HomeMy WebLinkAboutDS.3 - Moss Adams
MOSS ADAMS STATEMENT OF QUALICATIONS FOR PROFESSIONAL CYBERSECURITY SERVICES
FOR
COUNTY OF HAWAI’I
__________________________________________________
Amanda McCleary-Moore, Assurance Partner
Spencer Roundy, Managing Director, IT Assurance
Moss Adams LLP 999 Third Avenue, Suite 2800 Seattle, WA 98104 (206) 302-6500 www.mossadams.com
June 28, 2024
Mr. Robert Ewbank, Director of Information Technology County of Hawai'i
25 Aupuni Street
Hilo, Hawai'i 96720
Dear Robert,
Moss Adams is pleased to submit our Statement of Qualification (SOQ) and Expression of Interest (EOI) to
provide professional services to the County of Hawai’i and its various departments and agencies. We are
interested in providing solutions to the following needs:
• DS.3) Computer Engineering (Cybersecurity Analysis)
• DS.6) Computer Engineering (Network Analysis) – as it relates to security and data management
Our team has an outstanding track record of providing a variety of IT security and assessment services for
government clients throughout the United States. We’re confident that we provide an approach and team that
are well aligned with your expectations and needs. Moss Adams offers the following:
THE RIGHT SOLUTION. We follow a holistic and comprehensive approach to conducting cybersecurity audits
and assessments as well as other services detailed in this package. Our methodology entails a review of
technical, administrative, and physical security controls. Vulnerability assessment scans alone won’t identify
the majority of threats posed to an organization. A cybersecurity assessment goes beyond a simple scan and
provides the most confidence in an organization’s readiness to protect itself against a threat to its sensitive
data and handle an incident (before it becomes a breach). Our approach focuses on inherent risk in the IT
environment and business operations.
THE RIGHT PEOPLE. Our proposed engagement team consists of full-time professionals who have had
hands-on, practical IT operations experience in maintaining the cybersecurity posture of IT environments.
They are highly credentialed professionals who have earned and maintain certifications including, but not
limited to Certified Information Systems Security Professional (CISSP), Certified Information Systems
Auditor (CISA), Certified Ethical Hacker (CEH), HITRUST Certified Common Security Framework
Practitioner (CCSFP), Certified Information Security Manager (CISM), Payment Card Industry Approved
Scanning Vendor (PCI ASV), Qualified Security Assessor (PCI QSA), Certified HITRUST Quality Professional
(CHQP), Certified Chief Information Security Officer (CCISO), and Project Management Professional (PMP).
We understand the unique needs of government entities and perform dozens of assessments and audits each
year based on the NIST Cybersecurity Framework, CIS 20 Critical Security Controls, ISO/IEC 27001:2022,
NIST SP 800-53, and OWASP, among others.
THE RIGHT EXPERIENCE. Our team conducts multiple cybersecurity assessments for government clients
each year. We’ve performed vulnerability assessments, penetration testing, social engineering tests, and
comprehensive IT security assessments based on industry-accepted best practice frameworks, among other
work. We understand the risks and challenges to protecting IT and operational technology environments that
government organizations contend with each and every day because we’ve been there with similar clients
such as City of South San Francisco, City of Bakersville, City of Veneta, Kenai Peninsula Borough, and
Matanuska-Susitna Borough, to name a few.
THE RIGHT DELIVERABLES. When a recommendations report is either too complex or too technical,
stakeholders and decision-makers can have difficulty understanding why changes are important. This can
result in loss of prioritization or importance in an organization. Our finished report includes two iterations:
one that is sufficiently detailed that your IT security personnel can implement effective actions, and one that
is a concise executive summary of the engagement to explain the services performed and importance of
security to your organization.
We are confident Moss Adams is uniquely qualified to provide these services, and we offer the kind of special
dedication, continuity, and commitment that inspires mutual trust and confidence in projects of this type.
Thank you for considering Moss Adams.
