Security Artifact Development


ENTERPRISE CYBERSECURITY RISK MANAGEMENT
AND RISK ASSESSMENT COMPETENCIES

Board members and other decision makers want to know the answer to one question, “what have you lived with?”, when selecting a risk management or risk assessment advisor or partner. Churchill & Harriman (C&H) provides our clients with 28 years of demonstrated enterprise cybersecurity risk management institutional competency, from board-level advisory services through global program implementation. We are privileged to serve several of the most discerning clients in the world. Federal government agencies, institutions whose infrastructure is designated as “Critical,” Systemically Important Financial Market Utilities, Global Systemically Important Banks, industry regulators, governing bodies, global public/private partnerships and consortiums, industry trade associations, global Fortune 100 multinationals, and clients of all sizes and maturity levels across industries depend on C&H to help them identify, assess, and mitigate risk. For two decades we have helped mature the accepted global best-practice third-party risk assessment frameworks and assessment criteria used across industries.

We advise on the employment and assessment of Artificial Intelligence, continuous monitoring solutions, and global risk management and risk assessment frameworks and standards. We architect efficient risk assessment methodologies through which we produce critical security due diligence artifacts, proof points, evidence, and earned public-facing attestations that satisfy specific requirements (e.g., the SEC, FFIEC, the NIST Artificial Intelligence Risk Management Framework, the NIST Cybersecurity Framework and NIST SP 800 series, all levels of CMMC, ISO standards, the Cyber Risk Institute Profile, the Shared Assessments Program SCA and SIG, StateRAMP, FedRAMP, NIS 2, DORA, and additional requirements). We produce and deliver these and additional critical security due diligence artifacts, evidence, and required audit and assessment outputs effectively and efficiently, all delivered with the required standard of care.

CHRONOLOGY OF GLOBAL RESULTS AND EARNED DISTINCTIONS — 1997 TO PRESENT

1997

Selected by highly regulated Fortune 100 organizations to develop risk assessment methodologies and criteria for the assessment of their critical global vendors, and to execute and deliver onsite and remote assessments in alignment with those criteria. Subsequently worked with our clients’ respective vendors to help them establish and/or mature their own enterprise risk management and vendor management programs.

1998

Selected to develop, test and implement Business Continuity Management and Disaster Recovery Plans for Fortune 100 organizations, today in formal alignment with ISO 22301. Facilitate and execute Tabletop Exercises for participants ranging from individual contributors to CEOs, today focusing on critical business applications, technical applications, and business processes. Quoted in The Wall Street Journal in 2023 for our exercise bona fides.

2000

Selected by global Fortune 100 organizations to build out and implement original global information security policies based on BS 7799—today in formal alignment with ISO 27001, NIST, and additional pertinent criteria.

2001

Selected by a Fortune 100 organization to help implement Public Key Infrastructure (PKI). Developed PKI policy, process, and implementation documentation at both the global data center and end-user levels. Established and delivered a Level 3 PKI helpdesk service and credentialed 80,000 users over a three-year period. Earned a formal endorsement from the CIO and the CISO.

2003

Selected by The British Standards Institution (BSI Americas), a leading global registrar and standards body, as the first Associate Consultancy for BS 7799 Information Security pre-certification services (now ISO 27001) and for BS 25999 Business Continuity pre-certification services (now ISO 22301).

2005

Selected by the SAFE-BioPharma Association to be an original Member of the organization’s Presidential Leadership Team. SAFE (funded by PhRMA) developed a secure and scalable mechanism to submit digitized reports to the U.S. Food and Drug Administration (FDA). Developed the formal SAFE implementation guide and implemented the SAFE system for SAFE Members. Established and delivered the SAFE helpdesk function. In response to a growing need for high-assurance digital signatures, several large pharma companies established SAFE as a legal framework to facilitate trust and interoperability of digital identities with government bodies, including the FDA, DEA, and the European Medicines Agency. Earned a formal endorsement from both the Chairman and the President of SAFE-BioPharma for our contributions.

2005

Selected by the Federal Reserve Bank of New York (FRBNY) to perform all pre-certification services, beginning with scope development, helping the bank ultimately earn certification to ISO 27001. The FRBNY was the first North American organization of any kind to earn certification to ISO 27001, establishing a new, heightened standard for information security on Wall Street.

