Comprehensive AI Driven IT Security and Cyberwarfare Solutions

Cybersecurity Service Offerings are available as a standalone managed package (prices quoted are minimum and depend on scope and complexity)


Virtual CISO (vCISO) Service Offerings:

Ongoing, active-engagement vCISO service plans start at $4,995 per month for the "Virtual vCISO Bronze" plan and are offered at several CyberCorps Service Offering levels, based on the agreed scope of effort, business infrastructure, and estimated CyberCorps resource hours:

Virtual CISO Bronze: For small businesses requiring minimal but consistent virtual CISO services including:

1. customer and partner questionnaire support,

2. information security program creation and management,

3. annual information security training,

4. annual business continuity table-top exercise,

5. external vulnerability assessments, and

6. annual qualitative AND quantitative Six Sigma Black Belt information/data security risk assessment.

Virtual CISO Silver: For small and midsized businesses requiring more complex virtual CISO services. Includes all the features of Bronze plus:

1. annual SOC2 or similar audit support,

2. compliance with regulations and standards such as ISO 27001, ISO 20000-1, NIST SP 800-53, NIST-CSF, CMMC, NIST SP 800-171, PCI, or HITRUST;

3. annual IT security assessment;

4. chairing an Annual & Quarterly governance committee, and

5. third-party critical vendor reviews.

Virtual CISO Gold: For midsized businesses over 300 employees with the complexity to require the features of Silver but at a greater volume of virtual CISO services. Includes managed KnowBe4 or InfoSec training services (license fee extra).

Virtual CISO Platinum: For midsized businesses requiring virtual CISO services beyond the Gold level. Includes the CyberCorps managed GRC services (license fee extra).

Virtual CISO Black Diamond: Fully dedicated CISO (on-site or remote) plan that includes all CyberCorps Service Offerings except for the PenTest Services (can be added for the PenTest fee). Short-term (less than three months) full-time virtual CISO. Contact us for details. Longer-term engagements are available pending CyberCorps resource availability.

CyberCorps Service Offerings Modules

The following CyberCorps Service Offerings are included in the different CyberCorps Service Plans, scaled by Bronze, Silver, Gold, Platinum & Black Diamond, or each of these CyberCorps modules can be selected individually as required to scale to and support your business requirements.

This approach allows our clients the flexibility to scale to their budgetary requirements and build out a cybersecurity program at a pace that the business can support.

Managed Governance, Risk, and Compliance (GRC) Services:

CyberCorps managed GRC service enables SECOPS tracking and dashboard reporting on information security risks, compliance with various *frameworks and regulations, vulnerability management, asset management, security events & incidents, and more.

Requires a one-year commitment

Price dependent on engagement*

Security Awareness Training:

When reviewing security risks associated with the three primary pillars of security ("People, Process & Technology"), it is ALWAYS the "PEOPLE" within your organization that will be your major security weakness. The "people resources" are always the first target for any threat vector and are the weakest link in the security layers of any organization. With security tools such as KnowBe4 & InfoSec, CyberCorps' vCISOs provide and manage online training, phishing campaigns and security gaps to further your organization's information security awareness, reducing the risk of an information security incident caused by "human" error.

Requires a one-year commitment

Price dependent on engagement*

Information Security Risk Assessment (Quantitative & Qualitative):

The CyberCorps service offering to perform a baseline Information Security Risk Assessment (ISRA) is required for all the CyberCorps Service Offerings. The baseline "ISRA", at its core, will be the point of origin for risk management strategies and improvements and MUST be conducted annually. A Risk Management (RM) process is required to capture your unique risk appetite and thresholds. Risks must be identified and prioritized so as to efficiently apply both financial & human resources for mitigation per the risk management strategies.

An Information Security Risk Assessment (ISRA) is a set of tools (risk register, risk scores) for managing and communicating OPSEC risks to executive management and the board of directors. Without a solid ISRA, executives do not have a clear understanding of the information security risks they are ultimately responsible for, and staff have no direction on the risks to address.

A CyberCorps vCISO will create and manage a complete and sustainable RA-ISRA process.

