Technology is changing the fundamentals of today's economic, political, and social interactions on a previously unimagined global scale. Tomorrow's enterprise will operate in a truly revolutionized world, and to meet current market demands, companies will need to think, plan and work differently. Processes and requirements are no longer linear, and technology is enabling a new reality of what can be achieved. Value-driven business transformation is essential for companies to strive and thrive in today’s dynamic markets. It is vital for an enterprise to build strategies that are agile to regulate market dynamics, innovative to stay ahead of competition, transformative to take utmost advantage of the latest technology, and optimal to sustain profits.

Whether you want to optimize an entire business, enhance business processes with technology, or simply improve your organization’s operational performance, ACG offers a highly specialized business consulting service that’s right for you. We can help you connect with customers, improve your back-office operations, complete a merger successfully and align existing technology with strategic business goals.



Payment Card Industry

The requirements outlined by the Payment Card Industry (PCI) standards impose technical challenges on your business that often divert valuable resources from your corporate operations. Most businesses are not staffed to take on the projects necessitated by the PCI standards. Especially in a tight economy, not only are resources scarce, but existing resources typically lack the expertise necessary to interpret the evolving PCI standards and implement the required technologies.

ACG has a proven program specifically designed to help your business address the challenges that PCI compliance poses. Our experienced consultants will work with your team to take you through the PCI Compliance process intelligently.

ACG will:

  • Identify the scope of your technical environment relevant to PCI and identify strategies for minimizing the challenges.
  • Clearly identify the gaps in your policies, procedures, and technical implementations that require correction.
  • Define a specific action plan for the achievement of a PCI-compliant state including budgets, timelines, and resource plans.
  • Define key metrics, KPIs and data analysis
  • Establish performance management processes for resource allocation and prioritization
  • Execute the required remediation tasks and complete the appropriate documentation, including policies and compensating controls.
  • Walk you through the assessment and certification process, assisting with response to QSAs, Acquirers, and partner organizations.


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) enacted regulations to protect an individual’s medical records while allowing the information to be shared for treatment and billing of the patient. Every entity that has access to patient medical information must comply with HIPAA.

ACG's HIPAA compliance services can help to develop a plan to close any gaps in confidentiality that may be found in an existing system. Our consulting and compliance services often offer training to ensure that everyone working with confidential information knows how to maintain HIPAA compliance.

The basic principles underlying HIPAA are:

  • Consumers have rights and control over the release of their medical information
  • The use of protected health information ought to be limited to health purposes only, with few very clear exceptions
  • Accountability in the system includes the regulations regarding specific federal oversight and penalties for violating an individual’s privacy right

ACG offers flexible and customized HIPAA services to suit your organization's needs. Services range from providing introductory or targeted HIPAA consulting to developing a full-fledged HIPAA Compliance Strategy including:

  • Risk Analysis & Assessment
  • Remediation Planning
  • Education & Management Assessment
  • Awareness & Training
  • IT Infrastructure Audit
  • Integration of Standards, Code-Sets & Identifiers
  • Gap Analysis
  • Self Assessment Tools
  • Privacy Strategy Development
  • Medical Record Compliance Review
  • HIPAA Compliance Planning
  • Health Information Disclosure Assessment

Mass Data Privacy Law (201 CMR 17.00)

Since the beginning of March 2010, every business that carries personal information about a Massachusetts resident is required to adhere to the requirements listed in 201 CMR 17. For many organizations, navigating these new standards and ensuring compliance is quite challenging. Beyond regulatory compliance, organizations that identify the strengths and weaknesses of their information security management systems protect their business from an increasing number of threats while protecting their reputation and brand.

According to the Commonwealth, personally identifiable information is defined as:

A Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident:

  • Social Security number;
  • Driver’s license number or state-issued identification card number;
  • Financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account

The new regulations require companies to:

  • Identify who can access information
  • Complete training for individuals responsible for the ongoing management
  • Establish a comprehensive security program with a set of written policies
  • Determine if a gap exists through interview, observation and policy review as well as establish remediation recourse.

ACG has in-depth expertise with 201 CMR 17 and can assist you with compliance, audit and risk mitigation.


