Assurance
Providing an independent assessment of the design and effectiveness of governance, risk management and control processes in a given project. We work hard to provide you with the cost-effective, continuous protection and the deep security insight you need to protect yourself. We do this by delivering security solutions that actively predict and identify potential vulnerabilities in a complex and evolving environment.
IT and Cybersecurity Audits
3CBrokerage’s IT internal audit services help organizations understand their key technology risks and how well they are mitigating and controlling those risks. Our professionals provide insight into the threats inherent in today’s highly complex technologies. 3CBrokerage offers a wide range of IT internal audit outsourcing and co-sourcing services. The 3CBrokerage methodology, based on both COSO and COBIT®, combines an overall IT internal audit management team (3CBrokerage-led, client-led, or a combination) with the execution of individual projects by subject-matter experts in each IT audit area.
IT Audit Services Performed
The services our specialists perform include:
- IT audit outsourcing and co-sourcing, covering all IT operational and business risk
- Penetration testing and assessments
- Internal and external network scans
- Social Engineering
- Risk Assessments
- Privacy Impact Assessments (PIA)
- SSAE SOC Reports
- PCI Readiness Assessments
- Security Assessments, including disaster recovery and business continuity
- Integrated IT, financial, operational and compliance audits
- External auditor relationship management
- IT process reviews (access, SDLC, change management, operations)
- SOX 404 documentation and controls testing
Cloud Security Readiness
3CBrokerage offers world-class cloud security consulting services for a range of cloud environments. Our cybersecurity staff have extensive experience providing cloud security consulting for Azure, AWS, Google Cloud, and other cloud platforms. 3CBrokerage’s world-class security experts are standing by, ready to help you respond to a security incident, implement new security controls, or build an information security and access management program around your existing cloud infrastructure.
Our Cloud Security Consulting Process
3CBrokerage provides leading cloud technology security solutions designed with your business in mind. We begin each engagement with a brief review of your existing cloud environment, including the security controls and data protection measures you currently use. We have extensive experience working in:
- Amazon Web Services
- Microsoft Azure
- Other cloud service providers
Compliance and Gap Analysis
Compliance
As information security regulations evolve more rapidly than ever, leverage our experienced teams to design a solution specific to your business needs. 3CBrokerage helps companies achieve IT Governance, Risk Management and Compliance (IT GRC), and our experts can help you exceed expectations. We help organizations design, assess, and transform the processes, controls, and infrastructure essential to addressing the specific compliance and regulatory risks they face.
In addition, we help you create enterprise compliance programs designed to preserve organizational value and gain a competitive advantage.
We are experienced with and adhere to the following industry or government mandates:
- Sarbanes-Oxley Act (SOX)
- Payment Card Industry (PCI)
- EU General Data Protection Regulation (GDPR)
- SSAE 18 SOC 1 Type II and SOC 2 Type II
- HIPAA / HITECH
- ISO/IEC 27001:2013 Certification
Gap Analysis
3CBrokerage’s Security Gap Analysis service uses the ISO27001 global security standard as its framework. It gives the organization a comprehensive, cross-sectional view of its security posture from a third-party standpoint. Beyond security risk assessments, we can provide proposals on specific measures and support for creating medium- and long-term roadmaps for implementing them.
This service supports not only individual companies but also those with many subsidiaries, making it possible to compare group companies and overseas offices against common standards.
ISO27001:2013 is a global security standard and is being utilized in multiple industries such as finance, manufacturing, energy, trading, real estate, and logistics.
IT Process Reviews
Advisory
Our Advisory Practice includes financial management and information assurance professionals who specialize in providing services to a wide range of federal and commercial clients. Our advisory team is dedicated to providing solutions and services tailored to each customer’s unique requirements and needs.
Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) Advisory Support
3C Brokerage provides DoD contractors with the expertise to navigate the new and evolving requirements that help protect and defend the U.S. Defense supply chain from cyber risks. Our support includes:
⦁ Educating contractor personnel about the CMMC, its requirements, timelines and how to interpret the cybersecurity controls catalog
⦁ Supporting the design, documentation and implementation of required cybersecurity controls within the applicable maturity levels
⦁ Performing pre-assessments to help identify corrective actions or implementation gaps for the required cybersecurity controls
⦁ Supporting the full lifecycle of the CMMC audit
CIO and CISO Support
3C Brokerage has helped numerous organizations establish and maintain programs that meet and exceed the internal control requirements specified in OMB Circular A-123, Management’s Responsibility for Internal Control. We have a track record of implementing and executing effective, risk-based management control programs. We provide services to assist with:
⦁ Audit support and remediation
⦁ Plan of Action and Milestone (POA&M) Management
⦁ Risk Management Framework Consulting
⦁ Client Information System Security Officer Support
⦁ Assessment & Authorization (A&A)
⦁ Privacy Programs
ASSURANCE
Our Assurance Practice comprises information assurance professionals who specialize in providing audit and attestation services.