2006

Selected by a Fortune 100 organization to develop and deliver Emergency Relocation Plans for their Top 40 Officers. Earned a formal endorsement from the client’s executive project sponsor.

2007

Selected by a Fortune 50 Global Systemically Important Bank (G-SIB) to perform all pre-certification services and help the bank ultimately earn two (2) ISO 27001 certifications. Consolidated the six (6) pre-existing formal global information security processes into five (5).

2007

Selected by a Systemically Important Financial Market Utility (SIFMU) to develop, implement and execute their third-party risk assessment program employing the Shared Assessments Program AUP and SIG artifacts. Co-developed a public facing case study with the client to promote global third-party risk governance best practice throughout the global financial services industry.

2007-2021

Member of the Shared Assessments (SA) Program Leadership Team; selected to serve on the Program Advisory Board and Steering Committee. Selected by the Program Founder to be the liaison between these two bodies and discharged these duties for nine (9) years. Directly matured the AUP and SCA assessment test criteria and the SIG Questionnaire criteria at the Committee level for fifteen (15) consecutive years, contributing to the development, implementation, and maturation of third-party risk governance and assessment strategy, tests, and criteria adopted across global industries. Directly contributed to the original planning through the launch of the VRMMM program and the CTPRP certification program. Developed the original VRMMM criteria and the CTPRP certification program questions at the Committee level year over year. Earned a formal testimonial from the Program Founder.

2008

Developed original third-party risk assessment criteria (security, privacy, and compliance) based on ISO 27001 for a Business Process Outsourcer (BPO). Conducted global onsite third-party risk assessments, enabling our client to formally satisfy security and privacy requirements for a U.S. $1.2B contract awarded to our client by an FDA-regulated customer.

2009

Scope development and execution of a combined NIST 800-53/AUP Assessment of the internal operations of a Big 4 advisory firm. The outputs of this groundbreaking assessment enabled our customer to begin performing services for a U.S. federal government agency.

2010

Selected by BNY Mellon to build and execute a new, comprehensive global onsite critical supplier vendor assessment program, executing this program for six (6) consecutive calendar years. The outputs of this program were required to satisfy the special U.S. federal government fiduciary requirements BNY Mellon had as the formal Custodian of the Troubled Asset Relief Program (TARP). Subsequently developed and delivered global region-specific risk assessment criteria and executed onsite assessments against those criteria to satisfy legal and regulatory requirements. Earned a formal letter of endorsement from the Managing Director.

2011

Harmonized ISO 27001, ISO 9001, and ITIL framework requirements for a Fortune 500 market data services provider. Provided extensive pre-certification consulting services, ultimately resulting in our client achieving multiple, concurrent ISO 27001 certifications.

2012

Selected by the Federal Aviation Administration (FAA) to develop and deliver new, comprehensive security and privacy requirements for the FAA’s non-NAS software development life cycle process (SDLC). Additionally contributed to the development of a new enterprise information security architecture. Earned the highest possible Past Performance Citation and received a letter of thanks from the FAA’s Acting CIO.

2013

Engaged by Softcard, a U.S. nationwide mobile commerce enterprise owned by AT&T, T-Mobile, and Verizon, partnering with three major credit card issuing global banks. Successfully developed and implemented an information security management system (ISMS) under ISO 27001 including enterprise-wide information security controls, policies, and standard operating procedures; performed all pre-certification consulting ultimately leading to ISO 27001 certification; development and delivery of an information security training and awareness program; executed an enterprise ISO 22307 privacy impact assessment (PIA); development, implementation, and testing of enterprise business continuity management/disaster recovery plans in formal alignment with ISO 22301; implemented an enterprise vendor-management system, performed vendor/service provider contract reviews and risk ranking; and assessed high-risk vendors. Earned a formal endorsement from Softcard’s CEO.

2015

Executed combined NIST 800-53/NIST Cybersecurity Framework (CSF) Assessments for Fortune 100 organizations. Provided earned outward facing attestations to satisfy regulatory and audit requirements, and customer/prospect inquiries. Provided the thought leadership and established a groundbreaking enterprise-level audit locker for a customer, resulting in an Award of Excellence from their CEO.

