The OGO Blog

What Does OGO’s CISOaaS Engagement Look Like?

With the Ongoing Operations Chief Information Security Officer as a Service (CISOaaS), you gain all the benefits of having a C-level security employee on your team, but without the overhead.

But what does our CISOaaS solution look like? What can credit unions expect on a weekly, monthly, quarterly, and annual basis?

This is what our fractional CISO engagement looks like:

Overview Summary

The first thing we do is work with you to understand how and why your processes are the way they are. Then, we look for ways to improve your security posture while reducing the overall cost and burden of regulatory compliance. We can assess:

  • Financial, reputational, and regulatory risk exposure to data loss
  • Comparative risk to similar peer organizations
  • Risk assessment and risk profile of third parties
  • Alignment with security best practice and protection against known threats
  • Protection against emerging threats (e.g. social networking, crimeware, advanced persistent threats)
  • Scope of exposure to regulations such as the Data Protection Act, Financial Services Authority, and Payment Card Industry Data Security Standard
  • Where your data resides and why it needs protecting

To do this, we take a data-centric approach, analyzing data flows, repositories, people, processes, and third parties to ensure that your security program has a solid grounding.

After the initial assessment, we provide a report to serve as a baseline. This enables you to de-scope, re-architect, and reduce exposure before proceeding.

Ongoing Operations’ CISO consultants are highly experienced, with extensive senior- and CISO-level experience already under their belts. Your CISO will help you with access to resources that you could not afford to maintain on a full-time basis, keeping you ahead of the game.

Implementation and Scope

Ongoing Operations follows a loose guideline on how to proceed with each credit union. In our experience, the engagement often fits the following timeline.

Phase I: Assessment (60 Days)

During the assessment phase, Ongoing Operations will perform an onsite assessment to review all of the existing tools, techniques, policies, etc. that the credit union currently uses to administer its cybersecurity program. Each component is reviewed and benchmarked against industry-leading solutions. In addition, the credit union will be reviewed against FFIEC best practices.

OGO Workload: This phase requires approximately 4 onsite engagements and 160 hours of labor.

CU Workload: This phase requires approximately 4 onsite engagements and 20 hours of labor from the CU to provide access and information.

Phase II: Gap Analysis & Strategy (30 Days)

Upon completion of Phase I, we generate a gap analysis and heat map that allows the credit union to visualize the status of their IT security program. This offers a quick comparison of internal goals, FFIEC/NCUA requirements, and industry standards. During this phase, we develop a comprehensive project plan and strategy to govern the credit union’s IT security program for the next 3–5 years.

OGO Workload: This phase requires approximately 3 onsite engagements and 100 hours of labor.

CU Workload: This phase requires approximately 3 onsite engagements and 15 hours of labor from the CU to provide guidance and feedback.

Phase III: Tool Alignment & Installation (90 Days)

In Phase III, Ongoing Operations will begin executing the specific prioritized action items and strategy from Phase II. In general, we seek to align tools, policies, procedures, and techniques with Ongoing Operations’ best practices. The goal of this phase is to create significant oversight and management, thus providing direct and noticeable efficiency gains once fully deployed. Through this efficiency, Ongoing Operations can then offer breadth and depth of tools, data, and reporting to match the FFIEC requirements.

OGO Workload: This phase requires approximately 15–20 remote project management engagements and 300 hours of labor.

CU Workload: This phase requires participation in 15–20 remote project management engagements. We will also develop an estimate of the CU workload based on the tools to be replaced and installed.

Phase IV: Reassessment (30 Days)

Upon completion of Phase III, Ongoing Operations will need approximately 30 days to normalize tools, techniques, and data gathering. Upon completion, we conduct a reassessment to determine the success of the implementation phase. Any additional gaps are documented, and we create a plan of action to be delivered to the credit union.

Continual Maintenance

Once the full complement of tools is delivered, installed, and configured, we enter the fifth and final phase of continual maintenance. Here, we establish lifecycle and review processes with the CU that look something like the following:


  • Threat review and critical issues updates


  • Trend analysis
  • Review of upcoming moves, adds, and changes
  • SLA review
  • Heat map and metric review
  • Policy review (once per month)


  • Threat review
  • FFIEC change review
  • NCUA audit discussion
  • Strategic goal review
  • Performance on key metrics


  • NCUA audit prep and review
  • Strategy review
  • Yearly performance trends
