THE POWER OF BEING UNDERSTOOD

AUDIT | TAX | CONSULTING

SECURITY, PRIVACY, AND RISK SERVICES

RISK ADVISORY

PROTECT THE INTEGRITY OF YOUR DATA AND SYSTEMS WITH ENTERPRISE IT SECURITY SERVICES

SECURITY, PRIVACY, AND RISK CONSULTING OVERVIEW

New technologies make yesterday’s security, privacy, and risk solutions obsolete. And the list of possible bad outcomes in the battle to protect the integrity of your data is a long one. This is why organizations need to employ enterprise IT security services.

The risk advisory services (RAS) group is a pillar of our consulting practice, and brings a multidisciplinary approach to assessing controls across your business enterprise. A core component of RSM’s RAS practice is the firm’s security, privacy, and risk solution network.

RSM is a national leader in providing such information technology (IT) and security assessment services to clients in a variety of organizational sizes and structures. We have approximately 100 information assurance professionals nationwide, exclusively serving your technology security- and risk-related needs. Our professionals carry a multitude of industry-recognized certifications, and several of our members are recognized thought leaders within the security industry.

RSM’s security, privacy, and risk services (SPRS) are categorized into five networks, with several professional services offered within each respective discipline:

• IT Security Testing

- Ethical hacking
- Vulnerability assessments
- Mobile and Web applications
- Databases
- SharePoint
- Wireless networks
- Social engineering

• Compliance and Governance

- Management and framework
- Data mapping
- Third-party risk assessment
- State, federal and international regulations
- Industry-specific standards
- Gap analysis

• Payment Card Industry (PCI) Services

- Qualified Security Assessor (QSA)
- Approved Scanning Vendor (ASV)
- Report on Compliance (ROC)
- Payment application review

• Digital Forensics and Incident Response

- Data preservation and analysis
- Information security incidents
- Data breach
- E-discovery services
- Malware analysis
- Data recovery

• Security Architecture

- Process integration
- Performance improvements
- Implementation
- Architecture design
- Vendor selection
- Identity and access management

TABLE OF CONTENTS

• IT security testing
• Compliance and governance
• Payment Card Industry (PCI) services
• Digital forensics and incident response
• Security architecture
• Our certifications

IT SECURITY TESTING

With today’s advanced threats, rapidly changing malware and a constantly shifting legal and regulatory landscape, it’s essential to clearly understand the risks associated with your information technology assets. While a third party may already be conducting your security testing, it might be time for a new perspective—because not all IT security testing is the same.

Computer systems must be protected on two fronts, from the inside and from the outside. Not long ago, computer crime experts estimated that more than two-thirds of all computer attacks and unauthorized access were committed by internal personnel. While internal attacks remain a serious issue, the level and sophistication of outside security threats have greatly increased. Using attack techniques such as social engineering, Web application exploits and custom malware, attackers are bypassing external controls like firewalls with increasing levels of success.

Contrary to what many believe, security testing isn’t a commodity service. Real differences exist in capabilities and depth of testing, but the most drastic differences don’t stem from purely technical factors. Rather than treating a catalogue of technical findings as the final goal, security testing that delivers real value uses technical methods and results to support business-level risk management.

RSM’s testing teams differentiate themselves by focusing on:

• Systemic issues: Testing results are used to identify the root causes of various types of risks.

• Multifactor risks: While many security testing providers focus exclusively on technical risks and vulnerabilities, true value comes from translating those technical risks into regulatory compliance, legal and operational risks.

• Consistent frameworks: How do you know if testing was performed completely and correctly? How do testers validate that they performed the appropriate levels and types of testing? At RSM, we base testing methodologies on widely accepted frameworks, such as the Open Source Security Testing Methodology Manual (OSSTMM), the Open Web Application Security Project (OWASP), the Penetration Testing Execution Standard (PTES) and the SANS Institute’s Security Consensus Operational Readiness Evaluations (SCORES).

• Controls assessments: Assessment data is extremely valuable for validating the effectiveness or existence of controls and processes. While general checklist-style audits work well to assess policies governing controls, or to perform spot checks of specific systems, full security testing is often needed to validate the effectiveness of technical controls across an enterprise.

