Loading...
HomeMy WebLinkAboutDS.3 - Moss Adams MOSS ADAMS STATEMENT OF QUALICATIONS FOR PROFESSIONAL CYBERSECURITY SERVICES FOR COUNTY OF HAWAI’I __________________________________________________ Amanda McCleary-Moore, Assurance Partner Spencer Roundy, Managing Director, IT Assurance Moss Adams LLP 999 Third Avenue, Suite 2800 Seattle, WA 98104 (206) 302-6500 www.mossadams.com June 28, 2024 Mr. Robert Ewbank, Director of Information Technology County of Hawai'i 25 Aupuni Street Hilo, Hawai'i 96720 Dear Robert, Moss Adams is pleased to submit our Statement of Qualification (SOQ) and Expression of Interest (EOI) to provide professional services to the County of Hawai’i and its various departments and agencies. We are interested in providing solutions to the following needs: • DS.3) Computer Engineering (Cybersecurity Analysis) • DS.6) Computer Engineering (Network Analysis) – as it relates to security and data management Our team has an outstanding track record of providing a variety of IT security and assessment services for government clients throughout the United States. We’re confident that we provide an approach and team that are well aligned with your expectations and needs. Moss Adams offers the following: THE RIGHT SOLUTION. We follow a holistic and comprehensive approach to conducting cybersecurity audits and assessments as well as other services detailed in this package. Our methodology entails a review of technical, administrative, and physical security controls. Vulnerability assessment scans alone won’t identify the majority of threats posed to an organization. A cybersecurity assessment goes beyond a simple scan and provides the most confidence in an organization’s readiness to protect itself against a threat to its sensitive data and handle an incident (before it becomes a breach). Our approach focuses on inherent risk in the IT environment and business operations. THE RIGHT PEOPLE. Our proposed engagement team consists of full-time professionals who have had hands-on, practical IT operations experience in maintaining the cybersecurity posture of IT environments. They are highly credentialed professionals who have earned and maintain certifications including, but not limited to Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Ethical Hacker (CEH), HITRUST Certified Common Security Framework Practitioner (CCSFP), Certified Information Security Manager (CISM), Payment Card Industry Approved Scanning Vendor (PCI ASV), Qualified Security Assessor (PCI QSA), Certified HITRUST Quality Professional (CHQP), Certified Chief Information Security Officer (CCISO), and Project Management Professional (PMP). We understand the unique needs of government entities and perform dozens of assessments and audits each year based on the NIST Cybersecurity Framework, CIS 20 Critical Security Controls, ISO/IEC 27001:2022, NIST SP 800-53, and OWASP, among others. THE RIGHT EXPERIENCE. Our team conducts multiple cybersecurity assessments for government clients each year. We’ve performed vulnerability assessments, penetration testing, social engineering tests, and comprehensive IT security assessments based on industry-accepted best practice frameworks, among other work. We understand the risks and challenges to protecting IT and operational technology environments that government organizations contend with each and every day because we’ve been there with similar clients such as City of South San Francisco, City of Bakersville, City of Veneta, Kenai Peninsula Borough, and Matanuska-Susitna Borough, to name a few. THE RIGHT DELIVERABLES. When a recommendations report is either too complex or too technical, stakeholders and decision-makers can have difficulty understanding why changes are important. This can result in loss of prioritization or importance in an organization. Our finished report includes two iterations: one that is sufficiently detailed that your IT security personnel can implement effective actions, and one that is a concise executive summary of the engagement to explain the services performed and importance of security to your organization. We are confident Moss Adams is uniquely qualified to provide these services, and we offer the kind of special dedication, continuity, and commitment that inspires mutual trust and confidence in projects of this type. Thank you for considering Moss Adams. Sincerely, Amanda McCleary-Moore Assurance Partner (541) 732-3865 amanda.mccleary-moore@mossadams.com Spencer Roundy Managing Director, IT Assurance (949) 474-2613 spencer.roundy@mossadams.com Table of Contents | Contact Information and Principal Place of Business 1 | Firm Introduction 2 | Education, Training, and Qualifications 3 Risk Advisory