Governance, Risk and Compliance Services

Cryptoforensics’ Governance, Risk and Compliance Services provide organizations with the security, risk and compliance expertise to help them develop their strategic cybersecurity and governance programs.
Our offerings include:

1. Cybersecurity Program (ISO 21001) Creation

It is true that several growing IT organizations may not have the foundational programs in place to address key areas of security and risk. It’s also true that more established organizations may not have updated their existing programs to meet new business and organizational challenges. In either case, it is safe to surmise that the typical organization lacks the proper insight, resources or knowledge to design or update effective security programs that incorporate known best practices tailored to their organizations.

Our Process & Approach to Cybersecurity program development:

  • Project Planning & Rules of Engagement
  • Engagement
  • Gap Analysis vs. Best Practices
  • Program Development
    • Program Descriptions
    • Governance Charters
    • Policies & Programs
    • Standards Mapping
  • Delivery of Corporate Information Security Program Document that includes:
    • Charters
    • Policies
    • Standards

Cryptoforensics’ Cybersecurity & Governance Program development offerings can help your organization establish or update its critical foundational programs to a robust level. Whether the challenge is a Corporate Information Security Program, a Computer Incident Response Plan or a more specialized program, our cybersecurity experts can help your organization accelerate the maturity of its IT and cybersecurity organization based on industry and observed best practices.

We assure you that in a few short weeks your organization can have a robust security program in place, compared to the months it can take to develop such programs in a resource-constrained environment. At a minimum, the program will include development of program descriptions, charter development, policy development and standards mapping to heighten the overall cybersecurity posture.

Our deliverable objectives will include:

  • Obtain and create listing of information systems and assets
  • Determine threats to assets
  • Identify organizational vulnerabilities
  • Identify technical vulnerabilities
  • Document current controls and security processes
  • Identify security requirements and considerations per regulatory requirements
  • Measure initial and residual compliance, reputation and direct loss risk
  • Make compliance part of your corporate security program

2. Third Party Security Risk Management

Organizations that are challenged by compliance requirements such as HIPAA, SOX, PCI DSS, Basel Laws, GLBA and other regulations must ensure that the vendors accessing their assets and systems are compliant with the relevant regulations. Like it or not, organizations that lose sight of the fact that when they outsource a function to 3rd parties the ultimate responsibility for all compliance requirements remains with them usually pay a heavy price when things go wrong.

The typical vendor risk management process is used to plan, assess and mitigate the risks that third-party vendors present. Cryptoforensics has handled vendor management functions for clients including banks, regional energy producers, retailers, and small to medium sized law firms.

Our third-party risk mitigation services can help your organization effectively identify and mitigate risks posed by 3rd party service providers in critical risk areas such as information security, service delivery, supply chain processing, financial processing, reputation, and regulatory compliance.

It is foolhardy for organizations to sacrifice the protection of sensitive financial, health or other personal data, or their reputation, by not understanding the true nature of their vendors’ privacy and security practices. It pays to be proactive. We can help you gain clear visibility into the business impact of third-party risk through its direct links to specific business elements such as processes and lines of business. Our experts can issue and analyze the responses to third-party self-assessments, and also conduct detailed audits of third parties based on self-assessment findings and other organization-defined assessment criteria.

The typical benefits of our methodology to your organization will include:

  • Mitigate vendor risk through more comprehensive vendor assessments
  • Simplify tracking of vendor responses to increase management’s visibility into potential third party compliance issues
  • Eliminate redundant and potentially erroneous vendor data through consolidation of all vendors and contract info in one easy-to-use application, accessible anywhere and anytime
  • Implement tools that are flexible and configurable for creating custom questionnaires, allowing vendors to complete surveys online and easily submit responses electronically
  • Federated vendor chain that captures vendor information, services they provide, key documentation, and related risks.
  • Automated Assessment Workflow that includes questionnaire distribution, completion, and response submission.
  • Proactive Notification and Collaboration Support that provides the necessary automated communication vehicles to keep vendors and analyst teams engaged during the assessment process.
  • Comprehensive Reporting for viewing vendor and service information including related risks, vendor assessment summary/status/timetables, Issues and Project tracking, Findings reports and charts, etc.

3. DR/BC Operational Plan Development and Implementation

The ever-increasing cyberthreats from terrorist attacks, natural disasters, hackers, and viruses have highlighted the need for organizations to prepare Disaster Recovery and Continuity of Operations plans. Cryptoforensics’ experts understand these threats as well as your essential functions and aim to deliver high availability of systems and infrastructure every day, not just in times of crisis. Using an enterprise-wide approach, we identify essential business functions, assess your state of operations, and then recommend policies to reduce disruptions and risks, train your staff in preparedness techniques, and provide documentation and control for critical systems and networks.

Cryptoforensics will ensure that the solution fits within the overall framework of your risk management and enterprise security requirements, change management practices, incident response policies and procedures, and Certification & Accreditation (C&A) life cycle. Additionally, all Cryptoforensics’ solutions meet requirements set forth in several government specifications, including OMB A-130, HSPD 20, DoD 3020.26, and DoDI 3020.45, and further follow NIST guidance for COOP planning (800-34) and testing/training/exercises (800-84).

