The modern cyber realm is a frigid wasteland, plagued by all manner of malicious actors, bots, and malware. At Frost, we understand the nature of the enemies faced by your organization (both physical and virtual), and we provide holistic technology audit and assurance services that are tailored to combat the specific risks you face. Take a moment to browse our site, and take a look at the many services we have available.
Once you’ve looked over our offerings, we encourage you to request a free consultation. Today you need a cyber-fortress that will withstand and adapt to the ever-changing onslaught of cyber and physical threats. Let us help you build and assess it.
Frost’s entrepreneurial focus and creative approach are a cornerstone of our Technology Assurance and Audit services. We tailor our services to address the needs of each particular client to ensure that technology-related risk is addressed in a holistic manner. Here are some of the specialized services we provide:
- SSAE16 (SOC1) Audit Services
- SOC2 and SOC3 Audit Services
- General Technology Assurance and Consulting Services
- GLBA and FFIEC Compliance Auditing and Consulting Services
- HIPAA and HITECH Compliance Consulting Services
- NERC Critical Infrastructure Protection Services
- Food Defense and Risk Management Services
- and more…
We develop assurance relationships with our clients that are backed by stellar performance.
Purpose of the Examination:
In today’s global economy, service organizations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. The issuance of a service auditor’s report prepared in accordance with SSAE 16 signifies that a service organization has had its control objectives and control activities examined by an independent accounting and auditing firm. The service auditor’s report, which includes the service auditor’s opinion, is issued to the service organization at the conclusion of an SSAE 16 examination.
SSAE 16 is generally applicable when an independent auditor (“user auditor”) is planning the financial statement audit of an entity (“user organization”) that obtains services from another organization (“service organization”). Service organizations that impact a user organization’s system of internal controls could be application service providers, bank trust departments, claims processing centers, data centers, third party administrators, or other data processing service bureaus.
In an audit of a user organization’s financial statements, the user auditor obtains an understanding of the entity’s internal control sufficient to plan the audit. Identifying and evaluating relevant controls is generally an important step in the user auditor’s overall approach. If a service organization provides transaction processing, data hosting, IT infrastructure or other data processing services to the user organization, the user auditor may need to gain an understanding of the controls at the service organization in order to properly plan the audit and evaluate control risk.
Readiness Assessment and Report Types:
- Readiness Assessment – While not required, Readiness Assessments save money. “False starts” are expensive and inefficient. To prevent “false starts”, Frost, PLLC offers readiness assessments to all new and existing SSAE 16 clients as a preliminary step. Readiness assessments provide an opportunity to evaluate the control environment before beginning the SSAE 16 audit process. Service Organizations benefit by having an opportunity to vet controls with the auditors and ensure that control evidence is available to support SSAE 16 audit testing. At the conclusion of the readiness assessment, you will have a road map to complete your SSAE 16 Type II audit and know the weaknesses within your internal control structure. Readiness assessments save money in the long term and provide your company with the confidence and tools needed to complete an SSAE 16 audit.
- Type I – A Type I report presents the service organization’s description of controls at a specific point in time (e.g. June 30, 2010). It also includes the independent service auditor’s report (opinion) and the service organization’s description of controls. Information provided by the independent service auditor, including a description of the service auditor’s tests of operating effectiveness and the results of those tests, and information provided by the service organization (e.g. glossary of terms), are optional in an SSAE 16 Type I report.
In a Type I report, the service auditor will express an opinion on (1) whether the service organization’s description of its controls presents fairly, in all material respects, the relevant aspects of the service organization’s controls that had been placed in operation as of a specific date and (2) whether the controls were suitably designed to achieve specified control objectives.
- Type II – A Type II report not only includes the service organization’s description of controls, but also includes detailed testing of the service organization’s controls over a minimum six-month period (e.g. January 1, 2010 to June 30, 2010). It also includes the independent service auditor’s report (opinion) and the service organization’s description of controls, as well as information provided by the independent service auditor, including a description of the service auditor’s tests of operating effectiveness and the results of those tests, and information provided by the service organization (e.g. glossary of terms). In a Type II report, the service auditor will express an opinion on (1) whether the service organization’s description of its controls presents fairly, in all material respects, the relevant aspects of the service organization’s controls that had been placed in operation as of a specific date, (2) whether the controls were suitably designed to achieve specified control objectives, and (3) whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the period specified.