and Compliance Experience 3 Cybersecurity Consulting 3 Key Professionals Experience 5 | Recent Projects and Clients 7 | Appendix A: Resumes 8 | We’re All In 11 Moss Adams | Statement of Qualifications for County of Hawai’i 1 Contact Information and Principal Place of Business Spencer Roundy, Managing Director, is the principal contact for our response and is based in Orange County, California. He can be reached at: • Spencer Roundy Managing Director, IT Assurance (949) 474-2613 • Moss Adams National Office 999 Third Avenue, Suite 2800 Seattle, WA 98104 We also have more than 30 locations and a presence in nine states: Arizona, California, Colorado, Kansas, New Mexico, Oregon, Texas, Utah, and Washington. • Phoenix, AZ • El Segundo, CA • Fresno, CA • Healdsburg, CA • Napa, CA • Orange County, CA • Pasadena, CA • Sacramento, CA • Salinas, CA • San Diego, CA • San Francisco, CA • Santa Rosa, CA • Silicon Valley, CA • Stockton, CA • Walnut Creek, CA • Woodland Hills, CA • Denver, CO • Kansas City, KS • Albuquerque, NM • Eugene, OR • Medford, OR • Portland, OR • Dallas, TX • Houston, TX • Salt Lake City, UT • Bellingham, WA • Everett, WA • Spokane, WA • Tacoma, WA • Tri-Cities, WA • Wenatchee, WA • Yakima, WA Moss Adams | Statement of Qualifications for County of Hawai’i 2 Firm Introduction Moss Adams is a fully integrated professional services firm dedicated to growing, managing, and protecting prosperity. With an average of 3,900 professionals over the last five years and across more than 30 locations, we work with the world’s most innovative, dynamic, and promising clients and markets. Through a full spectrum of consulting, accounting, and wealth management services, we bring the deep industry specialization and inspired thinking our clients seek. Since we put down roots in the Pacific Northwest more than 110 years ago, we’ve steadily expanded to serve clients not only in the West, but also across the nation and globally. Our full range of services includes consulting (IT, strategy & operations, transactions, and specialty), accounting (assurance and tax), as well as individual and institutional wealth management. Moss Adams is one of the 15 largest US accounting and consulting firms and a founding member of Praxity, a global alliance of independent accounting firms providing clients with local expertise in the major markets of North America, South America, Europe, and Asia. Full-Service Capabilities We offer a full range of services and specializations that span accounting, consulting, and wealth management to suit your specific needs. Our Firm’s Financial Stability Moss Adams is in a solid financial position with sufficient working capital to meet its existing and future liabilities. Our firm’s executive committee and partners have a long track record of sound financial management and are dedicated to ensuring the financial integrity of the business. We have over 4,750 personnel, including more than 400 partners, and annual revenues in 2023 were $1.26 billion. Moss Adams | Statement of Qualifications for County of Hawai’i 3 Education, Training, and Qualifications RISK ADVISORY AND COMPLIANCE EXPERIENCE Organizations face a range of challenges in today’s a rapidly changing environment. As a full-service integrated, multidisciplinary firm, our Risk and IT Compliance team excels on assisting growing and changing organizations with both strategy and effective implementation. We work with organizations and auditors to assess the adherence of their financial and technological controls with industry best practices and regulatory compliance standards. Our assurance and consulting services allow clients to balance governance and compliance so they can maximize growth while minimizing risk in managing their business needs. Deeply immersed in more than 30 industries, our professionals provide solutions specific to the nuances, challenges, and operations of the sector in which you work—while customizing plans to meet your unique needs. We help clients achieve compliance goals, navigate regulatory requirements, develop strategies to mitigate potential business risk exposures, assess system controls through independent assurance, and identify opportunities to strengthen their operating environments. Moss Adams is one of the few CPA firms in the world that is a validated assessor for SOC, PCI DSS, HITRUST, HIPAA, NIST, and CSA STAR services. Our team of professionals works together to address any aspect of compliance and the management of associated risks ensuring you only need to meet with our audit team once, instead of working with different teams for each compliance standard and framework. For our clients, this means a streamlined, efficient, and