IT Risk, Cybersecurity & Privacy Services

IT RISK, CYBERSECURITY & PRIVACY SERVICES

IT Risk, Cybersecurity & Privacy Business Risk and Maturity Assessment

• SCORE Report

• Cybersecurity & Privacy Business Risk and Maturity Assessment

• IT Risk Assessment

Threat and Vulnerability Management

• External and Internal Network Attack and Penetration Testing

• Spear Phishing Campaign

• Physical Security Assessment

• Wireless Network Security Assessment

• Server Security Assessment

• Web Application Security Assessment

• Network Device Configuration Reviews

Incident Breach Preparedness and Response

• Incident Response Preparedness

• CyberSecure Incident Response and Forensics

Compliance and Frameworks

• Cyber Compliance Services

 PCI, HIPAA, GDPR, NIST, GLBA, CMMC

• Third-Party Assurance

 SSAE18 (SOC 1, 2, 3, Cybersecurity)

Data Mapping and Other Data Services

• Data Mapping

• Database Creation and Other Data Services

• Data Analytics

IT Risk and Cybersecurity Programs

• Virtual Chief Information Security Officer (vCISO)

• IT Policy and Procedure Development

• Third-Party Risk Management

• Disaster Recovery / BCP

• IT / Cybersecurity Due Diligence

Business walks a fine line between risk and reward. This set of services helps you manage uncertainty around IT Risk, Cybersecurity, and Privacy, so you can focus on what counts

– your business. Let us help you stay OnTRAC!

Internal Audit (Outsourced, Co-Sourced, Staff Augmentation

• Operational

• IT Internal Audit

• Regulatory

• Financial

• Quality Assurance Improvement Program (QAIP)

RISK ADVISORY

SOX 404 Compliance

 Full Outsourced

 Co-Sourced

 Staff Augmentation

Third Party Assurance

• SSAE 18

 SOC 1

 SOC 2

 SOC 3

• Cyber Attest

Risk Management

• Enterprise Risk Management

• Operational Resilience

• Business Process / Internal Control

Due Diligence

• Internal Control

• Information Technology

• Cybersecurity

Audit and Professional Services Firm Support

• External and Internal Audit Support Staff

Augmentation

• Advisory and Consulting Staff

Augmentation

• Subject Matter Specialists

Business walks a fine line between risk and reward. Our Risk Advisory services help you manage uncertainty around Risk, Internal Audit, SOX, and Compliance, so you can focus on what counts – your business. Let us help you stay OnTRAC!

High-Level Cybersecurity Risk Assessment

Understand your exposure to a cyberattack before it happens with our Security, Compliance, and Operations Risk Evaluation (SCORE) Report. This high-level risk assessment is designed for small to mid-sized companies and evaluates several key areas of your company’s technology and compliance environment, including IT operations, physical and logical security, mobile devices recovery, network security, online security, data privacy and security compliance, and system and hardware controls.

Knowing where your most significant risks exists, so you can create and implement solutions to protect your company and your data, is the first step. Through interviews with key members of your IT and management team, the SCORE Report will provide you a de facto roadmap, prioritizing your most significant areas of concern and providing a remediation plan which is designed to be easily understood by executive management and your IT team alike.

KEY COMPONENTS

• Have you evaluated your company’s cybersecurity risk level?

• Do you know how you are protecting your most critical systems and sensitive data?

• How well is your IT department or outsourced IT provider protecting your business?

• Do you know which cybersecurity regulations apply to your business or industry and are you currently compliant?

• Are you prepared to respond and recover from a cyber incident or breach?

KEY COMPONENTS

• See Action on the left

• Understanding of the impact of a breach and how to better protect the company form a breach.

• Identification of the most critical systems, data, and threats to enable the organization to better protect the key systems and data.

• Creation of a prioritized action plan to address identified risks and a de facto roadmap for remediation and compliance.

THE SCORE REPORT™ DELIVERABLES

3

Recommended Solutions

• Have you evaluated your company’s cybersecurity risk level?

• Do you know how you are protecting your most critical systems and sensitive data?

• How well is your IT department or outsourced IT provider protecting your business?

• Do you know which cybersecurity regulations apply to your business or industry and are you currently compliant?

• Are you prepared to respond and recover from a cyber incident or breach?

Issue Action

• See Action on the left

Impact

• Understanding of the impact of a breach and how to better protect the company form a breach.

• Identification of the most critical systems, data, and threats to enable the organization to better protect the key systems and data.

• Creation of a prioritized action plan to address identified risks and a de facto roadmap for remediation and compliance.

CYBERSECURITY & PRIVACY BUSINESS RISK AND MATURITY SERVICES Index

Overview

1

A Cybersecurity and Privacy Business Risk Assessment will identify and prioritize business risks related to cyber threats that are relevant to the client’s organization. Through interviews with key business and IT stakeholders, critical business processes and information assets, and related cyber threats are identified and assessed.

KEY COMPONENTS

In today’s environment, companies are exposed to mounting risks associated with increased business complexity, technology challenges, the growing regulatory environment, and cybersecurity threats and breaches. Business walks a fine line between risk and reward.

The Cybersecurity and Privacy Business Risk and Maturity will help you understand the impact of a breach, identify your most critical systems and data, understand how mature the organization needs to be from a cybersecurity and privacy perspective to protect those key systems and data, identify gaps, and build a roadmap to target maturity.

KEY COMPONENTS

Maturity Assessment 2

The Cybersecurity and Privacy Maturity Assessment will identify cybersecurity-related gaps and weaknesses across 9 Cybersecurity and Privacy domains and provide observations, recommendations, and roadmaps to improve client’s overall security posture.

Strategy Governance and Management

Identity and Access Management

Third Party Management

Risk, Compliance & Policy Management

Threat Intelligence and Vulnerability Management

Privacy Operations

Security Architecture and Operations

Incident and Crisis Management

Physical and Environmental Security

• How do you better understand the impact of a breach?

• Do you know your most critical systems and data?

• Do you know your key cybersecurity threats?

