
Jameson Cybersecurity Booklet


CYBERSECURITY ADVISORY SERVICES


Jameson A. Miller, CPA, CISA, CISSP
Partner, Cybersecurity Advisory Services

Jameson Miller is a Partner and has been with Mauldin & Jenkins since graduation from the University of Tennessee at Chattanooga. He currently leads the firm's Cybersecurity Advisory Services practice. For over 14 years, Jameson has provided audit and advisory services to public and private entities throughout the Southeast. Jameson's experience includes audits of general controls, application controls, and cybersecurity risk management programs. He also has extensive experience with Sarbanes-Oxley, SSAE 18 System and Organization Controls (SOC) examinations, National Automated Clearing House Association (NACHA) Operating Rules and Guidelines compliance, and Gramm-Leach-Bliley Act (GLBA) compliance program implementation, testing, and reporting. His technical expertise includes performing penetration testing of information systems using technical and social engineering techniques.

Jameson maintains current and relevant information technology and financial accounting continuing professional education credits, including the AICPA's Cybersecurity Advisory Services and Blockchain for Accounting and Finance certificates. He is a technology and cybersecurity speaker for several industry-relevant conferences, including:

- 2018 GGFOA Annual Conference speaker, "What is Blockchain and Why Should I Care?"
- 2019 GGFOA Annual Conference Cybersecurity Panelist/Speaker
- 2019 eight-hour CPE course leader, "All Things IT – Are you Protected?", sponsored by Mauldin & Jenkins
- 2020 Florida Bankers Alliance Cyber Security Symposium speaker, "Managing Cybersecurity Risk through an Effective Vendor Management Program"
- 2020 South Carolina Spring Splash, "Technologies Transforming Accounting"
- 2020 GSCPA Non-profit Conference, "Data Analytics: Balancing the Good and the Ugly"
- 2020 Octane Conference, "Creating Accessible Documents" and Cybersecurity Panelist/Speaker

Jameson is a licensed Certified Public Accountant with the state of Tennessee, a Certified Information Systems Auditor (CISA) through ISACA, and a Certified Information Systems Security Professional (CISSP) through ISC2. He is a member of the AICPA, the Tennessee Society of Certified Public Accountants, ISACA, and ISC2. Jameson is an avid outdoor enthusiast and enjoys volunteering as secretary and treasurer of the board of directors for the Cumberland Trails Conference, a 501(c)3 non-profit organization.

ASSURANCE | TAX | ADVISORY SERVICES


OUR TEAM

Brandon Smith, CPA
Partner, Client Advisory Services

Brandon Smith joined Mauldin & Jenkins in 2008 after studying Accounting and Information Systems at Georgia Southern University. As a Partner based in the Atlanta office, he works with organizations throughout the Southeast to help deliver a blend of capacity building, management consulting and traditional accounting services. Brandon's experience includes evaluating internal control, cybersecurity, and risk management policies and practices. He helps organizations implement and expand established frameworks to meet operations, reporting, and compliance objectives. Brandon is enthusiastic about transformative technologies and the impact they have on our clients and their industry, as well as the accounting profession.

He is a member of ISACA, the AICPA, GSCPA, Georgia Planned Giving Council, and Georgia Center for Nonprofits. He is also a volunteer instructor for Nonprofit University's certificate programs. Brandon holds the AICPA's Cybersecurity Advisory Services Certificate.

Ashton Sneed
Information Technology Auditor

Ashton Sneed graduated from the University of Tennessee at Knoxville in 2019 with a Master's degree in Accounting with a concentration in Information Systems. Ashton joined Mauldin & Jenkins in February 2020. Ashton has passed the uniform CPA and CISA examinations and is currently working towards completing the work experience needed to meet all licensing requirements.


Joshua Adams, CISSP, CISA
Information Technology Senior Manager

Joshua Adams graduated from Western Governors University with a Bachelor's degree in Information Technology. Joshua has over seven years of experience in information technology auditing, information security and operations management. Joshua's industry experience includes financial institutions and GLBA compliance program implementation, testing and reporting. He also has experience performing SSAE 18 SOC examinations. He has technical expertise performing information systems vulnerability assessments, IT risk assessments, and penetration testing of information systems using both technical and social engineering techniques. Joshua is a Certified Information Systems Security Professional (CISSP) and a member of ISC2. Joshua is also a Certified Information Systems Auditor and a member of ISACA.

Ryan Meades, CISA
Information Technology Senior Associate

Ryan Meades is an information technology specialist who has been with Mauldin & Jenkins since September 2017. He graduated from East Tennessee State University with a Bachelor's degree in Information Technology. Since starting with Mauldin & Jenkins, Ryan has specialized in SSAE 18 SOC audits, penetration testing, social engineering, and regulatory compliance audits in accordance with the GLBA and NACHA. Ryan is a Certified Information Systems Auditor and a member of ISACA.

Mia Fletcher
Information Technology Associate

Mia Fletcher is an information technology specialist who has been with Mauldin & Jenkins since May 2019. She graduated from the University of Tennessee at Chattanooga with a Bachelor's degree in Information Technology in December 2019. Her specialized experience includes penetration testing, social engineering, and other related information security projects. Mia is currently pursuing the Certified Ethical Hacker (CEH) certification offered through the EC-Council.

Ben Barendse, CISA
Information Technology Senior Associate

Prior to joining Mauldin & Jenkins in April 2020, Ben Barendse worked as an Information Security Officer and Quality Assurance Manager for an international software development company that built and maintains a medical software-as-a-service platform. Ben's experience includes the development and implementation of HIPAA compliance programs and management of cybersecurity readiness and response programs. He currently holds an active CompTIA Security+ CE certification, is a Certified Information Systems Auditor, and is a member of ISACA.


Cybersecurity Advisory Services

Systems Vulnerability Assessment

Our Vulnerability Assessments identify vulnerabilities that could present security risks to the Organization. We perform independent, detailed vulnerability scans of the Organization's servers, workstations and other network devices. We look for known exposures on the computers and network devices, including missing patches, insecure configurations, and Trojan horse programs.

The vulnerability scans and subsequent testing do not result in changes to any computers or network devices, nor are they compromised in any way. The tests only involve requesting information from the networks and computers and analyzing the responses.

We perform a preliminary review of the scanning results while on site and perform additional testing, if necessary, to confirm scan results and to provide additional information in specific situations.

Software-only approaches to detecting vulnerabilities are incomplete and sometimes inaccurate. Our approach to vulnerability analysis goes much further. We review the Organization's IT-related documents, conduct interviews with key IT personnel and visually inspect the Organization's equipment and facilities to gain an understanding of the Organization's IT environment. Based on the Organization's specific IT environment, we perform an in-depth analysis of the vulnerability scan results and all other information collected to produce a composite view of security weaknesses in the Organization's IT environment. Our analysis, based on well-established security principles, focuses on the most significant ways the Organization can improve its overall IT security posture.

Our vulnerability assessments present metrics that the Organization can use to gauge the progress of its Information Security Program. This allows us to chart the Organization's progress and better test the effectiveness of the Organization's Patch Management and Configuration Management programs in a dynamic information security environment.

Finally, we provide the Organization with a configuration audit of different network devices based on the Center for Internet Security (CIS) Benchmarks. Our Vulnerability Assessment provides your Organization with a point-in-time snapshot of its patching cadence. Verizon's 2017 Data Breach Investigations Report analysis showed that only 61% of organizations complete their patching process, and patches not completed after 12 weeks tend to go unpatched. Additional or more frequent Vulnerability Assessments can be performed at the Organization's request.
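The patching-cadence snapshot described above reduces to a handful of metrics computed from a scan export: how much of the backlog is closed, how long remediation takes, and how many open findings have passed the point at which patches tend never to be applied. The Python below is an added example, not the firm's tooling or anything from the booklet. The finding schema, host names and dates are constructed for illustration; the only figure taken from the page is the 12-week cut-off quoted from the Verizon report.

```python
"""Patch-cadence metrics computed from vulnerability scan findings.

Added example; not tooling from the booklet or the firm. The finding schema,
host names and dates are constructed. The 12-week threshold is the point,
cited on the page from the Verizon 2017 DBIR, after which unapplied patches
tend to stay unapplied.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

STALE_AFTER_DAYS = 12 * 7          # 12 weeks, per the DBIR figure quoted on the page
AS_OF = date(2021, 3, 1)           # constructed snapshot date for the sample below


@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str                  # scanner check identifier (constructed)
    severity: str                  # "critical" | "high" | "medium" | "low"
    patch_published: date          # when the vendor fix became available
    first_seen: date               # first scan that reported the finding
    fixed_on: Optional[date]       # None while still open


def patch_age_days(f: Finding, as_of: date) -> int:
    """Days the fix has been available without being applied (or until it was)."""
    end = f.fixed_on if f.fixed_on is not None else as_of
    return (end - f.patch_published).days


def stale_open(findings: List[Finding], as_of: date) -> List[Finding]:
    """Open findings whose patch has been available longer than STALE_AFTER_DAYS."""
    return [f for f in findings
            if f.fixed_on is None and patch_age_days(f, as_of) > STALE_AFTER_DAYS]


def _median(values: List[int]) -> Optional[float]:
    if not values:
        return None
    s = sorted(values)
    mid = len(s) // 2
    return float(s[mid]) if len(s) % 2 else (s[mid - 1] + s[mid]) / 2


def cadence_report(findings: List[Finding], as_of: date) -> Dict[str, object]:
    """Point-in-time snapshot of the patching cadence for one scan cycle."""
    closed = [f for f in findings if f.fixed_on is not None]
    open_ = [f for f in findings if f.fixed_on is None]
    stale = stale_open(findings, as_of)

    open_by_severity: Dict[str, int] = {}
    for f in open_:
        open_by_severity[f.severity] = open_by_severity.get(f.severity, 0) + 1
    stale_by_host: Dict[str, int] = {}
    for f in stale:
        stale_by_host[f.host] = stale_by_host.get(f.host, 0) + 1

    return {
        "as_of": as_of.isoformat(),
        "total": len(findings),
        "closed": len(closed),
        "completion_pct": round(100.0 * len(closed) / len(findings), 1) if findings else 0.0,
        # time from first detection to remediation, in days
        "median_days_to_fix": _median([(f.fixed_on - f.first_seen).days for f in closed]),
        "open_by_severity": open_by_severity,
        "stale_open": len(stale),
        "stale_by_host": stale_by_host,
    }


# Constructed sample scan export: six findings across four devices.
SAMPLE_FINDINGS = [
    Finding("srv-01", "KB-A",  "critical", date(2020, 10, 1),  date(2020, 10, 5),  date(2020, 10, 20)),
    Finding("srv-01", "KB-B",  "high",     date(2020, 11, 15), date(2020, 11, 20), None),
    Finding("ws-07",  "KB-C",  "medium",   date(2021, 1, 20),  date(2021, 1, 25),  None),
    Finding("ws-07",  "KB-D",  "critical", date(2020, 6, 1),   date(2020, 6, 3),   None),
    Finding("fw-01",  "CFG-E", "low",      date(2020, 12, 1),  date(2020, 12, 2),  date(2021, 1, 5)),
    Finding("srv-02", "KB-F",  "high",     date(2021, 2, 1),   date(2021, 2, 3),   date(2021, 2, 10)),
]

if __name__ == "__main__":
    for key, value in cadence_report(SAMPLE_FINDINGS, AS_OF).items():
        print(f"{key:20} {value}")
```

Run the same report against each scan cycle and the trend in `completion_pct`, `median_days_to_fix` and `stale_open` is the progress measure referred to above; a flat or growing `stale_open` count, broken down by host, is usually the quickest pointer to devices that the patch management process is not reaching.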


Social Engineering

While active attacks are easier to detect than passive ones, they typically carry out an act of theft or disrupt normal computer processing more severely. Attackers can trick individuals into cooperating and often play upon the victim's natural desire to help. When combined with other technical attacks, social engineering is the most successful way to compromise an organization's network.

Our Social Engineering procedures allow the Organization to test the effectiveness of its firewall, intrusion prevention system, other technical controls, and its employee security awareness. We work with the appropriate level of leadership to plan and execute social engineering campaigns using a pre-determined combination of spear-phishing, web sites with "malicious" payloads, documents with embedded "malicious" code, and/or other client-side exploits.

External & Internal Penetration Testing

An External Penetration Test serves to identify additional external vulnerabilities and weaknesses of an organization's networks and computers. We conduct our test in two phases. In the first phase, we act with limited knowledge of an organization's external network, also known as a black box test. We perform reconnaissance and information gathering using publicly available information about the organization. During the second phase, we use network information discovered during the first phase to perform port scanning, service enumeration, vulnerability scanning, and exploitation attempts.

An Internal Penetration Test serves to validate the conclusions reached during the separate Vulnerability Assessment. Malicious actors can gain access to the internal network by remotely exploiting vulnerabilities on a client machine or by gaining physical access to a client machine or network access point. We conduct an Internal Penetration Test on an organization's internal network, behind its firewall(s) and other perimeter defense mechanisms. An internal penetration test is a realistic assessment of an organization's information security controls and incident response procedures, and tests the organization's ability to defend its critical data from a malicious attacker already on its internal network. Our goal is to gain administrative access to an organization's network by identifying and exploiting vulnerabilities on the organization's network devices.

We utilize widely adopted penetration testing methodologies that include information gathering, service enumeration, vulnerability scanning, and exploitation. While these methods are thorough and consistent with best practices, they cannot find all vulnerabilities and weaknesses. The Organization should be aware that other vulnerabilities and weaknesses may exist, and new ones are discovered every day.
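As an added illustration of the port scanning and service enumeration step of the second phase (not code from the firm or the booklet), the Python below performs a TCP connect scan and reads whatever greeting the service sends. So that it runs offline, it starts its own throw-away listener on 127.0.0.1 serving a constructed SSH-style banner and scans that port alongside one known to be closed; the banner-to-service mapping is a deliberately minimal assumption. Only scan systems you are authorised to test.

```python
"""TCP connect scan plus banner grab: the port scanning and service
enumeration step of an external test, in miniature.

Added example; not the firm's tooling. It brings up its own listener on
127.0.0.1 with a constructed banner so the whole thing runs offline.
"""
from __future__ import annotations

import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, List, Tuple

FAKE_BANNER = b"SSH-2.0-OpenSSH_8.4 constructed-test-banner\r\n"


def start_fake_service(banner: bytes = FAKE_BANNER) -> Tuple[socket.socket, int]:
    """Listen on an ephemeral localhost port and greet each client with `banner`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed: stop the thread
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def reserve_closed_port() -> int:
    """Bind and immediately release a port, giving a target that refuses connections."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe(host: str, port: int, timeout: float = 1.0) -> Dict[str, object]:
    """Full TCP handshake to one port; if it opens, read what the service volunteers."""
    result: Dict[str, object] = {"port": port, "state": "closed", "banner": ""}
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:              # refused, timed out or unreachable
            return result
        result["state"] = "open"
        try:
            data = s.recv(256)       # SSH, SMTP and FTP speak first; HTTP does not
            result["banner"] = data.decode("ascii", "replace").strip()
        except OSError:
            pass                     # open but silent: needs a protocol-specific probe
    return result


def scan(host: str, ports: Iterable[int], workers: int = 16) -> List[Dict[str, object]]:
    """Connect-scan `ports` concurrently; results ordered by port number."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p), ports))
    return sorted(results, key=lambda r: int(r["port"]))


def guess_service(banner: str) -> str:
    """Crude service enumeration from the greeting alone (assumed mapping)."""
    if banner.startswith("SSH-"):
        return "ssh"
    if banner.startswith("220 "):
        return "smtp-or-ftp"
    return "unknown" if banner else "no-banner"


if __name__ == "__main__":
    srv, open_port = start_fake_service()
    for r in scan("127.0.0.1", [open_port, reserve_closed_port()]):
        print(r["port"], r["state"], guess_service(str(r["banner"])), r["banner"])
    srv.close()
```

A connect scan completes the handshake, so it is logged by the target and by any intrusion prevention system in the path; that visibility is part of what the engagement is meant to exercise. Services that stay silent after connecting (HTTP, most TLS endpoints) need a protocol-specific request before they can be identified, which is where a tool such as nmap's version detection takes over from this sketch.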


Firewall Configuration Review

A firewall typically separates an organization's internal network from the Internet and is often the first line of defense against outside attackers. A firewall restricts the addresses and services on the internal network that an outside user can access. In addition, firewalls can restrict the level of access internal users have to the Internet. Firewall access rules depend heavily on the principle of least privilege, which states that the level of access should be limited to only what is necessary.

We review the configuration of an organization's firewall to identify any significant weaknesses in the settings and access control rules and provide suggestions to address them. We analyze firewall configurations with respect to well-established security principles and industry-standard practices.

Cybersecurity Awareness Training

Employees need Cybersecurity Awareness Training to protect themselves, their organization, and others against cyber-attacks. By making employees aware of threats and how they present, as well as the procedures to follow once a threat is identified, you strengthen one of the most vulnerable areas of an organization. Our four-hour training session helps employees understand their impact on their organization's cyber risk, and provides them with best practices for maintaining their personal cybersecurity hygiene. Topics can include, but are not limited to:

- Terminology, concepts, trends, predictions
- Threats and commonly used attack vectors
- Response and mitigation strategies
- Effective vendor risk management
- Personal cybersecurity hygiene
- Avoiding falling victim to social engineering
- Cybersecurity case studies
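To make the least-privilege review of firewall access rules concrete, here is an added example (not the firm's review methodology and not any vendor's export format) that audits a constructed, vendor-neutral rule base for the findings a reviewer looks for first: any/any permits, management ports exposed to broad source ranges, permits that are not logged, and rules shadowed by an earlier, broader rule, including a deny that a prior permit silently defeats. The /24 threshold for "broad" and the management-port list are assumptions chosen for the sample.

```python
"""Least-privilege review of a firewall rule base.

Added example; not the firm's methodology or any vendor's tooling. The rule
format is constructed and vendor-neutral (most firewalls export something
similar) and SAMPLE_RULES is sample data.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

MGMT_PORTS = frozenset({22, 23, 445, 3389, 5900})   # admin / remote-access services (assumption)
BROAD_SOURCE_PREFIX = 24        # anything wider than a /24 counts as "broad" here (assumption)
ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    rid: int
    action: str                        # "permit" | "deny"
    src: str                           # source CIDR
    dst: str                           # destination CIDR
    proto: str                         # "tcp" | "udp" | "any"
    ports: Optional[FrozenSet[int]]    # destination ports; None = any port
    log: bool = True


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet `inner` would match is already matched by `outer`."""
    proto_ok = outer.proto == "any" or outer.proto == inner.proto
    ports_ok = outer.ports is None or (inner.ports is not None and inner.ports <= outer.ports)
    return (proto_ok and ports_ok
            and net(inner.src).subnet_of(net(outer.src))
            and net(inner.dst).subnet_of(net(outer.dst)))


def audit(rules: List[Rule]) -> List[Dict[str, object]]:
    """Walk the rule base in evaluation order and collect least-privilege findings."""
    findings: List[Dict[str, object]] = []

    def flag(rule: Rule, issue: str, severity: str) -> None:
        findings.append({"rule": rule.rid, "issue": issue, "severity": severity})

    for i, r in enumerate(rules):
        if r.action == "permit":
            if net(r.src) == ANY_NET and net(r.dst) == ANY_NET and r.ports is None:
                flag(r, "any/any permit", "high")
            if r.ports and r.ports & MGMT_PORTS and net(r.src).prefixlen < BROAD_SOURCE_PREFIX:
                flag(r, "management port reachable from broad source", "high")
            if not r.log:
                flag(r, "permit without logging", "low")
        # First-match semantics: a rule fully covered by any earlier rule never fires,
        # so a deny placed after a broader permit provides no protection at all.
        for earlier in rules[:i]:
            if covers(earlier, r):
                flag(r, f"shadowed by rule {earlier.rid}", "medium")
                break
    return findings


# Constructed sample rule base, in evaluation order.
SAMPLE_RULES = [
    Rule(10, "permit", "10.10.0.0/24",   "10.20.0.5/32", "tcp", frozenset({443})),
    Rule(20, "permit", "0.0.0.0/0",      "10.20.0.5/32", "tcp", frozenset({3389})),
    Rule(30, "permit", "0.0.0.0/0",      "0.0.0.0/0",    "any", None, log=False),
    Rule(40, "deny",   "192.168.0.0/16", "10.20.0.0/24", "tcp", frozenset({22})),
    Rule(50, "permit", "10.10.0.0/24",   "10.20.0.5/32", "tcp", frozenset({443})),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"rule {f['rule']:>3}  {f['severity']:<6}  {f['issue']}")
```

On the sample, rule 10 is the only clean entry. Rule 20 exposes RDP to the whole Internet, rule 30 is an unlogged any/any permit, rule 40 is a deny that never fires because rule 30 already matched, and rule 50 duplicates rule 10. Real rule bases also carry object groups, zones and NAT, which a production review has to resolve before this kind of coverage check is meaningful.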


CYBERSECURITY RISK MANAGEMENT PROGRAM

The following sections describe the cybersecurity framework that we deploy to evaluate organizations' cybersecurity posture. Cybersecurity Risk Management Programs (CRMPs) do not, and are not intended to, form a serial path or lead to a static desired end state. Instead, effective CRMPs continuously assess the design and implementation of controls within an organization's operational culture that specifically address dynamic cybersecurity risks.

Cybersecurity should be an important and amplifying component of an organization's risk management. To better address these risks, the Cybersecurity Enhancement Act ("CEA") of 2014 updated the role of the National Institute of Standards and Technology ("NIST") to include identifying and developing cybersecurity risk frameworks for voluntary use by critical infrastructure owners and operators. NIST was charged with identifying a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls that may be voluntarily adopted to help organizations identify, assess and manage cybersecurity risks. NIST previously developed a cybersecurity framework (version 1.0) under Executive Order 13636, "Improving Critical Infrastructure Cybersecurity." Under the CEA the development of NIST's cybersecurity framework has continued to evolve, and on April 16, 2018 NIST released version 1.1 of its "Framework for Improving Critical Infrastructure Cybersecurity" (the "Framework" or "NIST Cybersecurity Framework").

Framework for Improving Critical Infrastructure Cybersecurity

The Framework focuses on using business drivers to guide cybersecurity activities and on considering cybersecurity risks as part of the organization's risk management process. While the Framework was developed to improve cybersecurity risk management of critical infrastructure, it can be used by any organization within any sector or community. The Framework enables organizations, regardless of size, degree of risk, or cybersecurity sophistication, to apply the principles and best practices of risk management to improve security and resilience.

The Framework is not a one-size-fits-all approach to managing cybersecurity risk, and organizations will continue to have unique risks: different threats, different vulnerabilities, and different risk tolerances. The Framework allows organizations to customize practices and determine activities that are important to critical service delivery, and to prioritize investments to maximize the impact of each dollar spent. Ultimately, the Framework is aimed at reducing and better managing cybersecurity risk.

The Framework remains effective and supports technical innovation because it is technology neutral, while also referencing a variety of existing standards, guidelines, and practices that evolve with technology. The use of existing and emerging standards will enable economies of scale and drive the development of effective products, services and practices that meet identified market needs. The Framework complements, and does not replace, an organization's risk management process and cybersecurity program. Alternatively, an organization without an existing cybersecurity program can use the Framework as a reference to establish one. It is intended to be useful to companies, government agencies, and not-for-profit organizations regardless of their focus or size.

Our cybersecurity assessments are designed to be performed concurrently and continuously to form an operational culture that addresses the dynamic cybersecurity risk.


An Overview Of The NIST Cybersecurity Framework

The Framework is a risk-based approach to managing cybersecurity risk, and is composed of three parts: the Framework Core, the Framework Implementation Tiers, and the Framework Profiles. Each component of the Framework reinforces the connection between business/mission drivers and cybersecurity activities.

The Framework provides a common taxonomy and mechanism for organizations to:

1. Describe their current cybersecurity posture
2. Describe their target state for cybersecurity
3. Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process
4. Assess progress toward the target state, and
5. Communicate among internal and external stakeholders about cybersecurity risk

The Framework Core (the "Core") is a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization, from the executive level to the implementation/operations level. The Framework Core consists of five concurrent and continuous Functions: Identify, Protect, Detect, Respond, and Recover. When considered together, these Functions provide a high-level, strategic view of the lifecycle of the organization's management of cybersecurity risk. The Core then identifies underlying key Categories and Subcategories, which are discrete outcomes, for each Function, and matches them with example Informative References such as existing standards, guidelines and practices for each Subcategory. The Core is not a checklist of actions to perform.

NIST CYBERSECURITY FRAMEWORK: Functions and Categories

IDENTIFY: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy; Supply Chain Risk Management
PROTECT: Identity Management & Access Control; Awareness & Training; Data Security; Information Protection Processes & Procedures; Maintenance; Protective Technology
DETECT: Anomalies & Events; Security Continuous Monitoring; Detection Processes
RESPOND: Response Planning; Communications; Analysis; Mitigation; Improvements
RECOVER: Recovery Planning; Improvements; Communications


The Framework Implementation Tiers provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. Tiers describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the Framework (e.g., risk and threat aware, repeatable, and adaptive). The Tiers characterize an organization's practices over a range from Partial (Tier 1) to Adaptive (Tier 4). These Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk-informed. During the Tier selection process, an organization should consider its current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints.

Implementation Tiers, each assessed across three dimensions (Risk Management Process, Integrated Risk Management Program, External Participation):

Tier 1: Partial
Tier 2: Risk Informed
Tier 3: Repeatable
Tier 4: Adaptive

A Framework Profile ("Profile") represents the outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories. The Profile can be characterized as the alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a "Current" Profile (the "as is" state) with a "Target" Profile (the "to be" state). To develop a Profile, an organization can review all of the Categories and Subcategories and, based on business/mission drivers and a risk assessment, determine which are most important; it can add Categories and Subcategories as needed to address the organization's risks. The Current Profile can then be used to support prioritization and measurement of progress toward the Target Profile, while factoring in other business needs including cost-effectiveness and innovation.

Cybersecurity Profile (diagram): Business Objectives, Threat Environment, and Requirements & Controls feed the Profile, which is expressed across the Framework Functions: Identify, Protect, Detect, Respond, Recover.


How to use the Framework

Because of the variety of ways the Framework can be used or leveraged by an organization, phrases such as "compliance with the Framework" can be confusing and mean something entirely different to various stakeholders. Instead, the Framework is designed to be used as a utility: a structure and language for organizing and expressing compliance with an organization's own cybersecurity requirements. The Framework is designed to help an organization answer fundamental questions, including "How are we doing?" The organization can then move in a more informed way to strengthen its cybersecurity practices where and when deemed necessary. The better an organization is able to measure its risk and the costs and benefits of cybersecurity strategies and steps, the more rational, effective, and valuable its cybersecurity approach and investments will be. Our approach to the use of the Framework is described in further detail within the Proposed Engagement Phases section of this proposal.


CONTACT US TODAY

QUESTIONS?

Jameson A. Miller, CPA, CISA, CISSP
Mauldin & Jenkins, LLC
(423) 785-1380
JMiller@mjcpa.com

Albany | Atlanta | Birmingham | Bradenton | Chattanooga | Columbia | Macon | Sarasota | Savannah

TOGETHER WE CAN Do Anything