Defining and Implementing Your Security Program
Many organizations are just now starting the development of an information security program. Assero Security has helped many companies quickly define and implement an effective and economical security program designed specifically to meet their needs. Using our experience in the industry and streamlined implementation, Assero Security can quickly address your needs to get an information security program up and running.
Requirements Analysis: Assero Security consultants work with the customer to determine the requirements of its information security program. Security and privacy requirements come from:
- Mandated information security and privacy regulations such as HIPAA/HITECH, PCI DSS, GLBA, FISMA, and state privacy acts,
- Contractual obligations from key customers, and
- Business mission requirements.
Basic Security Controls: If your organization is new to implementing an information security program, there may be relatively few controls in place. Assero Security has created an economical approach to implementing basic security controls to kick-start development of the information security program.
- Policy. A basic security policy set tailored to the organization
- Training. Security awareness training provided to staff
- Scans. Vulnerability scans of the external (Internet-facing) network
Gap Assessments: Many organizations begin developing an information security program because they need to comply with a specific regulation. This regulation-specific approach requires establishing a baseline of the controls currently in place, commonly called a “gap assessment”. Assero Security provides single- or multiple-regulation gap assessments against the following regulations and security standards:
- Payment Card Industry Data Security Standard (PCI DSS) Gap Assessment. Required of any organization that stores, processes, or transmits cardholder data (CHD). See “PCI DSS Services” below.
- HIPAA/HITECH Gap Assessment. Required of covered entities and their business associates that store, process, or transmit Protected Health Information (PHI).
- NIST 800-53 / Federal Information Security Management Act (FISMA) Gap Assessment. Required of federal government agencies and of organizations that store, process, or transmit government-provided sensitive data on their behalf.
- Gramm-Leach-Bliley Act (GLBA) Gap Assessment. Required of financial institutions and any organization that stores, processes, or transmits consumers’ non-public personal financial information.
- State Privacy Laws Gap Assessment. Required of any organization that stores, processes, or transmits non-public personal information about individuals. The specifics vary greatly from state to state.
- ISO 27001/27002 Gap Assessment. Not a regulation or a legal requirement, but a well-accepted international standard: ISO 27001 specifies the requirements for an information security management system, and ISO 27002 is the accompanying code of practice for security controls.
Security Questionnaires and Contracts: Customers and suppliers entrust your organization with sensitive information. As part of their vendor management program they must ensure that trust is well placed, and they typically ask you to document your security program through a security survey or questionnaire. Your responses are frequently incorporated into the contract and can be legally binding, so they should not be taken lightly. Assero Security can work with your organization to interpret the survey, advise on accurate responses, and assist you with putting controls in place where needed.
PCI DSS Services
The payment card brands have stepped up enforcement of the PCI Data Security Standard (PCI DSS), arguably in reaction to the increasing number of breaches of cardholder data (CHD) and a perceived lack of compliance with these basic security controls by organizations that store, process, and transmit CHD. Regardless of the reason, it is clear that merchants at all levels (Levels 1-4) and service providers must adequately address their compliance with these industry standards or face increased scrutiny, continued risk, and even fines.
Assero Security works with merchants and service providers to help them to effectively and economically address the PCI DSS requirements. Our experience with merchants and service providers of all sizes has allowed us to create an efficient process of planning, implementing, and maintaining your PCI DSS compliance strategy.
PCI DSS FAQ
Q: What is PCI DSS?
A: PCI DSS is the Payment Card Industry Data Security Standard, a set of security requirements for the protection of cardholder data (CHD) that applies to all organizations that store, process, or transmit payment card data.
Q: We don’t take many credit cards, does PCI really apply to me?
A: Neither the size of the organization nor the number of transactions changes whether PCI DSS applies; they only affect how you validate compliance (your merchant level). If you accept payment cards (for example, if you have a Merchant ID), PCI DSS applies to you.
Q: I don’t process CCs, I have a service that does that for me. Aren’t I exempt?
A: No. Using a third party to provide point-of-sale devices or the back-end processing for your website may reduce your risk exposure and the scope of your assessment, but PCI DSS still applies to you, the merchant. You remain responsible for confirming that the provider is itself PCI DSS compliant and for the parts of the environment you control.
Q: My website is secured with an SSL certificate, that covers me right?
A: A good start, but no. A TLS/SSL certificate on your website addresses only the encryption of cardholder data in transit over open, public networks (PCI DSS Requirement 4). The remaining requirements, from network security and access control to logging, vulnerability management, and policy, still apply.
Q: Do I have to use a QSA?
A: Generally only Level 1 merchants (over 6 million Visa or MasterCard transactions per year) must have an annual on-site assessment performed by a Qualified Security Assessor (QSA) or a certified Internal Security Assessor (ISA). Merchants at Levels 2 through 4 can normally validate with a Self-Assessment Questionnaire (SAQ), although your acquiring bank may require more. Assero Security can assist you with interpreting the SAQ questions and applying them to your environment.
Q: What are the minimum requirements for a small or medium business (SMB)?
A: An SMB merchant must meet the same requirements as any other merchant. The requirements are published by the PCI Security Standards Council at https://www.pcisecuritystandards.org/security_standards/documents.php?document=pci_dss_v2-0#pci_dss_v2-0. The following steps should be followed to satisfy them:
- Define your validation type, which determines the SAQ you complete:
  Type 1: Card-not-present merchants (e-commerce / mail order / phone order) with all cardholder data functions outsourced (SAQ A)
  Type 2: Imprint-only merchants, no electronic CHD storage (SAQ B)
  Type 3: Stand-alone dial-up terminal merchants, no electronic CHD storage (SAQ B)
  Type 4: Merchants with payment application systems connected to the Internet, no electronic storage of CHD (SAQ C)
  Type 5: All other merchants, and all service providers eligible to complete an SAQ (SAQ D)
- PCI DSS Gap Assessment
- PCI DSS Remediation
- SAQ Assistance
- PCI DSS Security Risk Assessment
HIPAA/HITECH/MU Services
Since enforcement of the Health Insurance Portability and Accountability Act (HIPAA) transitioned to the Office for Civil Rights (OCR), “covered entities” (hospitals, clinics, physician groups, etc.) have seen increased enforcement of compliance and the levying of fines against those that are not compliant. Enhancements to the HIPAA security and privacy regulations through the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Meaningful Use (MU) incentive program have complicated the application of these security and privacy requirements.
Assero Security consultants have been assessing and implementing HIPAA-compliant information security programs since the HIPAA Security Rule was first proposed in 1998. Our experience with covered entities of all sizes has allowed us to create an efficient process of planning, implementing, and maintaining your HIPAA compliance strategy.
- HIPAA/HITECH Gap Assessment
- HIPAA/HITECH Security Risk Assessment