Turner and Associates, Inc., is a premier management consulting firm based in Columbus, Ohio specializing in IT advisory and governance for enterprise risk management.  We provide expert guidance to many financial institutions, healthcare organizations, and government agencies.

IT consulting services for financial institutions in enterprise risk management include IT risk assessments, network security and vulnerability assessments, penetration testing, FFIEC compliance audits, IT controls reviews, GLBA compliance audit, Internet Banking reviews, Red Flags, audit plan assistance, policy writing and information security plan development, and NACHA Audit for ACH Wire Transfer Environment.  Much of our experience in auditing financial institution links various regulatory agency requirements and the tendencies of examiners from the FDIC, OCC, FRB and NCUA organizations.

Our healthcare IT consulting services in enterprise risk management include IT risk assessments, network security and vulnerability assessments, penetration testing, IT controls reviews, HIPAA and HITECH audits, policy writing and information security plan development, and Meaningful Use risk assessments (Measure 14 Risk Analysis of 'The Core Measures').

We also perform IT consulting services for Government agencies which include IT risk assessments, network security and vulnerability assessments, penetration testing, IT controls reviews, policy writing and information security plan development, and NACHA Audit for ACH Wire Transfer Environment in the enterprise risk management realm.

While some of our enterprise risk management IT consulting services and IT audits overlap in the financial institutions, healthcare, and government industries, we also provide several other niche IT consulting services, which are industry independent.  Turner and Associates, Inc., has a fully mature digital forensics investigation practice where we can perform incident response for an organization seeking immediate assistance with data breaches, hacked / compromised information systems in the form of entire networks, servers, or workstations.  Our digital forensics investigations also include FDIC regulatory investigations for troubled assets and Bank failures.  Our digital forensics IT consulting service can confidently guide your company through a complex and sensitive investigation.

Other niche services that Turner and Associates, Inc., provide are end-user security awareness training, secure lockdown (when a key IT staff member departs a company or in response to an incident), cloud security audits, ISO / IEC 27001 compliance and certification assistance.

Turner and Associates, Inc., specialize in enterprise risk management IT consulting areas by ensuring organizations meet their compliance with all applicable laws and regulations. Our technology consulting staff members can work with existing internal audit staff members or as a complete outsourced solution for internal audits to any organization in every industry. Using our enterprise risk management experience, we recommend practical cost-effective solutions to identified risks which impact an organization’s data security and privacy.

Enterprise Risk Management in Banking


Data breaches come in many forms and everyone is getting worse at stopping them.  One of the contributing factors in the rise of data breaches is the lack of understanding of the security fundamentals at the board level.  This causes a big gap between the people performing information security at Banks and the highest level executives. When this gap becomes too large, there is never going to be adequate funding for security initiatives at Banks.


Cyber Security & Data Breaches: What Financial Institutions Need to Know


Data breaches and security issues plague financial institutions constantly. They are important to safeguard against for the protection of confidential information housed at institutions and for the regulatory exams that expect detailed security plans in place. Turner & Associates, will provide insight into the topic of data breaches and penetration testing. He will review these security topics, discuss how to implement a plan in the case of a security breach, and how to limit data breach risk exposures to your organization.


This webinar will be brought to you through our strategic partnership with Sageworks, Inc.



Safe and Secure MobileEveryone knows that risk is an unavoidable part of doing business.  However, the ability to successfully manage that risk increases the overall value of an organization to its stakeholders. Managing risks in a timely, reliable and accurate approach is also a key factor in the overall success for many organizations.

Information technology infrastructures are rapidly changing.  When new technologies are placed in production environments, organizations require staff members with special skill sets to manage the hardware and software in these new technologies. 

As a result, risk associated with supporting these new information systems is often ignored unless complications arise.  Turner and Associates Inc. can help mitigate this risk.  Our team of IT consulting and advisory professionals serve clients in the financial, healthcare, and government.  We have assisted many organizations by helping them build and adapt risk management capabilities for newer technologies, significant expansion, and increased regulatory changes.  Our experts have both industry and public accounting experience.  We believe this experience is key to understanding compliance driven regulations, as this landscape continually changes.  We also provide guidance to organizations on the impact of new business processes within the organization and cutting edge technologies being released in the organization’s industry.

