Professional Services
Compass provides services that are independent of daily security operations to help determine if security controls are in place and operating as intended. We offer world-class Penetration Testing services that emulate real-world attack techniques.
Penetration Testing / Vulnerability Assessments
Our Penetration Testing services are performed by world-class experts who have conducted hundreds of penetration tests across critical infrastructure sectors, from government to healthcare to finance.
These services complement an organization's Information Security Vulnerability Scanning, Configuration Management and/or Application Development Program by demonstrating how effectively security controls are (or are not) implemented. Our testing is non-invasive, and our techniques are designed and scoped so that they do not interfere with daily business operations.
We provide detailed, customized reports on the findings, including risk ratings and remediation guidance. We also offer follow-up retesting to validate that findings have been properly mitigated.
We offer a full suite of Pen Testing services including:
- Network level Pen Testing
- Application level Pen Testing
- Database level Pen Testing
- Internal and external-facing Pen Testing
- Cloud-hosted Pen Testing
- Black-box, Gray-box, White-box and Red-Team
Security Control Assessment (SCA)
We perform independent Security Control Assessments (SCA), formerly called Security Testing and Evaluation (ST&E), to determine if security controls are properly documented, in place and operating as intended. They are typically performed by individuals who are not responsible for writing security documentation or performing daily security operations.
Compass's staff are experts in the Federal Information Security Modernization Act (FISMA), OMB guidance and the latest guidance from the National Institute of Standards and Technology (NIST), including the Risk Management Framework (RMF), the NIST Special Publication 800 series (current revisions of SP 800-53, 800-53A and 800-171, among others), and Federal Information Processing Standards (FIPS).
Risk Assessment
Compass helps organizations understand their security risk posture and makes clear recommendations on the remediation activities needed to improve it. We partner with our federal and commercial clients to understand their risk tolerance and to identify where critical IT assets and data reside, so that they can be secured against potential attacks and unauthorized disclosure. We use the NIST Risk Management Framework (RMF) to guide our Risk Assessments.
Security and Privacy Documentation Design
Compass has extensive experience creating security documentation that not only helps organizations become compliant with FISMA and NIST, but also is useful for organizations to continue to enhance and mature their enterprise Information Security Program.
We have built security documentation for large federal agencies from the ground up, ensuring it represents the actual operational environments and that it all works seamlessly together. We have helped hundreds of systems achieve an Authority to Operate (ATO) by creating (or improving):
- System Security Plans (SSPs) using the latest NIST SP 800-53 or 800-171 guidance
- System boundaries and security categorizations using FIPS 199 and 200
- Security policies, procedures, processes and guidance for all 800-53 control families
- Privacy Impact Assessments (PIA), Privacy Threshold Analyses (PTA), System of Records Notices (SORN)
- Contingency Plans and Contingency Plan Testing
- Interconnection Security Agreements (ISA) and Memoranda of Understanding (MOU)
Plan of Action and Milestones (POAM) Management
Compass works with the top GRC tools to help large federal organizations concurrently manage and remediate hundreds of POAMs annually. We capture the details of every POAM and work with the points of contact (POCs) to confirm that remediation has actually occurred, providing guidance as needed or requested. We also support commercial healthcare organizations, large and small, with POAM remediation, using templates and our security expertise to define and carry out remediation activities.
Security Training
The largest source of security risk is usually the people in the organization, including those responsible for implementing its technical, managerial and operational controls. People make mistakes, and a single lapse in judgment, such as clicking a malicious link, can bypass otherwise sound technical controls.
Compass provides our customers with numerous security training options, from enterprise-wide security training tools that track progress and completion to custom-built training classes on a wide variety of topics.
We have built and conducted training for the following:
- Penetration Testing techniques
- Secure application coding
- GRC tool use
- FISMA / Assessment and Authorization (A&A) compliance
- Phishing simulations
- Vulnerability scanning
- DLP tool use
Our training customers range from C-level to ISSO/ISSM to technical engineers to security analysts to general end-users.
Benefits and Outcomes of Engagements
Penetration Testing
Understand how a real-world attacker might try to infiltrate your organization and improve defenses, decreasing the likelihood of a successful attack and limiting the potential impact of one.
Security Control Assessment (SCA)
Receive an unbiased view of how Information Security controls are documented and functioning, along with specific improvement recommendations. Achieve compliance with federal requirements.
Security Training
Improve defenses by building security knowledge across the people in your organization. Give technical staff the knowledge to implement and manage security tools more effectively. Raise security awareness among end-users and reduce the likelihood that they fall for scams or click on malicious links.
Risk Assessments
Learn where the risks are the greatest to your organization and receive clear, prioritized recommendations that will reduce risk over time.
Security Documentation
Ensure security controls are properly documented and reflect operational activities. Improve resiliency by establishing and following repeatable actions and activities consistently across the organization.
POAM Management
Ensure that the organization's weaknesses are identified and understood, and that remediation is properly prioritized and staffed. Demonstrate regular progress by measurably improving the organization's risk posture.
Real World Examples
NIH OCIO Pen Testing
Compass completed 30+ annual Penetration Tests covering every NIH Institute / Center (IC). Tests were network- and system/application-focused, and included testing of critical and high-value assets.
CPSC Security Control Assessments
Compass completed SCAs on every CPSC IT system (General Support Systems and Major Applications), helping CPSC obtain an Authority to Operate (ATO) for each.
Please contact us to discuss your security controls and assess your vulnerability against cyber threats.