cost effective experience. CYBERSECURITY CONSULTING Cybersecurity, at its core, is about protecting what’s valuable to you as an organization. For some, that might mean protecting valuable customer data—credit card information, Social Security numbers, or patient health care records. For others, intellectual property, the contents of an agreement, and personal finance and tax records may be the most valued asset. Our Cybersecurity Consulting practice has been providing consulting services for more than two decades. We offer our clients a variety of services that include: More than 1,500 annual risk and IT compliance ENGAGEMENTS More than 1,700 risk and IT compliance CLIENTS SERVED More than 350 risk and IT compliance PROFESSIONALS Moss Adams | Statement of Qualifications for County of Hawai’i 4 Cy b e r s e c u r i t y C o n s u l t i n g • IT security assessments • Penetration testing • Disaster recovery and business continuity planning • Social engineering • Compliance assessments (FISMA, NIST, COBIT, ITIL, and ISO) • Network security design • HIPAA security assessments • Cloud Security Alliance audits • Web application penetration testing • Technology audits • Intrusion detection reviews • Security policy and procedure development and review • Data classification IT Co m p l i a n c e • PCI DSS QSA and ASV services • HITRUST and HIPAA compliance • SOC 1, 2, and 3 examinations • IT internal audit • Sarbanes-Oxley (SOX) services • SysTrust® and WebTrust® • FedRAMP • FISMA and NIST SP 800-series security assessments • ISO 27001 compliance and certification • Cybersecurity Maturity Model Certification (CMMC) • Microsoft vendor DPR attestations IT C o n s u l t i n g • Cost-benefit analysis • Technology assessments • IT risk assessments • IT governance • IT strategic planning • Performance audits • Organizational development • Profit leakage solutions • SDLC and change management analysis • E-commerce and mobile computing reviews Our approach for conducting cybersecurity audits and assessments uses multiple best practice frameworks including National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), NIST Special Publication (SP) 800-53, NIST SP 800-115, NIST SP 800-171, Department of Homeland Security, CIS Security Controls, ISO/IEC 27001 services (provided by Moss Adams Certifications LLC), FedRAMP, PCI DSS, ITIL, HIPAA, and COBIT. Our offensive security assessments follow best practices, such as the Penetration Testing Execution Standard (PTES), Open Source Security Testing Methodology Manual, and the Open Web Application Security Project (OWASP). The results of our assessments will empower you to make strategic decisions to help keep your IT systems and data safe and operational. We’ve helped hundreds of clients over the past 20 years in the ever-evolving cybersecurity field. The table below quantifies our experience by projects completed between 2021 and 2023. Cybersecurity Experience by the Numbers Total Project Count Cybersecurity, IT Organization, and Risk Assessments and IT Security Audits 150 FedRAMP Assessments 134 HIPAA and HITRUST Assessments 52 ISGC, FDICIA, and Other Reviews 138 ISO Audits and Assessments (offered through Moss Adams Certifications LLC) 251 Moss Adams | Statement of Qualifications for County of Hawai’i 5 Cybersecurity Experience by the Numbers Total Project Count PCI DSS Compliance Services 338 Penetration Testing, Vulnerability Assessment, and Social Engineering 579 Policy and Procedures Development, Control Reviews, Disaster Recovery Planning, and Strategic Planning 50 KEY PROFESSIONALS EXPERIENCE We think one of our key differentiators is the staff we assign to our projects. Clients regularly praise our staff on their industry knowledge, professionalism, and practical approach. We assign an engagement team based on their skillsets, experience, education, and certifications that align to your project requirements. All are full-time Moss Adams employees, are used to working as a team, and hit the ground running for every engagement. To support our efforts, we have more than 50 cybersecurity professionals on the team. Our professionals have earned recognition and an outstanding reputation for our services based on a solid track record and discriminating analysis. They are highly credentialed and qualified specialists who have earned and maintain certifications including: Governance, Risk and Compliance Certification (CGRC) Certified Public Accountant (CPA) Certified Chief Information Security Officer (CCISO) CompTIA Certified (A+, SECURITY+, NETWORK+ CYSA+) Certified Data Privacy Solutions Engineer (CDPSE) GIAC Critical Infrastructure Protection (GCIP) Certified Ethical Hacker (CEH) HITRUST