Sarbanes-Oxley (SOX) is one of the most significant pieces of legislation in decades and applies primarily to publicly traded institutions. The act imposes strict financial reporting requirements on publicly traded companies, holding them to a new level of accountability. However, leaders of privately held companies, not-for-profit organizations, and institutions of higher education have also found that these requirements offer valuable insights into operations and translate into better management and cost savings. Those companies must implement, if not already in place, policies and controls that demonstrate to investors the use of best practices in managing financial systems as well as in protecting corporate data and access to that data. This is especially a challenge for small companies that do not have the IT staff, budget and knowledge to meet these requirements. ACG's team offers expertise in this area to fill these organizational gaps. Whether you need support staff for your daily operations, implementation of Key Controls, Internal Auditing or remediation, we are here to offer the support you need to remain compliant.

In general, Section 404 of SOX is the tallest mountain to climb, with key areas regarding the following IT controls:

  • Change Management: Companies must provide visibility over changes in the IT environment and enable the ability to initiate, authorize, manage and implement all IT changes through a systematic change process
  • Analyze improvements and continuously fine-tune them based on real-time, actual experiences
  • Backup: A process must be deployed to identify critical data and to duplicate, store and recover data as needed
  • Security: A process must be deployed to ensure the integrity of information and secure applications, databases, operating systems, internal network access and perimeter network
  • Documentation: Companies must deliver thorough documentation to cover change management, backup and security policies and processes
  • Remediation: Companies must have solutions to fill the gaps in change management, backup and security

ACG’s approach includes the following:

  • Section 404 Initiatives: Walk through each IT process, identify business and/or financial reporting risks, assess risk levels, assign control objectives and identify corresponding controls
  • Evaluate Internal Controls: Independently evaluate each of the identified IT process & control areas
  • Develop Test Plans & Strategy: Collect the appropriate evidence supporting the testing activities and subsequent control evaluation. Assess the operating effectiveness of each key control activity based on the test results and the supporting documentation
  • Report-Out: Document, communicate and share the findings of the SOX compliance audit
  • Remediation: For all control or process failures, assist the client with determining the required remediation activities to address the outstanding deficiencies and prioritize the identified remediation plans

Technology Audit

ACG Information Technology (IT) Audit professionals help organizations gain insight into the threats inherent in today’s highly complex technologies. Within the subject area of Audit Process Knowledge, Auditing IT Program Development is rated as consistently having the lowest average competency of all the internal audit process skills listed in the questionnaire. The other areas of IT auditing pose similar challenges and are all perceived as having much lower competency than any other types of skills. These findings are consistent with the strongly expressed need for improvement in all aspects of IT audit.

A successful IT audit appropriately assesses technology risks and the control environment as they relate to critical business processes. ACG’s deep expertise in IT audit can help ensure the integrity, reliability and performance of these processes. Through our methodologies, our clients realize more effective and efficient technology controls that better align the internal audit function with their business and IT strategies.

Your challenges

  • Managing and mitigating known and unknown, internal and external risks
  • Fiduciary responsibilities that have personal liability
  • Realizing and measuring the return on your technology investment
  • Outgrowing your technology infrastructure
  • Using resources efficiently and effectively
  • A complex regulatory environment
  • Disruption to your IT systems
  • Protecting client and employee data

Our IT audit services

  • IT governance assessments
  • Development of IT policies and procedures
  • IT and enterprise risk assessments
  • Outsourced IT internal audit
  • Co-sourced IT internal audit
  • Review of general controls
  • Application controls assessments
  • Network, application, and wireless penetration services (i.e., white hat hacking)
  • Internal network penetration and vulnerability assessments
  • Disaster recovery planning
  • Information system fraud and forensic investigations
  • HIPAA security assessments
  • SOX 404 IT controls assessments
  • SAS 70 and SSAE 16

Information Security

Information technology is fundamental to the functioning of our industries, government institutions and national defense, yet is fraught with risk. Managing that risk presents a constant challenge. We must build and maintain our information technology infrastructure so as to maintain:

Confidentiality - sensitive or private information must not be available to unauthorized individuals

Integrity - information must not be inappropriately altered or erased

Availability - information and services must be available when needed

ACG’s leading information security services protect your business from data breaches, negative publicity, damaged credibility and disruption of services. We deliver world-class offerings, security knowledge and experience to provide our clients with comprehensive information security. Our offerings combine unmatched technology, services, support and training from our highly qualified and certified security experts. That means no more managing multiple vendors, no more juggling disparate services and no more worrying about the security of your data and your business. With our track record of success, it means more time for your organization to focus on other operational areas, while we focus on information security excellence for you and your organization.