We offer expert IT Advisory and Consulting for the following services:

  Digital Forensics Investigation / Incident Response

  Network Security – Penetration Testing and Vulnerability Assessments

  Security Awareness Training

  Secure Lockdown

  IT Infrastructure and Application Controls Reviews

  Compliance Assessments for Privacy Regulations:



 IT and Operational Risk Assessments

  SSAE 16 (Formerly SAS 70)

  Business Continuity Planning


  Cloud Security Audit

  ISO / IEC 27001 Compliance and Certification Assistance

  Sarbanes-Oxley Compliance (Section 404  Documentation and Testing)

  Policy Writing / Information Security Plan Development

  Audit Plan Assistance

 Staff Loan and Resource Assistance

  Data analytics

  Red Flag

 NACHA Audit for ACH Wire Transfer Environment

At Turner and Associates, our commitment to you is excellence; we deliver quality without compromise and exceed our client expectations.

Digital Forensics Custom

At Turner and Associates Inc., we have, through our experienced staff members assisted clients with the acquisition, handling, treatment, and storage of evidence in computer forensic cases.  Our experience includes establishing forensically sound, evidentiary methods and procedures for investigating criminal activity involving computers and computer-based systems for the acquisition, analysis and reporting of digital evidence. 

We have a strong working knowledge of legal concepts and evidentiary procedures for investigating criminal activity involving computers and computer-based systems.  Our staff members utilize proper scene management techniques to recover all necessary physical and logical evidence and document the entire process whether it relates to digital evidence in Windows, DOS, Macintosh, Linux, Boot Processes, or File Systems.  We use the most current computer forensic tools available for digital evidence collection and analysis where the related findings are published and presented to our clients.

Members of our staff have performed forensic investigations for clients in the Financial, Healthcare, and Government industries.  Our security specialists have analyzed numerous types of computer crime cases to ascertain and evaluate the criminal investigation and prosecution when implementing digital evidence and testimonial evidence is utilized in a computer crime.  We have conducted email investigations involving URL spoofing and publishing through Emails on an Exchange Server. Our staff members have had exposure to advanced investigative techniques to track criminals over local and wide area networks, including international computer crimes.

If your company needs digital forensics assistance in response to an incident, an investigation into users and their actions (including network administrators), or even a FDIC regulatory investigation, let the experts at Turner and Associates Inc. confidently guide you through these complex and sensitive investigations.

CCE LOGO_RGB-1737x1743 Mobile

Network Security MobileAt Turner and Associates Inc., we take a different approach than most of our competitors to Information Technology Security. While other companies will only review a sample of size of your LAN (internal) and WAN (external) devices, we review all the devices attached to an entire network. This holistic approach allows us to confidently assure our clients that we have located all the vulnerabilities on their networks during one of our point-in-time network security assessments. We use this approach because we are serious about Information Technology security. Our competitor's sample sized approach could leave unknown vulnerabilities on your network just waiting to be exploited. These vulnerabilities could ultimately lead to an incident ranging from a data breach to a denial-of service; any of which, are unacceptable for our client's business continuity. This holistic approach also significantly increases our client's security posture post remediation.

At Turner and Associates Inc., we have extensive network penetration experience for many clients in the Financial, Healthcare, and Government industries. Using a seven phased approach, we locate all internal and external based threats to our client's Information Technology infrastructure via true hacker-style techniques. Therefore, we do not run a vulnerability scan to locate network vulnerabilities; rather, we use it as a 'catch-all' after we have located many of findings using manual techniques.

Our security engagements can be divided into any combination of the following areas to be tested:

External Network Security Assessment – The scope of this assessment includes a full penetration test on all the devices within the external WAN. Devices in our testing may include Firewalls / Internet Accessible Servers / Remote Access (i.e. VPN's) / Routers.

Internal Network Security Assessment – The scope of this assessment includes a full penetration test on all the devices within the internal LAN. We will attempt to elevate our privileges all the way up to domain administrator access. Devices or areas in our in our testing may include data encryption, password strength, patch management, servers, SAN, e.g., storage systems wireless access points, and workstations.

