Security Artifact Development


CRITICAL SECURITY DUE DILIGENCE ARTIFACTS PRODUCTION, PRE-CERTIFICATION AND RESILIENCE RESULTS, RISK ASSESSMENT CRITERIA DEVELOPMENT AND RISK ASSESSMENT EXECUTION

Churchill & Harriman (C&H) is privileged to provide our clients with 26 years of demonstrated institutional competency in architecting increasingly remote-based methodologies, through which we produce critical security due diligence artifacts and evidence that satisfy specific requirements (e.g., the SEC, FFIEC, the NIST Cybersecurity Framework and NIST 800 Series, all levels of CMMC, ISO standards, the CRI Profile, and the Shared Assessments Program SCA and SIG). We produce and deliver these and additional critical security due diligence artifacts, evidence, and related audit and assessment work product effectively and efficiently.

We are privileged to advise and serve federal government agencies, institutions whose infrastructure is Designated as “Critical,” Systemically Important Financial Market Utilities, Systemically Important institutions, industry regulators, governing bodies, global public/private consortiums, industry trade associations, global Fortune 100 multi-nationals and clients of all sizes and maturity levels across industries.

CHRONOLOGY OF HIGHLIGHTED RESULTS AND DISTINCTIONS — 1997 TO PRESENT

1997

Selected by highly regulated Fortune 100 organizations to develop risk assessment criteria for the assessment of their critical global vendors; executed and delivered onsite and remote assessments in alignment with those criteria.

1998

Selected to develop, test and implement Business Continuity Management and Disaster Recovery Plans for Fortune 100 organizations, today in formal alignment with ISO 22301. Facilitated and executed Tabletop Exercises serving individual contributors through CEOs, today focusing on ransomware prevention.

2000

Selected by global Fortune 100 organizations to build out original global information security policies based on BS 7799, today in formal alignment with ISO 27001, NIST and additional pertinent criteria.

2001

Selected by a Fortune 100 organization to help implement Public Key Infrastructure (PKI). Developed PKI policy, process, and implementation documentation. Established and delivered a PKI Level 3 helpdesk service and credentialed 80,000 users over a three-year period. Earned a formal endorsement from the CIO and the CISO.

2005

Selected by the SAFE-BioPharma Association to be an original Member of the organization’s Presidential Leadership Team. SAFE (funded by PhRMA) developed a secure and scalable mechanism to submit digitized reports to the U.S. Food and Drug Administration (FDA). Developed the formal SAFE implementation guide and implemented the SAFE system for SAFE Members. In response to a growing need for high assurance digital signatures, several large pharma companies established SAFE as a legal framework to facilitate trust and interoperability of digital identities with government bodies, including the FDA, DEA, and the European Medicines Agency. C&H earned a formal endorsement from The Chairman and The President of SAFE-BioPharma for our contributions.

2005

Selected by the Federal Reserve Bank of New York (FRBNY) to perform all pre-certification services and help the bank ultimately earn certification to ISO 27001. The FRBNY was the first organization based in North America to earn certification to ISO 27001.

2006

Selected by a Fortune 100 organization to develop and deliver Emergency Relocation Plans for their Top 40 Officers.

2007

Selected by a Global Systemically Important Bank (G-SIB) to perform all pre-certification services and help the bank ultimately earn two (2) ISO 27001 certifications. Consolidated six (6) pre-existing formal global information security processes to five (5).

2007-2021

Member of the Shared Assessments (SA) Program Leadership Team; selected to serve on the Program Advisory Board and Steering Committee, and as liaison between these two bodies, accountable to the SA Program Founder, for nine (9) years. Directly matured the AUP and SCA assessment test criteria and the SIG Questionnaire criteria at the Committee level for fifteen (15) consecutive years. Directly contributed to the original planning through launch of the VRMMM and the CTPRP certification program, developing the original VRMMM criteria and the CTPRP certification program questions at the Committee level year over year. Earned a formal testimonial from the Program Founder.

2008

Developed original third-party risk assessment criteria (security, privacy, and compliance) based on ISO 27001 for a Business Process Outsourcer (BPO). Conducted global onsite third-party risk assessments, enabling our client to formally satisfy the security and privacy requirements contained in a U.S. $1.2B contract awarded by an FDA-regulated customer.

