Continuous Diagnostics and Mitigation (CDM)
The Department of Homeland Security (DHS) has embarked on an effort to ensure that all endpoints across the US federal government can prevent, detect, correct and deter vulnerabilities. DHS created the CDM program, under which each agency deploys a set of tools (e.g. ForeScout, BigFix, RES, Splunk, and the CDM Dashboard) on its networks. This is the largest cybersecurity effort undertaken thus far and requires technical expertise, project management skills, formal training, and more. Your Internal Controls can assist your agency in understanding the requirements of CDM as well as in deploying the CDM tools.
FISMA Compliance
FISMA places many requirements on agencies with regard to complying with laws and regulations. The head of each agency shall be responsible for:
- “Assessing the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of such information or information systems.”
- “Implementing policies and procedures to cost effectively reduce risks to an acceptable level.”
- “Periodically testing and evaluating information security controls and techniques to ensure that they are effectively implemented.”
Your Internal Controls can assist your agency by performing a Risk Assessment of all systems at the agency. We can then inventory the systems, identify which are FISMA-reportable, and ensure that each is categorized in accordance with FIPS 199. From there we can put forward a plan to ensure that your agency is complying with FISMA.
Continuous Monitoring
Your Internal Controls can develop a Continuous Monitoring Plan that is appropriate for your agency. The Plan identifies the critical and volatile controls to be assessed every year and schedules the remaining controls for assessment over a three-year cycle. Your Internal Controls has extensive experience in control assessments at many agencies, covering nearly every technology (e.g. mainframes, Windows, Oracle, phone systems, etc.). We can perform the Continuous Monitoring assessments on a quarterly basis and ensure that any deficiencies noted are written clearly so that they can be remediated in a timely manner.
Security Assessment and Authorization (SA&A)
Your Internal Controls personnel have audited and prepared numerous SA&A packages. We have extensive experience in developing Boundary Scope Memos, System Security Plans and Information System Contingency Plans, conducting the FIPS 199 security categorization, and more. We can develop the SA&A package from scratch and bring it to completion, ready for signature by the Authorizing Official (AO).
Control Deficiency Assessment & Remediation
Many companies and agencies struggle with identifying deficiencies and with classifying them (e.g. Significant Deficiency, Material Weakness). It is also challenging to decide which deficiencies should be remediated first. Our firm can assist your organization with the identification and classification of deficiencies, as well as with a remediation strategy for resolving them. Our formal course instruction and hands-on experience enable us to be both efficient and effective in remediation efforts.
FedRAMP Readiness
Is your organization considering FedRAMP? The documents required as part of FedRAMP are based on the NIST Special Publications (SP), in particular for the System Security Plan, the Information System Contingency Plan, and more. Your Internal Controls has been working with the NIST SP series for many years. We have also assisted our clients in attaining a FedRAMP authorization so that they can offer cloud services to federal customers.
Privacy Audits
NIST SP 800-122 describes the elements of Personally Identifiable Information (PII). If your agency has a system that handles any of those PII elements, a Privacy Threshold Analysis (PTA) must determine whether those elements can be traced to an individual, and therefore whether a full Privacy Impact Assessment is required. All agencies in the executive branch must undergo a Privacy audit at least every 3 years. Your Internal Controls can perform the Privacy Audit and provide recommendations in a clear and concise manner.
SOC 1, 2 and 3 Reports
If your company or agency performs services for multiple customers and one of them has requested a SOC report, you have come to the right place. Our personnel have not only taken part in SOC engagements, but have also developed and taught SOC courses in a formal classroom setting for many companies and agencies throughout the continental United States. We can assist your organization with a SOC 1, 2, or 3 report, as either a Type I or a Type II.
IT Audit
As your financial audit teams perform their financial statement audits, it is imperative to test the internal controls over the systems, applications, and databases that support the significant line items on the financial statements. Our CEO is also a Certified Public Accountant (CPA).
Your Internal Controls has extensive experience performing General and Application Controls Reviews. Our personnel have worked with several accounting firms as well as Federal agencies. Our experience extends to various authoritative laws and guidance (e.g. PCAOB, OMB, GAO, NIST, DoD, and statutes such as IPIA, FFMIA, etc.).
IT Policies and Procedures Development
Your Internal Controls has hands-on experience assisting corporations and agencies with their policies and procedures. We have developed policies and procedures as well as audited against them. Our primary experience has been with the following:
- Risk Assessment
- Continuity of Operations Plans (COOP), Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP)
- Systems Development Life Cycle (SDLC)
- Configuration Management (CM)
- IT Strategic Plans
- Security Awareness & Training
- System Security Plans
- Incident Response Policies
- Data Center, Backup & Recovery
- Audit & Monitoring
- Rules of Behavior / Acceptable Use Policy
- Service Level Agreements (SLA)
- Separation of Duties Matrices
- Anti-Virus
- Fraud
- Internal Controls
Data Reliability Assessments
The GAO has issued guidance on how to assess data reliability. The methodology is quite flexible and can draw on elements of the FISCAM, complemented with Section 300 of the FAM. To assess data reliability effectively, an agency should engage a firm with the appropriate experience. Your Internal Controls has extensive formal course instruction as well as hands-on experience in assessing data reliability.
POA&M Management
Does your agency have many Plans of Action and Milestones (POA&Ms)? Do you feel like your agency is opening more POA&Ms than it is closing? Your Internal Controls recognizes that agencies undergo many types of audit and compliance engagements (Financial Statement Audits, FISMA, A-123, GAO, etc.) and may be presented with deficiencies from each of them. Your Internal Controls can assist your agency in consolidating those deficiencies, thereby reducing the total number, and in prioritizing which POA&Ms need to be remediated first. Lastly, we can also be your advocate with your auditors, as some POA&Ms may not be deficiencies at all but simply a misunderstanding.
OMB Circular A-123
Your Internal Controls has worked extensively in documenting, testing, and remediating internal controls against the applicable federal laws, regulations, and guidance. We can assist your organization in complying with the latest A-123 circular. Our CEO, Mr. Jack Heyman, has developed and taught formal courses covering A-123 for many agencies throughout the Federal government.
Perimeter Reviews & Assessments (Firewalls, Routers, IDS, etc.)
In the course of IT audits, it may become necessary to perform a deeper review of the network perimeter. Your Internal Controls has experience in assessing firewall architectures and designs (e.g. stateless packet filtering vs. stateful inspection). We have reviewed firewall designs and tested them against known weaknesses (e.g. whether inbound traffic on the external interface that claims an internal source IP address is actually blocked). We have developed proprietary programs and can assist your organization in assessing whether the perimeter has been secured by the firewall, intrusion detection and prevention systems, and more.
Data Center Reviews (Physical & Environmental)
How secure is your data center? What is its current level of humidity? If you are not sure of the answers, you may wish to employ the resources of Your Internal Controls. We have extensive experience working throughout the government and with Fortune 500 companies, and can perform detailed procedures and tests to assess the level of both physical and environmental security surrounding the data center.
Sarbanes-Oxley
We have hands-on experience developing frameworks, leading teams, and executing plans in compliance with AICPA and PCAOB requirements, incorporating best practices from COBIT and COSO. We have worked alongside external audit teams as well as assisting management, with publicly traded companies and large accounting firms.
Social Engineering
Social engineering is a fascinating topic. An organization can have the best logical and physical controls; however, if an employee gives his or her password over the phone to someone posing as a Help Desk employee, the entire security infrastructure has been compromised. It is essential to augment any IT control structure with social engineering testing. It is remarkable how many organizations invest time and money in hardware and software, yet a compromise can still occur through a simple lack of security awareness. Our firm has performed extensive social engineering engagements and has been quite successful at retrieving data that should have been kept private. Our experience covers both physical and logical social engineering: we have gained access to secure facilities as well as compromised the security of networks using these techniques.
Security Awareness Training
Does your organization require all employees to undergo security awareness training on an annual basis? Do you require the same of contractors and vendors? Your Internal Controls has provided this training in a formal classroom setting to numerous organizations, both in government and at Fortune 500 companies. As an added bonus, we provide CPE credits for the training we deliver.
Incident Response Management
Has your organization had any security incidents? Does it run vulnerability scanning on a periodic basis (e.g. monthly, quarterly, etc.)? Externally exposed services can leave you open to exploitation. Your Internal Controls can assist in developing Incident Response procedures and in simulating realistic incidents so that your IT staff are prepared and can contain an incident if and when one occurs.
Forensics
In the unfortunate event that your organization suspects foul play, there may be a need for a forensic audit. This essentially means that data must be examined to identify the source of the foul play. Our knowledge of IT security, auditing, and forensics can assist your organization in identifying the source (e.g. a person or organization) and how the infraction occurred. This requires reviewing logs, tracing the data back to its point of origin, and performing an array of other tasks, all while preserving the evidence so that the findings can withstand scrutiny.