• How mature should the company be with Cybersecurity and Privacy and what is the current level of maturity around the key controls?

Issue Action

• See Action on the left

Impact

• Understanding of the impact of a breach and how to better protect the company form a breach.

• Identification of the most critical systems, data, and threats to enable the organization to better protect the key systems and data.

• Target state of Cybersecurity and Privacy maturity, identification of gaps, and roadmap to maturity.

CYBERSECURITY & PRIVACY BUSINESS RISK AND MATURITY DELIVERABLES

• How do you better understand the impact of a breach?

• Do you know your most critical systems and data?

• Do you know your key cybersecurity threats?

• How mature should the company be with Cybersecurity and Privacy and what is the current level of maturity around the key controls?

• See Action on the left

• Understanding of the impact of a breach and how to better protect the company from a breach.

• Identification of the most critical systems, data, and threats to enable the organization to better protect the key systems and data.

• Target state of Cybersecurity and Privacy maturity, identification of gaps, and roadmap to maturity.

NETWORK ATTACK AND PENETRATION TESTING SERVICES

Citrin Cooperman simulates current, real-world attacks against your network to test perimeter security protections, internal network monitoring, and other technologies you have deployed to protect your employees and business. Using non-destructive methods and tactics employed by today’s criminals, we give you a picture of where you are strongest, where you are weakest, and where your security program needs to focus new attention. Our team is your tactical advisor for setting up your electronic defenses and honing them into a solid, effective solution for doing business.

Assess & Model Threats

Assess Exposures

Attack Planning

Issue

• Have you tested your IT environment to make sure there are no vulnerabilities for an attacker to take advantage of?

• Have you performed a penetration test on your environment in the past 12 months?

• Are you comfortable that your network could sustain an attack?

Intrusion

• Is periodic penetration or vulnerability assessments required for compliance?

Action

• See Action on the left.

Impact

• Understand and remediate your company’s vulnerabilities before the hackers do.

• Build a stronger awareness of risks and vulnerabilities within your infrastructure.

• Development of a risk mitigation strategy to enhance your network infrastructure.

• Ensure you meet compliance requirements.

NETWORK ATTACK AND PENETRATION TESTING DELIVERABLES

Citrin Cooperman provides executive-level support and detailed finding reports that are comprehensive and actionable. Our experienced security professionals provide remediation guidance and instruction, and answer questions in the draft review session that ensures understanding both at the technical and business risk level. Reports are written to be easily digestible by all levels of management, while providing supplemental technical components for the IT team.

Deliverables in this package include: 1 Assessment of the controls and safeguards in your systems

A detailed baseline of vulnerabilities and system configuration findings 2

Detailed remediation advice 3

• Have you tested your IT environment to make sure there are no vulnerabilities for an attacker to take advantage of?

• Have you performed a penetration test on your environment in the past 12 months?

• Are you comfortable that your network could sustain an attack?

• Is periodic penetration or vulnerability assessments required for compliance?

Issue Action

• See Action on the left.

Impact

• Understand and remediate your company’s vulnerabilities before the hackers do.

• Build a stronger awareness of risks and vulnerabilities within your infrastructure.

• Development of a risk mitigation strategy to enhance your network infrastructure.

• Ensure you meet compliance requirements.

SPEAR PHISHING CAMPAIGN SERVICES

Citrin Cooperman’s Spear Phishing Campaign is designed to test your users in their abilities to identify and properly respond to phishing attacks. Microsoft recently reported that 91% percent of cyber attacks begin with social engineering emails. Our approach is to ensure that your staff are prepared to detect and avoid these types of email attacks.

Citrin Cooperman security experts will use tools and methods similar to what attackers utilize to profile your organization, and partner with you to develop a realistic attack strategy to test your users. With a sharpened focus on cybersecurity threat intelligence, Citrin Cooperman uses the most current attack vectors to ensure the campaign is conducted with relevance to today’s threat landscape.

• Are your employees aware of the risks associated with spear phishing attacks?

• Are you comfortable that your employees can identify and avoid spear phishing attacks?

• Do you have the means to measure your employee's ability to detect and respond to a spear phishing attack?

PHISING E-MAIL SCENARIO

Enticing emails appearing to be from a trusted source and with spurious URL links embedded in them are used to perform phishing attacks against a large number of users.

The Citrin Cooperman team will provide a scenario that will assess your organization’s users; leveraging realistic e-mails containing URLs, which when clicked will forward the target to a "spoofed/fake" website. The target user may then be prompted to provide their logon credentials and/or other personal information. This can be recorded as evidence of user access. This allows us to successfully test the effectiveness of both security awareness training and technical security controls, with regards to spurious links within e-mails.

1

• See Action on the left

TESTING

Users are evaluated to determine if they took any action when receiving a simulated spear phishing email, including whether they clicked a link within the test email, opened an attachment, or replied to the message

2

REPORTING

An executive report will be provided on a periodic basis that provides a summary of the individuals that were unable to detect and avoid a simulated spear phishing email.

RECOMMENDATIONS

Recommendations are provided with enough detail so that the firm can modify their processes and their security awareness training program.

• Train your employees to detect and avoid spear phishing attacks.

• Test and measure you employee's ability to detect and avoid spear phishing attacks.

• Use spear phishing campaign results to focus future employee trainings on highest pockets of risk.

SPEAR PHISHING CAMPAIGN DELIVERABLES

Citrin Cooperman provides periodic executive level reports that synthesize findings into a comprehensive, and actionable framework. Our experienced security professionals provide remediation guidance and instruction, and answer questions in the draft review session that ensures understanding both at the technical and business risk level.

Deliverables in this package include:

1 Detailed accounting of the users targeted and what actions they have taken

An analysis of the incident response program specific to reporting incidents of phishing, Business Email Compromise (BEC) and Social Engineering

• Are your employees aware of the risks associated with spear phishing attacks?

• Are you comfortable that your employees can identify and avoid spear phishing attacks?

• Do you have the means to measure your employee's ability to detect and respond to a spear phishing attack?