2009

Developed the scope of, and executed, a combined NIST 800-53/AUP Assessment of the internal operations of a Big 4 Advisory Firm.

2010

Selected by a G-SIB with special U.S. federal government fiduciary accountability to build and execute their global onsite critical supplier vendor assessment program for six (6) years. Earned a formal endorsement from the Managing Director.

2011

Harmonized ISO 27001, ISO 9001, and ITIL framework requirements for a Fortune 500 market data services provider. Provided extensive pre-certification consulting services, ultimately resulting in our client achieving multiple ISO 27001 certifications.

2012

Selected by G-SIBs to resolve third-party vendor-specific regulatory findings. Developed and implemented end-to-end vendor risk management programs in alignment with FFIEC requirements.

2013

Selected by a U.S. nationwide mobile commerce enterprise to develop and implement an information security management system (ISMS) under ISO 27001, including enterprise information security controls, policies, and standard operating procedures. Performed all pre-certification consulting, ultimately leading to ISO 27001 certification; developed and delivered an information security training and awareness program; executed an enterprise ISO 22307 privacy impact assessment (PIA); developed, implemented and tested enterprise business continuity management/disaster recovery plans under ISO 22301; implemented an enterprise vendor-management system, performed vendor/service provider contract reviews and risk ranking, and assessed high-risk vendors. Earned a formal endorsement from the CEO.

2015

Executed combined NIST 800-53/NIST Cybersecurity Framework (CSF) Assessments for Fortune 100 organizations. Provided the resulting outward-facing attestations to satisfy regulatory and audit requirements and customer inquiries.

2015

Earned a testimonial from a former Special Assistant to the President of the United States for Global Affairs, Special Advisor to the President for Cyberspace, and National Coordinator for Security and Counterterrorism.

2016

Selected by an Information Sharing and Analysis Center (ISAC) to contribute to the development of its first global third-party vendor security artifact, including assessment criteria based on NIST and ISO 27001. Helped stand up this groundbreaking Utility service and executed third-party vendor risk assessments on behalf of the ISAC’s Members. Assessment outputs are formally recognized by the Department of Homeland Security (DHS) and Health & Human Services (HHS).

2018

Selected by an additional Systemically Important Financial Market Utility to perform an SCA Assessment of the client’s internal operations.

2019

Recipient of the Lifetime Achievement Award from the Shared Assessments Program.

2019

Executed and reported on the new Cyber Risk Institute (CRI) Profile Assessment for a Systemically Important Financial Market Utility (SIFMU), a Tier One global financial institution whose infrastructure is designated by DHS as “Critical.” Successfully developed each of the formal tests required to satisfy the 277 diagnostic statements that make up The Profile. Delivered independent third-party Attestation. Selected by the CRI to jointly deliver a webinar to the global financial services community on best practice implementation of The Profile.

2019

Delivered a mapping of 360+ IT Standards and 3,000+ IT Controls against specific risks identified by a Fortune 100 financial services client. Provided work-in-progress analysis of the links between those mapping outputs and the NIST Cybersecurity Framework (CSF) supporting the goal of implementing a program that will result in a set of robust, risk-driven cybersecurity Standards and Controls.

2020

Selected by a Fortune 50 heavily regulated client as Strategic Partner, consulting on cyber resilience, business continuity management and disaster recovery planning in alignment with ISO 22301, the NIST CSF and additional best practices.

2020

Selected by U.S. Department of Defense contractors to consult to them and ensure they are fully prepared for certification at all levels of CMMC.

2021

Selected by an additional Systemically Important Financial Market Utility (SIFMU) to execute the Cyber Risk Institute (CRI) Profile Assessment. C&H has now been privileged to serve five (5) of the eight (8) SIFMUs.

2021

Selected by a Fortune 50 client to help mitigate ransomware attacks through the end-to-end planning and execution of a series of Tabletop Exercises.

2021

Selected by a Systemically Important Financial Market Utility (SIFMU) to produce a critical security due diligence artifact that entailed 120+ tests and 1,700+ attributes to support a strategic global product launch.

2022

Selected by a Fortune 200 client as a formal Partner, developing and implementing go-to-market security solutions and planning and executing against customer security and compliance requirements. Developed and delivered a customer-facing go-to-market Enterprise Resilience self-assessment.

2023

Selected to perform CMMC pre-certification remediation for members of a large nationwide consortium.