Gap Analysis & Risk Assessments
Risk management is the practice of anticipating and managing the risks that could keep an organization from reliably achieving its objectives under uncertainty. Starting from the internal controls an organization already has in place, Stetson works with the organization to perform a gap analysis and risk assessment that identifies the priorities, constraints, risk tolerances, and assumptions it has established and relies on to support operational risk decisions.
A gap analysis compares an organization's current policies, procedures, and controls against the requirements of a regulation or framework. Stetson performs cybersecurity, information security, and data protection gap analyses against frameworks such as the NIST Cybersecurity Framework (CSF), NIST SP 800-53, NIST SP 800-171, NIST SP 800-172, the CIS Critical Security Controls (CIS 18), PCI DSS, HITRUST, NJ MEL, and the soon-to-be-enforced U.S. Department of Defense CMMC. The result gives the organization a clear picture of which controls exist, whether they operate effectively, and which gaps must be remediated to achieve compliance with the applicable requirements.
Cybersecurity Risk Assessments
A cybersecurity risk assessment is a systematic process for identifying, evaluating, and prioritizing the internal and external risks and threats facing an organization. It helps the organization understand the cyber risks to its operations (e.g., mission, functions, critical services, image, and reputation), its assets, and the individuals it serves. Risk, measured in terms of impact and likelihood, is the possibility that an event will occur and negatively affect the achievement of objectives. Using the results of the gap analysis and the missing controls it identifies, Stetson assesses the threats that could affect the confidentiality, integrity, and availability of systems and data, as well as the safety of people, connected devices, and the physical environment. When the assessment is complete, the organization has a clearer understanding of the defensive capabilities it needs to protect against malicious attacks, a ranked list of its risks, and a prioritized set of next steps.
CISA Cyber Resilience Review Assessment
The Cybersecurity and Infrastructure Security Agency (CISA) Assessment Evaluation and Standardization (AES) Program qualifies individuals to conduct CISA assessments in support of securing the Nation's physical and cyber infrastructure against threats. Stetson's professionals are qualified under the AES Program to conduct CISA-standard assessments, including the Cyber Resilience Review (CRR), to evaluate an organization's operational resilience and cybersecurity practices.
Fraud Risk Assessments
In conjunction with cybersecurity risk assessments, Stetson can also use the Association of Certified Fraud Examiners (ACFE) Fraud Risk Assessment tool to identify and address an organization's vulnerabilities to internal fraud. Stetson then uses the results to help the organization identify its fraud risks and develop a fraud risk response.
SOC 2 Type 2 Report Preparation
A SOC 2 Type 2 report, issued by a qualified CPA firm, is an independent audit report on the information security controls an organization uses to safeguard customer data and on how effectively those controls operated over the audit period (a Type 1 report, by contrast, covers only the design of the controls at a point in time). Organizations that rely on cloud and other third-party technology services use SOC 2 reports to assess and address the risks those services introduce. By assessing your current policies, procedures, and controls, Stetson can provide recommendations and work with your organization to achieve SOC 2 Type 2 audit readiness.
U.S. Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) Preparation
To safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), DoD launched CMMC 2.0, a comprehensive framework to protect the defense industrial base (DIB) from increasingly frequent and complex cyberattacks. CMMC 2.0 limits self-assessment to Level 1 and to a subset of Level 2 contracts; contractors handling more sensitive CUI must pass an assessment by an authorized CMMC Third-Party Assessment Organization (C3PAO) at Level 2, or a government-led assessment at Level 3, before contract award, and subcontractors must meet the CMMC level flowed down by their prime. By assessing your current policies, procedures, and controls, Stetson can provide recommendations and work with your organization to achieve CMMC 2.0 compliance.