IT Security Assessment

Organizations can no longer afford to take a reactive stance to security threats. By appropriately securing IT infrastructure and assets, organizations can: (a) reduce the likelihood of a business interruption from a security-related event, (b) limit the impact of unanticipated events, and (c) demonstrate compliance with regulatory, procedural and business requirements. ACG’s professionals have in-depth experience helping organizations reduce risk exposure, protect information assets and limit the impact of security-related events on business activity. To increase the effectiveness of an organization's threat and vulnerability management, we deliver integrated end-to-end services that address prevention, detection and correction.

Our IT audit services

  • An integrated threat and vulnerability assessment service to better monitor, report on and respond to complex security threats and vulnerabilities, as well as meet regulatory requirements.
  • Complete peace of mind over the need to protect your own information assets and those you are custodian of, such as sensitive customer data.
  • Pro-active risk and threat management solutions and incident management
  • A real-time, integrated snapshot of the security posture
  • An independent security view of new systems and infrastructure prior to going live

360 Security Assessment: From the source code of your applications and runtime environments to your cluster nodes, databases, and network architecture, we have the prowess you need to get a realistic analysis and report of the vulnerabilities present in your technology.

Network Assessment: An enterprise's network is the heart of its infrastructure; if it is compromised or brought down, not only are attached nodes in jeopardy, but also the network's presence on the Internet can be diminished or routing advertisements for that network can cease completely. Our engineers have the skills and the technology necessary to analyze your network architecture, DMZ design, and filtering methods. From your switch fabric to your network border, ACG provides you with the expertise required to secure your network at all pertinent layers of the OSI model.

Internal & External Vulnerability: An external audit simulates an attacker coming from the Internet. This penetration testing includes three main ways into a given system: (1) open services on servers; (2) network devices such as routers and firewalls; (3) weaknesses within web applications that allow sensitive information to be retrieved using SQL injection and other methods. Within each method we search for human errors in the design and/or implementation, and/or user misconfigurations, that can pose potential weaknesses. These weaknesses can be exploited to deface a website, upload files, obtain access to a user’s mailbox and obtain administrative rights. An internal audit simulates an attacker that has a foothold in the internal perimeter. This penetration testing includes three main ways into a given system: (1) open services on servers and workstations; (2) system defaults, security updates, etc.; (3) databases that may have sensitive information, due to vulnerabilities, updates, misconfiguration and more.

Penetration Testing: We provide pre-audit and post-audit penetration testing. This test evaluates the security posture of a system or network by mimicking a real attack. ACG’s penetration testing services are conducted by highly skilled experts who employ a variety of manual attack techniques, supported by homegrown and commercial tools, to identify exposures and analyze the consequences of a targeted attack - in a safe and controlled manner.

Secure Code Analysis: Insecure coding practices often lead to gaping holes in your applications; absence of protection against vulnerabilities like buffer overflows, integer overflows, and poor string formatting can lead to unauthorized access to your systems. While protecting your infrastructure is definitely a huge proactive step in securing your technology, it cannot stop there, especially when you have custom code that is globally accessible from the Internet. ACG’s team of software engineers are experts in software auditing, reverse engineering and fool-proof IT security.

Computer Forensics & Investigation: Not only does a compromised node or network pose an immediate threat to the rest of your infrastructure and organization, but it is also a sensitive piece of evidence that must be carefully analyzed and documented so that the origin, exploit, and potential risk associated with the attack can be identified.

