Call 1.888.276.7080 for more information
Specialized Services

Security Strategy

Security strategy is the approach an organization takes to protect information and related assets from internal and external threats by mitigating the associated risks while adhering to the overarching security policy. Security strategy formulation includes activities related to:

  1. Control objective definition
  2. Determination of an approach to meet control objectives
  3. Selection of appropriate controls
  4. Performance baseline establishment for reference and associated metrics for comparison
  5. Control implementation and testing

Encryption Advisory Services

Encrypting data within a corporation's network is an important means of securing sensitive information and maintaining the level of compliance required by the specific regulations that apply to each corporation's business.

Encryption Advisory services that surround this highly specialized field include:

  • Evaluating the specific needs of a corporation in relation to regulatory compliance requirements (HIPAA, SOX)
  • PKI verification: determining that the client is not circulating expired certificates
  • Checking the encryption strength required by a specific compliance requirement
  • Verifying that network traffic flows are properly encrypted from point to point (Virtual Private Networks)

TAAS works closely with clients to customize strategies to ensure expected levels of encryption on their network and beyond.

Forensics

Computer forensics is the science of locating, extracting and analyzing data from different devices and interpreting it so that it can serve as legal evidence.  Through computer forensics, deleted files can be recovered, network activity can be tracked, and reports summarizing an employee's activities can be generated, among other functions.  During a computer forensics investigation, it is imperative to ensure that no evidence is damaged, destroyed, or compromised by the procedures used during the investigation.  It is also imperative never to work on the original evidence, to establish and maintain a continuous chain of custody, and to document everything.  UHY is very aware that computer forensics will play a growing role as computer technology keeps evolving, and remains dedicated to providing the expertise needed to address these needs.
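The three rules above (never work on the original, keep a continuous chain of custody, document everything) are usually enforced with cryptographic hashes: the original is hashed once at acquisition, every working copy must hash to the same value before it is used, and each handover is logged. The following is an added example, not UHY's own tooling or code from this page. It streams SHA-256 over an image, records custody entries, and, as an assumption of this example, links each log entry to the previous one by hash so that later editing of an entry is detectable. `SAMPLE_IMAGE` is constructed bytes standing in for a disk image.

```python
import hashlib
import io
import json
import datetime as dt

CHUNK = 1 << 20          # hash in 1 MiB pieces so multi-GB images need not fit in memory
GENESIS = "0" * 64       # "previous hash" of the first custody entry

# Constructed stand-in for an acquired disk image (not real evidence).
SAMPLE_IMAGE = b"MBR\x55\xaa constructed image bytes " * 64

def sha256_stream(fobj):
    """SHA-256 of a file-like object, read in chunks."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fobj.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()

def sha256_bytes(data):
    return sha256_stream(io.BytesIO(data))

def _digest(entry):
    """Canonical hash of a custody entry (sorted JSON so field order cannot change the digest)."""
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

class CustodyLog:
    """Append-only chain-of-custody record; each entry commits to the hash of the entry before it."""

    def __init__(self, evidence_id, acquisition_hash, handler):
        self.evidence_id = evidence_id
        self.entries = []
        self.record("acquisition", handler, acquisition_hash)

    def record(self, action, handler, artifact_hash, note=""):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "evidence_id": self.evidence_id,
            "seq": len(self.entries),
            "ts": dt.datetime.now(dt.timezone.utc).isoformat(),
            "action": action,
            "handler": handler,
            "sha256": artifact_hash,     # hash of the artifact as handed over at this step
            "note": note,
            "prev": prev,
        }
        entry["entry_hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def acquisition_hash(self):
        return self.entries[0]["sha256"]

    def verify_chain(self):
        """True only if every entry is unmodified and correctly linked to its predecessor."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev"] != prev or _digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

def verify_working_copy(log, copy_data):
    """A working copy may be analyzed only if it hashes to the acquisition hash of the original."""
    return sha256_bytes(copy_data) == log.acquisition_hash()

if __name__ == "__main__":
    log = CustodyLog("EVID-2024-001", sha256_bytes(SAMPLE_IMAGE), handler="examiner A")
    log.record("transfer", "examiner B", sha256_bytes(SAMPLE_IMAGE), note="copy handed to second examiner")
    print("copy ok:", verify_working_copy(log, SAMPLE_IMAGE), "chain ok:", log.verify_chain())
```

In practice the acquisition hash is also written to the evidence form at imaging time and re-verified whenever a copy is mounted; a mismatch on the working copy means the copy, not the log, must be discarded and re-imaged from the original.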

Federal Information Systems Control Audit Manual (FISCAM)

The Chief Financial Officers (CFO) Act of 1990 requires the Office of Management and Budget (OMB) to prepare and submit to Congress a government-wide 5-year financial management plan.  The plan, to be updated annually, should describe planned OMB and agency activities for the next 5 fiscal years to improve the financial management of the federal government.  It should be a vision of how financial management reform will be carried out: a blueprint for change with a set of clear expectations.  Further, the act requires agency CFOs to prepare and annually revise agency plans to implement OMB's 5-year financial management plan.  UHY will ensure that the entity has a comprehensive assessment of its system general controls and internal controls to support this annual plan; the assessment also serves as the primary reference for the compliance level of the general and internal controls of the system(s) being evaluated.  The general controls assessed are Entity-wide Security Program Planning and Management (SP), Access Controls (AC), Application Software Development and Change Controls (CC), System Software (SS), Segregation of Duties (SD), and Service Continuity (SC).  Beyond these general controls, UHY can also test and assess the application controls of the system(s), where appropriate and applicable based on the overall risk observed in the review of the general control environment using the FISCAM.

Federal Information Security Management Act (FISMA)

In 2002, information security was officially addressed at the federal level through Title III of the E-Government Act, known as FISMA.   FISMA requires every federal agency, and any organization whose information systems hold or use federal information, to develop, document, and implement an agency-wide, risk-based information security program.  FISMA also requires periodic testing and evaluation of the effectiveness of the information security policies, procedures, and practices in place.  While FISMA lays out the required elements of the security program, it does not set security benchmarks or provide much guidance on how to achieve these requirements.  The National Institute of Standards and Technology (NIST) provides this guidance: NIST was enlisted to support FISMA by developing publications that give government agencies guidance and best security practices.

Office of Management and Budget (OMB) Circular A-123

OMB Circular No. A-123 defines management's responsibility for internal control in Federal agencies. A re-examination of the existing internal control requirements for Federal agencies was initiated in light of the new internal control requirements for publicly traded companies contained in the Sarbanes-Oxley Act of 2002. Circular A-123 and the statute it implements, the Federal Managers' Financial Integrity Act of 1982, are at the center of the existing Federal requirements to improve internal control. The circular reflects policy recommendations developed by a joint committee of representatives from the Chief Financial Officers Council (CFOC) and the President's Council on Integrity and Efficiency (PCIE). The policy changes in the circular are intended to strengthen the requirements for conducting management's assessment of internal control over financial reporting. The circular also emphasizes the need for agencies to integrate and coordinate internal control assessments with other internal control-related activities.