Cyber Security Assessments and IT Audits

SysAudits offers a variety of cyber security services that include Federal mandated FISMA assessments and IT audits.

FISMA Assessments and Audits

The Federal Information Security Management Act (FISMA) is a federal law under the E-Gov Act that was enacted to increase the security posture of government agency federal systems, bureaus, departments and their supporting entities. For Federal agencies that are required to comply with FISMA, the requirement extends to compliance with their 3rd party providers which may include outsourced data centers, application providers, and cloud service providers.

SysAudits offers a variety of services to assist in meeting FISMA compliance from an operational OCIO and an Inspector General (IG) audit perspective. OCIO pre-assessments can assist IT leadership in identifying weaknesses in meeting FISMA and assist in developing plans of actions and milestones prior to an Audit assessment. The value in an internal self-assessment is identifying weaknesses prior to an external audit. Audit assessments are clearly performed as an independent audit to determine an organization compliance in meeting FISMA. Both findings and recommendations are identified with reporting to meet the Cyberscope reporting deadline.

SysAudits staff have extensive experience on both the Audit and CIO perspective. This perspective brings value in performing pre-assessments and audits which makes SysAudits stand out amongst other consulting firms. SysAudits methodology consists of assessing, testing and reviewing information systems through in-depth assessment of NIST defined management, operational, and technical testing of controls. The following represents services provided by SysAudits:

• FIPS 199 categorization, FIPS 200 and agency control selection.
• Security controls assessment.
• Authorization recommendation of system and continuous monitoring.
• Security Assessment Plan (SAP), Rules of Engagement (ROE), and Security Assessment Report (SAR) development.
• Penetration testing.
• Internal Vulnerability testing.
• Wireless and mobile security assessments.
• Application, database, and infrastructure vulnerability scanning and results interpretation.
• Architecture and system boundary assessments.
• Secure configuration management administration and operations.
• Network design and third-party service provider evaluations.
• Contingency system planning and additional guidance based on your agency’s requirements.
• Compliance program pre-assessments.
• FISMA documentation development, including System Security Plan (SSP), Contingency Plan (CP), Incident Response Plan (IRP), Configuration Management Plan (CMP), Privacy Impact Assessment (PIA), and FIPS 199 Security Categorization, Policies, Procedures, etc.

IT Audits

SysAudits has extensive experience in performing all types of IT audits that include audits of:

• Vulnerability management programs.
• General and application controls.
• Disaster recovery, business continuity, and backup and recovery.
• Event management, incident response, and remediation.
• Penetration testing.
• Internal vulnerability testing.
• Secure configuration management.
• Complete data center and outsourced service provider physical, environmental, and access controls.
• Cloud Planning.
• System development life cycle for new applications and enhancements.
• IT Contracting and procurement.
• IT Contract re-design, consolidation, and enterprise re-architect of enterprise IT contracts.
• IT contract investigation and litigation support: cost mischarging; contract close outs under terminations for convenience and performance.
• IT policy and procedures.
• OCIO and IT Organizational Assessments (structure, personnel, and services)
• Many others.