Trust Center

Security, compliance, and how we protect what you share with us.

This page describes the frameworks that govern Parapet Advisory Group's methodology, the regulatory environments we navigate on behalf of clients, our internal data handling practices, and our credentials and certification roadmap.

Transparency notice: PAG is a privately held advisory firm. We align our methodology with industry frameworks and help clients achieve compliance — but we distinguish clearly between frameworks we are aligned with and certifications we are formally certified to. Where a certification is in progress or planned, we say so explicitly. We believe this distinction matters, and that a cybersecurity firm that overstates its credentials is not one worth hiring.

Core methodology

NIST Cybersecurity Framework

PAG's assessment and advisory methodology is built on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF 2.0) — the most widely adopted cybersecurity risk management framework in the United States, and the standard against which most enterprise and institutional security programs are measured.

The NIST CSF organizes cybersecurity activity across six functions. PAG's services map directly to these functions. When a client engages PAG for an estate security assessment or family office audit, the deliverable is structured to evaluate posture and identify gaps across all applicable functions.

Methodology aligned with NIST CSF v2.0  ·  Published February 2024

GV · Govern  ·  Governance
  Organizational risk strategy
  Roles & responsibilities
  Policy alignment
  Vendor & supply chain oversight

ID · Identify  ·  Asset & Risk Awareness
  Device & asset inventory
  Digital exposure assessment
  Third-party access mapping
  Risk & threat profiling

PR · Protect  ·  Hardening & Controls
  Device hardening & encryption
  Access control & MFA
  Staff security training
  Wire transfer protocols

DE · Detect  ·  Monitoring & Detection
  Dark web credential monitoring
  Account activity review
  OSINT exposure scanning
  Ongoing retainer surveillance

RS · Respond  ·  Incident Response
  Incident response retainer
  BEC & wire fraud response
  Device compromise triage
  Communication containment

PAG assessment reports are structured to map findings to NIST CSF function categories, enabling clients to present findings to legal counsel, family office boards, or institutional partners in a standardized format. The addition of the Govern (GV) function in CSF 2.0 reflects the increased emphasis on board-level accountability for cybersecurity risk — an area PAG specifically addresses in family office engagements.

Additional frameworks

Standards our methodology is informed by

Beyond NIST CSF, PAG's advisory methodology draws on additional frameworks depending on the client's sector, risk profile, and specific engagement scope. These are not certifications — they are the technical and procedural standards against which PAG benchmarks its recommendations.

NIST SP 800-53  ·  Rev. 5  ·  Security and Privacy Controls  ·  Informed by
The comprehensive catalog of security and privacy controls for federal information systems. PAG references SP 800-53 control families when advising clients on specific technical hardening measures, particularly in access control, configuration management, and incident response planning.
Applies to: Estate Assessments · Family Office Audits · Incident Response

CIS Controls v8  ·  Center for Internet Security  ·  18 controls  ·  Informed by
A prioritized set of actions proven to reduce the attack surface against the most common threats. CIS Controls inform PAG's implementation guidance — particularly IG1 (basic cyber hygiene) recommendations delivered to household staff and family office administrators who are not technical professionals.
Applies to: Staff Training · Device Hardening · Estate Security

ISO/IEC 27001  ·  2022 edition  ·  Information Security Management  ·  Informed by
The international standard for information security management systems (ISMS). PAG's client engagement methodology is structured to align with ISO 27001's risk treatment approach. Clients who are pursuing or maintaining ISO 27001 certification will find PAG's deliverables compatible with their ISMS documentation requirements.
Applies to: Family Office Audits · Risk Assessment

OWASP Top 10  ·  2021 edition  ·  Web Application Security  ·  Informed by
The standard awareness document for web application security risks. PAG references OWASP Top 10 when evaluating web-facing systems, client portals, and online banking interfaces used by family office clients — particularly in the context of phishing and credential harvesting exposures.
Applies to: Digital Privacy · Phishing Defense

Regulatory environments

Compliance frameworks PAG navigates for clients

PAG is not a compliance auditor and does not issue certification opinions. However, many of the clients PAG serves operate in regulated environments — healthcare, financial services, real estate — or handle information that is subject to state and federal privacy law. PAG's advisory work is conducted with awareness of these regulatory requirements, and our deliverables are designed to be compatible with clients' existing compliance obligations.