2015

Earned a testimonial from a former Special Assistant to the President of the United States for Global Affairs, Special Advisor to the President for Cyberspace, and National Coordinator for Security and Counterterrorism.

2016

Selected by the Health Information Sharing and Analysis Center (Health-ISAC) to establish, build out, and execute Health-ISAC’s first global third-party vendor security service, meant to serve Health-ISAC’s Member organizations. The establishment of this Utility service was the first of its kind within the entire ISAC community. C&H was required to conduct the analysis and selection of assessment criteria, ultimately based on NIST, ISO 27001, HITRUST, the Shared Assessments SIG, and continuous monitoring functionality. Stood up this groundbreaking Utility service and executed third-party vendor risk assessments on behalf of Health-ISAC’s Members. Assessment outputs are formally recognized by the Department of Homeland Security (DHS) and Health & Human Services (HHS).

2018

Selected by an additional Systemically Important Financial Market Utility (SIFMU) to perform an SCA Assessment of the client’s internal operations.

2019

Recipient of the Lifetime Achievement Award from the Shared Assessments Program.

2019

Executed and reported on the new Cyber Risk Institute (CRI) Profile Assessment for a Systemically Important Financial Market Utility (SIFMU), a Tier One global financial institution whose infrastructure is designated by DHS as “Critical.” Successfully developed and executed each of the formal tests required to satisfy the 277 diagnostic statements that make up The Profile. Provided an independent earned third-party Attestation as a result of this assessment. Subsequently selected by the Cyber Risk Institute to provide best practice implementation advice to the global financial services community via webinar and videos on the CRI public website.

2019

Delivered a mapping of 360+ IT Standards and 3,000+ IT Controls against specific risks identified by a Fortune 100 financial services client. Provided analysis of the links between those mapping outputs and the NIST Cybersecurity Framework (CSF) supporting the goal of implementing a program that resulted in a new set of robust, risk-driven cybersecurity Standards and Controls.

2020

Selected by a Fortune 50 heavily regulated client as Strategic Partner, consulting on cyber resilience, business continuity management, and disaster recovery planning in alignment with ISO 22301, the NIST Cybersecurity Framework, and additional best practices.

2020

Selected by U.S. Department of Defense contractors to advise them and ensure they are fully prepared for formal assessments at every level of CMMC compliance and certification.

2021

Selected by an additional Systemically Important Financial Market Utility (SIFMU) to execute the Cyber Risk Institute (CRI) Profile Assessment. Note: C&H has been privileged to serve five (5) of the eight (8) Systemically Important Financial Market Utilities.

2021

Selected by a Fortune 50 healthcare client to help mitigate ransomware attacks through the end-to-end planning and execution of a series of Tabletop Exercises. Exercise targets included business risks, technical risks, and business applications risks, including the formal #1 critical application within the client’s critical application portfolio. Earned a formal endorsement from the client’s Project Manager.

2021

Selected by a Systemically Important Financial Market Utility (SIFMU) to produce a critical security due diligence artifact that required the execution of 120+ tests and 1,700+ attributes to satisfy requirements inherent to a strategic global product launch.

2022

Selected by a Fortune 200 corporation to develop and implement go-to-market security solutions including the analysis of global customer security and compliance requirements. Developed and delivered a customer facing go-to-market Enterprise Resilience self-assessment.

2023

Selected to perform CMMC pre-certification remediation for members of a large nationwide consortium.

2023

Selected by Lenovo as a ThinkShield portfolio security partner, delivering enterprise cybersecurity risk management solutions, from advisory through implementation, in partnership with Lenovo and serving Lenovo’s global customer community.

2023

Selected to execute enterprise-wide pre-certification tasks enabling customers to earn StateRAMP authorization.

2023

Cited in The Wall Street Journal, providing Tabletop Exercise planning and execution advice.

2024

Earned a testimonial from a former Acting Secretary of The United States Department of Homeland Security and FEMA Administrator.

2024

Selected to execute enterprise-wide tasks enabling customers to comply with the Directive on Security of Network and Information Systems (NIS 2 Directive), a European Union directive aimed at enhancing cybersecurity across member states.

2024

End-to-end planning, execution, and reporting of U.S. Department of Homeland Security sponsored Tabletop Exercises for county government clients. These exercises simulated response scenarios for evolving cyber incidents and other incidents impacting county-level emergency response services.