Risk Advisory

IT Risk & Compliance Services

Increasing IT compliance risk requires a trusted advisor with thoughtful solutions.

FORVIS IT Risk professionals work smarter to help protect your organization

As organizations adopt innovative and disruptive technologies, effective IT governance, risk, and compliance programs become imperative to protecting sensitive data and maintaining uninterrupted business operations. In an uncertain and changing business environment, increased reliance upon technologies introduces new risks, as well as more compliance obligations for organizations of all sizes and complexity.


Helping protect your digital assets with comprehensive cybersecurity services

In today’s increasingly connected world, your organization faces a number of threats and risks. The FORVIS cybersecurity professionals can help you develop a holistic plan to protect against unforeseen attacks.


Building and maintaining an effective cybersecurity program requires a thoughtful, scalable, and tailored approach.

  • Cybersecurity Program Development and Alignment
  • Ransomware Risk Assessments
  • Cybersecurity Awareness Training
  • Virtual Chief Information Security Officer (vCISO)
  • Virtual Chief Information Officer (vCIO)
  • Internal Audit Support
  • Policy & Procedure Development
  • Access Analyzer
  • Third-Party Risk Management (TPRM) Consulting & Assessments
  • M&A Cyber Due Diligence
  • Business Continuity Planning
  • FORVIS 24/7 Managed Security Services

FORVIS is experienced with the following cybersecurity standards, frameworks, and regulations.

  • Cloud Security Alliance (CSA) Cloud Controls Matrix
  • Cybersecurity Maturity Model Certification (CMMC)
  • FFIEC – Information Technology (IT) General Control Testing
  • ISO 27001/2
  • GLBA/FFIEC/InTREx – Financial Institutions
  • GLBA – Higher Education
  • HIPAA – Healthcare
  • NIST 800-53, 800-171
  • NY Dept. of Financial Services (NYDFS)
  • Payment Card Industry (PCI)
  • Sarbanes-Oxley (SOX)

Cybercriminals continue to exploit technical and operational vulnerabilities that lead to high-profile and costly data breaches.

  • Network Penetration Testing
  • Web Application Penetration Testing
  • Social Engineering Testing
  • Password Assessment
  • Dark Web Research
  • Incident/Breach Response Assistance
  • Targeted System and Operations Audits
  • FedLine Assessment Services
  • Cybersecurity Risk Assessment

Data Privacy

Increasing regulatory scrutiny on handling of sensitive consumer information

The European Union’s General Data Protection Regulation (GDPR) introduced new minimum standards that increase transparency about how organizations use consumer information and that give consumers minimum rights to define how organizations may use their data.

As the data privacy landscape continues to evolve—and more stringent regulations are passed—we help our clients design and develop privacy solutions that address compliance obligations and protect their brand in the marketplace.


Data privacy governance goes far beyond technology solutions and impacts core business processes and data flows.

  • Data Discovery and Process Mapping
  • Policy and Procedure Development
  • Data Privacy Impact Assessments (DPIA)
  • Record of Processing Activity (ROPA) Documentation
  • Third-Party Vendor Management (TPRM) and Assessments
  • Network Security Assessments and Advisory
  • Technology Implementation Advisory
  • Internal Audit Support

FORVIS is experienced with the following data privacy standards, frameworks, and regulations.

  • California Consumer Privacy (CCPA/CPRA)
  • General Data Protection Regulation (GDPR)
  • HIPAA Privacy Rule
  • Children’s Online Privacy Protection Act (COPPA)
  • NIST Privacy Framework
  • Generally Accepted Privacy Principles (GAPP)
  • State Data Breach Notification Rules

Government Contracting & CMMC Compliance

Preparing for Certification With CMMC 2.0

In November 2021, the Department of Defense (DoD) affirmed plans to move forward with the Cybersecurity Maturity Model Certification (CMMC) in 2022 to protect Controlled Unclassified Information (CUI), introducing sweeping changes to how contractors comply with requirements. Final rulemaking is underway and implementation guidance is released regularly to clarify expectations for contractors and CMMC assessors.

It is important to note that, while the implementation of CMMC and rollout timeline have changed, CMMC will still be mandatory across the Defense Industrial Base (DIB) and will appear in all contracts over the next several years. FORVIS is an Authorized CMMC 3rd Party Assessor Organization (C3PAO) and Registered Provider Organization (RPO) with the CMMC Accreditation Body. As a C3PAO, FORVIS can perform CMMC certification assessments, as well as NIST 800-171 and cybersecurity program consulting, for contractors across the country.


IT Risk & Controls/SOX

IT audits and general control testing evaluate your institution’s control environment against current policies and applicable laws, regulations, or guidelines. Our tests can help assess your ability to safeguard assets, maintain data integrity, and effectively achieve security objectives. Below are some of the tests our FORVIS professionals can perform for you:

  • FDICIA IT Key Control Testing
  • SOX IT Key Control Testing
  • Customized IT Internal Audit Control Testing

International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC) 27001 Solutions

Helping prepare for an ISO 27001 Certification and providing guidance on performing Stage 1 and Stage 2 audits.

Organizations operating at an international scale face a unique challenge in providing information security and privacy assurance. Our team of Lead Auditors is well positioned to help you understand the process of preparing for an ISO 27001 Certification and to perform Stage 1 and Stage 2 audits. ISO/IEC 27001 and ISO/IEC 27002 are the main ISO standards that give organizations the opportunity to enhance their information security. ISO/IEC 27001 is primarily a framework to assist organizations in managing information security, while ISO/IEC 27002 provides implementation guidance for the information security controls listed in ISO/IEC 27001. FORVIS’ team members are ready to support you with preparing for and pursuing an ISO 27001 Certification.

FORVIS offers various ISO 27001 solutions to help meet your organization’s needs:

  • ISO 27001/27002 Readiness Assessment – The ISO 27001 Readiness Assessment is designed to support organizations in evaluating the statement of applicability and potential nonconformities associated with an ISO 27001 Certification.
  • ISO 27001 Internal Audit Services – A key component of ISO 27001 readiness and compliance is the maintenance of an internal control monitoring function. Our Lead Auditors’ knowledge and experience of ISO 27001 allows them to support your organization efficiently and effectively with the internal audit requirement. 
  • ISO 27001 Certification – Performing Stage 1 and Stage 2 audits results in the submission of a recommendation for certification to one of FORVIS’ Certification Body partners.

PCI Compliance

Protect Your Business & Customer Data

Our PCI compliance services include:

  • PCI Reports on Compliance Assessments – provide independent validation of PCI DSS compliance in the form of a RoC that can be submitted to an acquiring bank or the major card brands. This is a requirement for merchants with more than 6 million VISA or MasterCard transactions per year.
  • PCI Readiness Assessments – assess an organization’s readiness against PCI DSS controls and advise on strategies to close remediation gaps. The implementation of DSS v3.0 places additional security requirements on organizations that should be addressed prior to full compliance audits. Readiness assessments help organizations ensure they can demonstrate full compliance with the latest version of the PCI DSS.
  • Self-Assessment Questionnaire (SAQ) Assistance – assess your tools for self-evaluation of PCI DSS compliance. This is a requirement for merchants with fewer than six million VISA or MasterCard transactions per year or service providers with fewer than 300,000 transactions per year.
  • PCI Compliant Network Penetration Testing – identify potential network and application vulnerabilities that jeopardize cardholder data security.

Transaction Advisory

Tackling Information Technology Risk & Compliance Challenges

For businesses engaged in mergers and acquisitions, information technology risks can derail a deal. When you purchase a company, you own its data—past, present and future—which can have a significant impact on valuation. FORVIS helps your company identify information technology and data risk associated with a transaction.

Helping You Mitigate Risk

Our goal for each transaction is to arm our clients with the appropriate information to allow them to make important decisions about proceeding, renegotiating, restructuring or withdrawing from a potential transaction. Information technology risk can affect a company’s value in many ways:

  • Technology Governance and Strategic Initiatives
  • Direct & Long-Term Remediation Costs
  • Increased Cyber Insurance Cost
  • Scalability and Functionality Failures
  • Hidden or Buried IT Costs
  • Significant Business Interruption

To help you manage these risks, our team assesses information technology areas and compliance activities of the target company or acquisition to determine if services and processes are secure, streamlined and efficient, and support continuity of operations post transaction.