Web Application Security – The scope of this assessment includes a full web application security assessment from both an unauthenticated and authenticated prospective. Through our penetration testing, we fully test and document the security on all Internet facing web applications. Our approach will not only test for OWASPs "Top-Ten" web application vulnerabilities, but other vulnerabilities, which may have not been discovered and remediated during an application's development lifecycle. Vulnerabilities discovered in our testing would include Injection cross-site scripting (XSS), broken authentication and session management, insecure direct object references, cross-site request forgery (CSRF), improper security configuration, insecure encryption, failures to restrict URL access, insufficient transport layer protection, and auto-redirection / forwarding vulnerabilities.

Wireless Network Assessment – The scope of this assessment includes a full wireless penetration in an attempt to gain access to the wired network within the internal LAN. Areas in our in our testing may include network management and monitoring capabilities, wireless signal patterns, wireless access point (WAP) configurations , WAP physical locations, network design, and vulnerability discovery.

Social Engineering Assessment – The scope of this assessment includes using social engineering techniques to gain access to user credentials, unauthorized physical access to a building or highly sensitive area, or confidential customer data. The tests performed in this area, is a direct test against a company's end-user awareness training program. Areas in our testing may include a fake phishing website, phishing emails, spoofed phone calls, and piggy backing (unauthorized physical access). We can also couple this area of testing with the internal network security assessment to offer a true "blind" penetration of a company's IT infrastructure. In our experience, very few clients request an unannounced "blind" security penetration test. These organizations are typically larger in asset size, have dedicated IT Security staff, and budgets large enough to support the cost of implementing solutions to not only detect but prevent attacks in real-time.

End-user Awareness Training – We can come onsite to a company's corporate office and train staff members in a group setting that provides guidance in IT security and attacks that are facing many organizations today. Our training presentations help elevate the overall knowledge of a company's end-users; thus, making your staff members a better first-line-of-defense in thwarting potential attacks. The areas presented may include social engineering, data breach incidents, incidence response, social media and their 'best' practices, or even regulatory and compliance areas.

Hompage Logo MobileWith the economy the way it is, we have noticed there are some key staff members transitioning from one job to another job via either a job promotion or potentially, a termination. Whenever these key staff members hold job titles within a company's IT group, there is an inherit secure risk that needs to be effectively remediated as these staff members transition out of a company. The risk level associated with an event is critical if the key staff member had domain administrative access to a company's network. Companies need to understand they have obligation or potentially, a fiduciary duty to protect their company's assets from the risk posed to their organization when key staff members depart. At Turner and Associates, we specialize in guiding companies through the risk posed by any key staff member's departure. We have a proven approach that methodically and securely lockdowns any network in any industry, e.g., Financial Institutions, Healthcare, and Government. We also believe that is a 'Best' practice to perform this type of audit at least every two years. When coupled with our network security assessment, companies can be fully assured that all IT security risks posed to an organization have been identified our "Point-in-time" assessment. This engagement is typically divided several phases:

Network Discovery – In this phase, a Turner security expert will systematically locate, gather, identify, and document information on each every device within both the WAN and LAN networks. Information gathered in this phase includes items such as, domain names, IP network ranges/internal and external subnets, information about operating systems and applications, etc.

Device Enumeration – In this phase, a Turner security expert will gather more comprehensive information about all the devices throughout the WAN and LAN, such as open shares, user account information, default configurations, and available services such as FTP, HTTP, Telnet, SSH, HTTPS, etc. This phase identifies all active devices, map any open ports, and identifies software and applications currently running on each device.

Develop Secure Lockdown Checklist – Our audit checklist has three fully developed areas of concern that should be completed in an orderly fashion.

i.  Physical Access – Revoke physical access to protect against theft, tampering, or damage.

 ii.  Remote Access – Secure remote access to protect against Internet based threats.

 iii.  Infrastructure Access – Secure internal IT infrastructure to protect against internal based threats.

Secure Lockdown Observation – We provide our Secure Lockdown Checklist to the company's current IT staff members. Thereafter, we independently observe and document our secure lockdown being implemented by a company's IT staff members (post event). This allows us to provide independent confirmation for a company that all of the documented devices and key security configurations were change and securely locked down.