- Independent Service Auditor’s Report
- Management’s Assertion
- Service Organization’s Description of the System
- User Entity Controls
- Control Objectives, Activities, and, for Type II Audits, a Description of the Control Tests Performed
Type II Report Timing:
The AICPA suggests the period of review, or time frame which the report covers, should be at least six (6) months. While the standard sets a minimum period of review, the period of review can be set to cover any period of at least six months – i.e., six months, nine months or one year.
It is recommended that a report be issued at least annually, allowing the user organizations and user organization auditors to assess the control risk for the financial statement assertions impacted by the services provided by your company.
Depending on the type and scope of the report, the Frost service auditor’s fieldwork procedures will typically take one to three weeks to complete, and the report drafting and issuance process is completed within 30 days of fieldwork completion.
The SOC 2 and SOC 3 reports involve a similar underlying evaluation, but the target audiences for the reports differ.
The SOC 2 report is specifically known as a “Report on the Controls at a Service Organization Relevant to Security, Availability, Process Integrity, Confidentiality, and/or Privacy” (referred to as the “Trust Service Principles”). The SOC 2 report can be used to evaluate adherence to any or all of the five listed trust services. The service organization will decide which of the five Trust Service Principles it wants to be evaluated against. A service organization’s controls will be evaluated against the applicable Trust Services Criteria (each of the five Trust Service Principles is supported by specific underlying Criteria). The Criteria are essentially pre-defined generic control objectives that the service organization’s controls must adequately address.
The intended users of the SOC 2 are members of the Service Organization’s management team, and user entities that require an understanding of the entity’s controls around the applicable Trust Service Principles.
Both Type I and Type II SOC 2 reports are available. A Type I report views controls as of a specific point in time, and is used to gain an understanding of the Service Organization’s systems and controls. A Type II report involves the testing of control effectiveness across a period of time (usually 6 months or more). (The Type II report is typically preferred because it tests the effectiveness of controls over a period of time.)
A SOC 2, Type II report, has the following components: 1) a determination regarding whether management fairly presented its system; 2) a determination regarding the suitability of the controls with regard to their ability to meet the applicable Trust Services Criteria; 3) a determination regarding whether the controls included in the description were operating effectively to meet the applicable Trust Services Criteria; and 4) if addressing the privacy principle, a determination regarding whether management complied with its privacy practices.
The SOC 3 report is specifically known as a Trust Services Report. The SOC 3 report is designed to meet the needs of users who want assurance on the controls at a Service Organization related to the five Trust Service Principles. Because the reports are general use in nature, they can be freely distributed or posted on a website. (This adds an additional marketing element to the report). The SOC 3 audit essentially involves a SOC 2, Type II evaluation, but the corresponding report does not contain a detailed description of the service auditor’s tests of controls and the associated results. Additionally, a determination regarding the fairness of management’s system description is not provided. The SOC 3 report only provides the auditor’s report regarding whether the system being evaluated achieved the targeted Trust Service Principle(s) and associated Criteria.
SOC2 & 3 Readiness Assessments
Readiness Assessments save money. “False starts” are expensive and inefficient. To prevent “false starts”, Frost, PLLC offers readiness assessments to all new and existing SOC 2 & 3 clients as a preliminary step. Readiness assessments provide an opportunity to evaluate the control environment before beginning the audit process. Service Organizations benefit by having an opportunity to vet controls with the auditors and ensure that control evidence is available to support SOC 2 & 3 audit testing.
At the conclusion of the readiness assessment, you will have a road map to complete your audit and know the weaknesses within your internal control structure. Readiness assessments save money in the long term and provide your company with the confidence and tools needed to complete a SOC 2 and/or SOC 3 audit.
SOC Logo Usage
The Service Organization SOC Logo can be used by any service organization for a period of 12 months following the date of receiving a SOC report. A qualified opinion does not affect the use of this logo; however, a service organization must observe the AICPA’s Service Organization SOC Logo Terms, Conditions, and Guidelines. More information can be obtained here: www.aicpa.org.
If you are a financial institution faced with the myriad of compliance requirements brought about by the GLBA 501(b) Safeguards rule and the associated FFIEC Handbooks, Frost has GLBA 501(b) and FFIEC consulting solutions to meet your needs. We can perform assessments to address your compliance with the GLBA 501(b) Safeguards Rule, and the associated FFIEC IT Handbooks.
