At Apex, we measure our success by our clients’ success. To meet this objective, we have to be the best at what we do and, in order to be the best, we have to be discerning and focused in the services we provide.  As such, we dedicate all our resources to the provision of outstanding client support services in one distinct area: IT regulatory compliance and cyber security assessments/audits and implementation support services.  A more detailed listing of our offerings follows:

IT REGULATORY COMPLIANCE

∙ Internal IT regulatory compliance assessments and/or audits on behalf of management (internal)
∙ External IT regulatory compliance assessments and/or audits on behalf of OIG or the Audit Committee (external)
∙ IT governance best practices assessments
∙ IT controls design and implementation on behalf of management (internal assessments)
∙ Independent Verification and Validation (IV&V) of application systems against functional and technical requirements
∙ Staff augmentation

IT governance best practices and regulatory compliance implementation support, including, but not limited to, the following:
∙ IT project planning and/or Project Management Office (PMO) support
∙ IT Policies and procedures development & implementation support
∙ Enterprise-wide systems architecture and strategic planning
∙ Business Impact Analysis (BIA) and Risk Assessments

Click Here to view an IT Regulatory Compliance Project Synopsis.

IT AUDIT READINESS

∙ IT controls design and implementation
∙ IT governance best practices and regulatory compliance implementation support, including, but not limited to…(note: see service areas listed above)
∙ IT audit readiness (and governance best practices) assessments (includes fast-turnaround Quick Strike assessments)
∙ Development of Corrective Action Plans (CAPs [or POA&Ms]) for control deficiencies
∙ Implementation support or independent validation & verification of CAP closure activities
∙ Staff augmentation

Support services during the course of external audits:
∙ PMO support
∙ External auditor liaison support
∙ Development of (and preparation for) anticipated controls-implementation evidence requests
∙ Facilitation of management responses to external auditor controls-implementation evidence requests
∙ Audit Preparation Exercises including mock control-effectiveness interviews and walkthroughs prior to management representative meetings with external auditors
∙ Negotiations with external auditors regarding the validity of audit findings, i.e., control deficiencies

Click Here to view an IT Audit Readiness Project Synopsis.

CYBER SECURITY

∙ System Assessment and Authorization support in compliance with DoD/Federal Civilian information assurance requirements (such as the risk management framework)
∙ Cyber security control assessments & implementation support
∙ Penetration Testing at the application, system and network levels
∙ Risk Assessment and determination of risk levels (includes the review and incorporation of the results of prior assessments, code reviews and vulnerability scans)
∙ Identification of deviations from policies and/or acceptable configurations such as DISA STIG implementation analysis
∙ Cyber Hunt services including the development and/or utilization of industry or organization based threat platforms and identification of enterprise-wide risks
∙ Risk response recommendations such as risk acceptance, avoidance, mitigation, sharing or transference steps
∙ Implementation of risk mitigation measures (or independent validation & verification of the implementation of these measures)
∙ Staff augmentation

Cyber security governance support:
∙ Enterprise-wide security architecture
∙ Cyber security policies and procedures development & implementation support
∙ Incident Response support including incident analysis, remediation and system restoration

The suite of automated tools utilized in the delivery of our Cyber Security services include, but are not limited to, the following:

∙ Penetration Testing: Kali Linux (OS) MetaSploit and Wireshark [Packet sniffer (analyzer)]
∙ Incident Response Tracking: Hunting Range [incident log monitoring and tracking tool]
∙ Incident Follow-up Repository: SharePoint and other file management tools.
∙ Vulnerability Scanner: ACAS (DoD)/NESSUS
∙ Static Code Analyzers: HP Fortify and IBM AppScan
∙ DoD RMF Compliance Tools: eMASS (and equivalent tools)

Click Here to view an Cyber Security Project Synopsis.

We have a proven track record in implementing the below Acts, Mandates, Standards, and Guidance:

Acts & Mandates

∙ OMB Circular A-123
∙ DoD’s Financial Improvement Audit Readiness (FIAR)
∙ OMB Circular A-130
∙ Federal Information Security Management Act (FISMA)
∙ DoD Instruction 8510.01 (Risk Management Framework for DoD)
∙ DoD Instruction 8500.01 and DoD Directive 8570.01
∙ Managing Information as a Strategic Resource (OMB Circular A-130)
∙ Management’s Responsibility for Internal Control (OMB Circular A-123)
∙ Chief Financial Officers Act (CFO Act) – Audits of financial statements
∙ DoD’s Financial Improvement Audit Readiness (FIAR)
∙ Health Insurance Portability and Accountability Act (HIPAA)
∙ Privacy Act
∙ Sarbanes-Oxley Act

Standards & Guidelines

∙ OMB Circular A-123
∙ ISACA Certified Information System Auditor Best Practices
∙ Federal Information System Controls Manual (FISCAM)
∙ NIST Special Publications 800-18, 800-30, 800-37, 800-53, 800-57, 800-60 and 800-64
∙ Federal Information Processing Standards (FIPS) Publications 199 and 200
∙ Security Technical Implementation Guides (STIGs)
∙ Committee on National Security Systems Instruction (CNSSI) 1253
∙ Command Cyber Readiness Inspections (CCRI) standards
∙ ISO/IEC 27001 and 27002: Information Technology Security Techniques and Code of Practice for Information Security Controls
∙ Consumer Private Network Information (CPNI) standards
∙ SANS Institute standards including “SANS top 20 critical security controls”
∙ Information Security Forum (ISF) Standard of Good Practice for Information Security
∙ Control Objectives for Information and Related Technology (COBIT)
∙ Information Technology Infrastructure Library (ITIL)
∙ Requirements for physical protection of licensed activities in nuclear power reactors against radio-logical sabotage (CFR Title 10 Part 73.55)
∙ Payment Card Industry Data Security Standard (PCI DSS)
∙ Statement on Standards for Attestation Engagements No. 18 (SSAE 18)
∙ Project Management Body of Knowledge (PMBOK)