The term "compliance" can be misleading, as there is no definitive list of technical requirements that can ensure your organization would pass a cybersecurity audit. Rather than treating compliance as a one-time project, it should instead be thought of as an ongoing, active process of managing and mitigating risk that is a crucial part of every modern business and organization. Compliance necessarily has far-reaching implications for regular organization operations, such as implementation of password complexity requirements and password rotation schedules, policies for how data must be stored, accessed, transmitted and secured, and whether users are permitted to access work email and data on their personal computers or mobile devices. 

In order to create a comprehensive and evolving policy document customized to your organization's industry, size, resources and IT environment, our team of consultants will leverage the National Institute of Standards and Technology 's Cybersecurity Framework to conduct an in-depth risk-assessment and review your current cybersecurity status for each of the Framework's five core functions: Identify, Protect, Detect, Respond, and Recover. These functions provide a high-level, strategic overview of an organization's cybersecurity risk management lifecycle.

The assessment process will consider data security, physical security, procedural response, disaster recovery preparedness, organizational resilience, and more. The information gathered from this assessment will be reviewed against the regulatory standards set out in the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth, 201 CMR 17.00, as well as other applicable regulatory or contractual standards (e.g., HIPAA, PCI, GLBA) in order to prepare a Written Information Security Program ("WISP") that will serve as your primary compliance policy document. ArcLight will also provide you with technical, process, and security solution recommendations designed to optimize your risk mitigation as your organization grows and evolves. 

After the WISP has been reviewed and accepted by your organization, ArcLight will manage the implementation of the technical safeguards and assist as needed with the implementation of any required management, process or environmental changes. ArcLight will then perform regularly scheduled reviews of your organization's compliance profile and current cybersecurity risks to determine whether new or revised safeguards should be implemented.