The FFIEC IT Examination Handbooks cover various topics such as: audit, business continuity planning, development and acquisition, E-banking, information security, management, operations, outsourcing technology services, retail payment systems, supervision of technology service providers, and wholesale payment systems. Additional information regarding the Handbook requirements can be found here.
Once we have finished our assessment, we will assist you in developing a remediation plan to shore up any deficiencies identified. Moreover, during the remediation process, our expert legal and technical staff can tailor policies and procedures, and technical design specs, that will assist you in quickly implementing remediation in the form of a sustainable compliance program. Additionally, Frost’s expert penetration testing team stands ready to provide state-of-the-art penetration testing services that will assist you in meeting the expectations of your compliance committee and regulators.
The FFIEC Information Security Booklet discusses the benefits of a penetration test that subjects a system to “real-world” attacks. The three-phase nature of the Frost penetration testing process is modeled to mirror real-world intrusion attempts, in line with FFIEC recommendations. In fact, the Frost methodology is a combined penetration test and vulnerability assessment that mirrors the penetration testing approach recommended in the FFIEC Information Security Booklet.
On the consulting side, Frost stands ready to offer assistance in risk assessment, responding to regulatory inquiries, audit preparation, policy and procedure drafting, employee training, and general consulting.
Whether you need a consultant to assist you along the way, or you are looking for an independent assessment of your GLBA and FFIEC compliance program, Frost has solutions to fit your needs.
The Federal Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 with a primary goal of protecting the confidentiality and security of healthcare information. The early focus of HIPAA was on the privacy and security of “Protected Health Information” being transacted by Covered Entities. Protected Health Information can basically be defined as “individually identifiable health information.” In 2009, the security portion of the rule was expanded to include Business Associates of Covered Entities.
The HIPAA Privacy Rule seeks to limit the use and exposure of patient personal health information. The HIPAA Security Rule seeks to ensure that administrative, physical, and technical safeguards are in place to ensure the confidentiality, integrity, and security of electronic PHI. Lastly, the HIPAA Breach Notification rule requires Covered Entities and Business Associates to provide notification of unsecured PHI breaches. Unsecured is typically understood to mean “non-encrypted.”
Whether you are a HIPAA Covered Entity or a Business Associate, Frost can tailor a HIPAA / HITECH Compliance Assessment to meet your needs. Read below to learn more about Frost’s HIPAA consulting services:
Frost, leveraging its unique blend of legal and technical expertise, will perform a robust assessment of your organization’s compliance with the HIPAA Security, HIPAA Privacy, and HIPAA Breach Notification rules. Furthermore, upon the identification of deficiencies, Frost staff will assist you in preparing remediation plans to quickly address any shortcomings and return you to HIPAA / HITECH compliance.
Specifically, Frost’s HIPAA consulting services include:
- HIPAA policy and procedure development.
- System diagramming services.
- The required HIPAA Risk Assessment (including a robust HIPAA network scanning and HIPAA penetration testing component).
- Physical inspections.
- Responding to regulatory inquiries.
- HIPAA staff training.
- HIPAA audit preparation.
- Acting in the role of an “outsourced” HIPAA compliance department.
Legal Staff + Technical Staff = Frost, your “one-stop” shop for your HIPAA consulting solution.
To learn more about the HIPAA audit protocols (how you will be assessed), click here.
In 2007, the Federal Energy Regulatory Commission designated NERC as the Electric Reliability Organization, thus making NERC’s CIP Reliability Standards mandatory within the United States. These NERC CIP Reliability Standards address the security of cyber assets essential to the reliable operation of the electric grid, and to date, are the only cyber security standards in place across critical infrastructures in the United States.
The Frost staff has extensive technical and legal experience in the NERC CIP arena, and Frost currently offers the following NERC CIP consulting services:
- Registered Entity CIP Compliance Evaluations,
- Cyber Vulnerability Assessments,
- Program Development and Procedure Drafting Services,
- Employee Training & Development,
- CIP Version 5 Gap Analysis & Transition services, and
- Penalty and Settlement Negotiation Services.
In addition to the services noted, we maintain an ongoing relationship with our clients. We are here to answer questions as standard modifications occur, or to assist you with responding to Regional, NERC, or FERC inquiries.
