
Data Policy

Information Security & Compliance

Revised August 11, 2024

Risk Cognizance LLC implements robust safeguards in compliance with the NIST Cybersecurity Framework (NIST CSF) and ISO/IEC 27001 standards. We are committed to upholding the highest standards of security, integrity, and confidentiality for our data, information systems, and assets. All employees are bound by Non-Disclosure Agreements (NDAs) to prevent data leakage. Additionally, Risk Cognizance LLC is a recognized CMMC Registered Provider Organization (RPO).

Overview

Risk Cognizance LLC has established a comprehensive security program that adheres to the NIST CSF and ISO/IEC 27001 standards. As a technology firm, we deploy a range of controls to protect our information systems. We engage an independent third party to test all external and internal endpoints every six months to verify that our safeguards remain effective.

Safeguard Implementation

Data Protection:

  • Compliance with NIST CSF and ISO/IEC 27001, including data privacy.
  • Risk management and data management practices, including vulnerability and penetration testing.
  • Monitoring and auditing tools managed by our 24/7 Security Operations Center (SOC), including Data Loss Prevention (DLP), Security Information and Event Management (SIEM), Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Mobile Device Management (MDM), Cisco Umbrella for DNS filtering, and Google for email protection and archiving.
  • Deployment of next-generation firewalls and antivirus with machine-learning-based detection.
  • Disaster recovery, incident response, and business continuity procedures tested annually.
  • An in-house security team led by a Chief Information Security Officer (CISO).

Authentication and Identity:

  • Multi-factor authentication implemented on all endpoints.
  • Centralized authentication managed by Microsoft and monitored by our SOC team.
  • Risk-based framework for identifying, inventorying, and managing assets based on their importance and risk.

Information Protection Compliance:

  • Adherence to legal and regulatory obligations through a risk-based approach to policy, process, and procedure implementation, assessment, and monitoring.

Information Protection Program Governance:

  • Tailored risk-based information protection program aligned with Risk Cognizance LLC’s risk tolerance and strategy.

Information and Technology Risk Management:

  • Framework for identifying, assessing, and prioritizing information and technology risks, with resources allocated to risk treatment plans.

Account Management and Permissions:

  • Risk-based framework for managing account lifecycles and permissions to ensure secure access based on business needs.

Awareness and Training:

  • Ongoing risk-based training to ensure employees understand and fulfill their information protection responsibilities.

Capacity, Performance & Maintenance:

  • Framework for maintaining technology capacity and performance with periodic and timely maintenance.

Change and Configuration Management:

  • Controlled implementation of changes and maintenance of baseline configurations using a risk-based approach.

Information Security:

  • Risk-based governance program for protecting information.

Identification and Authentication:

  • Unique identification and verification of users and devices before granting access.

User Activities and Sanctions:

  • Defined acceptable and unacceptable behaviors for information and technology use, with enforced sanctions as necessary.

Physical and Environmental Security:

  • Management of physical access and protection of technology against physical and environmental hazards through a risk-based approach.

Secure System Development Lifecycle:

  • Secure configuration, development, and management of technology throughout its lifecycle.

Vendor Management:

  • Risk-based approach to assessing and monitoring vendor-related information and technology risks.

Vulnerability Management and Flaw Remediation:

  • Identification and remediation of technology vulnerabilities based on a risk-based framework.

Cloud Security:

  • Technical and administrative safeguards for protecting information and technology in cloud environments.

Internet of Things (IoT) Security:

  • Risk-based framework for securing technology embedded with electronics and software.

Mobile Device Management:

  • Control and protection of technology accessed via mobile devices through a risk-based approach.

Network Security:

  • Technical and administrative safeguards for protecting internal networks.

Perimeter Security:

  • Management of perimeter defenses to protect against external threats.

Remote Access Technology:

  • Technical and administrative safeguards for secure remote access.

Server Security:

  • Protection of servers through technical and administrative safeguards.

Workstation Security:

  • Safeguards for protecting workstations based on a risk-based approach.

Telecom Security:

  • Safeguards for protecting telecommunications systems.

Wireless Security:

  • Protection of wireless networks and connections through technical and administrative measures.

Continuous Monitoring and Correlation:

  • Ongoing monitoring for suspicious activities and trends using a risk-based framework.

Incident Response:

  • Framework for handling and responding to incidents, including identification, containment, eradication, and recovery.

Business Continuity:

  • Plan for maintaining operations with minimal downtime or service outages.

Disaster Recovery:

  • Program for minimizing downtime and recovering critical processes following a disaster event.