Industry Experience



Organizations that store, process or transmit electronic protected health information (ePHI) must be HIPAA compliant. Meaningful Use attestation requires HIPAA compliance as part of a book of evidence submittal.  

We have expertise in assessments for accountable care, covered entities, ambulatory groups, revenue cycle management, and healthcare IT service providers.

Retail / Payments


Merchants and/or Service Providers (using credit card and debit card processing) require annual PCI DSS compliance and attestation with various PCI security tasks, operations and reporting.  We have experience with universities, financial organizations (issuing banks, credit unions, etc), service providers, and special expertise with international airports having complex, dual merchant and multi-tenant service provider requirements.



Banks, federal credit unions, and financial institutions must conform to the FFIEC cyber security maturity model and enable secure online banking, while wealth management firms must adhere to FINRA / SEC-OCIE requirements. Financial services in New York must adhere to NYS DFS requirements. 

All financial organizations have a combination of requirements from GLBA, FFIEC, PCI DSS depending on their transactional functions and use of credit cards. We have experience with all of these types of financial organizations



Colleges and universities fall under broad multi-regulatory requirements covering private, personally identifiable information (PII), grades and transcripts falling under FERPA law, ePHI for students for infirmaries, nursing, and medical teaching schools under HIPAA law, and potentially PCI DSS where cardholder data is prominent  (bookstores, cafeterias, vendors/merchants, etc.).  We have expertise addressing all of these multi-regulatory requirements for higher education entities.

Service Provider


IT, Application service providers,  Internet service providers, Telecomm & Cloud Service providers generally need:  SOC 1, SOC 2, ISO2700X readiness assessments, annual IT security assessments and ongoing security testing. 

Publicly Traded Firms are looking for: SOX / ISO 27001 – 27005 / 3rdParty Vendor Risk Assessments.  

We have experience with service providers and these types of requirements.



We have hands-on experience building and updating System Security Plans falling under FISMA (NIST SP800-53R4) law requirements and security control implementation for government contractors and federal agencies. Federal Contractors that store, process or transmit controlled unclassified information (CUI) must comply with NIST SP800-171.

We work with state, county, and city governments that are under various regulatory compliance laws and mandates including privacy.