Policy Review and Documentation
A policy is a system of guidelines, implemented as a procedure or protocol, to guide decisions and achieve rational outcomes throughout an organization. As part of Stetson’s policy review, we assess the current inventory of policies for existence, completeness, and accuracy in alignment with best practices or regulatory requirements and assist organizations in updating or initially documenting policies to meet all applicable regulatory requirements.
Policies reviewed and/or documented include, but are not limited to:
- Information Security
- Vendor Management
- Disaster Recovery
- Incident Response
- Asset Management
- Data Management
- Access Management
- Change Management
- Vulnerability Management
Cybersecurity Risk Assessment and Gap Analysis
Risk, measured in terms of impact and likelihood, is the possibility of an event occurring that will have negative impact on the achievement of objectives. A Risk Assessment is a systematic process for identifying, evaluating, and prioritizing risks and threats, whether internal or external, facing your organization. Based on the National Institute of Science and Technology’s (NIST) cybersecurity framework, and the Center for Internet Security 18 (CIS18) cybersecurity control categories, Stetson’s risk assessment strategy is to identify threats that could affect the Confidentiality, Integrity, and Availability of systems and data and the Safety of the people, connected devices, and the physical environment. The Gap Analysis will provide management with an assessment of an organization’s cybersecurity policies, procedures, and controls, and their operating effectiveness as well as identifying the gaps required to be remediated to achieve compliance with regulatory requirements. Overall, when complete, each organization will get a better understanding of the capabilities of defenses required to protect against malicious attacks.
To safeguard sensitive national security information, the Department of Defense (DoD) launched the Cybersecurity Maturity Model Certification (CMMC) 2.0, which replaced NIST 800-171 on DoD requirements in late 2020, a comprehensive framework to protect the defense industrial base from increasingly frequent and complex cyberattacks. The CMMC will not allow for self-attestation, and every organization that does business with the DoD will be required to undergo an audit by an authorized auditing entity before bidding on a contract or subcontracting to a prime. By assessing your current policies, procedures, and controls, Stetson can provide recommendations and work with organizations to achieve CMMC compliance.
Regulatory Compliance Audits
A regulatory compliance audit is an independent evaluation to ensure that an organization is following external laws, rules, and regulations or internal guidelines, such as corporate bylaws, controls, and policies and procedures. Compliance audits may determine if an organization is conforming to an agreement, such as when an entity accepts government or other funding. Compliance audits may also review IT and other security issues, compliance with HR laws, quality management systems, and other areas. Our team of professionals will assess the overall effectiveness of your organization’s compliance practices and protocols with cybersecurity regulations such as HIPAA, PCI-DSS, NYS EdLaw 2d and FERPA, and NYSDFS 23 NYCRR 500.
SOC 2 Report Preparation
A SOC 2 Type 2 report is an internal controls report capturing how a company safeguards customer data and how well those controls are operating. Companies that use cloud service providers use SOC 2 reports to assess and address the risks associated with third party technology services. By assessing your current policies, procedures, and controls, Stetson can provide recommendations and work with organizations to achieve SOC 2 Type 2 audit readiness.