Plan of Action and Milestones (POA&M) – In the event a recommended security configuration or password change affects a company's business continuity, we will pull the uncompleted task from our Secure Lockdown Checklist into a POA&M. This will allow management to have oversight of its IT staff members during the remediation phase. Management will have the ability to ensure that are identified that were not remediated during our observation risks are put into the POA&M to remediate post haste. This will allow management to hold the IT staff members accountable for remediating sometimes highly technical findings which management may not fully understand or impact of the security risk posed to their organization.


Cloud Computing MobileCloud computing allows computational power, IT infrastructure, applications, and business processes to be delivered to customers via on-demand. Cloud computing is also offered via public Clouds, private Clouds, and hybrid Clouds (a combination of both public and private Clouds). The Cloud itself refers to the hardware, networks, storage, services, and interfaces that provide a Cloud computing as a service. Cloud services range from hosted software, IT infrastructure, and data storage. Cloud users range from the end user that is unaware of the underlying technology; to the organization’s management team which is responsible for the IT governance of data in the Cloud; and the Cloud service providers, which provides and guarantee the service levels and security to their customers.

If your company is using the Cloud to store or process its core data, then there is a whole realm of security and controls issue that need to be thoroughly audited by experienced individuals to ensure all institutional risks are identified.

At Turner and Associates, we have experience with performing Cloud-based audits. We ensure your company understands all security aspects, which are implemented via the controls environment that protects your data in the Cloud. During our Cloud audit, we specifically test all of the compliance driven areas compared against industry ‘Best’ practice to ensure risks are identified so they can be remediated. This increases your company’s security posture and meets compliance driven regulations that examiners will want to see, as ‘Proof’ during an examination audit. If your company has specific requirements that need to be met based on regulation(s), Turner and Associates can help. These are just a few of the areas we test during a Cloud-based audit:

  Data protection

  Vulnerability management

  Identity management

  Physical and personnel security


  Application security

  Incident response


  Business continuity and disaster recovery

  Logs and audit trails

  Specific compliance requirements


  Intellectual property

  End-of-service support


In Cloud computing, data is separated from infrastructure and there are many operational factors and controls that exist which need to be thoroughly examined. These operational differences in the Cloud give rise to a unique set of security and privacy issues that directly impacts your organization’s risk management practices. There are also many new legal issues in the areas of compliance, auditing, and eDiscovery, as they relate to the Cloud. If you are unsure how to test the security of your Cloud, let Turner and Associates experienced staff members assist with auditing your organization’s Cloud. We have extensive experience in performing Cloud-based audits.

CIA of Infromation Security MobileISO/IEC 27001 certification means that you are a quality company and spent the necessary time developing your Information Security Management System (ISMS). The ISMS ensures there are adequate security controls in place and will also continually improve over time. This requires the management team to have full control of their information security. To become certified, your company must pass an external audit on your organization's ISMS. For this certification to have any real meaning, you should choose to have an accredited certification body (CB) perform the external audit. This audit is typically conducted in several phases:

Document Request List Initiated – an accredited CB will request copies your organization's ISMS documentation. Thereafter, they will review all necessary documentation and schedule an onsite visit.

Onsite Audit – staff members from an accredited CB certification body will methodically perform their audit work and checklist to provide the necessary evidence that the ISMS is operating correctly. The ISMS policies, standards and procedures will be compared against the ISO/IEC 27001 requirements. All key areas must have supporting evidence / artifacts that are fully documented and tested to ensure the validity of ISO/IEC 27001 requirement is being met by your organizations ISMS

Audit Wrap-up – the formal results of the ISO/IEC 27001 audit will be documented and discussed with your organization's management team. These documented results typically fall into one of three categories of risk which could impede the issuance your organization's ISO/IEC 27001 certification. See Below:

i.  Observation – general 'Best' practices recommendations

 ii.  Minimal Non-Compliant – issues that need to be addressed in the near future for certificate to be granted. These would be confirmed by follow-up visit.

 iii.  Major Non-Compliant – issues discovered that would prevent the ISO/IEC 27001 certificate from being awarded. Typically an audit would be suspended once a 'Major' issue was identified. This would allow your organization time to fix the issue before continuing the ISO/IEC 27001 certification process.

If all necessary requirements are met, your organization's certificate will be issued. Thereafter, there will be periodic follow-ups for as long as your organization chooses to maintain its certification. A formal recertification is required every three years, as the ISO/IEC 27001 certificates are only valid for a three year timespan.

