Information Security Program Assessment Service (ISPAS)

What do we offer?

NEQ provides you with the comfort of knowing that your Information Security Program is effectively doing what you designed it to do, plus recommendations on critical areas that should be included, based on a comparison with industry standards such as ISO-27001 and the SANS Top 20 Critical Cyber Security Controls.

To assess your program, we leverage the FoRMA Methodology and begin by scoping our services to best fit your needs and interests. We conduct selected assessment services and partner with approved Security Service Providers, and we can even include your recent IT audit and Penetration Tests in our review of your security.

You will receive a comprehensive report that is technical yet clearly explains the strengths, gaps and risks.

Core Business Assets

NEQ will research the key business processes and will identify the corresponding critical systems that support them using a top-down approach. This will be performed using the GAIT-R methodology and discussions with business and IT stakeholders.



NEQ will review the Information Security Policy for alignment to ISO-27001, COBIT, and industry standard policy management practices.


Security Awareness

NEQ will review any existing security awareness efforts, perform a security awareness gap assessment of end-users, provide an overall score, and highlight the weaknesses so you can plan awareness campaigns that mitigate them.


Penetration Testing

NEQ will partner with approved Penetration Testing providers to include their results as part of the ISPAS report.


Core Business Asset Assessment

How well do you know what IT assets are critical to your business?

As part of our service to help you identify your core business assets, NEQ will perform a review of any existing Critical Business Inventory (which may exist for publicly traded companies for SOX compliance) or help you to develop an inventory of IT systems and IT security controls.

When you have security incidents or IT Control failures that affect your internal systems, do you know how they are impacting the business?

Our service will provide you with a validated inventory that includes the following:

  • IT Asset type (server, database, application, system, network, facility)
  • Criticality (may be in the form of disaster response planning availability requirements)
  • Business Value/Impact (in situations where they may be unavailable, exposed, or corrupted)
  • IT Owner (the authority for approving changes and notification of incident response)
  • IT Controls associated with the asset (Change, Access, Identity, Operations, Security)

We leverage the leading GAIT-R top-down methodology to ensure the IT assets are aligned with core business functions.

This will help you prioritize your response to security incidents and improve the reporting of security value to your management.

To request this or another one of our services please

Policy Assessment

Do your security policies and standards affect your business... in a good way? Do they have the clarity, business alignment and management endorsement to enforce needed employee behavior?

NEQ provides an Information Security Policy Assessment service to understand what you need to do to tune your policies, improve their visibility, ensure business alignment and ultimately instill the awareness you need to reduce incidents.

Policies are not always in one place or under the same author, so we help you discover existing corporate policies and standards that are relevant to information security.

You will receive a report that provides:

  • Identification of strengths and weaknesses so your policies can maximize support for your business.
  • Confirmation of appropriate ownership so policies gain management endorsement and become enforceable.
  • Guidance on appropriate goals and expectations for policies and standards vis-à-vis relevant risks and opportunities.
  • Assessment of the pros and cons of the current policies and standards, including analysis against relevant regulatory requirements (e.g., SOX, HIPAA).
  • Gap analysis of where the coverage of current policies and standards may fall short of expectations and what could be added in consideration of ISO-27001 and COBIT.

To request this or another one of our services please

Security Awareness Assessment

End-users face new phishing, malware and social engineering tactics every day. No matter the size of the company, big or small, cyber criminals are finding better ways to hack network databases, extract sensitive information and plunder financial services. Are your employees equipped with the knowledge and reactive habits to deal with the growing trend of phishing and other cyber attacks?

NEQ provides an Information Security Awareness Assessment service that identifies key areas of vulnerability on the end-user side through our custom and tailored security awareness assessment survey.

You will receive:

  • Identification of the strengths and weaknesses of your company’s security awareness posture.
  • Guidance on the best approach for selecting, implementing, monitoring, and tracking security awareness training and improvements for employees.

To request this or another one of our services please

Penetration Testing

Performing a Penetration Test on your infrastructure is the best way to validate your exposures from an attacker's perspective. These tests are part of our FoRMA Duality of Risk model, which confirms the balance of controls necessary to protect your critical IT assets.

NEQ does not perform Penetration Testing itself; it works with Penetration Testing security service providers, who conduct the testing per the scope agreed upon with the client, which may be coordinated through NEQ's ISPAS. The resulting Pen Test details will be included in a cohesive FoRMA report format with the other NEQ services and will be aligned with the respective business risks and supporting security controls.

For further details, view our list of recommended partners