CYBERSECURITY ADVISORY

Cybersecurity risk management program and system and organization controls advisory.

Cybersecurity Risk Management Program Advisory

While cybersecurity and information security matters have been important topics now for decades, the reality is most small and mid-sized businesses struggle with practical implementation of a defined and useable cybersecurity risk management program.

Often many of the pieces are in place, however control activities such as strong passwords, network monitoring, or even working with a third-party technology service provider do not typically constitute a cybersecurity risk management program. Nor does this provide business owners with a structured, comprehensive, and relatable view of cybersecurity risk management and the value it can bring to their organization. We intend to help change that.

Our advisory approach relies on both integrated experience and established frameworks when applying cybersecurity, risk management, and internal control considerations. We can assist your business with:

Identifying, assessing, and responding to cybersecurity risks, in a clear and documented, actionable manner;

Understanding and designing a comprehensive cybersecurity risk management program, including applicable to NIST and AICPA frameworks and guidance, such as:
- NIST Cybersecurity Framework
- Description Criteria for Management's Description of the Entity's Cybersecurity Risk Management Program (AICPA);

Data, information, and application classification, inventory, and related control activities;

Advisory and documentation of control criteria and activities, including monitoring activities, and with consideration of guidance found in the Trust Services Criteria (AICPA);

Data privacy policy matters, including applicable to:
- IRS Publication 4557
- Privacy Management Framework (AICPA)
- California Consumer Privacy Act;

Data security breach response planning, including communication and recovery control documentation;

Training and awareness of cybersecurity and business culture implementation, including for board members, management, and employees;

Policy design and documentation.

System and Organization Controls for Cybersecurity

SOC for cybersecurity continues to be a leading area for increased attention and improvement by businesses of all shapes and sizes, including new entrepreneurs. Our experience allows us to assist with unique skill sets and perspectives when addressing system and organization controls for cybersecurity needs. Our approach is to help your organization analyze and define its cybersecurity objectives, risks, and controls, for better management decisions and reporting, as well as third-party interactions.

We can help your business with the following:

Assistance with SOC for Cybersecurity program objectives and control criteria, in accordance with the Description Criteria for Management's Description of the Entity's Cybersecurity Risk Management Program, and Trust Services Criteria promulgated by the AICPA;

Consulting and advisory related to SOC for Cybersecurity examination readiness, including timeline and planning objectives;

SOC for Cybersecurity vs. SOC 2 or SOC 3 reporting advisory and considerations;

Third-Party Service Provider Risk Management

Managed technology services provided by a third-party can range from break-fix support, to full scope technology and equipment management and monitoring. Our team has designed, evaluated, and performed walk-throughs related to the implementation of managed technology solutions for businesses including manufacturers, service providers, and retailers, as well as not-for-profit entities including health and human services, K-12 and higher-education, and municipal organizations, all of varying sizes and complexities. While we don't provide technical services ourselves, we understand the model well, and can help guide and assist your organization with more thorough and critical assessment procedures when managing third-party providers.

Some of the services we assist with include: