INDUSTRY SPECIFIC ASSESSMENTS

Service Description

CAG is available to perform industry assessments and help prepare for an audit or respond to security questionnaires (e.g. PCI, Vendor Screening and Evaluation, etc.).
  • Control Framework Assessment
  • Gap Analysis
  • Audit Preparation

Our Methodology

As the baseline of our Information Security Risk Assessment we use the National Institute of Standards and Technology (NIST) Cybersecurity Framework, in addition to any other frameworks or compliance standards relevant to the business (e.g. PCI, GLBA, HIPAA). There are many information security frameworks in use today. The most common frameworks are listed below:

NIST and Federal Standards

NIST is a non-regulatory federal agency within the U.S. Department of Commerce. NIST supports innovation in cybersecurity and influences industrial regulations using standards.
NIST Cybersecurity Framework: Standards for all industries, critical infrastructure, cryptographic testing and more.
NIST Special Publications: Federally funded publications.
NIST SP 800-53: Comprehensive list of technical security and privacy controls.
NIST SP 800-171: Protection of Controlled Unclassified Information on nonfederal systems.

International Standards

ISO 27001: Organizational management of security functions.

Corporate Governance and Audit

SOC Audit: System and Organization Controls (SOC) is a suite of service offerings used by Certified Public Accountants.

SOC for Cybersecurity Engagement: SOC's newest criteria, used for Cybersecurity Risk Management.

SOC 1: Focused on corporate internal controls.

SOC 2: Focused on technical controls by applying the Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Like SOC 1, a SOC 2 may be a Type 1 audit (i.e. suitability of the design of the controls) or Type 2 (i.e. suitability of the design and operating effectiveness of the controls).

SOC 3: SOC 3 reports can be freely distributed. They do not include the technical details of a SOC 2 report; SOC 2 is a restricted-use report.

SOX: A set of relatively new or expanded requirements for all U.S. public company boards, management and public accounting firms.

Financial Industry

GLBA Law: Requires financial institutions to explain their information-sharing practices and safeguard sensitive data.

FFIEC Cybersecurity Assessment Tool: The FFIEC CAT assists financial institutions in identifying their risks and determining their cybersecurity preparedness. Similar to NIST SP 800-53 but tailored to the financial industry.

PCI/Credit Cards: An industry-specific set of security standards for sensitive payment card information (e.g. credit card account numbers).

Health Industry

HIPAA: Security and privacy of health information.

HITECH Act: Strengthens enforcement of the HIPAA rules.

HITRUST: Provides a cybersecurity framework commonly used in the health industry.

Energy Industry

NERC: Assures the reliability and security of the bulk power system in North America.

Education Industry

FERPA: Federal law that protects the privacy of student education records.

United States Government

FISMA: Addresses the cybersecurity practices of the Federal Government. DHS is the lead agency.

Additional References - Privacy, Identity Theft and More

Note: Many states such as California have laws relating to privacy, security and data breaches.

The FTC leads on privacy-related matters.

The CFPB also has authority to protect consumers in matters related to privacy and security.