
Compliance Services

-- Providing executive and technical leadership for various compliance and regulatory areas.


We have dealt with many legal, regulatory, compliance and security requirements and issues. As a CISO, we performed numerous risk assessments and audits, and as an external auditor we have been directly involved in audits and certifications in the following areas: PCI-DSS, HITRUST, HIPAA, EHNAC DTAAP-HISP, SOC2, ISO 27001, CMMC, GLBA.

All projects required a deep knowledge of the compliance requirements, as well as leading the efforts from both a project management and a management/technical design, review and remediation focus. These projects also involved extensive, regular communications with management, divisions, and outside auditors, as well as regular internal status reports and briefings.

Below are a few examples of compliance project engagements:

ISO/IEC 27001:2013 Certifications and Readiness Assessments

Global Cloud Services Company

Leading Mobile Telematics and Analytics Company

Leading Pharmaceutical Contract Commercial Organization

International Customs Brokerage and Trade Services Firm

Leading International Footwear Company

International Law Firm


  • Performed annual ISO 27001 internal audits, set up audit schedules and requirements, prepared status reports and updates.
  • Performed an assessment to determine whether the IT security program and business applications meet prudent and regulatory security guidelines as defined in the ISO/IEC 27002 control framework. Developed a scoring methodology for objective ratings.
  • Performed risk assessments, developed scope and boundaries and Statement of Applicability (SoA) documents, developed required high-level policies, etc.
  • Conducted interviews of all business units; performed reviews of technical, architectural design, and Policy documents; reviewed controls in place for all systems, applications, physical security controls, and other areas.
  • Prepared a comprehensive report of findings for Executive Management; the report identified gaps between current operations and ISO 27001/27002 requirements, defined the risk associated with each gap, and provided remediation recommendations and methodology.


PCI Certifications and Readiness Assessments

U.S. regional health system operating hospitals, multi-specialty physician practices, home health agencies, home medical equipment stores and retail pharmacies

Large Cable, Data, Entertainment and Broadband Service Provider

Nationwide Provider of Voice, Data, Mobility Solutions and Telecom Consulting Services

Global Cloud Services Company

Leading International Footwear Company

Medical Device Division, Multinational Corporation


  • Technical review of entire data and voice networks, including detailed review of firewall, router and switch configurations for PCI compliance.
  • Identified PCI non-compliant firewall rules and the steps required for remediation; held conference calls with internal company teams to review findings and agree on appropriate remediation steps.
  • Led project management for all technical areas and reviews.


HITRUST, HITECH and EHNAC DTAAP-HISP Certification

Global Cloud Services Company

Market Leader for Disclosure Management and Health Information Exchange


  • Led all internal efforts to manage preparation of response documents and exhibits to external auditors.
  • Provided project management expertise including weekly progress reports and executive dashboard for executive management team.
  • Provided management and security guidance to Security and Risk Management Officer to strengthen internal infrastructure, policies and controls.


CMMC (Cybersecurity Maturity Model Certification)

Global Cloud Services Company


  • Led all internal efforts to manage preparation of response documents and exhibits.
  • Reviewed controls in place for all systems, applications, physical security controls, and other areas.


GLBA Risk Assessment

Major Mid-Atlantic/East Coast Credit Union


  • Performed a complete GLBA risk assessment in order to identify reasonable and foreseeable internal and external threats to member information; assess the likelihood and potential damage of those threats; and assess the sufficiency of the policies, procedures, customer information systems, and other controls in place to mitigate and reduce the identified risks.
  • Conducted interviews of all business units; performed reviews of technical, architectural design, and Policy documents; reviewed controls in place for all systems, applications, physical security controls, and other areas.
  • Prepared a comprehensive report of findings including a risk assessment spreadsheet with risk ratings and mitigation recommendations for all business units, systems, applications and other areas of the organization.


SOC2 Readiness Assessments

Industry leader in Print, Mail and Marketing Services

Global Cloud Services Company

Company Providing Customs Brokerage, Freight And Transportation, Global Trade Management, And International Trade Consulting


  • Performed SOC2 readiness assessments including interviews and determination of the appropriate Trust Services Principles/Criteria.
  • Conducted interviews of all business units; performed reviews of technical, architectural design, and Policy documents; reviewed controls in place for all systems, applications, physical security controls, and other areas.
  • Prepared a comprehensive report of findings including a risk assessment spreadsheet with risk ratings and mitigation recommendations for all business units, systems, applications and other areas of the organization, as well as a gap analysis and recommendations for improvements needed prior to external audit and certification.