HIPAA / HITECH  ·  Client advisory
The Health Insurance Portability and Accountability Act governs the security of protected health information (PHI). PAG's principal has over 15 years of IT leadership experience in healthcare settings including electronic health records, patient data systems, and HIPAA-regulated infrastructure. Clients in healthcare-adjacent industries benefit from this direct operational experience.
Applies to: Healthcare clients

Florida FDBR & FIPA  ·  Client advisory
The Florida Digital Bill of Rights (SB 262, effective 2024) and the Florida Information Protection Act establish requirements for businesses that collect and handle Florida residents' personal data. PAG advises Palm Beach County clients on the data minimization and security practices that mitigate FDBR and FIPA exposure, particularly for family offices with employee and household staff data.
Applies to: FL-based clients

SEC Cybersecurity Rules  ·  Client advisory
SEC rules adopted in 2023 require registered investment advisers and public companies to disclose material cybersecurity incidents and describe their cybersecurity risk management programs. Family offices with SEC registration or institutional investment relationships may face these disclosure and documentation requirements. PAG's engagement deliverables support the documentation component of these obligations.
Applies to: RIA clients

GDPR  ·  Situational
The General Data Protection Regulation applies to organizations that process data of EU residents, regardless of where the organization is based. Palm Beach family offices and private estates with EU-connected investments, staff, or property may have GDPR obligations. PAG's data minimization and access control recommendations are compatible with GDPR's security-by-design principles.
Applies to: EU exposure

PCI DSS v4.0  ·  Situational
Payment Card Industry Data Security Standards apply to any organization that processes, stores, or transmits cardholder data. While most private estates and family offices are not directly subject to PCI DSS, those operating small businesses, private foundations, or staff payment systems may have relevant obligations. PAG can identify and advise on these exposure areas.
Applies to: Where applicable

How we handle your information

PAG's internal data practices

The information clients share with Parapet Advisory Group during an engagement is among the most sensitive data we will ever handle. Our internal practices are designed to ensure that the trust clients place in PAG extends to the operational level of every engagement.

NDA before engagement
Every PAG engagement is preceded by a mutual non-disclosure agreement. No client information is solicited, stored, or analyzed prior to the execution of a signed NDA. The NDA is not a formality — it is the baseline condition for any engagement.

Encrypted communications only
Sensitive engagement communications are conducted via encrypted channels. For highly sensitive discussions — wire fraud protocols, active threat situations, or legal matters — PAG uses Signal-encrypted communications. Email is not used for transmission of sensitive findings or credentials.

Minimal data retention
PAG retains only the data necessary to support the active engagement and any ongoing retainer obligation. Upon engagement close, client-specific technical data (device inventories, network configurations, credential lists) is purged. Final deliverable reports are retained in encrypted storage for the duration of the engagement relationship only.

No shared cloud environments
Client data is not stored in shared cloud platforms with other clients. PAG does not use multi-tenant SaaS tools for client engagement documentation. Each engagement operates in an isolated information environment.

No third-party disclosure
PAG does not share client information with any third party for any purpose, including marketing, research, or referral, without explicit written consent from the client. The existence of the engagement relationship is treated as confidential unless the client chooses otherwise.

Sub-contractor vetting
In the rare cases where PAG engages specialized technical sub-contractors for a specific engagement scope, those contractors are subject to the same NDA terms as PAG and are selected only after vetting of their own security and confidentiality practices.

Credentials

Current certifications and qualifications

The following certifications and qualifications are held by PAG's principal, Dan Mirsky. They reflect a career that spans law enforcement, enterprise IT leadership, and technical systems administration.

Credential | Issuing body | Category | Status
Certified Law Enforcement Officer | State of Florida · FDLE | Law Enforcement | Held · 20 years service
Citrix XenApp 6.5 Administration | Citrix Systems | Infrastructure | Certified
Microsoft Certified Technology Specialist — Dynamics GP | Microsoft Corporation | Enterprise Systems | Certified
Advanced Certified Engineer (ACE) | Xinuos, Inc. | Systems Engineering | Certified
Certified UNIX Systems Administrator (CUSA) | Xinuos, Inc. | Systems Administration | Certified
DUI Standardized Field Sobriety Testing | IPTM · University of North Florida | Law Enforcement | Certified
CPR / AED | American Heart Association | Emergency Response | Certified

Certification roadmap

What we are pursuing

The following credentials and affiliations are actively planned or in progress. We list them here because we believe transparency about our roadmap is more valuable to serious clients than silence or vague aspiration.

CISA — Certified Information Systems Auditor  ·  ISACA  ·  In progress
The global standard in IT audit, assurance, and cybersecurity. CISA certification will formalize the audit methodology PAG already applies across estate and family office engagements and provide internationally recognized credentialing for the principal.

InfraGard Membership  ·  FBI South Florida Chapter  ·  Planned
InfraGard is an FBI-affiliated public-private partnership for critical infrastructure protection. Membership provides direct access to threat intelligence, classified briefings, and a vetted professional network — directly relevant to PAG's threat intelligence function for high-profile clients.

SOC 2 Type II  ·  Service Organization Controls  ·  Planned
A SOC 2 Type II audit provides independent third-party verification of PAG's internal security controls over a 12-month observation period. As PAG scales its retainer client base, a SOC 2 report will provide institutional clients and family office administrators with audited assurance over PAG's own security posture — not just our clients'.

ISACA Membership  ·  South Florida Chapter  ·  Planned
ISACA is the leading international professional association for IT governance, audit, and cybersecurity. Membership provides access to continuing education, updated framework guidance, and a professional network aligned with PAG's client-facing practice.