Our guiding mission is to serve the public’s interest by promoting transparency and accountability. We believe an audit’s value is maximized when its findings, conclusions, and recommendations position stakeholders, including congressional overseers, federal leaders, and the public, to make positive change for the public good.
To that end, we offer a wide range of assurance services to meet the specific needs of our stakeholders and constantly strive to provide value, regardless of whether the engagement is intended to fulfill a statutory requirement, meet a congressional or legislative mandate, or achieve objectives identified by the organization.
Performance Audits
The business of government is to support the public. Performance audits are the platform from which we facilitate federal agencies’ provision of accountability and transparency in their execution of federal programs.
Generally Accepted Government Auditing Standards (GAGAS) state, “Performance audits provide objective analysis, findings and conclusions to assist management and those charged with governance and oversight with, among other things, improving program performance and operations, reducing costs, facilitating decision making by parties responsible for overseeing or initiating corrective action and contributing to public accountability.” 3C Brokerage has been providing performance audit services as described in GAGAS.
Our performance audit work has included:
⦁ Information security programs under the Federal Information Security Modernization Act (FISMA)
⦁ DATA Act reliability audits
⦁ Reviews of program control designs to provide reasonable assurance that program objectives were met
⦁ Reviews of whether programmatic controls were operating effectively during the period under audit
IT and Cybersecurity Audits
3C Brokerage has performed FISMA audits and other custom IT and cybersecurity performance audits. Our testing includes:
⦁ Evaluations of access controls,
⦁ Configuration and change management,
⦁ Systems development life cycle including audits of Agile and Waterfall implementations, disaster recovery and contingency planning, and
⦁ Overall governance and security frameworks.
We have also performed in-depth cybersecurity audits of firewall design and implementation, including analysis of firewall rule sets, and of the implementation, management and monitoring of security information and event management tools used as part of security operations centers.
Attestation
3C Brokerage offers services to perform attestations under American Institute of Certified Public Accountants (AICPA) Security and Organizational Controls (SOC). SOC offerings include:
⦁ SOC 1 – Report on controls at a service organization relevant to user entities’ internal control over financial reporting
⦁ SOC 2 – Report on controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy
⦁ SOC 3 – Report on controls at a service organization using the trust services criteria for a general use report
We have also performed a variety of audits under AICPA SSAE 19 Agreed-Upon Procedures (AUP) engagements. An AUP engagement allows the auditor to perform specific agreed-upon procedures on a specific subject matter and issue a report based on the results of those procedures.
Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) Readiness Assessment Services
3C Brokerage provides DoD contractors with the expertise to navigate the new and evolving requirements that help protect and defend the U.S. Defense supply chain from cyber risks. Our services include:
⦁ Conducting performance audits to address compliance with National Institute of Standards and Technology Special Publication (NIST SP) 800-171, Revision 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, as well as performing cybersecurity and Federal Information Security Modernization Act (FISMA) audits.
⦁ Performing IT and cybersecurity audit testing that includes evaluating access controls; configuration and change management; systems development life cycles, including audits of Agile and Waterfall implementations, disaster recovery, and contingency planning; and overall governance and security frameworks.
Although the CMMC Accreditation Body has not yet approved any organizations as CMMC Third-Party Assessment Organizations (C3PAOs), 3C Brokerage is following the processes to become a C3PAO that can provide participating defense industrial base (DIB) partners and contractors with consistent and informative assessments against the defined set of controls/best practices within the CMMC program. In addition, our Advisory team currently stands ready and able to assist DIB partners and contractors with their CMMC readiness efforts.
Internal Audits
3C Brokerage supports the mission of internal audit, which is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight. We provide organizations a variety of internal audit services in compliance with the Institute of Internal Auditors’ (IIA) International Professional Practices Framework (IPPF).
Our systematic, risk-based approach leverages customized internal audit programs, tools, and templates that enable us to evaluate and improve the efficiency and effectiveness of governance, risk management, and control processes. Our internal audit assurance and consulting services include:
⦁ Engagement-level audit support via outsourcing, co-sourcing, and staff augmentation – including IT, non-IT and integrated audits.
⦁ Third-party / vendor risk management assessments.
⦁ Cybersecurity assessments.
⦁ Data analytics.
⦁ Privacy audits.