Rochester Information Security - Services
CONSULTING SERVICES
Comprehensive information security consulting focused on governance, risk, compliance, and audit preparation. All services are tailored to your organization's specific needs, industry requirements, and timeline.
FRAMEWORK IMPLEMENTATION
NIST 800-53 Implementation
What's Included: System categorization using FIPS 199, control baseline selection and tailoring, security control implementation guidance, System Security Plan (SSP) development, assessment and authorization support, continuous monitoring program establishment.
Best For: Federal agencies, federal contractors, organizations handling government data, high-security environments requiring comprehensive controls.
Typical Engagement: 3-6 months depending on system complexity and impact level.
NIST Cybersecurity Framework (CSF) Adoption
What's Included: Current state assessment across five functions (Identify, Protect, Detect, Respond, Recover), target profile development aligned with business objectives, gap analysis and prioritization, implementation roadmap creation, risk register development, executive reporting and communication.
Best For: Organizations building or maturing their security programs, companies seeking risk-based security approaches, businesses preparing for more prescriptive compliance requirements, and educational institutions.
Typical Engagement: 6-12 weeks for assessment and roadmap development.
NIST 800-171 Compliance
What's Included: CUI scoping and data flow mapping, gap assessment against 110 security requirements, System Security Plan (SSP) creation, Plan of Action & Milestones (POA&M) development, technical control implementation guidance, self-assessment preparation, supplier flow-down requirements.
Best For: Defense contractors handling CUI, organizations in government supply chains, companies pursuing CMMC certification.
Typical Engagement: 2-4 months for assessment and implementation.
CMMC Certification Preparation
What's Included: Level determination and scoping, comprehensive readiness assessment, gap remediation planning and support, documentation package development (SSP, POA&M, policies), practice implementation guidance for all domains, staff training and awareness, Certified Third-Party Assessor (C3PAO) coordination, mock assessment and preparation.
Best For: Defense Industrial Base contractors, companies bidding on DoD contracts, organizations required to protect CUI.
Typical Engagement: 4-9 months depending on starting maturity and target level.
ISO 27001 Certification
What's Included: ISMS scope definition and planning, gap analysis against ISO 27001:2022 requirements, risk assessment and treatment methodology, Statement of Applicability (SoA) development, Annex A control implementation, mandatory documentation creation (policies, procedures, records), internal audit program establishment, management review facilitation, certification body selection and liaison, Stage 1 and Stage 2 audit support.
Best For: Organizations with international customers, companies in regulated industries, service providers seeking competitive differentiation, businesses requiring formal security certification.
Typical Engagement: 6-12 months for full implementation and certification.
SOC 2 Audit Preparation
What's Included: Scope definition and Trust Services Criteria selection, readiness assessment and gap analysis, control design and documentation, policy and procedure development, evidence collection framework, audit period planning and tracking, auditor selection guidance, pre-audit preparation and walkthroughs, audit support and liaison, remediation support for findings.
Best For: SaaS companies, cloud service providers, technology service organizations, companies with customer security questionnaires requiring SOC 2.
Typical Engagement: 3-6 months for Type I readiness; 6-12 months for Type II (including audit period).
SPECIALIZED ADVISORY SERVICES
Audit Preparation & Support
Comprehensive preparation for any security or compliance audit. Includes pre-audit readiness reviews, evidence organization and management, interview preparation for key personnel, control testing and validation, findings response and remediation, and continuous improvement recommendations.
Gap Assessments
Independent evaluation of your security posture against any framework or standard. Detailed findings report with risk ratings, prioritized remediation roadmap with effort estimates, quick wins identification, and executive summary for leadership.
Security Program Development
Build a mature, sustainable security program from the ground up or enhance existing programs. Includes governance structure design, risk management framework, policy and standard development, security metrics and KPIs, awareness and training program, incident response capabilities, and vendor risk management.
Virtual CISO (vCISO)
Part-time security leadership for organizations that need strategic guidance without a full-time hire. Provides security strategy and roadmap development, board and executive reporting, policy and governance oversight, risk assessment and management, incident response leadership, and vendor and auditor management.
Documentation Development
Professional development of all required security and compliance documentation. Specializing in System Security Plans (SSP), policies and standards, procedures and work instructions, Plans of Action & Milestones (POA&M), risk registers and assessments, and audit evidence packages.
ENGAGEMENT MODELS
Project-Based
Fixed-scope engagements with defined deliverables and timeline. Best for specific initiatives like certification preparation, gap assessments, or program implementation. Clear milestones, predictable costs, and focused outcomes.
Retainer Advisory
Ongoing monthly engagement for continuous support. Includes allocated hours per month, regular check-ins and strategy sessions, on-demand guidance and question answering, compliance maintenance support, and documentation review and updates. Ideal for organizations maintaining multiple compliance requirements or building security programs over time.
Audit Support
Intensive preparation and support during audit periods. Flexible engagement starting 2-3 months before audit, comprehensive readiness activities, and dedicated support during audit execution. Ensures successful outcomes and minimizes findings.
GETTING STARTED
Every engagement begins with a consultation to understand your specific needs, current state, objectives, timeline, and constraints. Based on this, we'll provide a detailed proposal outlining approach, deliverables, timeline, and investment required.
Initial consultations are complimentary. Contact us to schedule a discussion about your compliance needs.