Recommendations for enhancing the organization’s security awareness training 3

Supplement spear phishing campaigns with other attack vectors (e.g., susceptibility to accessing USB drives left in the office environment) 4

• See Action on the left

Impact

• Train your employees to detect and avoid spear phishing attacks.

• Test and measure your employee's ability to detect and avoid spear phishing attacks.

• Use spear phishing campaign results to focus future employee trainings on highest pockets of risk.

.

PHYSICAL SECURITY ASSESSMENT SERVICES

A Physical Security Assessment is essential to ensure procedures are followed for access to secure areas. Citrin Cooperman’s approach is either through social engineering or through control bypass. Once inside an unauthorized area, access to computers, networking equipment, or sensitive files and documents will be attempted.

Issue

• How vulnerable are your physical locations to infiltration?

Citrin Cooperman’s Physical Security Assessment is designed to evaluate the strengths of your physical security controls and your employees in their ability to follow procedures, be alert, and be willing to challenge people they don’t recognize.

• Social Engineering Attacks include posing as a field service technician who needs access to the phone closet to upgrade equipment, or posing as an employee visiting from another location.

• Are you adequately protecting the physical assets which contain your sensitive data?

• Are your employees able to detect unauthorized access to your physical locations?

• Once facility access has been acquired, we will attempt to gain access to systems and sensitive data or plant our own device inside your network for remote access.

Action

• See Action on the left.

• The physical assessment will include a review of access controls and monitoring systems. 1

SOCIAL ENGINEERING

Deception and pretexting to gain access to restricted areas.

Escalation of public access areas to controlled access areas using technical or human manipulation.

PHYSICAL CONTROLS SURVEY 2 3

Review of server room configuration, evaluation of security measures in and around the facilities.

Review physical control processes such as visitor logs, clean desk, and visitor escorts.

Impact

• Bolster the physical security of your company locations.

• Detect and remediate physical vulnerabilities before unauthorized individuals do.

• Improve employee awareness and ability to prevent unauthorized access to physical locations.

PHYSICAL SECURITY ASSESSMENT DELIVERABLES

Citrin Cooperman delivers an assessment of their results in attempting to gain physical access to sensitive areas through physical interaction with employees, either through pretexting or through avoidance techniques such as tailgating users and bypassing door controls. As with other cybersecurity deliverables, reports are written to be understandable at all levels of the organization. Deliverables in this package include:

1 Detailed documentation on activities performed with attention to any successful breaches of facility security

2

A detailed description of the physical security measures encountered

4 Focused analysis of shortcomings noted in the assessment, including evidence of successful breach

3

Issue

• How vulnerable are your physical locations to infiltration?

• Are you adequately protecting the physical assets which contain your sensitive data?

• Are your employees able to detect unauthorized access to your physical locations?

5

An assessment of the efficacy of the company’s physical security measures

Recommendations for security enhancements, to include procedures as well as hardware

Action

• See Action on the left.

Impact

• Bolster the physical security of your company locations.

• Detect and remediate physical vulnerabilities before unauthorized individuals do.

• Improve employee awareness and ability to prevent unauthorized access to physical locations.

INCIDENT / BREACH PREPAREDNESS & RESPONSE SERVICES

We live in a world where it isn’t a matter of if, but when a company will have a cyber incident. Whether your incident results from a hacker or accidentally by an employee, our rapid response team will assist you in responding to the attack, mitigate the attack from inflicting additional damage, and determine what was comprised with the goal of restoring your IT environment to full capacity with minimal disruption.

THE SERVICE MODELS

Proactive Planning

An appropriate and effective response to a cyber attack begins long before the hacker infiltrates your network. Our team of experts can help by evaluating risk, designing response strategies, and implementing understandable policies and procedures.

Incident/Breach Response 2

When impacted by a cyber incident or breach, ensuring you have a team ready to jump into action is key. Our incident response team is available 24/7/365 and is battle tested in guiding our clients through a prompt and effective response.

Post Breach Remediation 3

One an incident is contained, the real work begins. Ensuring that all your vulnerabilities have been identified and remediated can be a significant task. Our team can assist management in identifying the gaps between your environment and best practices with the goal of protecting your infrastructure.

Detection, Forensics & Analysis

KEY COMPONENTS

Containment, Eradication & Recovery

Assist with guiding internal personnel through the process of gathering relevant information to identify attack methods and determine whether an incident has occurred. Direction will be provided to identify the data impacted and size of the incident. Incident documentation will be created to establish a timeline of events for lessons learned or legal proceedings if pursued.

Post Incident Activity

Provide to ensure any active compromise is contained. We work with system administrators and management to develop a plan for eradication and recovery. Plan will take into consideration data preservation (in anticipation of litigation) as well as functional impact, information impact, and recoverability.

Provide guidance regarding documentation and evidence preservation. Direction can also be provided regarding breach notification if necessary in compliance with legal and regulatory demands

If your organization does not have the resources and expertise in-house to avoid or quickly respond to a cyber-incident, you can rest assured with CYBERSECURE - your cybersecurity resource and breach recovery solution

• Does your organization understand its risk of cyber attack?

• Does your company have an incident/breach response plan in place?

• Have you tested your incident/breach response plan?

• Are roles and responsibilities during an incident clearly defined?

• Do you believe your company is prepared to respond to a cyber attack?

• Do you have a third-party incident response and forensics firm on retainer?

Issue Action

• See Action on the left.

Impact

• Understand your company’s risk associated with a cyber attack.

• Establish an incident/breach response plan designed and tested to guide your company through a prompt and effective response.

• Ensure your team is prepared to quickly respond at the first signs of an attack.

• Verify your response plan is operating as designed.

THE SERVICE METHODOLOGY

PREPAREDNESS & RESPONSE DELIVERABLES

SAMPLE DELIVERABLES

• Does your organization understand its risk of cyber attack?

• Does your company have an incident/breach response plan in place?

• Have you tested your incident/breach response plan?

• Are roles and responsibilities during an incident clearly defined?

• Do you believe your company is prepared to respond to a cyber attack?

• Do you have a third-party incident response and forensics firm on retainer?