Knowing where to begin the ISO/IEC 27001 certification and having an idea of where your organization stands compared to the ISO/IEC 27001 certification can be daunting. At Turner and Associates, we can help guide your organization through the entire ISO/IEC 27001 certification process. Our auditors have extensive experience in performing an ISO/IEC 27001 certification gap analysis on your organization's ISMS implementation. We will examine all of the current controls currently implemented at your organization and compare them against the recommended ISO/IEC 27001 requirements. Upon locating gaps, we will provide a very detailed recommendation to each of the gaps, which will assist your organization in closing non-compliance issues identified. We believe our guidance in this area could play a crucial part of assisting your organization in becoming ISO/IEC 27001 certified. We can assist your organization throughout the entire process.

Safe and Secure MobileAn IT risk assessment is the first step in developing, maintaining, and managing an effective information security program. Risk assessment helps ensure that your organization has properly identified significant risks and determined what actions are appropriate to mitigate the identified risks. An organization operating with a poor IT security program management is a major problem. This could ultimately affect the confidentiality, integrity, and continuity of your organization’s core data.

At Turner and Associates, we have performed numerous IT risk assessment for organizations in the Financial, Healthcare, and Government industries. Our experts will specifically identify your organization’s assets in the following key areas:

  Digital Assets

  Business Databases

  Source Code

  Key Software

  Non Digital Assets

  People Assets


  Network Devices




  Support Utilities

Once we have identified all of your key assets, Turner and Associates will develop a risk-based threat matrix, which will identify all threats to your organization’s asset inventory. Thereafter, we will identify any controls currently implemented at your organization, which could reduce or mitigate the threats to your asset inventory. This will allow us to determine if there are any gaps in your organization’s security control environment. Where gaps are located in your security controls environment, Turner and Associates will recommend practical, cost-effective solutions, which can be implemented to lower any non-mitigated risks to an acceptable level.

CIA of Infromation Security MobileAn IT control is a procedure or policy that your organization uses to provide a reasonable assurance that IT infrastructure operates as intended. These controls help ensure that your organization meets compliance with applicable laws and regulations. IT Controls can be categorized as either general controls (ITGC) or application controls (ITAC).

An IT general control should demonstrate a procedure or policy that affects the management of organizational processes e.g. risk management, change management, disaster recovery and IT security. IT application controls, are actions that a software application automatically performs to ensure that data is properly maintained. For example, your organization's payroll application should ensure that only the proper staff members have authorization to this system and their actions are monitored by creating audit trails.

Based on the industry of your organization, Turner and Associates will combine the COBIT and COSO frameworks to provide detailed testing of your organizations IT controls environment.

COBIT is a control model that assists organizations meet their need in IT governance. This framework also ensures the integrity key data and your organizational IT systems.

COSO is a framework which assist organizations meet their need in enterprise risk management (ERM), internal controls, and fraud deterrence.

At Turner and Associates, we will perform detailed testing of your organization's implemented IT controls. Thereafter, our experts will recommend practical cost-effective solutions to ensure your organization meets compliance with applicable laws and regulations.

Safe and Secure MobileRisks to information security have continued to stay relatively high to organizations, as individual identity theft dramatically increases.

The Gramm Leach Bliley Act (GLBA) is a comprehensive law which affects organizations or business units that deal with financial information. This financial information may include nonpublic personal information e.g. address or phone numbers, bank account numbers, credit card account numbers, social security numbers, personal income, or credit history.

GLBA was introduced to ensure the security and confidentiality of customer information. GLBA mandates procedures and guidelines be implemented which protects confidential customer information against any anticipated threats or exposures to the security and integrity of confidential customer information. To protect against personal data theft, GLBA also requires that guidelines be implemented at these organizations which protect confidential customer information against unauthorized access or misuses of this data which could result in significant damage or inconvenience to customers.

At Turner and Associates, we have performed many GLBA audits which provide detailed testing of all the key requirements. Certain procedures may not apply to smaller less complex institutions. Our experts take these factors into consideration during our testing procedures.