Certified Common Security Framework Practitioner (HITRUST CCSFP) Certified HITRUST Quality Professional (CHQP) Microsoft Certified Systems Engineer (MCSE) Certified in Risk and Information Systems Control (CRISC) Offensive Security Certified Professional (OSCP) Certified Information Security Manager (CISM) Payment Card Industry Approved Scanning Vendor (PCI ASV) Certified Information Systems Auditor (CISA) Payment Card Industry Qualified Security Assessor (PCI QSA) Certified Information Systems Security Professional (CISSP) Systems Security Certified Practitioner (SSCP) Certified in the Governance of Enterprise IT (CGEIT) Cisco Meraki Network Associate (CMNA) GIAC Web Application Penetration Tester (GWAPT) GIAC Security Essentials Certification (GSEC) Moss Adams | Statement of Qualifications for County of Hawai’i 6 Continuing Professional Education Our Cybersecurity Consulting practice is continually adding highly qualified staff skilled in multiple IT- and cybersecurity-related disciplines. Additionally, Moss Adams invests in the team by providing a multitude of continuing professional education opportunities to attend classroom training, conferences, and virtual training to build upon and enhance their cybersecurity skills to serve the changing needs of our clients. Notably, Moss Adams requires its professional staff to attend at least 120 hours of continuing professional education (CPE) every three years. Averaging more than 40 hours of industry-specific CPE every year, our professionals regularly exceed those requirements—as well as those of the various industry certifying organizations. Of course, our focus on education isn’t just about quantity. It’s also about the quality of training our people receive. They participate in external training to keep them in touch with industry standards and trends. Additionally, we have a dedicated learning and development department responsible for providing year-round internal CPE to support the ongoing education process. We invest in our staff by providing a multitude of continuing professional education opportunities to attend classroom training, conferences, and virtual training to build upon and enhance their skills to serve the changing needs of our clients. Employee Background Checks One of the highest priorities of our firm is to attract, select, and hire qualified people. Our firm runs a thorough background check on final candidates for all positions. This includes but is not limited to partners, full-time employees, part-time employees, temporary employees (on the Moss Adams payroll), rehires, and interns. Background checks on all individuals may include a social security number trace as well as verification of education, criminal records, and a consumer credit check. We also confirm records related to any PCAOB and SEC violations or sanctions. Investigations for experienced staff- and senior-level professionals, as well as client service support professionals, include reference checks, verification of prior employment, and professional license/certification and membership verifications. Investigations for manager- and partner-level professionals include all previously described checks as well as county civil and federal civil searches. Our hiring policies help provide reasonable assurance that each employee has the requisite capabilities, competence, and commitment to ethical principles. Moss Adams | Statement of Qualifications for County of Hawai’i 7 Recent Projects and Clients Client Name Contact Services Rendered in Preceding Year? Kamehameha Schools Mia Okinaga, Vice President of Internal Audit 567 South King Street Honolulu HI 96813 (510) 367-3895 miokinag@ksbe.edu Yes 2023 Cybersecurity Risk Management Assessment City of Bakersfield Gregory Pronovost, Director Technology Service 1501 Truxtun Ave Bakersfield, CA 93301 (661) 326-3506 gpronovost@bakersfieldcity.us Yes 2023 IT Governance Policy Development 2022 IT Organizational Assessment and Strategic Plan City of South San Francisco Tony Barrera, Director of Information Technology 329 Miller Avenue South San Francisco, CA 94080 (650) 877-8500 tony.barrera@ssf.net Yes 2023 Disaster Recovery Plan Development 2022 NIST Cybersecurity Framework Assessment with Network and Web Application Penetration Testing Multnomah County Dennis Tomlin (CISO) 501 SE Hawthorne Blvd, Suite 531 Portland OR 97214 (503) 988-9387 dennis.tomlin@multco.us Yes 2023 HIPAA Security Assessment & Pen Test Snohomish County Public Utility District Jim Herrling, Sr. Manager, Treasury, Risk 2320 California St. Everett, WA 98201 (425) 783-8303 jlherrling@snopud.com Yes 2023 HIPAA Security Risk Assessment 2023 PCI SAQ B 2023 Quarterly PCI ASV Scanning & Annual External Penetration Test Moss Adams | Statement of Qualifications for County of Hawai’i 8 Appendix A: Resumes Working with the right team of professionals makes all the difference to your engagement. The team members we’ve thoughtfully selected to meet your specific needs have years of relevant experience. But more than that, you’ll find they bring an optimistic perspective focused on helping you explore and embrace emerging opportunity. Your Moss Adams team will personally engage with your team and bring a new level of energy and enterprise to your engagement. 