
Dan Tuuri, CISA, CISSP, GIAC-SSAP
989-278-8450 | dan@tuuri.us

In 2009 I founded Computer Security Team, LLC, which is now SecAud. At the time, a local manufacturer had reached out to me: their largest customer had started requiring the supplier to conduct an annual security assessment and review as part of the customer's own SOX compliance. I engaged with the group to perform a full security review and checklist, an assessment of policies and procedures, a physical penetration test, vulnerability scanning, and several scenario tabletop discussions.

I took pride in delivering a high-quality product at an affordable price. Quotes from larger audit and security firms for this work ran to tens of thousands of dollars. I was able to execute the work for one quarter of what the big firms wanted to charge.

Today the story is the same as the engagement that started the organization. Organizations are doing business with publicly traded companies or government entities, or may be confronted with technology self-study questionnaires for their banking, credit card, or insurance renewals. There isn't a choice of whether or not to comply; it simply needs to be done.

The choice businesses do have though is the partner that they engage with to perform this work.

Alphabet Soup is Confusing

With the string of phrases, standards numbers, and acronyms, you might not know where to start. Having an experienced guide to help you navigate can make all of the difference.

I hold numerous IT certifications, including the Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP), and SANS Security Awareness Professional (SSAP). I have a Master's in Information Systems Management and am pursuing a second Master's in Cyber Defense. In addition, I have completed multiple trainings and coursework in auditing and NIST standards, and I remain abreast of the latest developments surrounding compliance and regulations.

Take a look at some of the services I offer at the right. If there is something I can help you with, I'd be honored to learn more about your scope and provide a timeline and quote. Note: I am not a CPA or QSA, so while I can help you prepare for SOC, SOC 2, and PCI-DSS assessments, I am unable to provide a formal compliance statement or opinion.

You may notice my website is simple. I am a proud home-based business. I emphasize value and am not seeking to compete with large enterprise firms.

My business value statements are simple:
Action > Words
Honesty > Flattery
Impact > Value
Tenacity > Laurels

SECURITY AUDITS

Security audits are a critical component of any robust cybersecurity strategy, providing a thorough examination of an organization's information systems, policies, and procedures. All IT security audits are conducted following guidelines from ISACA and other industry standards to identify vulnerabilities, ensure compliance, and assess the effectiveness of security controls. Through both internal and external assessments, we evaluate your organization's defenses against potential threats and recommend actionable steps to enhance your security posture. This process not only helps mitigate risks but also demonstrates a commitment to maintaining the highest level of data protection and compliance. In full disclosure, not all artifacts or programs are available, and I am not a CPA. It is important to discuss the full scope of your need prior to engagement.

ASSESSMENTS

Assessments are foundational to understanding the current state of an organization's cybersecurity posture. The comprehensive security assessments we deliver encompass vulnerability assessments, penetration testing, and risk assessments, aligned with frameworks like NIST, CMMC, PCI DSS, and ISO 27001. By systematically identifying weaknesses in your IT environment, our assessments help prioritize risks based on potential impact, providing clear, strategic recommendations for improvement. These assessments are crucial for organizations looking to enhance their security measures, achieve compliance, and protect their critical assets from evolving cyber threats. Deliverables include an actionable risk register and findings that prioritize the most critical areas for you to remediate.

AWARENESS

Security awareness is essential to creating a resilient organizational culture that understands and responds to cybersecurity threats. The majority of cyber incidents can be traced back to user error or action, not a failure of technical controls or safeguards. A robust awareness program is designed to educate employees about the latest threats, safe online practices, and the importance of data protection. By fostering a culture of security mindfulness, the risk of human error is mitigated. Customized training sessions, workshops, tailored phishing scenarios, and simulation packages are designed to address the unique and specific needs of your business. With an understanding of industry challenges and regulatory requirements, the program ensures that all staff members are prepared to recognize and respond to potential threats.

POLICIES

Developing and maintaining effective security policies is crucial for guiding an organization's approach to managing and protecting its information assets. Policy review engagements are not simply a cookie-cutter application of existing language; they rely on expertise and resources in the creation, review, and enhancement of IT security policies that align with regulatory requirements and industry standards such as ISO 27001 and COBIT. By establishing clear policies, organizations can define acceptable behaviors, enforce compliance, and create a structured framework for risk management. These policies serve as the foundation for a strong security posture and help safeguard against breaches, data loss, and other cyber threats. As a SHRM-CP certified Human Resources professional, I have the experience to ensure that IT security policies support, not hinder, your organization.

CHANGE

In the dynamic field of cybersecurity, change management is vital for maintaining secure and stable IT environments. Change management services ensure that all modifications to your IT infrastructure are planned, tested, and implemented securely, minimizing the risk of introducing vulnerabilities. As a Prosci Certified Change Practitioner, I am able to apply the ADKAR methodology to ensure value is recognized by the organization and that change adoption is successful. I am a certified Project Management Professional (PMP) and have held the ITIL Foundations certification for nearly twenty years. Ensuring change management controls are in place to manage changes effectively is critical. I protect your organization by modeling processes for updates, patches, and system upgrades that do not compromise security or compliance. Through a controlled change control process, I help organizations adapt to new technologies and evolving threats while protecting critical assets.

RESOURCES

The three sites below are trusted resources that can help your small business improve your security baseline:

STANDARDS

Ensuring your organization is aligned with established best practices is critical. These are some of the frameworks I have utilized: