
Kerry L. Shackelford CPA LLC
SERVICES --- ADVISORY
klsCPA also provides IT governance, risk, and compliance advisory services. These include:
- Security Risk Assessments (featured below)
- Development of IT Artifacts such as:
  - IT Policies and Procedures
  - Disaster Recovery Plans
  - Record Retention Policies and Procedures and the Record Retention Schedule
Security Risk Assessments
A Security Risk Assessment, or "SRA", is fundamental to well-known security management frameworks such as ISO/IEC 27001/27002 and FISMA (which relies on the NIST SP 800-53 control catalog), as well as to regulatory and contractual requirements such as the HIPAA Security Rule and the Payment Card Industry Data Security Standard (PCI DSS).
Scope: The scope of a Security Risk Assessment is driven by the sensitive data the organization handles and where that data lives. Sensitive data can include customer data, personally identifiable information (PII), company confidential or proprietary data, payment card cardholder data, or health care protected health information (PHI), among other types.
A key deliverable of a Security Risk Assessment is the inventory of sensitive data. The inventory identifies where sensitive data is stored, processed, and transmitted, along with the networks, servers, applications, data stores, and transmission paths involved. The SRA then focuses on the reasonably anticipated threats to, vulnerabilities of, and resulting risks to that data.
Approach: klsCPA SRAs follow industry standard practices based on the National Institute of Standards and Technology (NIST) 800 Series of Special Publications (SP). In particular, NIST SP 800-30, Guide for Conducting Risk Assessments, and NIST SP 800-39, Managing Information Security Risk, are the publications most directly relevant to SRA activities.

