IT Advisory Services

Companies of all sizes sometimes need a little extra guidance navigating the IT landscape. Weaver’s CIO Advisory Services team is there to help fill those gaps, whether it’s an interim Chief Information Officer or assistance creating a strategic technology plan.

Read more information about our CIO advisory services.

To be effective, your organization’s cybersecurity program must provide an ongoing process that assesses risks, identifies threats, creates protections, monitors systems, and enables quick response and recovery. And that cybersecurity process must be embedded into the organization’s governance, not just relegated to a corner of the IT department.

That’s why you need Weaver’s IT Advisory Services — because we understand that cybersecurity has to be built into your organization from the ground up.

We regularly assess systems and processes against a variety of technical and regulatory requirements, including PCI, Red Flags, Sarbanes-Oxley, HIPAA, FDICIA and GLBA, and we are well-versed in the standards and control frameworks used by leading organizations to manage compliance with these regulations, including:

• NIST-CSF
• COBIT 2019
• ISO 27001/27002
• SOC 1, 2 and 3
• SOC for Cybersecurity
• PCI-DSS
• 23 NYCRR 500
• FISMA
• NIST SP 800-53
• FFIEC
• ITIL
• HIPAA

Weaver’s Cybersecurity Services

CYBER RISK MANAGEMENT

• Build/assess cybersecurity programs
• Conduct cyber risk assessments
• Define strategic roadmaps
• Evaluate KPIs for cybersecurity skills and tools

CYBER COMPLIANCE

• Measure your readiness for achieving compliance
• Identify the current compliance state and goal
• Outline a path towards goals
• Verify to others
• Communicate the competitive advantage
• Develop a maintenance program and maturity plan

CYBER OPERATIONS

• Vulnerability assessments
• Penetration tests 
• Network services       
• Web applications       
• Wireless networks
• Social engineering & security awareness 
• E-mail phishing
• USB media drops/baiting     

If your organization provides outsourced services to other businesses, chances are you’ll be requested to demonstrate that you maintain a sound environment of internal control over the transactional data you manage or systems you host on their behalf. The American Institute of Certified Public Accountants (AICPA) has created multiple reporting options to enable you to demonstrate transparency to your customers and prospects.

Learn more here.

Is your company compliant with the PCI Data Security Standard (PCI-DSS)? As a certified PCI QSA firm, Weaver’s IT Advisory team now offers a service that provides payment card industry (PCI) data security assessments and assistance in complying with these stringent standards. 

Among the requirements of the new PCI-DSS standard: 

• Building and maintaining a secure network using firewalls to protect cardholder data, and ensuring that vendor-supplied defaults for system passwords and other security parameters are not used. 
• Protecting cardholder data and encrypting its transmission across open, public networks. 
• Maintaining a vulnerability management program with secure systems and applications, plus regular updates to anti-virus software and programs.
• Implementing strong access control measures by restricting access to cardholder data (both electronic and physical) on a "need to know" basis. 
• Regularly monitoring and testing networks and tracking all access to cardholder data.

Our IT Advisory professionals bring a different level of service to our clients because of our roots as an audit firm. We approach payment card security from a different angle, offering our clients a more holistic, in-depth service offering.

Meet our PCI QSA Certified Providers:

Brian Thomas, CISA, CISSP and partner; and Brittany George, CISA and partner, both in Weaver’s IT Advisory services department, have met the necessary requirements to earn the Qualified Security Assessor (QSA) certification from the PCI Security Standards Council. This achievement positions us as one of the few select accounting firms to offer this level of certification as a QSA firm. 

QSA companies are organizations that have been qualified by the Council to have their employees assess compliance with the PCI Data Security Standard (PCI DSS). Qualified security assessors are employees of these organizations who have been certified by the Council to validate an entity’s adherence to the PCI DSS. Qualified security assessors can be verified through the PCI Security Standards website.