Sincerely,
Amanda McCleary-Moore
Assurance Partner (541) 732-3865
amanda.mccleary-moore@mossadams.com
Spencer Roundy
Managing Director, IT Assurance (949) 474-2613
spencer.roundy@mossadams.com
Table of
Contents
| Contact Information and Principal Place of Business 1
| Firm Introduction 2
| Education, Training, and Qualifications 3
Risk Advisory and Compliance Experience 3
Cybersecurity Consulting 3
Key Professionals Experience 5
| Recent Projects and Clients 7
| Appendix A: Resumes 8
| We’re All In 11
Moss Adams | Statement of Qualifications for County of Hawai’i 1
Contact Information and Principal Place of Business
Spencer Roundy, Managing Director, is the principal contact for our response and is based in Orange County,
California. He can be reached at:
• Spencer Roundy
Managing Director, IT Assurance
(949) 474-2613
• Moss Adams National Office
999 Third Avenue, Suite 2800
Seattle, WA 98104
We also have more than 30 locations and a presence in nine states: Arizona, California, Colorado, Kansas,
New Mexico, Oregon, Texas, Utah, and Washington.
• Phoenix, AZ
• El Segundo, CA
• Fresno, CA
• Healdsburg, CA
• Napa, CA
• Orange County, CA
• Pasadena, CA
• Sacramento, CA
• Salinas, CA
• San Diego, CA
• San Francisco, CA
• Santa Rosa, CA
• Silicon Valley, CA
• Stockton, CA
• Walnut Creek, CA
• Woodland Hills, CA
• Denver, CO
• Kansas City, KS
• Albuquerque, NM
• Eugene, OR
• Medford, OR
• Portland, OR
• Dallas, TX
• Houston, TX
• Salt Lake City, UT
• Bellingham, WA
• Everett, WA
• Spokane, WA
• Tacoma, WA
• Tri-Cities, WA
• Wenatchee, WA
• Yakima, WA
Moss Adams | Statement of Qualifications for County of Hawai’i 2
Firm Introduction
Moss Adams is a fully integrated professional services
firm dedicated to growing, managing, and protecting
prosperity. With an average of 3,900 professionals over
the last five years and across more than 30 locations, we
work with the world’s most innovative, dynamic, and
promising clients and markets. Through a full spectrum
of consulting, accounting, and wealth management
services, we bring the deep industry specialization and
inspired thinking our clients seek.
Since we put down roots in the Pacific Northwest more
than 110 years ago, we’ve steadily expanded to serve
clients not only in the West, but also across the nation
and globally. Our full range of services includes
consulting (IT, strategy & operations, transactions, and
specialty), accounting (assurance and tax), as well as
individual and institutional wealth management.
Moss Adams is one of the 15 largest US accounting and consulting firms and a founding member of Praxity, a
global alliance of independent accounting firms providing clients with local expertise in the major markets of
North America, South America, Europe, and Asia.
Full-Service Capabilities
We offer a full range of services and specializations that span accounting, consulting, and wealth management
to suit your specific needs.
Our Firm’s Financial Stability
Moss Adams is in a solid financial position with sufficient working capital to meet its existing and future
liabilities. Our firm’s executive committee and partners have a long track record of sound financial management
and are dedicated to ensuring the financial integrity of the business. We have over 4,750 personnel, including
more than 400 partners, and annual revenues in 2023 were $1.26 billion.
Moss Adams | Statement of Qualifications for County of Hawai’i 3
Education, Training, and Qualifications
RISK ADVISORY AND COMPLIANCE EXPERIENCE
Organizations face a range of challenges in today’s a rapidly changing environment. As a full-service
integrated, multidisciplinary firm, our Risk and IT Compliance team excels on assisting growing and changing
organizations with both strategy and effective implementation. We work with organizations and auditors to
assess the adherence of their financial and technological controls with industry best practices and regulatory
compliance standards.
Our assurance and consulting services allow clients to balance governance and compliance so they can
maximize growth while minimizing risk in managing their business needs. Deeply immersed in more than 30
industries, our professionals provide solutions specific to the nuances, challenges, and operations of the sector
in which you work—while customizing plans to meet your unique needs. We help clients achieve compliance
goals, navigate regulatory requirements, develop strategies to mitigate potential business risk exposures,
assess system controls through independent assurance, and identify opportunities to strengthen their operating
environments.
Moss Adams is one of the few CPA firms in the world that is a validated assessor for SOC, PCI DSS,
HITRUST, HIPAA, NIST, and CSA STAR services. Our team of professionals works together to address any
aspect of compliance and the management of associated risks ensuring you only need to meet with our audit
team once, instead of working with different teams for each compliance standard and framework. For our
clients, this means a streamlined, efficient, and cost effective experience.
