Industry Specialties
RESCOR serves organizations in critical-infrastructure industries, from small businesses to enterprises with over $2.8 trillion in combined assets. Every engagement runs on STORM quantitative risk measurement and the RAPID methodology, and is tuned to the regulatory and operational constraints of the sector in question.
Financial Services
GLBA · SOX · FFIEC · PCI DSS
Credit unions to the world's largest commercial banks. Customer-information security, financial-controls reporting, and examination readiness.
Healthcare
HIPAA · HITECH · HITRUST
Risk analysis, security testing of clinical and administrative systems, and ongoing compliance support across the full privacy and security surface.
Electric Utilities
NERC CIP · NERC EOP
Converged IT and operational-technology security for bulk electric systems — SCADA, ICCP, RTU, and control-network segmentation included.
Government
FedRAMP · FISMA · NIST 800-53
Federal, state, and local agency engagements: authorization support, compliance assessment, and risk assessment aligned with NIST 800-30.
Education
FERPA · State student-data laws
Student-records privacy, research-data protection, and security-awareness programs for faculty and staff in primary, secondary, and post-secondary institutions.
Transportation
TSA Cyber Directives · CAP · DOT
Pipeline, rail, and multi-modal operators subject to TSA cyber directives, with the same converged IT and OT security expertise that serves the electric sector.
Nuclear Power
10 CFR 73.54 · NRC · NEI 08-09
The regulatory regime with the highest cybersecurity-assurance bar in civilian infrastructure. Critical digital-asset identification, plan development, and testing.
Technology
SOC 2 · SSDLC · DevSecOps
Product companies that are simultaneously targets of attack and producers of systems that must be secure. SSDLC, cloud architecture, supply-chain review, AI governance.
Financial Services
Regulated financial institutions face strict requirements for customer-information security, financial-controls reporting, and examination readiness. RESCOR has served organizations ranging from local credit unions with less than $10 million in assets to the world's largest commercial banks. Compliance scope typically covers the Gramm-Leach-Bliley Act (customer-information security), Sarbanes-Oxley (financial controls and reporting), FFIEC examination guidance, and PCI DSS for card data.
Typical engagements include StrongCOR subscription support for ongoing SGRC work, STORM-based enterprise risk assessment, security testing across vulnerability, penetration, and application scope, GLBA compliance audit aligned with FFIEC guidelines, vCISO services, and incident response and forensic analysis.
Healthcare
Healthcare organizations face increasing exposure from privacy regulation and data-security compliance obligations, alongside the operational realities of connected clinical systems. RESCOR's healthcare work covers the HIPAA Security Rule (45 CFR § 164.308), HITECH Act breach-notification and enforcement, HITRUST CSF, and Meaningful Use security requirements for electronic health records.
Typical engagements include STORM-based risk analysis for HIPAA compliance (Information System Activity Review), STORM-VM quantitative vulnerability measurement, security testing of clinical and administrative systems, security-awareness training using the Guerilla Security material, BIA and disaster-recovery planning, and ongoing compliance support through StrongCOR. A dedicated healthcare page describes the practice in depth and shows real longitudinal risk measurements from an active engagement.
Electric Utilities
Critical-infrastructure protection in the electric sector requires specialized expertise in both corporate IT and operational-technology environments. Deregulation and market dynamics have increased data sharing between entities, and control networks once isolated are now connected to corporate infrastructure. The regulatory scope is primarily NERC CIP (cyber security for the bulk electric system) and NERC EOP (emergency operations planning).
Traditional SCADA systems relied on security-through-obscurity that no longer holds up once the networks touch anything corporate. RESCOR covers SCADA and DCS server security, ICCP server and communication security, RTU and control-protocol vulnerability review, control-network segmentation and monitoring, operator security-awareness for OT environments, NERC CIP compliance assessment and gap analysis, STORM risk assessment for critical infrastructure, security architecture for converged IT/OT environments, and incident-response planning for control-system environments.
Government
Federal, state, and local government agencies require security programs that meet rigorous standards for protecting citizen data and government information systems. The compliance surface typically spans FedRAMP (for cloud service providers), FISMA, NIST 800-53 security and privacy controls, the NIST Cybersecurity Framework, and state-specific privacy and security regulations where applicable.
Typical engagements include FedRAMP readiness assessment and authorization support, FISMA compliance assessment, STORM risk assessment aligned with NIST 800-30, security testing of government information systems, and security architecture for government cloud environments.
Education
Educational institutions manage sensitive student records and research data that require protection under federal and state regulation. The compliance surface centers on FERPA (student education-records privacy), state-specific student-data-privacy laws, and research-data protection requirements imposed by federal grant agencies.
Typical engagements include FERPA compliance assessment, security testing of student information systems, security-awareness training for faculty and staff, research-data protection program development, and incident-response planning tuned for educational environments.
Transportation
Transportation organizations operate critical infrastructure subject to federal security directives and must protect both information systems and operational technology. The compliance scope typically covers TSA Cybersecurity Directives (pipeline and rail), the Cybersecurity Assessment Program (CAP), and DOT security requirements for specific modes.
Typical engagements include TSA-directive compliance assessment, STORM risk assessment for transportation systems, security architecture for mixed IT/OT environments, and incident-response planning, including cybersecurity-event reporting.
Nuclear Power
Nuclear facilities require the highest level of cybersecurity assurance in civilian infrastructure, with regulatory requirements that reflect the catastrophic potential of a security failure. The compliance scope is primarily 10 CFR 73.54 (cyber security for nuclear facilities), the NRC Regulatory Guides for cybersecurity, and NEI 08-09 as the industry plan template. RAPID itself was first developed in 1992 to serve exactly this sector; the nuclear work is part of RESCOR's founding DNA.
Typical engagements include 10 CFR 73.54 compliance assessment, cybersecurity plan development aligned with NEI 08-09, critical-digital-asset identification and protection, and security testing of nuclear-facility information systems.
Technology
Technology companies face a dual security challenge: they are simultaneously targets of attack and producers of systems that must be secure. RESCOR helps technology organizations build security into their products and protect their own infrastructure.
Typical engagements include SSDLC consulting, application security testing and code review, cloud security architecture on AWS, Azure, and GCP, DevSecOps integration, supply-chain security assessment, SOC 2 readiness and compliance, and AI/ML security and governance — see ATRA for AI applied to risk assessment itself.
Simplified Total Risk Management, STORM, ATRA, StrongCOR, RAPID, and RSK are trademarks of Andrew T. Robinson.