Policy Review and Documentation
A policy is a system of guidelines, implemented as a procedure or protocol, to guide decisions and achieve rational outcomes throughout an organization. As part of Stetson’s policy review, we assess the current inventory of policies for existence, completeness, and accuracy in alignment with best practices or regulatory requirements and assist organizations in updating or initially documenting policies to meet all applicable regulatory requirements.
Policies reviewed and/or documented include, but are not limited to:
- Information Security
- Vendor Management
- Disaster Recovery
- Incident Response
- Asset Management
- Data Management
- Access Management
- Change Management
- Vulnerability Management
Cybersecurity Risk Assessment and Gap Analysis
Risk, measured in terms of impact and likelihood, is the possibility of an event occurring that will have negative impact on the achievement of objectives. A Risk Assessment is a systematic process for identifying, evaluating, and prioritizing risks and threats, whether internal or external, facing your organization. Based on the National Institute of Science and Technology’s (NIST) cybersecurity framework, and the Center for Internet Security 18 (CIS18) cybersecurity control categories, Stetson’s risk assessment strategy is to identify threats that could affect the Confidentiality, Integrity, and Availability of systems and data and the Safety of the people, connected devices, and the physical environment. The Gap Analysis will provide management with an assessment of an organization’s cybersecurity policies, procedures, and controls, and their operating effectiveness as well as identifying the gaps required to be remediated to achieve compliance with regulatory requirements. Overall, when complete, each organization will get a better understanding of the capabilities of defenses required to protect against malicious attacks.
To safeguard sensitive national security information, the Department of Defense (DoD) launched the Cybersecurity Maturity Model Certification (CMMC) 2.0, which replaced NIST 800-171 on DoD requirements in late 2020, a comprehensive framework to protect the defense industrial base from increasingly frequent and complex cyberattacks. The CMMC will not allow for self-attestation, and every organization that does business with the DoD will be required to undergo an audit by an authorized auditing entity before bidding on a contract or subcontracting to a prime. By assessing your current policies, procedures, and controls, Stetson can provide recommendations and work with organizations to achieve CMMC compliance.
Information Technology Application Controls (ITAC) Audits
ITACs are responsible for protecting the transactions and data associated with a specific software application, are unique to each application, focus on input, processing, and output functions, ensure the completeness and accuracy of records created by the application, the validity of data entered into those records, and the integrity of data throughout the lifecycle. ITAC audits, or information systems audits, examine the management controls IT infrastructure and business applications. Stetson’s team can perform ITAC audits as stand-alone assessments or in conjunction with internal audit, or other form of attestation engagement.
Information Technology General Controls (ITGC) Audits
ITGCs apply to all systems, components, processes, and data for a given organization or information technology (IT) environment. The objectives of ITGCs are to ensure the proper development and implementation of applications, as well as the integrity of programs, data files, and computer operations. As part of an ITGC audit, Stetson will assess your organization’s controls related to logical access over infrastructure, applications and data, system development life cycle, program change management, data center physical security, system and data backup and recovery, and computer operations.
Regulatory Compliance Audits
A regulatory compliance audit is an independent evaluation to ensure that an organization is following external laws, rules, and regulations or internal guidelines, such as corporate bylaws, controls, and policies and procedures. Compliance audits may determine if an organization is conforming to an agreement, such as when an entity accepts government or other funding. Compliance audits may also review IT and other security issues, compliance with HR laws, quality management systems, and other areas. Our team of professionals will assess the overall effectiveness of your organization’s compliance practices and protocols with cybersecurity regulations such as HIPAA, PCI-DSS, NYS EdLaw 2d and FERPA, and NYSDFS 23 NYCRR 500.
SOC 2 Report Preparation
A SOC 2 Type 2 report is an internal controls report capturing how a company safeguards customer data and how well those controls are operating. Companies that use cloud service providers use SOC 2 reports to assess and address the risks associated with third party technology services. By assessing your current policies, procedures, and controls, Stetson can provide recommendations and work with organizations to achieve SOC 2 Type 2 audit readiness.