Issue Action

• See Action on the left.

Impact

• Understand your company’s risk associated with a cyber attack.

• Establish an incident/breach response plan designed and tested to guide your company through a prompt and effective response.

• Ensure your team is prepared to quickly respond at the first signs of an attack.

• Verify your response plan is operating as designed.

CYBERSECURE INCIDENT

RESPONSE AND FORENSICS

It’s not a matter of “IF,” it’s a matter of “WHEN” your company will be breached. Our CyberSecure advisory solution is designed for small businesses who want the peace of mind that they have a rapid response team in place to help them react and recover during a cyber incident.

This package includes:

1 Front-of-the-line access to our rapid response breach recovery team and network partners

One free spear-phishing test to gauge your employees’ ability to identify an attack 2

• Does your organization understand its risk of cyber attack?

• Does your company have an incident/breach response plan in place?

• Are roles and responsibilities during an incident clearly defined?

• Do you believe your company is prepared to respond to a cyber attack?

• Do you have a third-party incident response and forensics firm on retainer?

Issue Action

• See Action on the left.

Impact

• Establish an incident/breach response plan designed and tested to guide your company through a prompt and effective response.

• Ensure your team is prepared to quickly respond at the first signs of an attack.

• 24/7/365 Citrin Cooperman team ready to assist in your response.

• Discounted pricing on all Citrin Cooperman’s TRAC Practice cyber services.

CYBER COMPLIANCE SERVICES

• Does your organization understand the cyber compliance requirements based on your business, industry or location?

THE SERVICE MODELS

Initial Year Compliance

For companies who are just beginning down the path to compliance, our customizable approach to initial year implementation will guide your team through the gap assessment, remediation, compliance testing, reporting and on-going sustainment.

Annual Sustainment 2

Compliance with cyber regulations and standards is not a one-time exercise – it’s an annual event. Our team will ensure your organization maintains your annual compliance requirements by collecting artifacts and completing requisite reporting.

Staff Augmentation 3

Our staff augmentation approach deploys a certain number of our professionals to operate within your existing compliance structure and execute discrete compliance activities as needed to supplement your team.

KEY COMPONENTS

Citrin Cooperman has dedicated professionals experienced in navigating the ever-changing landscape of privacy and cybersecurity regulations and providing compliance services to help clients meet their regulatory responsibilities. Whether it be PCI DSS, HIPAA, GDPR, CMMC or any of the constantly evolving state cybersecurity regulations or standards, our experienced team can guide you through the nuances and pitfalls of compliance. 1

FOCUS AREAS

• Do you have a team in place to evaluate your progress towards meeting requisite compliance requirements?

• Are you retaining artifacts to support your compliance efforts?

• Have you implemented an annual sustainment plan to ensure continued compliance?

• See Action on the left

Impact

• Understanding of the cyber regulations and standards that apply to your company, the efforts required to comply and a roadmap and resource plan to ensure compliance.

• Efficient and effective gap assessment, remediation, and sustainment team backed by years of industry and regulation-specific experience.

• Focus on reduction of effort and cost of compliance.

CYBER COMPLIANCE DELIVERABLES

THE SERVICE METHODOLOGY

SAMPLE DELIVERABLES

• Does your organization understand the cyber compliance requirements based on your business, industry, or location?

• Do you have a team in place to evaluate your progress towards meeting requisite compliance requirements?

• Are you retaining artifacts to support your compliance efforts?

• Have you implemented an annual sustainment plan to ensure continued compliance?

Issue Action

• See Action on the left

Impact

• Understanding of the cyber regulations and standards that apply to your company, the efforts required to comply and a roadmap and resource plan to ensure compliance.

• Efficient and effective gap assessment, remediation, and sustainment team backed by years of industry and regulation-specific experience.

• Focus on reduction of effort and cost of compliance.

PCI DSS COMPLIANCE SERVICES

• Does your organization understand your compliance requirements under the Payment Card Industry Data Security Standard?

THE SERVICE MODELS

Initial Year Compliance

If you are a merchant that processes payment cards or a service provider that affects the security of payment cards, we can help guide you towards meeting the strict requirements of the Payment Card Industry Data Security Standard (PCI DSS). Whether you need an assessment of your compliance efforts, assistance with remediating any gaps, or a Qualified Security Assessor (QSA) to provide you with a sustainment program to stay compliant, our team of certified experts are ready to help you. 1

For companies who are just beginning down the path to PCI compliance, our customizable approach to initial year implementation will guide your team through the gap assessment, remediation, compliance testing, reporting and on-going sustainment.

Annual Sustainment 2

Compliance with PCI is not a one-time exercise – it’s an annual event. Our team will ensure your organization maintains your annual compliance requirements by collecting artifacts and completing requisite reporting.

Staff Augmentation 3

Our staff augmentation approach deploys a certain number of our professionals to operate within your existing compliance structure and execute discrete compliance activities as needed to supplement your team.

KEY SERVICE OFFERINGS

• Have you evaluated whether you can reduce the annual cost of PCI compliance?

• Are your currently compliant with PCI DSS?

• Are you retaining artifacts to support your compliance efforts?

• Have you implemented an annual sustainment plan to ensure continued compliance?

• See Action on the left

• Understand how the PCI DSS applies to your company, the efforts required to comply, and a roadmap and resource plan to ensure compliance.

• Efficient and effective gap assessment, remediation, and sustainment team backed by years of industry and regulation-specific experience.

• Focus on reduction of effort and cost of compliance.

PCI DSS COMPLIANCE DELIVERABLES

THE SERVICE METHODOLOGY

SAMPLE DELIVERABLES

Index

• Does your organization understand your compliance requirements under the Payment Card Industry Data Security Standard?

• Have you evaluated whether you can reduce the annual cost of PCI compliance?

• Are your currently compliant with PCI?

• Are you retaining artifacts to support your compliance efforts?

• Have you implemented an annual sustainment plan to ensure continued compliance?

Issue Action

• See Action on the left

Impact

• Understand how the PCI DSS apply to your company, the efforts required to comply and a roadmap and resource plan to ensure compliance.

