Your stakeholders demand robust security and high availability from your systems. You will benefit from a service provider that brings a thoughtful, client-first perspective and an engaged responsiveness to your varied needs. We provide a unified and agile approach to risk and compliance management across the following suite of services. This is a risk-based approach that maps our clients’ policies, procedures, and controls across multiple regulatory and compliance requirements, so that one set of controls can be tested once and relied on for several frameworks.
Barr Assurance & Advisory, Inc. will assist clients in understanding how service organization control (SOC) reports can improve the efficiency and effectiveness of their efforts to meet customer and other compliance requirements related to operational controls. Three types of SOC reports are defined to address distinct user requirements (SOC 1 / SSAE 16, SOC 2, SOC 3):
- SOC 1 (SSAE 16) focuses on matters relevant to user entities’ internal control over financial reporting (ICOFR).
- SOC 2 reports apply more broadly to operational controls covering security, availability, confidentiality, processing integrity, and/or privacy across a variety of systems.
- SOC 3 reports cover the same criteria as SOC 2 but omit the detailed description of the system and of the tests performed, so they are shorter and suitable for general distribution, such as posting on your website.
Protected health information (PHI) is among the most valuable data to both its authorized users and to attackers who resell it on the black market. Our service professionals bring clarity and assurance to the complex healthcare rules and risks that apply to business associates who handle electronic PHI (ePHI).
ISO 27001, ISO 27017, and ISO 27018 are internationally accepted information security standards. ISO 27001 specifies the requirements for an information security management system (ISMS) and is the standard against which an organization is certified; ISO 27017 (cloud security controls) and ISO 27018 (protection of personally identifiable information in public clouds) are codes of practice that extend a 27001 certification with cloud-specific controls. We help prepare our clients for certification and help them build these standards into their own security management systems. In the near future, our audit professionals will be accredited to provide ISO certifications.
We provide assessments to help our clients with their system security plan (SSP) and FedRAMP initiatives. FedRAMP derives from the Cloud First policy, issued in 2010 by the U.S. Office of Management and Budget with the intent of improving efficiency in government services. Through cloud computing, federal agencies consolidate and provision new services faster while reducing information technology costs. Cloud adoption, however, requires a secure and trustworthy environment. FedRAMP defines requirements for cloud service provider (CSP) security controls, including vulnerability scanning, incident monitoring, logging, and reporting. June 2014 was the deadline for CSPs already in use at federal agencies, or in acquisition, to meet federal cloud computing requirements such as FedRAMP.
If you store, process, or transmit credit card data, whether as a merchant, a processor, or a service provider, then the Payment Card Industry Data Security Standard (PCI DSS) applies to you. This includes colocation facilities, data centers, and managed service providers that have no logical access to cardholder data but whose services can still affect its security (physical hosting, network infrastructure, or managed systems in the cardholder data environment). Our focus is working with service providers that have customers with PCI compliance demands or that need assurance over the PCI requirements for which the service provider is responsible.
Protecting your critical information takes more than policies, procedures, and controls. Our information protection services include penetration testing, vulnerability assessments, and secure development reviews that complement our clients’ security management plans and compliance requirements. Our assessment team combines automated scanning with manual testing to produce accurate results and to reduce false positives, and assessments can be performed from both an internal and an external testing perspective.
Are you just blocking and tackling your way through security? Are you merely compliance driven? Or are you truly being proactive in managing your own risks and your third-party risks? Organizations need to create a risk-based culture across the entire company, not just in the risk or compliance department. Achieving an effective and integrated information security program requires a sustainable strategy, agile technology tools, and the support of subject matter professionals well versed in governance, risk, and compliance (GRC) programs.