CYBERSECURITY CONSULTING
Cybersecurity, at its core, is about protecting what’s valuable to you as an organization. For some, that might
mean protecting valuable customer data—credit card information, Social Security numbers, or patient health
care records. For others, intellectual property, the contents of an agreement, and personal finance and tax
records may be the most valued asset.
Our Cybersecurity Consulting practice has been providing consulting services for more than two decades. We
offer our clients a variety of services that include:
More than 1,500
annual risk and
IT compliance
ENGAGEMENTS
More than 1,700
risk and IT
compliance
CLIENTS SERVED
More than 350
risk and IT
compliance
PROFESSIONALS
Moss Adams | Statement of Qualifications for County of Hawai’i 4
Cy
b
e
r
s
e
c
u
r
i
t
y
C
o
n
s
u
l
t
i
n
g
• IT security assessments
• Penetration testing
• Disaster recovery and business continuity
planning
• Social engineering
• Compliance assessments (FISMA, NIST,
COBIT, ITIL, and ISO)
• Network security design
• HIPAA security assessments
• Cloud Security Alliance audits
• Web application penetration testing
• Technology audits
• Intrusion detection reviews
• Security policy and procedure development
and review
• Data classification
IT
Co
m
p
l
i
a
n
c
e
• PCI DSS QSA and ASV services
• HITRUST and HIPAA compliance
• SOC 1, 2, and 3 examinations
• IT internal audit
• Sarbanes-Oxley (SOX) services
• SysTrust® and WebTrust®
• FedRAMP
• FISMA and NIST SP 800-series security
assessments
• ISO 27001 compliance and certification
• Cybersecurity Maturity Model Certification
(CMMC)
• Microsoft vendor DPR attestations
IT
C
o
n
s
u
l
t
i
n
g
• Cost-benefit analysis
• Technology assessments
• IT risk assessments
• IT governance
• IT strategic planning
• Performance audits
• Organizational development
• Profit leakage solutions
• SDLC and change management analysis
• E-commerce and mobile computing reviews
Our approach for conducting cybersecurity audits and assessments uses multiple best practice frameworks
including National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), NIST Special
Publication (SP) 800-53, NIST SP 800-115, NIST SP 800-171, Department of Homeland Security, CIS Security
Controls, ISO/IEC 27001 services (provided by Moss Adams Certifications LLC), FedRAMP, PCI DSS, ITIL,
HIPAA, and COBIT. Our offensive security assessments follow best practices, such as the Penetration Testing
Execution Standard (PTES), Open Source Security Testing Methodology Manual, and the Open Web
Application Security Project (OWASP). The results of our assessments will empower you to make strategic
decisions to help keep your IT systems and data safe and operational.
We’ve helped hundreds of clients over the past 20 years in the ever-evolving cybersecurity field. The table
below quantifies our experience by projects completed between 2021 and 2023.
Cybersecurity Experience by the Numbers Total Project Count
Cybersecurity, IT Organization, and Risk Assessments and IT Security Audits 150
FedRAMP Assessments 134
HIPAA and HITRUST Assessments 52
ISGC, FDICIA, and Other Reviews 138
ISO Audits and Assessments (offered through Moss Adams Certifications LLC) 251
Moss Adams | Statement of Qualifications for County of Hawai’i 5
Cybersecurity Experience by the Numbers Total Project Count
PCI DSS Compliance Services 338
Penetration Testing, Vulnerability Assessment, and Social Engineering 579
Policy and Procedures Development, Control Reviews, Disaster Recovery
Planning, and Strategic Planning 50
KEY PROFESSIONALS EXPERIENCE
We think one of our key differentiators is the staff we assign to our projects. Clients regularly praise our staff on
their industry knowledge, professionalism, and practical approach. We assign an engagement team based on
their skillsets, experience, education, and certifications that align to your project requirements. All are full-time
Moss Adams employees, are used to working as a team, and hit the ground running for every engagement.