Price dependent on engagement*

IRS PUB 1075, NIST SP 800-171, NIST SP 800-53, CMMC, NIST-CSF, PCI-DSS, HITRUST, SOC2, ISO 27001/2, and Other Framework Gap Analysis:

Compliance should never be confused with "security". This is a required action for most organizations, both large & small and is necessary to demonstrate the viability and effectiveness of the security program.

We have a documented, solid history of building security programs aligned with many frameworks, e.g. NIST, ISO, IRS, CMS. As security evolves, so do the compliance requirements to support a particular regulation or standard. The vCISO levels above "Silver" are ideal for your organization's needs on a recurring basis. If you require a baseline compliance review, this "stand-alone" service offering is what is needed to build your compliance baseline. We will review your data sets and determine the data category and data compliance requirements to ensure your business is in full compliance going forward. CyberCorps' vCISOs and information security risk analysts will manage your compliance requirement.

Price dependent on engagement*

Annual & Quarterly Governance Committee

Communication of an organization's security-in-review is absolutely a requirement for any organization. This is the time to highlight both the security operations successes and the challenges. Part of this security governance task is an annual review of your Security Governance & SOC programs, as well as a Quarterly security governance committee led by the CyberCorps vCISO and involving business unit leaders and executives organization-wide.

The C-suite and the board of directors can only make risk-informed decisions if they understand data security risks, and these essential meetings facilitate that communication and will support FY budget requirements for the future.

Our CyberCorps vCISO can present once annually & every quarter.

Price dependent on engagement*

IT Security Assessments & Continuous Improvements:

Do you know where all your Controlled Unclassified Information (CUI) - Sensitive Data exists? Most organizations are unaware of all the locations where CUI is captured. Are your security tools fully utilized and providing the intel that was expected when procured? Does your firewall ruleset make sense? What is your security posture, and have you considered implementing ZeroTrust? Are your other IT controls maximized for protection?

CyberCorps will perform a detailed security tool rationalization of your security tools, tool capabilities and gaps and recommend the critical tool set that will provide your security team & leadership a single lens perspective of your environment.

CyberCorps will integrate the IT Security Assessment inputs into a continuous improvement program to harden the security posture of your organization.

CyberCorps' experienced vCISOs and risk management analysts will provide an independent review to verify IT controls or recommend changes, all while not impeding business operations.

This requires a one-year commitment

Price dependent on engagement*

Information Security Program / Policy Creation and Implementation:

The Data & Information Security - Cybersecurity Program Strategies and associated policies form the foundation of an organization’s data security program. These cybersecurity strategy artifacts are as unique as the business you operate and MUST represent the business value & risks of your unique business.

A CyberCorps vCISO or risk analyst will carefully capture the business requirements for your business model and then design policies and standards (including RACI charts if desired) to match your organization’s needs and culture.

The CyberCorps Service Offering is considered a baseline task to get your business compliant with GRC Policy & Procedures documentation. Once the Policies & Procedures are baselined to the standard or framework that governs your Information / Data Protection capability, these artifacts will be considered "living security artifacts". CyberCorps will work with you to set up the appropriate level of ongoing support that will match your business and budget.

Price dependent on engagement*

Business Disaster & Continuity Plans and Tabletop Exercises:

CyberCorps has extensive experience with Government & the private-sector business communities in preparing these organizations for unforeseen events; these can be natural events or nefarious actors with the intent to shut down your business and your operations. Plan for the worst and be prepared. Your business needs to survive unintended events. We will capture your mission-critical operations & processes, document who is accountable and which resources are responsible for support, and then script different scenarios for our clients each year.

In 2019 - 2022, the exercises we have designed for the State of Maryland focused on a pandemic that required a 100% remote workforce, which prepared our clients for the improbable security events to support the business in this new 100% remote COVID-19 environment.

Schedule a meeting to let one of our virtual vCISOs work with you to create meaningful BIAs and conduct effective Tabletop exercises to ensure continuity of operations, whatever the cause of the business interruption.

CyberCorps will build the tabletop scenario script, manage the Tabletop exercise and generate the After-Action Report (AAR) to drive security improvements.

At an additional cost CyberCorps can also manage the security program implementation of the AAR Findings & POA&Ms, test the improved controls and validate during the following Tabletop exercise if requested.