Web Application Security: The objective of this assessment is to identify website and web-based software application vulnerabilities and provide mitigation strategies. We analyze web security from several vantage points: the unauthorized user, the authorized user, and, to the extent possible, the administrative and developer users. ACG’s Web Security Assessment approach consists of testing and analysis that incorporates the Open Web Application Security Project (OWASP) Top 10 security vulnerabilities list.

Web E-Commerce Security: Web e-commerce applications that handle payments (online banking, electronic transactions or using debit cards, credit cards, PayPal or other tokens) have more compliance issues and are at increased risk of being targeted than other websites, and there are greater consequences if there is data loss or alteration. Banking services are highly regulated, but even the smallest electronic retailer is affected by the Payment Card Industry Data Security Standard (PCI-DSS). Recently, this has become more widely known due to increased publicity and enforcement following last year's update to clarify and add requirements. Protecting payment web application users and application systems requires a combination of administrative, technological and physical controls. ACG provides independent security analyst services for organizations developing, operating or purchasing such systems. Common e-commerce threats include Lack of Compliance, Credit Card Fraud, Data Privacy, Malware, SQL Injection, Cross-Site Scripting, Path Traversal, Session Hijacking, Worms, Remote Command Execution, Probes, Lack of Encryption, Denial of Service, Compromised Servers, Misconfiguration, Authentication, etc.

Mobile Commerce Security: Mobile commerce, or M-Commerce, just like E-Commerce, faces formidable security threats. As identity theft, phishing, and other attacks on the Internet become more prevalent, consumer trust in Internet technologies seems to be falling. In order for M-Commerce to be successful, the security weaknesses and concerns need to be addressed and solved. The key to widespread usage of M-Commerce is to gain the trust of users so that they are willing to perform transactions on their mobile devices. M-Commerce has the same security problems that occur within e-commerce, plus its own set of unique challenges. M-Commerce has the problems of viruses and malware, data theft, Denial of Service attacks, phishing, insecure default settings, inexperienced users and sniffing that seem to affect all Internet technologies. M-Commerce also has some unique problems such as limited computer power, loss or theft of the mobile device, varying standards, the broadcast nature of wireless transmissions, immature technologies, lack of authentication, and weak device operating systems. In order for M-Commerce to reach its full potential, these challenges and weaknesses must be addressed. ACG has in-depth experience in securing mobile platforms. Our team of engineers works side-by-side with our clients to understand and address their unique business and technology challenges.

Wireless Security: This assessment provides a comprehensive review of the wireless network architecture and identifies rogue wireless devices that are attached to the network. During the course of the assessment, ACG consultants will perform a wireless discovery internally and externally to determine the presence of networking devices broadcasting connectivity. We will also perform a review of management controls and processes implemented to ensure that effective protection and safeguards are in place. The most common types of wireless security threats include Man in the Middle, Sniffing, WiPhishing, War Driving, Promiscuous Client, Bluesnarfing, Bluejacking, Cell Phone & Wi-Fi Viruses, Denial of Service, Misconfigurations, etc.

Social Engineering: An organization's security is only as strong as its weakest link. The essence of social engineering is fairly simple: threat agents directly or indirectly trick users into voluntarily doing something that they shouldn’t. This isn’t a problem companies can afford to overlook. Research has indicated that social engineering attacks happen frequently and can have significant loss ramifications. At the same time, studies reveal that most corporate employees are woefully unequipped to withstand the average social engineering attack. ACG leverages a variety of techniques and tools that help our clients understand their company’s susceptibility to misrepresentation or deception, assess the depth of the issue, and provide strategies and employee training to protect the company from social engineering attacks in the future.

Physical Security: In today’s environment, analysis of the physical security of facilities and properties is a critical aspect of an organization’s information security and business continuity planning. ACG’s physical security reviews are performed and analyzed in the context of your organization’s overall risk management strategy. The criticality of assets within the environment and the perceived threat environment directly affect the level of exposure classified as acceptable. By analyzing the combined factors of assets, threats, and exposure, our physical security review provides much more than a list of actionable security recommendations. We prioritize exposures and make recommendations that align physical security with your overall risk management strategy. This holistic view enables you to protect the right assets with the right level of security.