Cymbel offers a broad range of security and compliance oriented services based on a simple but effective four-step process – Assessment, Policy Development, Policy Implementation, Re-assessment – ADIR. Cymbel sees this process as analogous to Ready, Aim, Fire. In other words, you cannot develop policy in a vacuum. You must understand what is actually happening in your organization before you can develop a plan.

Assessment

Cymbel uses an enhanced version of the SANS Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines (20CC) as an overall framework for evaluating an organization’s Information Security posture.

In order to gain as complete a picture as possible, Cymbel has developed a three-phase Visibility process which provides a Security Gap Analysis. You do not have to commit to all three phases. Rather, you can select the parts that are most relevant to your organization’s situation.

Phase 1 – Questionnaire

Cymbel’s questionnaire is based on an enhanced version of the SANS 20CC.

Phase 2 – Visibility Testing

These are a series of single- or multi-day engagements where one or more tools can be used to provide visibility in areas that are currently of concern. Here are some examples:

  • Device and Software Discovery
  • Vulnerability Assessment
  • Penetration Testing
  • Threat Analysis of users’ web browsing and web application usage
  • Users’ Internal Activity Monitoring
  • Configuration Drift Analysis

Phase 3 – SANS 20CC Metric Tests

Each of the SANS 20CC Controls has a series of tests that can be conducted to ensure that the appropriate defenses are in place.

Policy Development

The next step is to develop policies to mitigate the security/compliance gaps that have been discovered. Additional tasks associated with the Policy process include:

  • Deciding which currently installed controls need to be replaced
  • Deciding which new controls need to be deployed
  • Developing the specific policies associated with a control

Policy Implementation

Once Policies are decided, then the Controls can be implemented and deployed.

Re-assessment

After the Controls are implemented, their effectiveness must be assessed.

Cymbel’s overall Approach to Information Security is based on two key points. First, due to changes in business needs, technology, threats, compliance requirements, and the economy, organizations must rethink defense-in-depth. Second, the SANS Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines (20CC) provides a basis for managing IT Security and Compliance.

One of the strong points of 20CC is that it documents one or more “Tests” to assess the effectiveness of each recommended Control. Cymbel can assist you in performing these control assessment tests.

Links to Explore

Cymbel’s Services: Secure Network Engineering, Penetration Testing, Incident Response Capability, Data Recovery Capability, Security Training.