Turner and Associates combines the COBIT and COSO frameworks to provide detailed testing of your organizations IT controls environment. We also review your organizations standards for developing and implementing:

  Administrative Safeguards

  Technical Safeguards

 Physical Safeguards

This helps us determine if your organization properly protects the security, confidentiality, and integrity of confidential customer information.

We also examine in great detail:

  Board Involvement

  Information Security Program

  Risk Assessment Program

  Internal Controls and Polices

  Measures Taken to Oversee Service Providers

  Determine Effectiveness of Process which Updates Information Security Program

  Overall Implementation of the Standards

Where exceptions or gaps are located in organization's compliance to the GLBA standards, Turner and Associates our experts will recommend practical cost-effective solutions to ensure your organization meets compliance with the GLBA regulations.

HIPAA HITECH MobileThe Health Insurance Portability and Accountability Act (HIPAA) was created to make the healthcare delivery system more cost effective and efficient. The main component HIPAA revolves around the standardization of electronic patient information which includes the transmission electronic bills and claims information. The new electronic format allows for an increased potential for medical records abuse or fraud. Therefore, a key part of HIPAA was to increase and standardized the confidentiality and security of patient healthcare data.

The Health Information Technology for Economic and Clinical Health Act (HITECH), made important changes to HIPAA, particularly with regards to "Improved Privacy Provisions and Security Provisions."

Any entities that handles, maintains, stores, or exchanges private healthcare or patient-related information, regardless of size, must fully comply with these privacy regulations. Entities found to be HIPAA non-compliant will face:

Costly penalties from the government (State and Federal)

Hefty Fines

Sole Liability

Criminal Offense

Loss of Patient Confidence

Data Breach Notification

Increased Compliance Audits

If your organization is unsure whether or not it is compliant with all of these privacy regulations, let Turner and Associates provide our expert guidance with our HIPAA / HITECH audit.

Turner and Associates will combine the COBIT and COSO frameworks to provide detailed testing of your organizations controls environment.

Just a few mandatory key areas we specifically test during our HIPAA / HITECH audit:

Administrative Safeguards:

Security Management Process

Assigned Security Responsibility

Workforce Security

Information Access Management

Security Awareness and Training

Security Incident Procedures

Contingency Plan


Business Associate Contracts and other Arrangements

Physical Safeguards

Facility Access Controls

Workstation Use

Workstation Security

Device and Media Controls

Technical Safeguards

Access Controls

Audit Controls


Person or Entity Authentication

Transmission Security

Thereafter, were gaps are identified, Turner and Associates' experts will recommend practical cost-effective solutions to ensure your organization meets compliance with all of the privacy regulations mandated by HIPAA / HITECH.

HIPAA HITECH MobileThe Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs provide financial incentives for the "meaningful use" of certified EHR systems and technologies to achieve health and efficiency goals.

Nowadays, hospitals are scrambling to comply with the “meaningful use” requirements through the implementation of EHR systems and certified EHR technologies. These new EHR systems will reduce errors and increase the availability of records and data. They will also provide the functionality of reminders and alerts, clinical decision support, and e-prescribing/refill automation.

The American Recovery and Reinvestment Act of 2009 allows hospitals to qualify for incentive payments; if, the following requirements are met:

Medicare EHR Incentive Program – demonstrate “meaningful use” of certified electronic health record technology every year of participation.

Medicaid EHR Incentive Program – adopt, implement, upgrade or demonstrate “meaningful use” in both the first year and all subsequent years of participation.

At Turner and Associates, Inc., we see the biggest pitfall most hospitals are currently having is with Measure 14 of the “Meaningful Use Core Measures”. Measure 14 mandates that hospitals conduct a security Risk Analysis in accordance with the requirements under 45 CFR 164.308(a)(1), implement security updates as necessary, and correct security deficiencies identified as part of its risk management process. Most hospitals’ IT staff members do not have the expertise or tools needed to accurately perform a Measure 14 Risk Analysis.

Completing a Risk Analysis is the first step in hospital’s ‘Security Rule’ compliance efforts. A Risk Analysis is also an ongoing process that should provide hospitals with a detailed understanding of the risks to the confidentiality, integrity, and availability of EHRs.