“Big data” is an increasingly popular consulting buzz word associated with using data analytics to generate “big opportunities” for businesses. Beyond the buzz words, organizations cannot afford to ignore the value of their information, regardless of industry or size. The Weaver Analytics team focuses exclusively on performing data analytics-based services to assist clients with analyzing large volumes of data. Our procedures can help establish effective tools to monitor key performance indicators, recognize potential fraud, assist in error detection, present potential efficiency opportunities, and provide useful and objective insights into the operations of businesses that can be found in routinely collected data.

No client is too big or too small. In a digital world, organizations of all sizes generate and have access to tremendous amounts of data. Our team of specialized analytics professionals stand ready to provide advisory services specifically tailored to your company’s needs. Our customized procedures can be performed by our professionals in your IT environment, or we can extract data from your systems and perform analytics procedures on our secure servers.

The International Organization for Standardization (ISO) 27001 standard is the most widely accepted across the world for developing an information security management system. ISO 27001 certification can be beneficial to businesses working with international customers because it signifies that your organization uses standards common with other organizations across the globe. Certification follows a specific process, which includes an audit. 

Whether pursuing the actual ISO 27001 certification or simply implementing security management procedures according to best practices, Weaver’s information security professionals can help.

Our seasoned IT advisory team can help your organization identify potential gaps in the current environment through scoping and planning exercises, development of a risk assessment against the ISO process areas, and an evaluation of current security practices. 

The ISO 27001 standard contains 11 domains that must be addressed. The ISO domains align with other IT and security management frameworks your organization may use including COBIT, ITIL, CSA’s CCM, and the AICPA’s Trust Principles and Criteria (SOC 2).

• Security policy - management direction
• Organization of information security - governance of information security
• Asset management - inventory and classification of information assets
• Human resources security - security aspects for employees joining, moving and leaving an organization
• Physical and environmental security - protection of the computer facilities
• Communications and operations management - management of technical security controls in systems and networks
• Access control - restriction of access rights to networks, systems, applications, functions and data
• Information systems acquisition, development and maintenance - building security into applications
• Information security incident management - anticipating and responding appropriately to information security breaches
• Business continuity management - protecting, maintaining and recovering business-critical processes and systems
• Compliance - ensuring conformance with information security policies, standards, laws and regulations

Weaver’s professionals will help your organization integrate the ISO 27001 requirements into everyday processes, improving the rate of adoption and reducing the rate of error. The resulting deliverable for this effort is a roadmap that will detail potential weaknesses against the ISO requirements and provide recommendations to strengthen the security of your organization. We can also customize an implementation timeline based on your company’s available resources or objectives.

Are system security vulnerabilities adequately addressed within your organization? Is your organization aware of the risks associated with these security threats and vulnerabilities? 

The risk depends on the types of information your organization has. If you have sensitive information about customers, consumers, clients or patients; intellectual property or designs that would be commercially damaging if lost; or if your organization operates critical systems for which unplanned downtime is unacceptable based on customer SLAs or based on cost, then the impact of a security incident can be quite high. Security threats and vulnerabilities therefore pose a higher risk to such organizations and they should perform regular assessments to ensure they are not unnecessarily exposed.

Weaver’s security professionals can perform a variety of procedures to assist your organization to improve its information security profile, including, but not limited to the following:

• Network architecture review
• Internal and external vulnerability assessment scanning
• Information security policy and procedure evaluation (using ISO 27001)
• Social engineering
• Network penetration testing

Deliverables for our security engagements include tailored reports written by our security professionals which describe the results of our assessment. As an accounting firm, we strive to ensure that our deliverables can be understood and used by IT professionals as well as senior management and the board. Although we use automated scanning tools to perform many of our procedures, we believe that our analysis and interpretation of the output from those tools is the value-added component that differentiates our service. We do not provide “canned” output, except as supporting documentation. Our recommendations are based on practical solutions which we discuss with your personnel prior to the completion of fieldwork.