• Efficient and effective gap assessment, remediation, and sustainment team backed by years of industry and regulation-specific experience.

• Focus on reduction of effort and cost of compliance.

HIPAA COMPLIANCE SERVICES

• Does your organization understand your compliance requirements under HIPAA and HITECH?

THE SERVICE MODELS

Initial Year Compliance

If you maintain protected health information (PHI) for your customers, you are required to meet the imposing obligations of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). Our experts have decades of experience with helping business’s meeting HIPAA’s administrative, physical, and technical safety standards in order to properly protect protected health information. 1

For companies who are just beginning down the path to HIPAA compliance, our customizable approach to initial year implementation will guide your team through the gap assessment, remediation, compliance testing, reporting and on-going sustainment.

Annual Sustainment 2

Compliance with HIPAA is not a one-time exercise – it’s an annual event. Our team will ensure your organization maintains your annual compliance requirements by assisting with your annual risk assessment, collecting artifacts and documenting your compliance.

Staff Augmentation 3

Our staff augmentation approach deploys a certain number of our professionals to operate within your existing compliance structure and execute discrete compliance activities as needed to supplement your team.

KEY SERVICE OFFERINGS

• Have you evaluated whether you could reduce the annual cost of HIPAA compliance?

• Are your currently compliant with HIPAA?

• Do you perform an annual risk assessment?

• Are you retaining artifacts to support your compliance efforts?

• Have you implemented an annual sustainment plan to ensure continued compliance?

• See Action on the left

• Understand how HIPAA and HITECH applies to your company, the efforts required to comply and a roadmap and resource plan to ensure compliance.

• Efficient and effective gap assessment, remediation, and sustainment team backed by years of industry and regulation-specific experience.

• Focus on reduction of effort and cost of compliance.

HIPAA COMPLIANCE DELIVERABLES

THE SERVICE METHODOLOGY

SAMPLE DELIVERABLES

• Does your organization understand your compliance requirements under HIPAA and HITECH?

• Have you evaluated whether you can reduce the annual cost of HIPAA compliance?

• Are your currently compliance with HIPAA?

• Do you perform an annual risk assessment?

• Are you retaining artifacts to support your compliance efforts?

• Have you implemented an annual sustainment plan to ensure continued compliance?

Issue Action

• See Action on the left

Impact

• Understand how HIPAA and HITECH applies to your company, the efforts required to comply, and a roadmap and resource plan to ensure compliance.

• Efficient and effective gap assessment, remediation, and sustainment team backed by years of industry and regulation-specific experience.

• Focus on reduction of effort and cost of compliance.

CMMC COMPLIANCE SERVICES

If you are a company doing business with the Department of Defense (DoD) and are required to gain a certificate from a thirdparty auditor for Cybersecurity Maturity Model Certification (CMMC), we can help guide you through the strict requirements of CMMC. Whether you need a Security Risk Assessment (SRA), Plan of Action (POA) , System Security Plan (SSP), assistance with remediating gaps, or a future Assessor (C3PAO) to perform the audit for your certification, we are here to help.

THE SERVICE MODELS

1

Initial Year Compliance

For companies who are just beginning down the path to CMMC, our customizable approach to initial year implementation will guide your team through the gap assessment, remediation, compliance testing, reporting and on-going sustainment.

Annual Sustainment 2

Compliance for the CMMC is not a one-time exercise – you must continue to monitor compliance. Our team will ensure your organization maintains compliance through a sustainment program that monitors for compliance, collects artifacts and updates the SRA, POA and SSP documents.

Staff Augmentation 3

Our staff augmentation approach deploys a certain number of our professionals to operate within your existing compliance structure and execute discrete compliance activities as needed to supplement your team.

KEY SERVICE OFFERINGS

• Does your organization understand your compliance requirements for the CMMC?

• Have you evaluated whether you could reduce the ongoing cost of CMMC?

• Are your currently compliant with NIST 800171??

• Have you performed the SRA, and developed the POA and SSP?

• Are you retaining artifacts to support your compliance efforts?

• Have you implemented a sustainment program to maintain compliance?

• See Action on the left

• Understand how the CMMC applies to your company, the efforts required to comply and a roadmap and resource plan to ensure compliance.

• Efficient and effective gap assessment, remediation, and sustainment team backed by years of industry and regulation-specific experience.

• Focus on reduction of effort and cost of compliance.

CMMC COMPLIANCE DELIVERABLES

THE SERVICE METHODOLOGY

SAMPLE DELIVERABLES

• Does your organization understand your compliance requirements for the CMMC?

• Have you evaluated whether you can reduce the ongoing cost of CMMC?

• Are your currently compliant with NIST 800171??

• Have you performed the SRA, and developed the POA and SSP?

• Are you retaining artifacts to support your compliance efforts?

• Have you implemented a sustainment program to maintain compliance?

Issue Action

• See Action on the left

Impact

• Understand how the CMMC applies to your company, the efforts required to comply and a roadmap and resource plan to ensure compliance.

• Efficient and effective gap assessment, remediation, and sustainment team backed by years of industry and regulation-specific experience.

• Focus on reduction of effort and cost of compliance.

THIRD-PARTY ASSURANCE SERVICES

As defined by the American Institute of Certified Public Accountants (AICPA), SOC (System and Organization Controls) for Service Organizations are internal control reports on the services provided by a service organization providing valuable information that users need to assess and address the risks associated with an outsourced service. These reports can be provided for a defined period of time or as of a point in time, depending on the needs of user entities.

Our third-party assurance services are provided in accordance with the AICPA’s Statements on Standards for Attestation Engagements (SSAEs), specifically SSAE 18, a clarification and recodification of SSAE 16.

SOC REPORT COMPARISON

security, availability, processing integrity, confidentiality, or privacy

Reports on controls relevant to security, availability, processing integrity, confidentiality, or privacy

Issue

• Are your customers (user entities) and/or their auditors inquiring about your thirdparty assurance reporting?

• Are you unsure of which reporting type would be best for your organization and customers?

