Cybersecurity

An effective, comprehensive information security program can lead to better business decisions, a competitive advantage, increased performance, and reduced risks and costs.

We Get It. Cyberattacks are on the rise. While IT organizations have matured and their defenses have become more sophisticated, cyber criminals have found new and innovative ways to attack. Every organization—from banks and manufacturing to retail stores and tech companies—is at risk of being hacked and losing intellectual property, customer information, and other sensitive data. Today, customers, shareholders, and other key stakeholders demand assurance that their information is secure and that the company is protecting its most valuable assets. How can an organization continue to grow and increase performance while protecting its most valued assets?

Having a partner who understands the complex and evolving environment of cybersecurity can make all the difference.

Cybersecurity: Advancing your Information Security Program

Our services are designed to provide you with a full-service way to protect your most valuable assets.

Accretive Solutions has helped hundreds of clients successfully navigate the cybersecurity landscape. Regardless of the maturity of your program, Accretive Solutions can help you improve your organization’s security. Whether an organization needs help getting or staying compliant with standards, assessing its current program, developing a cybersecurity strategy and roadmap, or creating a disaster recovery program, we have a right-sized solution. Communication, training, and knowledge transfer are key components of the success of each engagement.

Customized On-Line Cybersecurity Training

Cyber threats within your organization are increasing each year. It’s more important than ever to ensure that all employees know how to safeguard sensitive information. We work with you to customize both the content and the look and feel of a course for YOUR organization so your employees are able to follow cybersecurity best practices, identify and report threats, and prevent unauthorized access.

Some of the topics our base curriculum covers include:
  • Module 1: Values and Goals of this Training
  • Module 2: Why Data Security Matters
  • Module 3: What is Information Security?
  • Module 4: Protect Yourself
  • Module 5: Compliance & Regulation
  • Module 6: Reporting Suspicious Activity

How We Have Helped Our Clients

CASE STUDY: Cybersecurity Risk Assessment, Vulnerability Testing, Security Awareness Training, Roadmap and Implementation for a Life Sciences Firm

CHALLENGE

The firm was beginning a rapid growth cycle and was being threatened by hacktivists because of its manufacturing processes. The firm wanted a review of its cybersecurity defenses and a roadmap to reduce its exposure to these threats.

SOLUTION

Accretive Solutions assessed the client’s security posture through a combination of process walkthroughs and vulnerability assessment testing. From these results, we evaluated the client against its chosen security framework (a combination of the SANS Top 20 controls, NIST, and ISO) to establish its current state. Next, we looked at the client’s desired 18-month end state, taking into account risk tolerance and future growth strategies, and identified the key initiatives required to reach that end state. Through a series of workshops, we worked with the client to ensure ownership of and buy-in for the initiatives. In addition, we delivered three on-site cybersecurity awareness sessions focusing on the value of the data each employee had access to and their responsibilities in caring for that data. In one of these sessions we worked with senior management to discuss the client’s current state of cybersecurity, its risk exposure, and what remediation was required. We completed these tasks: performed a risk assessment, along with internal and external vulnerability and penetration testing; conducted social engineering exercises (email, phone, and physical breach); developed a cybersecurity roadmap; and provided security awareness training for executives and employees.

RESULT

There was a marked increase in employee participation in cybersecurity. The IT team had a clear roadmap and, within 12 months, had implemented the key changes to its environment needed to reach the 18-month end state.


CASE STUDY: PCI Readiness Assessment and Compliance

CHALLENGE

Our client identified the need to improve its processes. The company had self-assessed in the past, but, due to organizational changes, the new executive management team was not comfortable with what the network and security personnel were documenting. Upon further testing, management found major gaps in the environment, and an independent assessment was requested.

SOLUTION

We deployed a team of two PCI Qualified Security Assessors (QSAs) to perform a gap analysis. The gap analysis identified several areas that required remediation. We partnered with the client to help with remediation and to provide ongoing subject-matter expertise and project management support.

RESULT

The client received a passing PCI Report on Compliance (ROC) and was able to make significant, positive changes within its environment to strengthen its security posture.


CASE STUDY: SOC 2 Readiness

CHALLENGE

The company was receiving multiple requests from its customers for a SOC 2 attestation. While it had good security controls, it had little documentation of its processes and was unclear about what its controls actually were.

SOLUTION

We deployed a seasoned consultant to perform a gap analysis using our partner templates (SSAE 16 Professionals). The gap analysis identified several areas that required remediation. We worked with the client to document policies and procedures and to identify and implement controls. The consultant was actively engaged in helping the client explain the rationale for the new controls to employees and in facilitating their adoption.

RESULT

The client received an unqualified SOC 2 opinion and was able to make significant, positive changes within its environment to strengthen its security posture.


CASE STUDY: IT Security Plan for Professional Services Firm

CHALLENGE

A professional services firm was purchased by an equity firm with the goal of improving its processes to position it for an IPO. Because the firm’s internal controls were inadequate for the additional regulatory scrutiny applied to public companies, the CIO requested the development of a plan focused specifically on IT security controls.

SOLUTION

We developed a compliance matrix to identify key systems and infrastructure; inventoried employee skill sets and current tools; created a suite of controls based on recognized security standards; developed minimum security baselines for all identified key systems and infrastructure; provided guidance on pushing configuration changes through the environment; configured an existing tool to perform regular automated audits based on the minimum security baselines; and developed a process to manage and remediate exceptions found by the automated audits.

RESULT

We developed an internal controls environment that the small IT department could manage with limited effort (no additional headcount was needed) while still easily demonstrating compliance. The new environment leveraged the IT department’s existing skills and tools, and training was provided where skill gaps were identified.


CASE STUDY: Cybersecurity Audit for International Semiconductor Company

CHALLENGE

Internal audit had little visibility into the operating effectiveness of the security practices within the organization and no security expertise on staff.

SOLUTION

We worked with the Director of Internal Audit to identify the highest-priority information security targets within the company based on security events, growth strategy, revenue, and risk to intellectual property. Using a NIST-based approach, we evaluated the organization’s policies against the NIST framework, identified gaps, and suggested remediation aligned with the organization’s goals. We assessed gaps against the framework and inconsistencies across relevant departments, and we audited the controls that were deemed operational using a PCAOB sampling approach.

RESULT

Policies were updated to be consistent with NIST. Significant inconsistencies in security implementation within the organization were identified and remediated.


CASE STUDY: Threat Detection and Monitoring for an International FinTech Company

CHALLENGE

The client was implementing its first threat detection and monitoring capability and did not have in-house security expertise to evaluate and implement tools.

SOLUTION

We started by defining the systems and key security events that needed to be monitored. We advised the CTO on tools that could meet the budget and requirements. After identifying possible implementation issues with the tools, we implemented the chosen tool across all in-scope systems, including ensuring that appropriate logging was enabled on each in-scope application. Once the tool was operational, we assisted in evaluating results and developing a process to address alerts. We completed these tasks: evaluated the systems and security events; selected and evaluated a threat monitoring tool; implemented the threat monitoring tool; developed procedures for threat monitoring; provided staff for security operations; and provided training for threat monitoring.

RESULT

The threat monitoring tool was implemented within a three-week period. Key personnel were trained on how to evaluate alerts. The company has a sustainable threat monitoring program.


CASE STUDY: Business Continuity, Disaster Recovery, and Incident Response for an International Technology Company

CHALLENGE

The company had some localized disaster recovery efforts but did not have business continuity, incident response, or disaster recovery plans. The lack of these plans had become an obstacle to sales into larger clients and to achieving its SOC 2 certification. The Board was also concerned about the company’s ability to withstand a major disaster.

SOLUTION

We worked with key management to understand the company’s goals during a disaster, the business data and systems most critical to its operations, and the business activities necessary to achieve those goals, and then to prioritize those activities. In addition, we took a deep dive into the processes, including tolerable downtime, recovery point objective, and recovery time objective. We developed department-level business continuity plans and worked with senior management to define the decision-making process and ownership within the company in the event of an incident. All of this information was developed into an overall business continuity plan (both a customer-facing version and one for internal use) and an incident response plan.

RESULT

With plans in place, the client could sell into larger clients and achieve SOC 2 certification. In addition, this work allowed several high-priority availability incidents that arose over the next few months to be handled with minimal disruption.