The CyberCorps Service Offering is one (1) Tabletop only per 6 months. It is recommended, and in some cases may be driven by compliance requirements based on your data categories, that your business conduct two (2) Disaster Recovery Tabletops per year: one (1) focused on a cybersecurity incident and one (1) focused on a natural disaster event.

Price dependent on engagement*

Supply-Chain Management: Third-Party (Vendor) Reviews:

Supply-Chain Management is a critical component of any business. All Third-Party Vendors require a detailed review of their data security maturity levels. Migrating to a cloud provider or outsourcing a call center does not absolve an organization of its cybersecurity responsibilities. Both your business's and the supply-chain vendors' security controls must be assessed and confirmed to align with the corporate risk tolerance.

This is accomplished through detailed analysis of the Third-Party Vendor's SOC 2 Type II if the organization has paid to have a Third-Party assessment performed. In the absence of a SOC 2 Type II study, a series of interviews and security artifact reviews is required.

CyberCorps vCISOs' years of experience reviewing vendors make vendor security maturity reviews organized for repeatability to support audits and complete for your business; these reviews are an essential element of proper information security risk management.

Price dependent on engagement*

Network Vulnerability Assessments (External) and Basic Web Application Scans:

Vulnerability Management is a major necessity for your business. Testing is the first step in securing your environment from nefarious actors and threat vectors. Knowing what to prioritize in remediation and what compensating controls may work better than rectifying the primary control gap can save time and costs and add efficiency while increasing the business security posture.

Price dependent on engagement*

Penetration Testing:

Testing exposes physical, application & system infrastructure vulnerabilities; CyberCorps penetration testing works to attempt to exploit those vulnerabilities. Our team of CyberCorps PenTesters understands the many different & evolving threat vectors and the weaknesses that can be exploited.

CyberCorps will "safely" via the Rules of Engagement (RoE) expose those weaknesses in your business operations and then secure your environment through the many CyberCorps Service Offerings we provide to our clients.

This Service Offering may be added to any package for an additional fee, based on the scope of services desired and the environment.

Price dependent on engagement*

Security Operations Center (SOC) & On-Demand Incident Response Services:

CyberCorps has experience in standing up a SOCaaS (Security Operations Center (SOC) as a Service) model. The SOC is a critical component and function for any business that manages data.

CyberCorps has 2 offerings that can support your business and budget:

CyberCorps can partner with your organization and manage the SOC operations for you as our SOCaaS model. 

CyberCorps can also stand up a "scalable" SOC capability on your premises designed to your business requirements. When an incident occurs, timely response is critical.

Price dependent on engagement*

Controlled Unclassified Information (CUI) Data Mapping Exercises:

Most organizations are challenged with understanding & securing the data categories that they work with on a day-to-day basis. Do you know your Controlled Unclassified Information (CUI) data categories and where your data is located? How is it protected?

A Controlled Unclassified Information (CUI) data mapping exercise led by a CyberCorps virtual vCISO skilled in privacy concerns will answer these questions and reveal what kind of CUI is in your environment (PII, PHI, FTI or PCI-DSS). The vCISO will identify gaps in the existing security controls & policies. This is both a security & compliance requirement.

CyberCorps can assist your organization based on the insights gained via this service offering to support your resources on any audit that relates to Controlled Unclassified Information (CUI) - Sensitive Data - PII, PHI, FTI and PCI-DSS.

Price dependent on engagement*

Special Service Requests: Evolving Cybersecurity Compliance & Threat Landscape

As the Cybersecurity Compliance & Threat landscape is constantly shifting, CyberCorps is positioned to lead any future efforts in the defense of sensitive data.

CyberCorps partners with both Government & Private-Sector Cybersecurity Subject Matter Experts (SMEs) and Vendors on a regular basis to be kept informed on the next-evolution of cybersecurity threats & compliance requirements on the cybersecurity frontlines.

Is there a Cybersecurity Plan of Action & Milestone (POA&M) that needs to be addressed by your business that is not listed here? Let us know. We will work to support this POA&M requirement, and if not possible for some reason, CyberCorps will direct you to a source that may be able to assist.