We have dealt with many legal, regulatory, compliance and security requirements and issues. As a CISO, we performed numerous risk assessments and audits, and as an external auditor we have been directly involved in audits and certifications in the following areas: PCI-DSS, HITRUST, HIPAA, EHNAC DTAAP-HISP, SOC2, ISO 27001, CMMC, GLBA. All projects required a deep knowledge of the compliance requirements, as well as leading the efforts from both a project management and management/technical design, review and remediation focus. These projects also involved extensive, regular communications with management, divisions, and outside auditors, as well as regular internal status reports and briefings.

Below are a few examples of compliance project engagements:
ISO/IEC 27001:2013 Certifications and Readiness Assessments

Global Cloud Services Company
Leading Mobile Telematics and Analytics Company
Leading Pharmaceutical Contract Commercial Organization
International Customs Brokerage and Trade Services Firm
Leading International Footwear Company
International Law Firm
- Performed annual ISO 27001 internal audits, set up audit schedules and requirements, prepared status reports and updates.
- Performed an assessment to determine whether the IT security program and business applications meet prudent and regulatory security guidelines as defined in the ISO/IEC 27002 control framework. Developed scoring methodology for objective ratings.
- Performed risk assessments, developed scope and boundaries and Statement of Applicability (SoA) documents, developed required high-level policies, etc.
- Conducted interviews of all business units; performed reviews of technical, architectural design, and policy documents; reviewed controls in place for all systems, applications, physical security controls, and other areas.
- Prepared a comprehensive report of findings to Executive Management; the report included identification of gaps between the current operations and ISO 27001/27002 requirements, defined the risk associated with the gaps, and provided remediation recommendations and methodology.
PCI Certifications and Readiness Assessments

USA Regional Health System operating hospitals, multi-specialty physician practices, home health agencies, home medical equipment stores and retail pharmacies
Large Cable, Data, Entertainment and Broadband Service Provider
Nationwide Provider of Voice, Data, Mobility Solutions and Telecom Consulting Services
Global Cloud Services Company
Leading International Footwear Company
Medical Device Division, Multinational Corporation
- Technical review of entire data and voice networks, including detailed review of firewall, router and switch configurations for PCI compliance.
- Identification of PCI non-compliant firewall rules and required steps for remediation; conference calls with internal company teams to review findings and steps for appropriate remediation.
- Led project management for all technical areas and reviews.
HITRUST, HITECH and EHNAC DTAAP-HISP Certification

Global Cloud Services Company
Market Leader for Disclosure Management and Health Information Exchange
- Led all internal efforts to manage preparation of response documents and exhibits to external auditors.
- Provided project management expertise including weekly progress reports and an executive dashboard for the executive management team.
- Provided management and security guidance to the Security and Risk Management Officer to strengthen internal infrastructure, policies and controls.
CMMC (Cybersecurity Maturity Model Certification)

Global Cloud Services Company

- Led all internal efforts to manage preparation of response documents and exhibits.
- Reviewed controls in place for all systems, applications, physical security controls, and other areas.
GLBA Risk Assessment

Major Mid-Atlantic/East Coast Credit Union
- Performed a complete GLBA risk assessment in order to identify reasonable and foreseeable internal and external threats to member information; assess the likelihood and potential damage of those threats; and assess the sufficiency of the policies, procedures, customer information systems, and other controls in place to mitigate and reduce the identified risks.
- Conducted interviews of all business units; performed reviews of technical, architectural design, and policy documents; reviewed controls in place for all systems, applications, physical security controls, and other areas.
- Prepared a comprehensive report of findings including a risk assessment spreadsheet with risk ratings and mitigation recommendations for all business units, systems, applications and other areas of the organization.
SOC2 Readiness Assessments

Industry Leader in Print, Mail and Marketing Services
Global Cloud Services Company
Company Providing Customs Brokerage, Freight and Transportation, Global Trade Management, and International Trade Consulting
- Performed SOC2 readiness assessments including interviews and determination of the appropriate Trust Services Principles/Criteria.
- Conducted interviews of all business units; performed reviews of technical, architectural design, and policy documents; reviewed controls in place for all systems, applications, physical security controls, and other areas.
- Prepared a comprehensive report of findings including a risk assessment spreadsheet with risk ratings and mitigation recommendations for all business units, systems, applications and other areas of the organization, as well as a gap analysis and recommendations for improvements needed prior to external audit and certification.