Compliance Services -- Providing executive and technical leadership for various compliance and regulatory areas.
We have dealt with many legal, regulatory, compliance and security requirements and issues. In the CISO role we have performed numerous risk assessments and audits, and as an external auditor we have been directly involved in audits and certifications in the following areas: PCI-DSS, HITRUST, HIPAA, EHNAC DTAAP-HISP, SOC2, ISO 27001, CMMC and GLBA. All projects required a deep knowledge of the compliance requirements, as well as leading the efforts from both a project management focus and a management/technical design, review and remediation focus. These projects also involved extensive, regular communications with management, divisions and outside auditors, as well as regular internal status reports and briefings.

Below are a few examples of compliance project engagements:

ISO/IEC 27001:2013 Certifications and Readiness Assessments
- Performed annual ISO 27001 internal audits; set up audit schedules and requirements; prepared status reports and updates.
- Performed an assessment to determine whether the IT security program and business applications meet prudent and regulatory security guidelines as defined in the ISO/IEC 27002 control framework. Developed a scoring methodology for objective ratings.
- Performed risk assessments; developed scope and boundary definitions and Statement of Applicability (SoA) documents; developed required high-level policies, etc.
- Conducted interviews of all business units; performed reviews of technical, architectural design and policy documents; reviewed controls in place for all systems, applications, physical security controls and other areas.
- Prepared a comprehensive report of findings for Executive Management; the report identified gaps between current operations and ISO 27001/27002 requirements, defined the risk associated with each gap, and provided remediation recommendations and methodology.

PCI Certifications and Readiness Assessments
- Technical review of the entire data and voice networks, including detailed review of firewall, router and switch configurations for PCI compliance.
- Identification of PCI non-compliant firewall rules and the steps required for remediation; conference calls with internal company teams to review findings and the steps for appropriate remediation.
- Led project management for all technical areas and reviews.

HITRUST, HITECH and EHNAC DTAAP-HISP Certification
- Led all internal efforts to manage preparation of response documents and exhibits for external auditors.
- Provided project management expertise, including weekly progress reports and an executive dashboard for the executive management team.
- Provided management and security guidance to the Security and Risk Management Officer to strengthen internal infrastructure, policies and controls.

CMMC (Cybersecurity Maturity Model Certification)
- Led all internal efforts to manage preparation of response documents and exhibits.
- Reviewed controls in place for all systems, applications, physical security controls and other areas.

GLBA Risk Assessment
- Performed a complete GLBA risk assessment in order to identify reasonable and foreseeable internal and external threats to member information; assess the likelihood and potential damage of those threats; and assess the sufficiency of the policies, procedures, customer information systems and other controls in place to mitigate and reduce the identified risks.
- Conducted interviews of all business units; performed reviews of technical, architectural design and policy documents; reviewed controls in place for all systems, applications, physical security controls and other areas.
- Prepared a comprehensive report of findings, including a risk assessment spreadsheet with risk ratings and mitigation recommendations for all business units, systems, applications and other areas of the organization.

SOC2 Readiness Assessments
- Performed SOC2 readiness assessments, including interviews and determination of the appropriate Trust Services Principles/Criteria.
- Conducted interviews of all business units; performed reviews of technical, architectural design and policy documents; reviewed controls in place for all systems, applications, physical security controls and other areas.
- Prepared a comprehensive report of findings, including a risk assessment spreadsheet with risk ratings and mitigation recommendations for all business units, systems, applications and other areas of the organization, as well as a gap analysis and recommendations for improvements needed prior to external audit and certification.