At Turner and Associates, Inc., we are experts in assisting hospitals with Measure 14. We use the following two phased approach to ensure hospitals are compliant with Measure 14 (Risk Analysis):


1)Electronic Personal Health Information ePHI Discovery – We identify all network devices where rogue ePHI is being stored. The discovery phase will be broken down into the following sub-phases:

     I. Network Diagram Review – We will review the hospital’s entire network diagram with IT staff members to determine where all ePHI should be located throughout the entire network. Devices where known ePHI is being stored securely and in accordance to the hospital’s formal polices will not be included in this phase of the engagement.

     II. Target Enumeration – We will sweep the entire network to locate, identify, and document each of the remaining network devices (workstations, servers, etc.) within the scope of our engagement.

   III. Remote Credentialed Scanning – We will perform a remote credentialed scan against every target identified in our ‘Target Enumeration’ phase. Our scan will be configured to locate multiple types of personally identifiable information (PII) and electronic personal health information (ePHI).

     IV. Reporting – We will provide a detailed report that identifies all network devices in scope along with file locations within each device where ePHI is being stored.


2)Security Risk Analysis – Examine the potential risks and vulnerabilities to the confidentiality, availability, and integrity of the hospital’s EHR systems that create, receive, maintain, or transmit ePHI. Our examination will be completed through a combination of interviews, review of policies, procedures, and other related documentation, and physical observations while onsite.

Thereafter, we will develop a Risk-based Matrix to show compliance with the “meaningful use” requirements identified in Measure 14 and recommend practical cost-effective solutions to any identified gaps.

CIA of Infromation Security MobileIn April 2010, the AICPA published a new Attestation Standard, SSAE No. 16, which supersedes the existing guidance e.g. SAS 70 for performing an examination of a service organization's controls and processes. SAS 70 has been replaced by the new standard, SSAE 16, effective for reporting periods dated on or after June 15, 2011. Companies subject to the SSAE 16 include financial transaction processors, software vendors, third-party administrators, HR and benefits processors, and application service providers. Companies which are subject to compliance with Sarbanes-Oxley (SOX) and the Graham-Leach-Bliley Act (GLBA) and those with strong vendor management programs rely on these audit standards to understand the effectiveness of their service providers' internal controls.

Third party servicers can benefit by SSAE 16, as it can be used by a customer's financial statement auditor to determine reliance on controls in place at the service provider. SSAE 16 also provides existing customers with the operating effectiveness of the internal control environment. A strong internal control environment indicates to all potential customers that a company has a strong commitment to internal controls and transaction processing integrity. SSAE 16 also eliminates the need for many separate onsite audits by individual customers, as this satisfies a requirement by customers that an audit of internal controls be in place at their service provider.

At Turner and Associates, we have a strategic business alliance with several large CPA firms which allow us to offer this service at a preferred billable rate; which, results in deep discounted prices to our clients.

continuity2Business continuity planning is a vital activity to all companies. This planning is extremely complex and requires expert guidance. It is crucial that organizations understand all of the underlying risks to a potential disaster. This allows organizations to be prepared when protecting the organization during a systems disaster.

Every organization should ask itself "How long can we go without our systems?" Resuming critical operations as quickly as possible minimizes business disruptions and provides prepared organizations with a competitive advantage.

In our experience, many organizations are not adequately prepared for systems disasters. Part of the reason is the lack funding and support at the highest level of management. The shift in management's mindset that IT initiatives that support business continuity get top priority can truly impact all organizations in times of disasters.

At Turner and Associates, we believe that being prepared prior to a disaster is most influential driving force that ensures an organization's success when disasters occur unexpectedly.

If your company needs assistance with business continuity planning, let Turner and Associates provide our expert knowledge and guidance during this complex planning process.

Assess Business Risk and Impacts of Disasters

Disaster Assessment

Business Risk Assessment

IT and Communications

Existing Procedures for Disasters

Physical Location Plan

o Plan for Repairs

o Backup Power

Preparing for a Disaster

Backup and Recovery

Key Personnel


Key Documents with Procedures

Disaster Recovery

Plan for Handling Disaster

Notification and Reporting During a Disaster

Business Recovery

Managing Business Recovery Phase

Activities Involved

Testing Business Recovery

Planning Tests

Conducting Test

Training Staff During Business Recovery

Managing the Training

Assess the Training

Keep the Plan Current

Audit and Update the Plan Throughout the Year