We work hard to maintain an up-to-date awareness of changes in the NERC CIP realm. Through our constant analysis of NERC CIP related news, and ongoing attendance at NERC and Regional sponsored training events, our NERC CIP consulting staff stands ready to address your NERC CIP challenges at the instant regulatory changes occur.
Additionally, because we are a full-service Technology Audit/Consulting Organization, we have all the solutions you need to assess your corporate-side environment as well. From penetration testing to Enterprise Risk Planning (ERP) implementation consulting, we have customized solutions to address your needs. We can provide you with full-service technology solutions.
The sprint to CIP Version 5 compliance has begun. Don’t get left behind.
Click the consultation request link to schedule a free consultation regarding how Frost can assist you in meeting your NERC CIP needs.
Visit the NERC Site to learn more about the NERC CIP Version 5 transition.
On February 12, 2013, the President issued Executive Order 13636, which highlighted that “[t]he cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront.” In an effort to combat this threat, the President directed “the National Institute of Standards and Technology [(“NIST”)] to lead the development of a framework to reduce cyber risks to critical infrastructure (the NIST “Cybersecurity Framework”).” On February 12, 2014, NIST responded by publishing version 1.0 of the Cybersecurity Framework. The Cybersecurity Framework was made applicable to (but is not limited to) the following sectors: Chemical, Commercial Facilities, Communications, Critical Manufacturing, Dams, Defense Industrial Base, Emergency Services, Energy, Financial Services, Food and Agriculture, Government Facilities, Health Care and Public Health, Information Technology, Nuclear Reactors, Materials and Waste, Transportation Systems, and Water and Wastewater Systems.
As outlined by NIST, “[t]he Framework enables organizations – regardless of size, degree of cybersecurity risk, or cybersecurity sophistication – to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure.” However, NIST goes on to state that “the Framework is not a one-size-fits-all approach to managing cybersecurity risk for critical infrastructure. Organizations will continue to have unique risks – different threats, different vulnerabilities, and different risk tolerances – and how they implement the practices in the Framework will vary.”
Frost, utilizing its unique skill set, can assist your organization in adopting the NIST Cybersecurity Framework, which will in turn provide added assurance to your customers and stakeholders that your organization is operated in a secure manner that ensures the protection of critical infrastructure assets.
Frost will assist you in:
- Developing a Current Risk Profile,
- Developing a Target Risk Profile, and
- Developing an Action Plan to Migrate from the Current to the Target Profile.
Many commentators believe the NIST Cybersecurity Framework represents the forerunner to a future mandatory compliance regime. With cyber threats growing on a daily basis, now is the time to adopt this framework. Rely on Frost’s cyber consulting expertise to aid you in this endeavor.
To read more about the NIST Cybersecurity Framework, visit the NIST Site.
Do you think you may have suffered an external or internal malicious intrusion on your systems?
If so, it’s time to put Frost’s Digital Forensics Services to work for you. Choose our professional, expert staff to lead your investigation. We offer pristine acquisition, analysis, and reporting processes that will aid you in reconstructing events and drawing conclusions.
Cyber Litigation Support and Expert Testimony Services
Is your legal team searching for experts with blended cyber and legal backgrounds to assist you with an upcoming case or on an ongoing basis?
At Frost, we have the blended skill set you are looking for. We are ready to support your staff with expert knowledge, whether you require assistance in evidence review, trial prep, or expert testimony.
We are a national firm serving clients across the United States. If you would like to discuss any of the services offered above in more detail, please contact us today for a free consultation regarding our digital forensics and expert testimony services.
Frost has maintained a strong presence in the Food and Agriculture sector throughout its history. Drawing on one of its core areas of expertise, in conjunction with its expanding skill set in the area of IT Risk Assurance, Frost offers unparalleled services in Food Defense and Risk Management. At a time of increasing “hacktivism,” “agroterrorism,” and the growing threat of cyber and physical terrorism, the processing and technological infrastructure of our nation’s agricultural and food production facilities are at a higher risk of malicious attack. Whether it be through industrial espionage or malicious sabotage, a whole host of malicious actors would like nothing more than to harm this core component of our nation’s critical infrastructure. At Frost, we will help you perform risk assessments to evaluate risks to your operations, and we will then assist you in the development of mitigation strategies to prevent those risks from being exploited across both your physical and digital processing systems.
