards and procedures. Halock will
conduct interviews with key organization resources where documentation is unavailable or
otherwise deemed appropriate. The objective of the assessment is to ensure that the contents of
the security program adequately address the requirements and intent of relevant compliance
frameworks and/or standards, such as ISO 27002 or other suitable security frameworks
applicable to the organization’s requirements.
Each document will be reviewed in terms of overall content, consistency with other policies and
standards, effectiveness of specific language or terminology used, intended audience, methods of
communication to that audience, and methods of enforcement.
Halock will conduct interviews, as appropriate, with key individuals regarding security policies,
procedures, and standards to collect required data for review. Halock can perform an in depth
analysis of the design and content of policies, procedures, and related standards, identifying
applicability and compliance with security control objectives .
Pricing:
 High level reviews typically
10: Communications and Operations Manage- renage from $5,000 to
ment $7,000
 In depth reviews typically
11: Access Control
range from $6,000 to
$10,000
12: Information Systems Acquisition, Develop-
ment, and Maintenance  Pricing varies based on the
level of available documenta-
13: Information Security Incident Management tion, number of business
units, and additional stan-
14: Business Continuity Management dards mapped to documented
controls
15: Compliance
* Schaumburg, IL 60173 * 847.221.0200 * www.halock.com
 847.221.0200 halock.com

Gap Assessment: Scope Worksheet

The following review approach will be utilized:

COMPLETE REVIEW (In Depth)
SAMPLED REVIEW (High Level)
Halock will review available security documentation, typically consisting of the following items. Please indicate additional
documents that will incorporated into the review in the empty boxes:
Email Usage Policy Acceptable Use Policy
Email Usage Policy Firewall Configuration Policy
3rd Party Agreements Configuration Standards for Servers
Data Retention and Disposal Policies Privacy Policy
Change Control Procedures Server Hardening Standards
Security Awareness Program Data Handling Procedures
Monitoring and Auditing Procedures Business Continuity / DR Plans
Patch Management Procedures Configuration Standards
Daily Operational Security Procedures Data Backup Procedures / Offsite Storage

Halock will interview key resources, typically including the following roles. Please indicate additional resources that will
interviewed as part of this process:

CIO / CISO CFO Compliance Officer IT Director / Manager

Development Lead Systems Administrator HR Director Facilities Manager

ISO 27002 is referenced as the default standard for controls. Please specify additional standards (such as CobiT, FFIEC
guidelines, etc) that should be incorporated into the scope of review:

1834 Walden Office Square Suite 150 * Schaumburg, IL 60173 * 847.221.0200 * www.halock.com