Our Disaster Recovery & Continuity of Operations Offerings include:

  • Site-specific threat assessments
  • Detailed contingency plans development
  • Operations framework implementation
  • Standard operating procedures development
  • Training staff through classroom instruction, workshops and computer-based methods
  • Direct procedural and performance drills
  • Standard and customized automated support systems implementation

Concrete benefits of our services include:

  • Improve ability to avoid or reduce business disruption
  • Minimize ad hoc reorganization, duplication and confusion
  • Provide detailed guidance for restoring normal operations without disrupting key activities
  • Avoid unnecessary expenses resulting from unexpected outages
  • Prepare employees to effectively deal with contingencies

4. Regulatory Compliance Readiness and Privacy Gaps Reviews

It is needless to state that today, organizations are facing more intense pressure from increasing regulation and investigations by federal regulators, state attorneys general and others, prompting extensive reviews, audits and litigation across a variety of industry practices. Whether dealing with an urgent issue or addressing compliance more broadly, organizations need to have comprehensive programs in place to address their risks of noncompliance with state, federal and international laws. Organizations need the expertise required to review their cybersecurity-related operations from all perspectives to ensure that applicable regulatory requirements are being met.

Cryptoforensics’ Regulatory Compliance Readiness Review offerings include the following:

  • Health Information Portability and Accountability Act (HIPAA)
  • The Sarbanes-Oxley Act of 2002 (SOX)
  • SSAE 16 SOC II & ISAE 3402 Readiness Review
  • Privacy Gap Assessment

i. HIPAA Compliance Review

HIPAA was passed in 1996 to address the security and privacy of health care data. Following this, the government enacted the Health Information Technology for Economic and Clinical Health Act (HITECH Act) as part of the American Recovery and Reinvestment Act of 2009 (ARRA), signed into law on February 17, 2009. The HITECH Act amended HIPAA with significant changes to data breach notification, enforcement, and penalties. Cryptoforensics’ HIPAA compliance review is carried out as a gap assessment that reviews the client’s operational systems and processes to identify areas of non-compliance. Our experienced Team Members have worked with many organizations in the commercial, government, and health and human services sectors, including providers and service organizations.

The benefits of our approach include:

  • Ascertainment of Compliance with the HIPAA/HITECH
  • Precise identification and articulation of non-compliant areas and specification of the actions needed to comply with the HIPAA Security and Privacy Rules
  • Clear avoidance of likely punitive damages that could result from an ePHI/PHI compromise
  • Credible third party objective demonstration of HIPAA/HITECH compliance
  • Drastic reduction of the cost, confusion, and complexity of HIPAA/HITECH compliance

Cryptoforensics’ multi-stage Approach and Methodology to HIPAA Gap Assessment include the following:

  • Pre Audit Stage during which we map out critical information processes in order to determine if regulatory controls have an impact on your business. The goals here are to:
    • Evaluate the effectiveness of the organization’s HIPAA compliance program
    • Validate the current HIPAA controls
    • Keep the organization up-to-date on any new HIPAA requirements, threats, and liabilities
  • Onsite Visit Stage during which we:
    • Introduce engagement participants and define roles
    • Review engagement activities
    • Review any applicable documentation
    • Document the in-scope HIPAA business process and supporting technologies
    • Perform data flow analysis and map HIPAA processes to technical infrastructure
    • Document the existing controls used to protect ePHI/PHI
    • Identify gaps against the NIST 800-53 framework for HIPAA Security Rule
    • Identify gaps against the GAPP framework for HIPAA Privacy Rule
  • The Documentation (Reporting) Stage during which we:
    • Conduct on-site interview and information gathering to assess HIPAA compliance status
    • Outline strategic recommendations to mitigate identified control gaps

ii. The Sarbanes-Oxley Act of 2002 (SOX) Section 404 Compliance Review

Cryptoforensics’ SOX Readiness Review is designed to assess an organization’s preparedness for compliance. By conducting a thorough gap analysis, our consultants will assess the current control environment by identifying strengths and providing recommendations for areas that need improvement. As part of our detailed recommendations, we will provide a prioritized listing of controls that should be considered for implementation or enhancement prior to the audit.

In addition, Cryptoforensics will provide SOX-specific process documentation examples (flowcharts and Risk Control Matrices), test script templates, an inventory of baseline policies and procedures required and key forms. A SOX Readiness Review is a valuable, cost effective assessment that will give you a good idea of where you currently are and where you need to be.

