Advanced Information Solutions, Inc.
Compliance Services
Providing executive and technical leadership for various compliance and regulatory areas
We have dealt with many legal, regulatory, compliance and security requirements and issues. In the CISO role we have performed numerous risk assessments and audits, and as external auditors we have been directly involved in audits and certifications in the following areas: PCI-DSS, HITRUST, HIPAA, EHNAC DTAAP-HISP, SOC2, ISO 27001, CMMC, GLBA.
All projects required deep knowledge of the compliance requirements, as well as leading the effort from both a project-management perspective and a management/technical perspective covering design, review and remediation. These projects also involved extensive, regular communication with management, divisions and outside auditors, as well as regular internal status reports and briefings.
Below are a few examples of compliance project engagements:
ISO/IEC 27001:2013 Certifications and Readiness Assessments
Performed annual ISO 27001 internal audits, set up audit schedules and requirements, prepared status reports and updates.
Performed an assessment to determine whether the IT security program and business applications meet prudent and regulatory security guidelines as defined in the ISO/IEC 27002 control framework. Developed a scoring methodology for objective ratings.
Performed risk assessments, developed scope and boundaries and Statement of Applicability (SoA) documents, developed required high-level policies, etc.
Conducted interviews of all business units; performed reviews of technical, architectural design and policy documents; reviewed controls in place for all systems, applications, physical security controls and other areas.
Prepared a comprehensive report of findings for Executive Management; the report identified gaps between current operations and ISO 27001/27002 requirements, defined the risk associated with each gap, and provided remediation recommendations and methodology.
PCI Certifications and Readiness Assessments
Performed a technical review of the entire data and voice networks, including a detailed review of firewall, router and switch configurations for PCI compliance.
Identified PCI non-compliant firewall rules and the steps required for remediation; held conference calls with internal company teams to review findings and agree on appropriate remediation steps.
Led project management for all technical areas and reviews.
HITRUST, HITECH and EHNAC DTAAP-HISP Certification
Led all internal efforts to manage preparation of response documents and exhibits to external auditors.
Provided project management expertise including weekly progress reports and executive dashboard for executive management team.
Provided management and security guidance to Security and Risk Management Officer to strengthen internal infrastructure, policies and controls.
CMMC (Cybersecurity Maturity Model Certification)
Led all internal efforts to manage preparation of response documents and exhibits.
Reviewed controls in place for all systems, applications, physical security controls, and other areas.
GLBA Risk Assessment
Performed a complete GLBA risk assessment in order to identify reasonable and foreseeable internal and external threats to member information; assess the likelihood and potential damage of those threats; and assess the sufficiency of the policies, procedures, customer information systems, and other controls in place to mitigate and reduce the identified risks.
Conducted interviews of all business units; performed reviews of technical, architectural design and policy documents; reviewed controls in place for all systems, applications, physical security controls and other areas.
Prepared a comprehensive report of findings including a risk assessment spreadsheet with risk ratings and mitigation recommendations for all business units, systems, applications and other areas of the organization.
SOC2 Readiness Assessments
Performed SOC2 readiness assessments including interviews and determination of the appropriate Trust Services Principles/Criteria.
Conducted interviews of all business units; performed reviews of technical, architectural design and policy documents; reviewed controls in place for all systems, applications, physical security controls and other areas.
Prepared a comprehensive report of findings including a risk assessment spreadsheet with risk ratings and mitigation recommendations for all business units, systems, applications and other areas of the organization, as well as a gap analysis and recommendations for improvements needed prior to external audit and certification.