Governance, Risk, and Compliance (GRC)

GRC is a discipline that aims to synchronize information and system activity across governance, risk management and compliance in order to operate more efficiently, enable effective information sharing, more effectively report activities and avoid wasteful overlaps.

At Douala IT, we’re able to use the GRC capabilities to help our clients in the following areas :
Controls and policy library
Policy distribution and response
IT Controls self-assessment and measurement
IT Asset repository
Automated general system control (GSC) collection
Remediation and exception management
Reporting
Advanced IT risk evaluation and compliance dashboards

Policy and Compliance Management

With the increasingly complex cybersecurity regulations, compliance and reporting regimes, our crop of professionals provide profound knowledge and practical insight into industry regulatory and compliance matters by working closely with our clients to develop a structured process and implementable strategy to meet current and future regulatory challenges that will ensure continuous compliance for their organizations.

Improved process definition, implementation, management,and oversight – which ensure improved compliance and performance with applicable regulatory bodies as listed below :
FISMA/OMBRequirements and Compliance
NIST Special Publications (e.g., 800-53)
NIST Cybersecurity Framework
FedRAMP Cloud Compliance
HIPAA Security Rule
HITRUS Compliance
PCI DSS Compliance
Sarbanes-Oxley Act
ISO/IEC 27001
SANS Top-20 Critical Security Controls
ISACA SSH Audit Practitioner Guidance

Assessment and Authorization (A&A)

The Federal Information Security Modernization Act (FISMA) of 2014, also known as Title III of the E-Government Act (Public Law 107-347) passed by the 107th Congress and signed into law by the Presidentin December 2002–requires that all systems and applications supporting federal agencies undergo a formal Assessment and Authorization (A&A) process (formerly known as formerly known as Certification and Accreditation (C&A)) before being put into operation or production.

Douala Cyber Security Analysts provide A&A support for our clientsby guiding them through the A&A/C&A process as required by FISMA using applicable NIST SPs and other related regulatory publications. Our security A&Ainnovative process includes but not limited to the following, which help client systems to achieve Authorization to Operate (ATO) status.

Review accreditation documentation for information systems, authorization boundary, networks and system component
Analyze risks through Security Controls Assessment (SCA) exercise
Provide recommendations to Security Assessment Report (SAR)
Prepare Authorization package security artifacts
Provide recommendations for Authorizing Official (AO) to make risk-based decision

Risk Management

Risk Assessment is the first process in the risk management approach. Organizations use risk assessment to determine the extent of the potential threat and the risk associated with an IT or information system throughout its SDLC. The output of this process helps to identify appropriate controls for reducing or eliminating risk during the risk mitigation process.
Prepare for the assessment
Conduct the assessment
Maintain the assessment

At Douala, we use this tool to support the identification, assessment, response, control and reporting of risk through a six-step process (as stated in NIST SP 800-37r1) that begins with system categorization and ends with continuous monitoring of security controls of information systems and the environment of operation.

The Risk Management Framework (RMF) Steps:
Categorizing Different Information Systems
Selecting Security Controls
Implementing Security Controls
Assessing Security Controls
Authorizing Information Systems
Monitoring Security Controls

POA&M & Vulnerability Management

A Plan of Action and Milestones (POA&M) is mandated by the Federal Information Systems Management Act of 2002 (FISMA) as a corrective action plan for tracking and planning the resolution of information security Vulnerability. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.

Douala’s IT professionals use a structure and state-of-the-art approach to help clients at varying capability levels manage their POA&Ms and vulnerabilities embedded within using GRC and other related tools to determine the adequacy of security measures, identify security deficiencies, and provide remediation actions.
Identify vulnerabilities
Develop a remediation plan
Determine the root cause of the vulnerability
Determine the severity level of the vulnerability in order to prioritize POA&M
Developing a timeline for remediation by defining completion dates
Assign responsibility for remediation
Develop internal controls to monitor and update the POA&Ms
Monitor IS weaknesses to prevent delays in scheduled completion dates
Monitor (tracked) POA&Ms with remediation metric

System Security Documentation

Our Information Security Analysts liaise with system stakeholders at varying levels to develop, review, update and maintain system security artifacts for Low, Moderate or High impact systems using industry/agency approved templates. Our professionals use a developed and standardized approach to helps clients with their system artifacts documentation thereby ensuring completeness, accuracy compliance with agency requirements.

Such artifacts include but not limited to the following:
System Security Plan (SSP)
Configuration Management Plan (CMP)
Contingency Plan (CP)
Disaster Recovery Plan (DRP)
Incident Response Plan (IRP)
Memorandum of Understanding/Agreement (MOU/A)
Interconnection Security Agreement(ISA)
Security Assessment Plan (SAP)