Public Consulting Group, Inc. (PCG) recognizes that having a robust security program is critical in minimizing the impact of threats inherent in today’s workplace and computing environments. As a service provider often responsible for handling sensitive data, PCG is committed to safeguarding the privacy and confidentiality of customer and company information.


Policies and standards issued by the PCG Information Security Office have been written to assist in establishing and implementing PCG's information security posture, and they are subject to regular internal reviews and external audits to ensure that they have been properly designed and are operating effectively. These documents establish security at PCG as more than just a compliance activity; they aim to elevate and incorporate security into PCG’s culture and practice.


The following policies, listed below by control family, were developed by PCG based on careful examination and inclusion of National Institute of Standards and Technology (NIST) 800-53, the Health Insurance Portability and Accountability Act (HIPAA), the Family Educational Rights and Privacy Act of 1974 (FERPA), American Institute of Certified Public Accountants (AICPA) Attestation Standards, and Section 101 Service Organization Control 2 (SOC2) controls. In addition, these policies and standards reflect international and federal laws, executive orders, directives, regulations, standards, and guidance.

Access Control

    • Access Control  
    • Account Management  
    • Access Enforcement  
    • Remote Access
    • Wireless Access
    • Access Control for Mobile Devices

Audit and Accountability

    • Documentation
    • Audit and Accountability

Security Awareness and Training

    • Security Awareness and Training

Configuration Management

    • Configuration Management
    • Change Management
    • Asset Management

Contingency Planning

    • Pandemic Response
    • Business Continuity
    • Disaster Recovery
    • Backup and Recovery

Identification and Authentication

    • Identification and Authentication

Incident Response and Management

    • Incident Response and Management

System Maintenance

    • System Maintenance

Media Protection

    • Media Protection
    • Media Sanitization and Disposal

Personnel Security

    • Personnel Security
    • Acceptable Use

Physical and Environmental Protection

    • Physical and Environmental Protection
    • Physical Access

Security Planning

    • Security Planning

Program Management

    • Enterprise Architecture

Risk Assessment

    • Data Classification
    • Risk Assessment
    • Risk Management
    • Security and Confidentiality
    • Vulnerability Management

Security Assessment and Authorization

    • Continuous Monitoring
    • System and Communications Protection
    • Encryption
    • Privacy

System and Information Integrity

    • Capacity Management
    • Data Retention
    • Malicious Code Protection
    • Patch Management
    • System and Information Integrity
    • System Monitoring

System and Services Acquisition

    • System and Services Acquisition


