At Apex, we measure our success by our clients’ success. To meet this objective, we have to be the best at what we do and, in order to be the best, we have to be discerning and focused in the services we provide.  As such, we dedicate all our resources to the provision of outstanding client support services in one distinct area: IT regulatory compliance and cyber security assessments/audits and implementation support services.  A more detailed listing of our offerings follows:

IT REGULATORY COMPLIANCE (and governance best practices)

∙ External IT regulatory compliance assessments and/or audits on behalf of the OIG or the Audit Committee
∙ Internal IT regulatory compliance assessments and/or audits on behalf of management
∙ Enterprise-wide internal audit methodology development to address the integration of all compliance requirements and to eliminate redundancies
∙ External auditor liaison support
∙ IT governance best practices assessments
∙ IT governance best practices and regulatory compliance implementation support, including, but not limited to, the following:
   ∙ IT policies and procedures development and implementation
   ∙ IT controls design and implementation
   ∙ Business Impact Analysis (BIA) and Risk Assessment
   ∙ Project planning and/or Project Management Office (PMO) support
∙ Independent Verification and Validation (IV&V) of application systems against functional and technical requirements
∙ Staff augmentation

Click Here to view an IT Regulatory Compliance Project Synopsis.

IT AUDIT READINESS

∙ Enterprise-wide internal audit methodology development to address the integration of all compliance requirements and to eliminate redundancies
∙ IT governance best practices and regulatory compliance implementation support, including, but not limited to, the following:
   ∙ [note: see sub-service areas listed above]
∙ IT audit readiness (and governance best practices) assessments (includes fast-turnaround Quick Strike assessments)
∙ Development of Corrective Action Plans (CAPs [or POA&Ms]) for control deficiencies
∙ Implementation support or independent validation & verification of CAP closure activities
∙ Support services during the course of external audits:
   ∙ PMO support
   ∙ Development of (and preparation for) anticipated controls-implementation evidence requests
   ∙ Facilitation of management responses to external auditor controls-implementation evidence requests
   ∙ Audit preparation exercises, including mock control-effectiveness interviews and walkthroughs prior to management representative meetings with external auditors
   ∙ Negotiations with external auditors regarding the validity of audit findings, i.e., control deficiencies
∙ Staff augmentation

Click Here to view an IT Audit Readiness Project Synopsis.

CYBER SECURITY

∙ System Assessment and Authorization support in compliance with DoD/Federal Civilian information assurance requirements (such as the risk management framework)
∙ Cyber security control assessments & implementation support
∙ Penetration Testing at the application, system and network levels
∙ Risk Assessment and determination of risk levels (includes the review and incorporation of the results of prior assessments, code reviews and vulnerability scans)
∙ Identification of deviations from policies and/or acceptable configurations such as DISA STIG implementation analysis
∙ Cyber hunt services, including the development and/or use of industry- or organization-specific threat platforms and the identification of enterprise-wide risks
∙ Risk response recommendations such as risk acceptance, avoidance, mitigation, sharing or transference steps
∙ Implementation of risk mitigation measures (or independent validation & verification of the implementation of these measures)
∙ Cyber security governance support:
   ∙ Enterprise-wide security architecture
   ∙ Cyber security policies and procedures development & implementation support
   ∙ Incident Response support, including incident analysis, remediation and system restoration
∙ Staff augmentation

The suite of automated tools utilized in the delivery of our Cyber Security services includes, but is not limited to, the following:
∙ Network Traffic Analysis: Wireshark [packet sniffer (analyzer)]
∙ Penetration Testing: Kali Linux (OS), Metasploit and Wireshark [packet sniffer (analyzer)]
∙ Incident Response Tracking: Hunting Range [incident log monitoring and tracking tool]
∙ Incident Follow-up Repository: SharePoint and other file management tools
∙ Vulnerability Scanners: ACAS (DoD), Nessus and Qualys Cloud Platform
∙ Static Code Analyzers: HP Fortify and IBM AppScan
∙ DoD RMF Compliance Tools: eMASS (and equivalent tools), RSA Archer and STIG Viewer

Click Here to view a Cyber Security Project Synopsis.

We have a proven track record in implementing the following Acts & Mandates and Standards & Guidelines:

Acts & Mandates

∙ Federal Managers’ Financial Integrity Act (FMFIA)
∙ Federal Financial Management Improvement Act (FFMIA)
∙ Chief Financial Officers Act (CFO Act) – Audits of financial statements
∙ Federal Information Security Modernization Act (FISMA) for civilian agencies and DoD Instruction 8510.01 (Risk Management Framework for DoD IT) for DoD agencies
∙ Managing Information as a Strategic Resource (OMB Circular A-130)
∙ Management’s Responsibility for Internal Control (OMB Circular A-123)
∙ Health Insurance Portability and Accountability Act (HIPAA)
∙ Privacy Act
∙ National Defense Authorization Act (NDAA)
∙ DoD Instruction 8500.01 and DoD Directive 8570.01
∙ DoD’s Financial Improvement Audit Readiness (FIAR)
∙ Sarbanes-Oxley Act

Standards & Guidelines
∙ ISACA Certified Information Systems Auditor (CISA) best practices
∙ Federal Information System Controls Audit Manual (FISCAM)
∙ NIST Special Publications 800-18, 800-30, 800-37, 800-53, 800-57, 800-60 and 800-64
∙ Statement on Standards for Attestation Engagements No. 18 (SSAE 18)
∙ Federal Information Processing Standards (FIPS) Publications 199 and 200
∙ CIS Critical Security Controls (formerly the "SANS Top 20 Critical Security Controls")
∙ ISO/IEC 27001 (information security management system requirements) and ISO/IEC 27002 (code of practice for information security controls)
∙ Information Security Forum (ISF) Standard of Good Practice for Information Security
∙ Control Objectives for Information and Related Technology (COBIT)
∙ Information Technology Infrastructure Library (ITIL)
∙ Payment Card Industry Data Security Standard (PCI DSS)
∙ DISA Security Technical Implementation Guides (STIGs)
∙ Committee on National Security Systems Instruction (CNSSI) 1253
∙ Command Cyber Readiness Inspection (CCRI) standards
∙ Customer Proprietary Network Information (CPNI) requirements
∙ Requirements for physical protection of licensed activities in nuclear power reactors against radiological sabotage (10 CFR 73.55)
∙ Project Management Body of Knowledge (PMBOK)