RSM delivers a wide variety of security assessments, including:

• External penetration testing: So-called “black-box” and “white-box” testing, performed from the Internet through the firewall(s) to the internal network.

• Internal penetration testing: Similar to external penetration testing, but performed on your internal network and systems.

• Application-level testing: Analyzing applications to identify vulnerabilities at the application level.

• Application security code reviews: Reviewing application code for insecure programming issues.

• Social engineering testing: Assessing the security awareness of your employees.

• Wireless testing: Examining your wireless technologies to determine if they present an unacceptable level of risk, including their configuration, hardening, usage and the security of endpoints, such as laptops and mobile devices.

• Extrusion testing: A form of penetration testing determining how easily sensitive information can be pushed from the inside out, testing the effectiveness of data leakage prevention systems, proxies and security monitoring.

• SharePoint testing: Our SharePoint security review examines your organization’s SharePoint platform to identify violations of information security best practices, such as poor access control, Web application vulnerabilities, sensitive data disclosure and plain-text data transmission.

• Mobile application testing: We analyze your mobile applications for various platforms to identify insecure storage, application weaknesses and mobile service-level vulnerabilities.

• Database testing: RSM takes a comprehensive approach to database security, including both penetration testing and security audit of organizational databases, including MSSQL, Oracle and MySQL. We review your database environment and associated documentation, actively try to penetrate your organizational databases, compare configuration settings against industry best practices and make both technical and business recommendations as to how to improve your database security.

COMPLIANCE AND GOVERNANCE

Our professionals are constantly developing cost-effective strategies to help organizations maintain compliance with important regulations from various governing bodies. Each regulation presents its own challenges, and we strive to help you meet these challenges through a deep understanding of the regulations and strategies to meet them.

No matter the capability and extent of an organization’s security technologies, if the processes and methods used to control the technology are weak, the security posture will never reach its full potential, and will likely degrade over time. RSM’s security compliance and governance service network has three major types of offerings:

• Assessing your current status in meeting your regulatory, business and internally driven requirements by comparing them against accepted frameworks

• Helping you design and build new governance models and processes meant to enhance your ability to meet varied requirements

• Assisting you in monitoring the effectiveness of your governance over time through the development of models and metrics, as well as tactical initiatives meant to mature your existing processes

Our governance assessment and governance improvement frameworks start with obtaining a thorough understanding of your information technology’s governance, regulatory requirements and risk management methodologies. This approach results in a focused, risk-based evaluation throughout the assessment cycle, rather than a focus on individual controls. After collaborating with you to understand and assess your information security needs, our professionals help you identify a governance framework to fit your needs. Some widely used governance frameworks include:

• International Organization for Standardization, e.g., ISO 27001/27002

• National Institute of Standards and Technology, e.g., NIST SP800-53

• Governmental standards, such as the Federal Information Security Management Act (FISMA), North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP), HIPAA/HITECH and others

• Industry best practices from the SANS Institute, the Information Systems Audit and Control Association (ISACA) and the International Information Systems Security Certification Consortium (ISC)2

If they’re not a good fit, our team helps you adapt or blend standard frameworks, or custom-tailors a unified controls framework to address your unique needs. At a minimum, items typically included in the security, privacy, and risk governance assessment process are:

• Data and system classification

• Policy and governance

• Operational and technical security risks

• Impact of changing business conditions

• Compliance, regulatory and legal exposure

• Business continuity capabilities

• Executive management involvement

• Internal and external security

• Internet and website security

• Security monitoring and incident response

• Physical security

With regard to assessing your current compliance with specific regulations or standards, our teams have extensive experience in:

• HIPAA and HITECH

• FISMA, NIST and NERC CIP

• Federal Deposit Insurance Corp. (FDIC), Gramm-Leach-Bliley Act (GLBA) and Fair and Accurate Credit Transactions Act (FACTA) (financial institutions)

• U.S. federal and state privacy laws

• EU Data Protection Directive and Safe Harbor Principles

• Third-party risk management activities, such as BITS and Standardized Information Gathering (SIG)

We often perform tactical activities meant to support our governance work, including:

• Data discovery exercises meant to identify the types and quantity of sensitive information within an environment, as well as the controls over such data

• Internal and external security testing

• Employee awareness examinations via surveys, interviews and social engineering testing

PAYMENT CARD INDUSTRY (PCI) SERVICES

Named by the PCI Security Standards Council (SSC) as a Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV), RSM has an experienced team of information security consultants who help your organization develop and maintain a complete security program.