To support our efforts, we have more than 50 cybersecurity professionals on the team. Our professionals have
earned recognition and an outstanding reputation for our services based on a solid track record and
discriminating analysis. They are highly credentialed and qualified specialists who have earned and maintain
certifications including:
Governance, Risk and Compliance Certification
(CGRC)
Certified Public Accountant
(CPA)
Certified Chief Information Security Officer
(CCISO)
CompTIA Certified
(A+, SECURITY+, NETWORK+ CYSA+)
Certified Data Privacy Solutions Engineer
(CDPSE)
GIAC Critical Infrastructure Protection
(GCIP)
Certified Ethical Hacker
(CEH)
HITRUST Certified Common Security Framework Practitioner
(HITRUST CCSFP)
Certified HITRUST Quality Professional
(CHQP)
Microsoft Certified Systems Engineer
(MCSE)
Certified in Risk and Information Systems Control
(CRISC)
Offensive Security Certified Professional
(OSCP)
Certified Information Security Manager
(CISM)
Payment Card Industry Approved Scanning Vendor
(PCI ASV)
Certified Information Systems Auditor
(CISA)
Payment Card Industry Qualified Security Assessor
(PCI QSA)
Certified Information Systems Security Professional
(CISSP)
Systems Security Certified Practitioner
(SSCP)
Certified in the Governance of Enterprise IT
(CGEIT)
Cisco Meraki Network Associate
(CMNA)
GIAC Web Application Penetration Tester
(GWAPT)
GIAC Security Essentials Certification
(GSEC)
Moss Adams | Statement of Qualifications for County of Hawai’i 6
Continuing Professional Education
Our Cybersecurity Consulting practice is continually adding highly qualified staff skilled in multiple IT- and
cybersecurity-related disciplines. Additionally, Moss Adams invests in the team by providing a multitude of
continuing professional education opportunities to attend classroom training, conferences, and virtual training to
build upon and enhance their cybersecurity skills to serve the changing needs of our clients.
Notably, Moss Adams requires its professional staff to attend at least 120 hours of continuing professional
education (CPE) every three years. Averaging more than 40 hours of industry-specific CPE every year, our
professionals regularly exceed those requirements—as well as those of the various industry certifying
organizations.
Of course, our focus on education isn’t just about quantity. It’s also about the quality of training our people
receive. They participate in external training to keep them in touch with industry standards and trends.
Additionally, we have a dedicated learning and development department responsible for providing year-round
internal CPE to support the ongoing education process. We invest in our staff by providing a multitude of
continuing professional education opportunities to attend classroom training, conferences, and virtual training to
build upon and enhance their skills to serve the changing needs of our clients.
Employee Background Checks
One of the highest priorities of our firm is to attract, select, and hire qualified people. Our firm runs a thorough
background check on final candidates for all positions. This includes but is not limited to partners, full-time
employees, part-time employees, temporary employees (on the Moss Adams payroll), rehires, and interns.
Background checks on all individuals may include a social security number trace as well as verification of
education, criminal records, and a consumer credit check. We also confirm records related to any PCAOB and
SEC violations or sanctions.
Investigations for experienced staff- and senior-level professionals, as well as client service support
professionals, include reference checks, verification of prior employment, and professional license/certification
and membership verifications. Investigations for manager- and partner-level professionals include all previously
described checks as well as county civil and federal civil searches. Our hiring policies help provide reasonable
assurance that each employee has the requisite capabilities, competence, and commitment to ethical
principles.
Moss Adams | Statement of Qualifications for County of Hawai’i 7
Recent Projects and Clients
Client Name Contact Services Rendered in
Preceding Year?
Kamehameha Schools Mia Okinaga, Vice President of Internal Audit
567 South King Street
Honolulu HI 96813
(510) 367-3895
miokinag@ksbe.edu
Yes
2023 Cybersecurity Risk
Management Assessment
City of Bakersfield Gregory Pronovost, Director Technology Service
1501 Truxtun Ave Bakersfield, CA 93301
(661) 326-3506
gpronovost@bakersfieldcity.us
Yes
2023 IT Governance Policy Development
2022 IT Organizational Assessment and Strategic Plan
City of South San Francisco Tony Barrera, Director of Information Technology
329 Miller Avenue South San Francisco, CA 94080
(650) 877-8500
tony.barrera@ssf.net
Yes
2023 Disaster Recovery Plan Development
2022 NIST Cybersecurity
Framework Assessment with Network and Web Application Penetration Testing
Multnomah County Dennis Tomlin (CISO)
501 SE Hawthorne Blvd, Suite 531 Portland OR 97214
(503) 988-9387
dennis.tomlin@multco.us
Yes
2023 HIPAA Security Assessment & Pen Test
Snohomish County Public Utility District Jim Herrling, Sr. Manager, Treasury, Risk
2320 California St. Everett, WA 98201
(425) 783-8303
jlherrling@snopud.com
Yes
2023 HIPAA Security Risk Assessment
2023 PCI SAQ B
2023 Quarterly PCI ASV Scanning & Annual External Penetration Test
Moss Adams | Statement of Qualifications for County of Hawai’i 8
Appendix A: Resumes
Working with the right team of professionals makes all the difference to your engagement. The team members
we’ve thoughtfully selected to meet your specific needs have years of relevant experience. But more than that,
you’ll find they bring an optimistic perspective focused on helping you explore and embrace emerging
opportunity. Your Moss Adams team will personally engage with your team and bring a new level of energy and
enterprise to your engagement.