• Do you already know that your organization needs a SOC report but are unsure if your organization is “audit-ready”?

Types

A type 2 report includes a description of the CPA’s tests of controls and results Description of service organization’s system

opinion on the fairness of presentation of the

suitability of

and in a type 2 report, the operating effectiveness of controls A type 2 report includes a description of the CPA’s tests of controls and results An unaudited system description used to delineate the boundaries of the system

• An independent, third party report that provides assurance to your customers and/or their auditors regarding your system and organization controls.

• Stronger relationships with customers through anticipation and effective management of risks and compliance.

• A readiness assessment to ensure your organization is “audit-ready” before the audit begins.

THIRD-PARTY ASSURANCE DELIVERABLES

THE SERVICE METHODOLOGY

by Citrin Cooperman

SAMPLE DELIVERABLES

Not sure which SOC is right for you? Let us help you decide!

• Are your customers (user entities) and/or their auditors inquiring about your thirdparty assurance reporting?

• Are you unsure of which reporting type would be best for your organization and customers?

• Do you already know that your organization needs a SOC report but are unsure if your organization is “audit-ready”?

Action

• See Action on the left

• An independent, third-party report that provides assurance to your customers and/or their auditors regarding your system and organization controls.

• Stronger relationships with customers through anticipation and effective management of risks and compliance.

• A readiness assessment to ensure your organization is “audit-ready” before the audit begins.

DATABASE CREATION AND DATA ANALYTICS SERVICES

Citrin Cooperman’s database creation and data analysis services are designed to distill your organization’s raw data into crucial information. Our team has the expertise you need to help you maximize the value of your data so that it can fuel the success of your business. As your needs evolve, Citrin Cooperman will be there to provide the future enhancements you need to remain one step ahead of the competition.

1 2 3

With decades of database development and data analysis experience, Citrin Cooperman’s data team is standing by, on-call and available to assist with the solution you need to leverage your data to get the critical information you need to optimize your decision-making capabilities. Citrin Cooperman’s approach is to work with you to determine your “wish list” of what you would like to get from your data. From there, our team will work with your organization to develop a plan to create the exact tool you need and then deliver it according to your timeframe. Here are a few examples of what we can provide:

KEY SERVICE OFFERINGS

• Does your company collect a large amount of data, but are not able to get good information out of the systems to manage your business?

• Do you have time-intensive manual processes which take up a significant amount of your team's time on a recurring basis?

• Does it take a significant amount of time to respond to senior management’s requests for financial information?

• Is management responsible for merging data from several different systems or sources?

• See Action on the left

• Data entry interfaces to greatly streamline the accurate collection of raw data.

• Analytics to “slice and dice” data into charts, pivot tables, reports and actionable information built to your specific needs.

• Conversion tools to automate the process of retrieving and standardizing data from disparate sources and formats.

DATABASE CREATION AND DATA ANALYTICS DELIVERABLES

The database creation and analysis services will help your organization harness your data and transform it into information that will help you make more rapid, accurate and informed business decisions. Whether you are looking for a data entry solution that provides efficiency and uniformity to the data collection process or whether you need to extract actionable information from your data, our team can help you develop the solution you need. Deliverables

• Does your company collect a large amount of data, but are not able to get good information out of the systems to manage your business?

• Do you have time-intensive manual processes which take up a significant amount of your team's time on a recurring basis?

• Does it take a significant amount of time to respond to senior management’s requests for financial information?

• Is management responsible for merging data from several different systems or sources?

Issue Action

• See Action on the left

Impact

• Data entry interfaces to greatly streamline the accurate collection of raw data.

• Analytics to “slice and dice” data into charts, pivot tables, reports and actionable information built to your specific needs.

• Conversion tools to automate the process of retrieving and standardizing data from disparate sources and formats.

Virtual CISO (vCISO)

In today’s world, the IT department is focused on keeping the computers and servers running, printers printing, and networks humming. Professionals in these departments are typically armed with years of experience maintaining infrastructure and ensuring hardware and software is kept in well-operating order. To protect this infrastructure, they have installed a web of firewalls and anti-virus solutions to keep outsiders from impacting performance.

But in the wild, hackers have changed the game. While attacking a company’s network defenses is still a strategy, the hackers have begin compromise emerging vulnerabilities – remote connections, mobile devices, social media, and the weakest link, human users. Years of technical experience cannot keep pace with the hackers who spend every day looking for the latest vulnerability to exploit. A Chief Information Security Officer’s (CISO) role is designed to keep pace with the hackers, be aware of emerging risks, and protect the company’s data, but they come with a high price tag for most small companies.

INTRODUCING the Virtual CISO (vCISO)

TRAC’s vCISO service offers a network of our top security professionals who will work with your organization to provide all of the essential cybersecurity strategy and support one would expect from an in-house senior executive, without the steep investment of executive compensation and their associated benefits package.

The Citrin Cooperman vCISO team will conduct a comprehensive risk assessment of a company’s security posture to identify weaknesses and optimize their security standing. Acting either as a permanent resource for your team or as interim CISO, our vCISO will step in to establish security standards, implement controls, and respond rapidly to incidents. Our goal is to keep pace with the risks associated with your business and industry and align your IT security environment with best practices and regulations.

1

Annual Risk Assessment

Initial understanding of the company‘s existing IT security posture and infrastructure and identification of gaps, vulnerabilities, and risks associated with your company, business, and industry.

2

Development of Annual and Three-Year IT Security Strategy

In conjunction with executive management, IT, and the results of the Annual Risk Assessment, develop a corporate IT security strategy and executable plan, prioritized for short-term and longterm needs.

3

Monitoring of Strategy Deployment

Monitor IT and managements execution of the IT security plan, with established check-points throughout the year and supplement the team with resources, if and when needed.

• Are your employees aware of the risks associated with spear-phishing attacks?

• Are you comfortable that your employees can identify and avoid spear-phishing attacks?

• Do you have the means to measure your employee's ability to detect and respond to a spear-phishing attack?

• See Action on the left.