• PCI-compliant ASV scanning: This scan, which can only be performed by an ASV, fulfills Data Security Standard (DSS) requirement 11.2 for all PCI in-scope, Internet-facing cardholder data (CHD) systems.

• PCI-compliant penetration testing: These annual internal and external network and application-level tests identify any vulnerabilities in systems and devices that could be leveraged to access cardholder data.

• PCI DSS assessment and remediation services: This review assesses your organization against the controls listed in the PCI DSS or self-assessment questionnaire (SAQ) as necessary, and provides recommendations and feedback for remediating any identified gaps.

• PCI Report on Compliance (ROC): This independent validation of PCI DSS compliance provides your organization with a ROC that can be submitted to the organization’s acquirer, or directly to one of the card brands.

• Payment application (PA) Report on Validation (ROV): This independent validation of licensed applications involved in the authorization or settlement of payment card transactions is used to certify payment applications with the PCI SSC. Once certified, PA DSS applications are listed on the PCI SSC website for use by merchant organizations.

• Payment card data discovery: The PCI DSS ROC engagement requires scoping the environment to determine what will be defined as the cardholder data environment (CDE). Our data discovery searches locations where card data should not reside to determine whether data has leaked out of the CDE, which would expand the scope of the PCI ROC.

• Business as usual (BAU) checkup: While the PCI DSS is considered a “point in time” audit, version 3.0 of the PCI DSS adds guidance to make the PCI DSS a “business as usual” ongoing function. Our BAU checkup service provides periodic updates and monitoring of PCI controls to verify that security and compliance are maintained year-round.

DIGITAL FORENSICS AND INCIDENT RESPONSE

When a crisis hits, you need the advice and counsel of professionals on the forefront of digital forensic examination techniques—advisors with deep knowledge of the industry and the latest trends and threats.

Whether you need an experienced team to provide forensic response services on short notice, or assistance in developing your internal forensic and response capabilities, we’re ready to help. Our team has more than a decade of experience in all aspects of forensics and response, including investigative support, evidence collection and analysis, post-event vulnerability assessment and remediation, expert witness testimony and law enforcement liaison activities.

Identifying and attempting to retrieve possible evidence from computers and related systems calls for a series of careful steps. Our team uses an approach designed to:

• Protect your computer systems and evidence from any possible alteration, damage, data corruption or virus introduction

• Discover all files on the subject system, including existing normal files, deleted but still present files, hidden files, and password-protected and encrypted files

• Recover discovered deleted files

• Reveal the contents of hidden, temporary or swap files used by application programs and the operating system

• Access protected or encrypted files when possible and legally appropriate

• Analyze all potentially relevant data found in special (and typically inaccessible) areas of a disk

• Develop an overall computer system analysis process, and a listing of all possibly relevant files and discovered file data

• Investigate the larger enterprise environment, including firewalls, security monitoring solutions, network devices and other systems critical to understanding the events at hand

• Provide expert consultation or testimony as required

SECURITY ARCHITECTURE

Security testing, risk assessments, governance reviews and other such services are often viewed as having the primary goal of identifying weaknesses within an organization. RSM is purposeful within each of our assessment areas in going another level deeper and pairing our findings with pragmatic recommendations meant to address those issues.

In addition, for more complex issues, the RSM SPRS group contains a service network meant to deliver extensive solutions to many of the challenges you encounter. This architecture offering focuses on providing the infrastructure necessary for you to effectively manage your risks. It contains two primary approaches: assisting you in hardening and maturing your existing environment, or working on your behalf to rebuild or enhance your environment.