Cryptoforensics’ SOX compliance review is focused on section 404 and designed around the COSO internal control framework, the IT Governance Institute’s CobiT and industry best practices. Cryptoforensics will apply a top-down, risk-based approach to identify the most effective and efficient ways to appropriately reduce effort and compliance cost through better risk assessment, scoping and use of technology. Our offerings are designed to meet each client’s unique needs. Whether our arrangement is full outsourcing, co-sourcing or consulting, our team will work closely with the process owners, management and external auditors to ensure all compliance initiatives are met on schedule, on budget and in the highest quality. Our offerings here include:

  • Project planning and management
  • Risk assessment, scoping and materiality
  • Documentation, testing and remediation of risks and controls
  • Communication with external auditors, executive management and the audit committee
  • Cost reduction by evaluating risks, optimizing controls, implementing risk-based testing and streamlining the overall compliance effort

At Cryptoforensics, we regard SOX as an opportunity to continuously improve business processes and performance rather than a mere exercise in compliance. Our consultants will thus help your organization to achieve compliance in the most efficient and cost effective manner.

iii. SSAE 16 SOC II & ISAE 3402 Preparedness Review

Cryptoforensics can perform a readiness assessment to help your organization evaluate the controls in place to meet the Trust Services Principles and Criteria, with the goal of ensuring preparedness for the SOC 2 examination and reducing or eliminating the possibility of a qualified opinion or reporting exceptions.

Cryptoforensics’ experts will work collaboratively with your management teams to perform a detailed readiness review and provide a gap matrix that identifies controls that would pass right away, controls that would partially fail, and controls that would fail and require remediation. Organizations that fall into the following categories should benefit from our offerings:

  • Any service organization that seeks a cost-effective method to assess its preparedness for an eventual service audit
  • Any service organization that has not recently undergone a financial or regulatory audit
  • Any service organization that prefers an internal-use-only report for the purposes of identifying any current control deficiencies
  • Any service organization that plans to perform a Type 2 service audit as its initial audit

Concrete benefits of our service offerings include:

  • Clear identification of expectations for the future audit, including the time commitments that may be required from key client personnel.
  • An internal-use-only report is provided to the client that creates the basis for improving the overall control environment.
  • The description of controls is drafted and ready to be used for the subsequent audit.
  • Strengths and weaknesses in the current control structure are clearly communicated to the client.
  • The client has sufficient time to remediate any gaps in the control structure.
  • The client has access to obtain immediate responses from Cryptoforensics’ professionals regarding the impact potential changes to services or controls may have on the upcoming audit.
  • The scope of the subsequent audit, and specifically the control objectives and related control activities, are refined based upon the Readiness Assessment results.

Typical deliverables from our engagement will include:

  • Detailed project plan for the project
  • Comprehensive questionnaires and an information request list allowing the client’s personnel to gather documentation in advance of fieldwork
  • A Readiness Assessment report containing the description of controls for use in the subsequent service audit
  • Any additional reporting requirements specific to the new SSAE 16 and/or ISAE 3402 standards
  • Identification of controls currently in place for each in-scope control objective
  • A prioritized listing of controls that should be considered for implementation or enhancement prior to the execution of the service audit
  • Additional observations and gaps noted during the assessment

iv. Privacy Gap Assessment and Review

As a result of several high-profile breaches, states have enacted their own laws providing additional protection, including Massachusetts’ 201 CMR 17. Similarly, numerous international laws have been adopted, including the European Directive and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Further, more than 50 countries have enacted omnibus data privacy laws covering the private sector, including Mexico’s Federal Law on the Protection of Personal Data Held by Private Parties.

Cryptoforensics’ Privacy Gap Assessment offering will compare your privacy program against applicable law and industry best practices, covering:

  • Privacy Principles
  • Management
  • Notice
  • Choice and consent
  • Collection
  • Use, retention, and disposal
  • Access
  • Disclosure to third parties
  • Security for privacy
  • Quality, Monitoring and enforcement

Cryptoforensics will adopt a staged-approach to any Privacy Gap Assessment assignment, as follows:

  • A Gap Assessment/Pre-Audit stage during which we map critical information processes and data flow to determine applicable law and business impact. During this stage, we will:
    • Evaluate the effectiveness of your privacy program
    • Leverage the Privacy Maturity Model to determine what gaps currently exist
    • Validate privacy controls
    • Determine remediation cost-justification
  • A Privacy Gap Assessment onsite visit stage during which we will:
    • Introduce engagement participants and define roles
    • Review engagement activities
    • Conduct on-site interviews and information gathering to assess compliance status
    • Review any applicable documentation
    • Process Mapping during which we will document the high level in-scope systems and technical infrastructure
    • Requirements Analysis where we will document the existing controls used to protect in-scope data assets
    • Identify gaps against applicable law
  • The Reporting stage during which we will:
    • Outline strategic recommendations to mitigate identified control gaps
    • Identify risk-based compliance gaps to build a remediation roadmap

Our approach is carefully designed to benefit your organization in several ways, including:

  • Identification and compliance with applicable privacy law and regulatory guidance
  • Proper third party objective demonstration of compliance
  • A prudent avoidance of severe fines and regulatory action
  • Client-centric program for safeguarding personally identifiable information
  • Projected and drastic reduction in the cost, confusion, and complexity of compliance