Frost’s unique blend of service offerings, from audit to penetration testing, allows Frost to design a service package that will both assess and sustain your cyber and physical security maturity. From the corporate network to your plant control systems, Frost can provide you with unparalleled views into the strengths and weaknesses of your organization’s security posture.
Leveraging internationally recognized frameworks such as COBIT and the NIST Cybersecurity Framework, Frost can assist you in taking your cyber food defense to the next level. Not only do we understand the cyber risks you face, but our unique operational knowledge of the food industry gives us increased insight into the real-world risks posed by cyber attacks against your network and plant control systems.
Protect your customers, protect your stakeholders, and ultimately help protect America today, by leveraging Frost’s Food Defense and Risk Management Consulting Services.
Please contact us today for a free consultation regarding your cyber food defense.
Network and Application Penetration Testing and Vulnerability Assessment Services
At Frost, we offer a varied array of penetration testing and vulnerability assessment services. We will tailor a test to meet your needs, from a generic test to a test specific to a regulatory framework (GLBA/FFIEC, HIPAA/HITECH, NERC CIP).
I. Three Levels of Base Network Penetration Testing Services:
- Three Phase Testing Methodology:
  - Phase 1: Outsider – Social engineering tests (phishing emails, malware, manipulation, etc.). To begin the penetration test, Frost’s Red Team (the pentesting team) is given the company name, contact info and very little else, only enough to ensure Frost has the correct target. Using open source resources, such as open databases and directories, Frost tries to find enough information to attack the network. This is a purely black-box* style test, where the attacker is an outsider with very little inside information.
  - Phase 2: Familiar Party – Outside footprint (routers, servers, hosted structure, etc.). Phase 2 represents a hybrid approach where the attacker has some inside knowledge but is not an insider (such as a third-party contractor). In this phase Frost would ask some minimal architecture questions and other information that could be used against the network.
  - Phase 3: Insider Threat – Inside footprint (workstations, file servers, printers, phone systems, etc.). Phase 3 simulates an insider, with direct knowledge of the environment and company operations. This phase can be carried out in a number of ways, including provisioning a limited user account that the penetration testing team would try to escalate to administrative rights, or by taking credential information that normally could not be accessed by outsiders.
  Each testing phase could potentially involve a myriad of automated scanning tools and manually scripted attacks, depending on the nature of the client systems. Following the conclusion of testing, the client will be provided with a detailed report that outlines the vulnerabilities identified along with recommended methods to mitigate those vulnerabilities.
  In addition to the electronic testing described above, on-site physical security can also be tested. In an on-site test, Frost staff attempt to trick employees into believing they are a vendor employee, or perhaps upper management from out of town, in an attempt to gain access to the building and facilities, and eventually access client systems.
- Single Phase Testing Methodology: In a single phase test, the client provides a list of targets to the Red Team (ethical hackers) at the beginning. The Red Team utilizes manual attacks and automated tools to attempt network breaches and privilege escalation both internally and externally. A report is assembled that identifies the deficiencies uncovered along with guidance for mitigating those deficiencies.
- Automated Vulnerability Assessment/Scanning Methodology: Under the Frost Vulnerability Assessment/Scanning Methodology, the client provides a list of targets to the Red Team (ethical hackers) at the beginning. Scans are run against client systems using automated scanning tools. A report is assembled using the automated tools along with guidance regarding how to address identified deficiencies. (This offering is restricted to clients with small to medium sized networks.)
II. Application Penetration Testing
Application penetration tests are normally conducted as white box tests, where the client will create an account on a non-production copy of the application and provide the credentials, target list, and some information about the application to the Red Team before the test begins.
The Red Team will first test the web application without credentials and determine if it is possible to bypass the authentication mechanism completely and gain access to the authenticated environment without proper credentials. In either event, the Red Team will then test the authenticated environment, seeking to elevate their access to a privileged/admin account, retrieve data from the backend database that is beyond their credentials/access, or cause modification/damage to the environment itself, which could be used by an attacker to infect the legitimate users of that application.
The Red Team will test the input validation mechanisms throughout the application, attempting, among other tasks: SQL injection (SQLi), cross-site scripting (XSS), cross-site request forgery (XSRF), and code execution.
Because this type of test is conducted as a white box test, there may be more communication with the client as the test progresses and questions arise about the backend technology.
Read more about the topic of social engineering (a growing component of Frost’s penetration testing services) here.