0BBryan Schader, CISSP, CISA, CCSFP, CHQP, Cybersecurity Partner
Professional Experience
Bryan has worked in public accounting, supporting IT and security audit and
consulting since 2008 and leads our Cybersecurity Consulting Services. His
focus is driving integration across SOC and cybersecurity compliance
engagements including ISO 27001, PCI, FedRAMP, and HITRUST.
He works primarily in the technology industry, supporting SaaS companies of
all sizes. Bryan’s primary client focus is with ISO certification, where he leads
the firm’s certification body in delivering a variety of ISO certification standards.
Bryan has extensive experience working with client IT and security control
environments. Over his career, he led teams to help clients design and build
control environments, perform testing in support of SOX attestations, and SOC
1 and SOC 2 engagements.
Prior to joining Moss Adams, Bryan worked with the Risk Assurance Practice
of a Big Four firm for seven years.
Professional Certifications
• Certified ISO 27001 Lead Auditor
• Certified Information Systems Security Professional (CISSP)
• Certified Information Systems Auditor (CISA)
• HITRUST Certified Common Security Framework Practitioner (CCSFP)
• HITRUST Quality Assessor (CHQP)
• Training Provider & Examiner Certification Scheme (TPECS)
Professional Affiliations
• Member, International Society of Sustainability Professionals (ISSP)
Education
• MS, information systems management, Brigham Young University
Moss Adams | Statement of Qualifications for County of Hawai’i 9
1BSpencer Roundy, CISA, CRISC, Managing Director
Professional Experience
Spencer has worked in IT compliance since 2004. He provides SOX
compliance, IT compliance, and consulting through IT audits and assessments
to clients in the highly regulated financial services industry, prioritizing
cybersecurity and information security risks and controls.
Spencer has led risk assessments of internal IT controls related to all aspects
of IT security and domains, from governance and technology strategy to data
management and third-party vendor management and business continuity
planning.
Spencer has strong knowledge in translating business processes into IT
definitions; understanding business and IT risks; identifying, assessing,
designing, and testing information technology and security controls; and
defining and evaluating access security measures at operating system,
database, and application layers.
Prior to joining Moss Adams, Spencer worked at a Big Four firm and led
external and internal IT audits across multiple industries.
Education
• BS, information systems, Brigham Young University
Moss Adams | Statement of Qualifications for County of Hawai’i 10
2BChristian Hansen, CISA, CISSP, Partner
Professional Experience
Christian has worked in IT consulting since 2007. He manages our
cybersecurity consulting practice and participates as a team member for most
cybersecurity consulting audits and assessments.
Prior to joining Moss Adams, Christian spent time with a Big Four firm as part
of their IT Advisory Service practice, and at a financial institution as part of the
Internal IT Audit group.
Since joining Moss Adams, Christian has worked with clients to document and
develop controls and procedures as part of their FedRAMP, FISMA, HIPAA,
HITRUST, SOX compliance, and SOC reporting initiatives.
Professional Certifications
• Certified Information Systems Security Professional (CISSP)
Education
• MBA, University of Utah
• BS, information systems, Brigham Young University
Assurance, tax, and consulting offered through Moss Adams LLP. ISO/IEC 27001 services offered through Moss Adams Certifications LLC.
Investment advisory services offered through Moss Adams Wealth Advisors LLC.
Moss Adams | Statement of Qualifications for County of Hawai’i 11
We’re All In
At Moss Adams, we’re all in, personally engaging with clients to help them anticipate, prepare for, and embrace
the future. We’re committed to doing everything in our power to meet and exceed your expectations.
Our goal—to serve you for the long term so you can focus on your business.
Let us show you what Moss Adams can do for you.