The first approach is primarily focused on the concepts of defense-in-depth, as well as the effectiveness of the security program. Implementing defense-in-depth concepts within a client environment is based on the simple idea that the exploitation of one vulnerability should not lead to the downfall of the entire environment. Having a network that is properly segmented, monitored and hardened forces an assailant to succeed in a series of attacks in order to reach their goal. This structure will often lead to them abandoning the effort or being discovered before real damage is done.

Working with clients on the effectiveness of their security program typically entails taking existing technologies and leveraging them to achieve much greater success than they are currently delivering. It is a discouraging but often true fact that many organizations are only deriving a fraction of the value of most of their existing security technologies, and our goal is to increase that value with as few new purchases as possible.

When a client wishes to enhance or completely rebuild their environment, RSM teams are on hand to help from the ground up. Our most typical services within the space include:

• System builds and designs, including hardened configurations

• Logging and monitoring solutions, such as intrusion detection systems (IDS), intrusion prevention systems (IPS) and security information and event management (SIEM)

• Specific data protection technologies, such as data loss prevention (DLP) and tokenization

• Identity and access management (IdM/IaM) solutions

• Patch and vulnerability management solutions

• Design and implementation of secure systems development life cycle (SDLC) programs

• Design and deployment of incident response plans

OUR CERTIFICATIONS

Our IT consultants, many with extensive industry experience, hold a variety of professional certifications, including:

• GIAC Certifications

- GSEC – GIAC Security Essentials Certification
- GCIH – GIAC Certified Incident Handler
- GCIA – GIAC Certified Intrusion Analyst
- GCFW – GIAC Certified Firewall Analyst
- GPEN – GIAC Certified Penetration Tester
- GREM – GIAC Certified Reverse Engineer of Malware
- GCFE – GIAC Certified Forensic Examiner
- GCFA – GIAC Certified Forensic Analyst

• CISA – Certified Information Systems Auditor (security networking)

• CISSP – Certified Information Systems Security Professional

• CISM – Certified Information Security Manager

• CGEIT – Certified in the Governance of Enterprise IT

• CEH – Certified Ethical Hacker

• CompTIA Security+

• CRMA – Certification in Risk Management Assurance

• CIPP – Certified Information Privacy Professional

• Payment Card Industry (PCI)

- QSA – Qualified Security Assessor
- ASV – Approved Scanning Vendor
- PCI Payment Application (PA)

• OSCP – Offensive Security Certified Professional

SELECTED MEDIA AND SPEAKING APPEARANCES

Our security, privacy, and risk advisors are frequently sought out by media outlets, and as featured speakers and panelists at large conferences and events. Our experience has been leveraged in several different mediums, including:

Media appearances

• USA Today
• Los Angeles Times
• The Wall Street Journal
• Fortune
• The Washington Post
• Kansas City Business Journal
• Healthcareinfosecurity.com
• Secprodonline.com
• Govinfosecurity.com
• Financier Worldwide
• Fox News

Speaking engagements

• Institute of Internal Auditors (IIA)

• Information Systems Audit and Control Association (ISACA)

• Information Systems Security Association (ISSA)

• Black Hat Conference

• DEF CON Hacking Conference

• Open Web Application Security Project (OWASP) Conference

• Central Association of College and University Business Officers (CACUBO) Conference

• Independent Community Bankers of America (ICBA)

• American Apparel Footwear Association (AAFA)

• Minnesota Municipal Beverage Association

• SecureWorld

• Rochester Security Summit

• National Association of Corporate Directors (NACD)

+1 800 274 3978 rsmus.com

This document contains general information, may be based on authorities that are subject to change, and is not a substitute for professional advice or services. This document does not constitute audit, tax, consulting, business, financial, investment, legal or other professional advice, and you should consult a qualified professional advisor before taking any action based on the information herein. RSM US LLP, its affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person.

RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International.

RSM® and the RSM logo are registered trademarks of RSM International Association. The power of being understood® is a registered trademark of RSM US LLP.

© 2017 RSM US LLP. All Rights Reserved.

br-nt-ras-all-0717