Public Consulting Group LLC (PCG) is committed to safeguarding the privacy and confidentiality of customer and company information. Policies and standards issued by the PCG Information Security Office were written to assist in establishing and implementing PCG's information security program. These policies and standards were developed from careful examination and inclusion of National Institute of Standards and Technology (NIST) 800-53 (rev. 4), Health Insurance Portability and Accountability Act (HIPAA), Family Educational Rights and Privacy Act of 1974 (FERPA), and American Institute of Certified Public Accountants (AICPA) Attestation Standards, Section 101 Service Organization Control 2 (SOC2) controls. In addition, the policies and standards reflect international and federal laws, executive orders, directives, regulations, standards, and guidance.
PCG's information security policies have been approved by the PCG Board of Directors, and standards are approved by the Corporate IT Committee. All policies and standards are reviewed and updated on an annual basis or as major changes occur to the business. All PCG staff are required annually to read and attest to ongoing compliance with the policies. Non-compliance with PCG policies and standards can result in disciplinary action, up to and including termination.
PCG's policies and standards are classified as 'Sensitive' and cannot be shared with external parties without a Non-Disclosure Agreement (NDA) in place. PCG operates in several different industries, and the policies on their own do not provide a full picture of the company's security posture. They also contain details about the controls that protect our data and the data entrusted to us by our clients, and disclosing those details could weaken that protection. Instead of providing the policies themselves as requested, this document lists all effective PCG security policies and standards.
Access Control
- ISP-AC01 Access Control Policy
- ISP-AC02 Account Management Policy
- ISP-AC17 Remote Access Policy
- ISP-AC18 Wireless Access Policy
- ISP-AC19 Access Control for Mobile Devices Policy
- CS-AC01 Access Control Standard
- CS-AC02 Account Management Standard
- CS-AC17 Remote Access Standard
- CS-AC18 Wireless Access Standard
- CS-AC19 Mobile Device Management Standard
Audit and Accountability
- ISP-AU01 Audit and Accountability Policy
- CS-AU03 Documentation Standard
Awareness and Training
- ISP-AT01 Security and Privacy Awareness Training Policy
- CS-AT01 Security and Privacy Awareness Training Standard
Configuration Management
- ISP-CM01 Configuration Management Policy
- ISP-CM03 Change Management Policy
- ISP-CM08 Asset Management Policy
- CS-CM01 Configuration Management Standard
- CS-CM03 Change Management Standard
- CS-CM06 Hardened Systems Standard
- CS-CM08 Asset Management Standard
Contingency Planning
- ISP-CP01 Business Continuity Policy
- ISP-CP02 Disaster Recovery Policy
- ISP-CP09 Backup and Recovery Policy
- CS-CP01 Business Continuity Standard
- CS-CP09 Data Backup Standard
Identification and Authentication
- ISP-IA01 Identification and Authentication Policy
- CS-IA01 Authentication Standard
Incident Response
- ISP-IR01 Incident Management Policy
- CS-IR01 Incident Management Standard
- CS-IR09 Data Breach Notification Standard
Maintenance
- ISP-MA01 System Maintenance Policy
Media Protection
- ISP-MP01 Media Protection Policy
- CS-MP06 Media Sanitization and Disposal Standard
Personnel Security
- ISP-PS01 Personnel Security Policy
- ISP-PS06 Security and Confidentiality Policy
- ISP-PS09 Acceptable Use Policy
- CS-PS01 Personnel Management Standard
- CS-PS06 Acceptable Use Standard
Physical and Environmental Protection
- ISP-PE01 Physical and Environmental Protection Policy
- ISP-PE03 Physical Access Policy
- CS-PE01 Physical Security Standard
Planning
- ISP-PL01 Security and Privacy Planning Policy
PII Processing and Transparency
- CP-001 Privacy Policy
- CP-PT02 PII Processing and Transparency Standard
- CS-001 Privacy Standard
Program Management
- ISP-PM07 Enterprise Architecture Policy
- CS-PM07 Segmentation Standard
Risk Assessment
- ISP-RA00 Risk Management Policy
- ISP-RA02 Data Classification Policy
- ISP-RA05 Vulnerability Management Policy
- CS-RA02 Data Classification Standard
- CS-RA02 Risk Assessment and Management Standard
- CS-RA05 Vulnerability Management Standard
Security Assessment and Authorization
- ISP-CA07 Continuous Monitoring Policy
- CS-CA07 Infrastructure Logging Standard
System and Communications Protection
- ISP-SC01 System Communication Protection Policy
- ISP-SC08 Encryption Policy
- CS-SC07 Internet Security and Communication Standard
- CS-SC08 Encryption Standard
- CS-SC17 Key Management Standard
System and Information Integrity
- ISP-SI00 Capacity Management Policy
- ISP-SI01 System and Information Integrity Policy
- ISP-SI02 Patch Management Policy
- ISP-SI03 Malicious Code Policy
- ISP-SI04 System Monitoring Policy
- CS-SI02 Patch Management Standard
- CS-SI03 Malicious Code Standard
- CS-SI04 Data Loss Prevention Standard
- CS-SI04 Intrusion Detection Standard
- CS-SI19 Data De-Identification Standard
System and Services Acquisition
- ISP-SA01 System and Services Acquisition Policy
- ISP-SA08 Application Security Policy
- CS-SA01 Vendor Management Standard
- CS-SA08 Application Security Standard