0BBryan Schader, CISSP, CISA, CCSFP, CHQP, Cybersecurity Partner Professional Experience Bryan has worked in public accounting, supporting IT and security audit and consulting since 2008 and leads our Cybersecurity Consulting Services. His focus is driving integration across SOC and cybersecurity compliance engagements including ISO 27001, PCI, FedRAMP, and HITRUST. He works primarily in the technology industry, supporting SaaS companies of all sizes. Bryan’s primary client focus is with ISO certification, where he leads the firm’s certification body in delivering a variety of ISO certification standards. Bryan has extensive experience working with client IT and security control environments. Over his career, he led teams to help clients design and build control environments, perform testing in support of SOX attestations, and SOC 1 and SOC 2 engagements. Prior to joining Moss Adams, Bryan worked with the Risk Assurance Practice of a Big Four firm for seven years. Professional Certifications • Certified ISO 27001 Lead Auditor • Certified Information Systems Security Professional (CISSP) • Certified Information Systems Auditor (CISA) • HITRUST Certified Common Security Framework Practitioner (CCSFP) • HITRUST Quality Assessor (CHQP) • Training Provider & Examiner Certification Scheme (TPECS) Professional Affiliations • Member, International Society of Sustainability Professionals (ISSP) Education • MS, information systems management, Brigham Young University Moss Adams | Statement of Qualifications for County of Hawai’i 9 1BSpencer Roundy, CISA, CRISC, Managing Director Professional Experience Spencer has worked in IT compliance since 2004. He provides SOX compliance, IT compliance, and consulting through IT audits and assessments to clients in the highly regulated financial services industry, prioritizing cybersecurity and information security risks and controls. Spencer has led risk assessments of internal IT controls related to all aspects of IT security and domains, from governance and technology strategy to data management and third-party vendor management and business continuity planning. Spencer has strong knowledge in translating business processes into IT definitions; understanding business and IT risks; identifying, assessing, designing, and testing information technology and security controls; and defining and evaluating access security measures at operating system, database, and application layers. Prior to joining Moss Adams, Spencer worked at a Big Four firm and led external and internal IT audits across multiple industries. Education • BS, information systems, Brigham Young University Moss Adams | Statement of Qualifications for County of Hawai’i 10 2BChristian Hansen, CISA, CISSP, Partner Professional Experience Christian has worked in IT consulting since 2007. He manages our cybersecurity consulting practice and participates as a team member for most cybersecurity consulting audits and assessments. Prior to joining Moss Adams, Christian spent time with a Big Four firm as part of their IT Advisory Service practice, and at a financial institution as part of the Internal IT Audit group. Since joining Moss Adams, Christian has worked with clients to document and develop controls and procedures as part of their FedRAMP, FISMA, HIPAA, HITRUST, SOX compliance, and SOC reporting initiatives. Professional Certifications • Certified Information Systems Security Professional (CISSP) Education • MBA, University of Utah • BS, information systems, Brigham Young University Assurance, tax, and consulting offered through Moss Adams LLP. ISO/IEC 27001 services offered through Moss Adams Certifications LLC. Investment advisory services offered through Moss Adams Wealth Advisors LLC. Moss Adams | Statement of Qualifications for County of Hawai’i 11 We’re All In At Moss Adams, we’re all in, personally engaging with clients to help them anticipate, prepare for, and embrace the future. We’re committed to doing everything in our power to meet and exceed your expectations. Our goal—to serve you for the long term so you can focus on your business. Let us show you what Moss Adams can do for you.