Impact

• Train your employees to detect and avoid spear-phishing attacks.

• Test and measure you employee's ability to detect and avoid spear-phishing attacks.

• Use spear-phishing campaign results to focus future employee trainings on highest pockets of risk.

DEVELOPMENT SERVICES

Many companies have challenges in developing clear, concise and well–organized IT and cybersecurity policies. Policies must be useable, workable and realistic while demonstrating compliance with regulatory mandates. Working with our team of experienced professionals, your organization will have appropriate and best practice policies to help your security program run smoothly, gain broader adoption, improve compliance and reduce risks.

KEY COMPONENTS

 The requirement that is used for making decisions

 What we need to prove to meet the policy

 How we achieve the objective

 What activities we perform

• Are your company’s IT and cybersecurity policies documented?

• Is your company required to have documented policies and procedures to comply with a regulatory standard or framework?

• Have your existing policies and procedures been vetted by an experienced professional to align with best practices?

• Have your employees been trained to understand and comply with your IT security policies and procedures?

Issue Action

• See Action on the left

Impact

• Designed IT and security policies and procedures created for your company and in line with COBIT, NIST, SANS and/or ISACA.

• Policies and procedures which take into consideration applicable regulations and standards.

• Implementation guidance, including options for employee training, to ensure effective implementation of the policies and procedures.

PROCEDURE DEVELOPMENT DELIVERABLES

THE SERVICE METHODOLOGY

SAMPLE DELIVERABLES

• Are your company’s IT and cybersecurity policies documented?

• Is your company required to have documented policies and procedures to comply with a regulatory standard or framework?

• Have your existing policies and procedures been vetted by an experienced professional to align with best practices?

• Have your employees been trained to understand and comply with your IT security policies and procedures?

Issue Action

• See Action on the left

Impact

• Designed IT security policies and procedures created for your company and in line with CIBIT, NIST, SANS, and/or ISACA

• Policies and procedures which take into consideration applicable regulations and standards.

• Implementation guidance, including options for employee training, to ensure effective implementation of the policies and procedures.

THIRD-PARTY RISK MANAGEMENT SERVICES

Third-Party Risk Management (TPRM) is the process of identifying, assessing, and controlling risks presented throughout the lifecycle of your relationships with third-parties. A successful TPRM program begins in the procurement stage of a new relationship, provides guidance for maintaining and monitoring that relationship, and ends with an exit strategy for termination.

Our TPRM service model and methodology is customizable to your organization’s exact needs and provides you with access to our deep bench of technical and expert resources, so you can stay OnTRAC.

OUR APPROACH

• Does your organization have an existing TPRM function or need to implement a new TPRM function?

• Does your TPRM function have the technical knowledge to effectively monitor third-party risks?

• Does your TPRM function have the resource capacity to timely monitor third-party risks?

Introductory meetings between your stakeholders and our team to kick-off project.

Gain an understanding of current-state third-party vendor risk management efforts.

Development of a third-party risk management program that is customized to fit your exact needs, including policies and procedures, questionnaires, inventory templates, etc. to be used in the next phase to assess existing vendors, and any new vendors on an initial and recurring basis.

With management’s assistance, accumulate a thorough inventory of existing third-party vendors (e.g. business owner survey).

• See Action on the left

Perform and/or provide supplemental support for initial vendor assessments and reassessments of existing vendors on an ongoing, as needed basis.

• Alignment of TPRM program ongoing monitoring efforts with strategic business objectives to keep your organization heading in the right direction.

Perform risk assessment of existing vendors using methodology and templates developed in previous phase.

• Cost optimization delivered through an efficient and effective TPRM methodology that adds back value to your organization.

• TPRM talent – where and when you need them by tapping into a deep bench of technical and expert resources.

TPRM METHODOLOGY & DELIVERABLES

TPRM METHODOLOGY

Policies & Procedures

SAMPLE DELIVERABLES

Third-Party Vendor Inventory Compilation

Inherent Risk Assessments

Vendor Due Diligence Questionnaires

Residual Risk & Ongoing Monitoring

• Does your organization have an existing TPRM function or need to implement a new TPRM function?

• Does your TPRM function have the technical knowledge to effectively monitor third-party risks?

• Does your TPRM function have the resource capacity to timely monitor third-party risks?

• See Action on the left

Impact

• Alignment of TPRM program ongoing monitoring efforts with strategic business objectives to keep your organization heading in the right direction.

• Cost optimization delivered through an efficient and effective TPRM methodology that adds back value to your organization.

• TPRM talent – where and when you need them by tapping into a deep bench of technical and expert resources.

INTERNAL AUDIT SERVICES

Index

THE SERVICE MODELS

KEY COMPONENTS

Full Outsourced Model

An Internal Audit should be an independent function within your organization that continuously and objectively evaluates your compliance with regulatory standards, your efficiency and effectiveness throughout your operations, and your ability to anticipate risk and respond with agility. 1

Our full outsourced approach provides your organization with exactly that – an independent and objective Internal Audit function with access to the firm’s bench of technical and expert resources while eliminating employee carrying costs.

Co-Sourced Model 2

Our co-sourced approach is a partnership between your existing Internal Audit function and our team, to provide you with technical and expert resources to fill particular skill gaps, without the need to hire full-time resources.

Staff Augmentation 3

Our staff augmentation approach deploys a certain number of our professionals to operate within your existing Internal Audit function, for an agreed-upon length of time, without any long-term commitments.

COMPLIANCE VALUE ADD FORESIGHT

FOCUS AREAS

• Does your organization have an Internal Audit function?

• Is your Internal Audit function perceived to add value to your organization, in excess of the cost of the function itself?

• Does your Internal Audit function have the technical knowledge to successfully execute audits in complex and/or high-risk areas?

• Does your Internal Audit function have the resource capacity to timely execute the audit plan?

Issue Action

• See Action on the left

Impact

• Alignment of the audit plan with strategic business objectives to keep your organization heading in the right direction.

• Cost optimization delivered through an efficient and effective audit methodology that adds back value to your organization.

