Cybersecurity Risk Assessments

Risk management is predicting and managing risks that could hinder the organization from reliably achieving its objectives under uncertainty. Based on an organization’s structure of internal controls in place, Stetson works with the organization to perform a gap analysis and risk assessment to identify the priorities, constraints, risk tolerances, and assumptions established and used to support operational risk decisions.

A cybersecurity risk assessment is a systematic process for identifying, evaluating, and prioritizing risks and threats, whether internal or external, facing your organization and assists organizations in understanding the cyber risks to their operations (e.g., mission, functions, critical service, image, reputation), organizational assets, and individuals. Risk, measured in terms of impact and likelihood, is the possibility of an event occurring that will have negative impact on the achievement of objectives. Stetson will identify cybersecurity / information security risk based on the results of the gap analysis and missing controls to assess threats that could affect the Confidentiality, Integrity, and Availability of systems and data and the Safety of the people, connected devices, and the physical environment. Overall, when complete, each organization will get a better understanding of the capabilities of defenses required to protect against malicious attacks. In addition, organizations will identify, rank the risks, and prioritize next steps.

A Gap Analysis involves the comparison of actual performance with potential or desired performance of a regulation or framework. Stetson performs cybersecurity / information security / data protection gap analysis based on frameworks such as NIST CSF, NIST 800-53, NIST 800-71, NIST 800-72, CIS18, PCI DSS, HITRUST, NJ MEL, and the soon to be enforced U.S. Department of Defense CMMC to provide organizations with a better understanding of existing cybersecurity policies, procedures, and controls, operating effectiveness as well as identifying the gaps required to be remediated to achieve compliance with regulatory requirements.

‍

Employee CISA Resilience Review Assessment

The Assessment Evaluation and Standardization (AES) Program qualifies individuals to conduct Cybersecurity and Infrastructure Security Agency (CISA) assessments in the active engagement of securing the Nation's physical and cyber infrastructure against threats. Stetson’s professionals are qualified to conduct CISA standard Cyber Risk Assessments to evaluate operational resilience and cybersecurity practices.

Employee Benefits Security Administration U.S. Department of Labor (DOL) Cybersecurity Program Assessment

ERISA-covered plans often hold millions of dollars or more in assets and maintain personal data on participants, which can make them tempting targets for cyber-criminals.  Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks. The Employee Benefits Security Administration has prepared the best practices for use by recordkeepers and other service providers responsible for plan-related IT systems and data, and for plan fiduciaries making prudent decisions on the service providers they should hire. Stetson works with your organizations to achieve compliance, identify risks, and enhance the overall cybersecurity program of the organization.

Fraud Risk Assessments

In conjunction with cybersecurity risk assessments, Stetson can also use the Association for Certified Fraud Examiner’s (ACFE) Fraud Risk Assessment tool to identify and address organization’s vulnerabilities to internal fraud. Stetson then uses the results to assist organizations in identifying fraud risks and developing a fraud risk response.

HIPAA Risk Assessment and Compliance Preparation

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 establishes federal standards protecting sensitive health information from disclosure without patient's consent. The US Department of Health and Human Services issued the HIPAA Privacy Rule to implement HIPAA requirements. The HIPAA Security Rule protects specific information cover the Privacy Rule. Stetson works with your organization to assess current state, identify gaps, and assist meeting HIPAA compliance requirements for BOTH the Privacy and Security Rules.

PCI-DSS Risk Assessment, Gap Analysis, and Compliance Preparation

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. It was created by the Payment Card Industry Security Standards Council (PCI SSC) to enhance cardholder data security and reduce credit card fraud Validation of compliance is performed annually or quarterly with a method suited to the volume of transactions. Stetson works with your organization to assess current state, identify gaps, and assist meeting requirements.

SOC2 Type 2 Report Preparation

A SOC2 Type 2 report, performed by a qualified CPA firm, is an information security internal controls audit report capturing how an organization safeguards customer data and how well those controls are operating as well as cloud security. Organizations that use cloud service providers use SOC2 reports to assess and address the risks associated with third-party technology services. By assessing your current policies, procedures, and controls, Stetson can provide recommendations and work with organizations to achieve SOC2 Type 2 audit readiness.

‍

U.S. Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) Preparation

To safeguard sensitive national security information, DoD launched CMMC 2.0, a comprehensive framework to protect the defense industrial base (DIB) from increasingly frequent and complex cyberattacks. CMMC will not allow for self-attestation, and every organization that does business with the DoD will be required to undergo an audit by an authorized auditing entity before bidding on a contract or subcontracting to a prime. By assessing your current policies, procedures, and controls, Stetson can provide recommendations and work with organizations to achieve CMMC 2.0 Level 1 compliance and enhance the overall cybersecurity program of the organization.