• Internal audit talent – where and when you need them by tapping into a deep bench of technical and expert resources.

INTERNAL AUDIT SERVICES DELIVERABLES

THE SERVICE METHODOLOGY

SAMPLE DELIVERABLES

• Does your organization have an Internal Audit function?

• Is your Internal Audit function perceived to add value to your organization, in excess of the cost of the function itself?

• Does your Internal Audit function have the technical knowledge to successfully execute audits in complex and/or high-risk areas?

• Does your Internal Audit function have the resource capacity to timely execute the audit plan?

Issue Action

• See Action on the left

Impact

• Alignment of the audit plan with strategic business objectives to keep your organization heading in the right direction.

• Cost optimization delivered through an efficient and effective audit methodology that adds back value to your organization.

• Internal audit talent – where and when you need them by tapping into a deep bench of technical and expert resources.

SOX 404 SERVICES

As required by Section 404(a) of the Sarbanes-Oxley Act of 2002 (SOX 404), companies are required to complete certain annual compliance activities related to their assessment of the operating effectiveness of internal control over financial reporting (ICFR). Such annual compliance activities related to management’s assessment of the operating effectiveness of ICFR generally include the elements outlined below.

Our SOX service models and methodology are customizable to your organization’s exact needs and provide you with access to our deep bench of technical and expert resources, so you can stay OnTRAC.

THE SERVICE MODELS

1

Full Outsourced Model

Our full outsourced approach provides your organization with exactly that – an independent and objective Internal Audit function, with access to the firm’s bench of technical and expert resources, while eliminating employee carrying costs.

Co-Sourced Model 2

Our co-sourced approach is a partnership between your existing Internal Audit function and our team to provide you with technical and expert resources to fill particular skill gaps, without the need to hire full-time resources.

Staff Augmentation 3

Our staff augmentation approach deploys a certain number of our professionals to operate within your existing Internal Audit function for an agreed-upon length of time, without any long-term commitments.

THE SOX METHODOLOGY

• Account Balances

• Classes of Transactions

Scoping

• Systems/Applications

Process Walkthrough

• Process documentation (e.g. narrative or flowchart)

• Test of design

Control Testing

• Test of operating effectiveness

• Business process controls

• IT general controls (ITGCs)

Remediation

Issue

• Does your organization have an existing SOX function or need to implement a new SOX function?

• Does your SOX function have the technical knowledge to successfully execute testing in complex and/or high-risk areas?

• Does your SOX function have the resource capacity to timely execute the testing plan?

• Identification of deficiencies

• Monitoring of corrective actions

• Re-testing of controls

Reporting

• Summary of testing results

• Assessment of all deficiencies (e.g. significant, material weakness)

• See Action on the left

Impact

• Alignment of the SOX testing plan with strategic business objectives to keep your organization heading in the right direction.

• Cost optimization delivered through an efficient and effective SOX methodology that adds back value to your organization.

• SOX talent – where and when you need them by tapping into a deep bench of technical and expert resources.

SOX 404 DELIVERABLES

SOX READINESS ASSESSMENT

If your organization is aware of an impending requirement to comply with SOX 404, we can perform a SOX readiness assessment prior to the first year of compliance to ensure your organization is ready.

Our SOX readiness assessment follows the same methodology for actual compliance using a preliminary scoping approach but allows our team to assist management with their remediation efforts.

SAMPLE DELIVERABLES

DESIGN

• Does your organization have an existing SOX function or need to implement a new SOX function?

• Does your SOX function have the technical knowledge to successfully execute testing in complex and/or high-risk areas?

• Does your SOX function have the resource capacity to timely execute the testing plan?

Issue Action

• See Action on the left

Impact

• Alignment of the SOX testing plan with strategic business objectives to keep your organization heading in the right direction.

• Cost optimization delivered through an efficient and effective SOX methodology that adds back value to your organization.

• SOX talent – where and when you need them by tapping into a deep bench of technical and expert resources.

THIRD-PARTY ASSURANCE

As defined by the American Institute of Certified Public Accountants (AICPA), SOC (System and Organization Controls) for Service Organizations are internal control reports on the services provided by a service organization providing valuable information that users need to assess and address the risks associated with an outsourced service. These reports can be provided for a defined period of time or as of a point in time, depending on the needs of user entities.

Our third-party assurance services are provided in accordance with the AICPA’s Statements on Standards for Attestation Engagements (SSAEs), specifically SSAE 18, a clarification and recodification of SSAE 16.

SOC REPORT COMPARISON

availability, processing integrity, confidentiality, or privacy

Reports on controls relevant to security, availability, processing integrity, confidentiality, or privacy

seal) Types

A type 2 report includes a description of the CPA’s tests of controls and results Description of service organization’s system

type 2 report includes a description of the CPA’s tests of controls and results An unaudited system description used to delineate the boundaries of the system

• Are your customers (user entities) and/or their auditors inquiring about your thirdparty assurance reporting?

• Are you unsure of which reporting type would be best for your organization and customers?

• Do you already know that your organization needs a SOC report but are unsure if your organization is “audit-ready”?

Issue Action

Impact

• An independent, third party report that provides assurance to your customers and/or their auditors regarding your system and organization controls.

• Stronger relationships with customers through anticipation and effective management of risks and compliance.

• A readiness assessment to ensure your organization is “audit-ready” before the audit begins.

THIRD-PARTY ASSURANCE DELIVERABLES

THE SERVICE METHODOLOGY

by Citrin Cooperman

SAMPLE DELIVERABLES

Not sure which SOC is right for you? Let us help you decide!

• Are your customers (user entities) and/or their auditors inquiring about your thirdparty assurance reporting?

• Are you unsure of which reporting type would be best for your organization and customers?

• Do you already know that your organization needs a SOC report but are unsure if your organization is “audit-ready”?

Action

• See Action on the left

• An independent, third-party report that provides assurance to your customers and/or their auditors regarding your system and organization controls.

• Stronger relationships with customers through anticipation and effective management of risks and compliance.

• A readiness assessment to ensure your organization is “audit-ready” before the audit begins.