Ensure Compliance with Laws & Standards

Ensure Compliance with Data Laws
Ensure Compliance with Data Standards
Ensure Compliance with Data Laws

A host of local, state, federal and international laws regulate how organizations handle sensitive data. Our professionals perform a wide range of risk assessments and audit readiness assessments to help clients identify compliance gaps and close them.  Among the laws that we cover are:

 

  • FACTA - The Fair and Accurate Credit Transactions Act (FACTA) red flags rule requires financial institutions to demonstrate they have taken sufficient steps to protect consumers against identity theft.
  • FERPA - The Family Educational Rights and Privacy Act (FERPA) aims to protect the privacy of student education records and prevent unauthorized access to them. FERPA applies mainly to educational institutions.
  • FISMA - The Federal Information Security Management Act (FISMA) requires federal agencies to have a robust information protection plan in place. FISMA aims to help protect information held on federal information systems.
  • GDPR - The General Data Protection Regulation (GDPR) applies to all organizations that collect and process data that belongs to European Union (EU) citizens. The regulation has specific requirements related to privacy, security, data control, and governance.
  • GLBA - The Gramm-Leach Bliley Act (GLBA) is a U.S. federal regulation that requires financial institutions to ensure the confidentiality and integrity of the non-public personal information of their customers.
  • HIPAA - The Health Insurance Portability and Accountability Act (HIPAA) requires organizations dealing with Protected Health Information (PHI) and Electronic Protected Health Information (ePHI) to protect that data, and to require its business associates such as vendors to also comply.
  • Sarbanes Oxley - The Sarbanes Oxley Act of 2002 (SOX) has very specific stipulations and requirements related to information security and data governance that apply to all publicly held U.S. companies, international companies with SEC registered securities and to third-party firms that provide financial services to these companies such as CPAs.
  • SEC Cybersecurity - The Office of Compliance Inspections and Examinations (OCIE) and the U.S. Securities and Exchange Commission (SEC) conduct cybersecurity examinations that apply to financial institutions including investment advisors, investments companies, broker-dealers, transfer agents, and private fund advisors. We evaluate preparedness levels for the actual examinations and help organizations reach compliance-ready levels.
  • State Cybersecurity Regulations - All 50 states, the District of Columbia, Puerto Rico, Guam and the Virgin Islands have laws pertaining to data breaches and cybersecurity. Certain entities that operate in the state of New York must comply with that state's latest cybersecurity regulation.
Ensure Compliance with Data Standards

Our professionals have the expertise and certifications to help organizations align themselves with the most current standards for information security. We perform gap analyzes and execute testing that identifies vulnerabilities so they may be remediated.  Among the security standards that we cover are:

 

  • FFIEC - Our experts perform an assessment and assist with remediation measures so organizations meet cybersecurity standards set by The Federal Financial Institutions Examination Council.  
  • ISO27001 Gap Analysis - We identify gaps in compliance with ISO27001, a framework for organizations to implement a standardized approach to information security.
  • ISO27001 Certification -  We certify organizations that meet ISO27001 requirements, as demonstrated by detailed testing. 
  • NIST Gap Analysis - We identify gaps in compliance with the National Institute of Standards and Technology (NIST). 
  • NIST Tests - We perform highly specific NIST tests and assessments, followed by remediation.
  • PCI Digital Forensics - Following a cyberattack, PCI DSS (the Payment Card Industry Data Security Standard) requires an investigation by a PCI certified Forensic Investigator. Our experts perform these complex, challenging and highly specialized digital forensic investigations.
  • PCI Network Scanning - We can provide required quarterly network vulnerability scans to help organizations maintain compliance with PCI DSS requirements.
  • PCI Penetration Test - PCI DSS requirements mandate that organizations perform comprehensive infrastructure penetration tests of several types. We perform these highly technical and detailed tests.
  • PCI QSA Gap Analysis -  We identify gaps in compliance with the Payment Card Industry Data Security Standard (PCI DSS).
  • PCI QSA Security Audit - As a certified Quality Security Assessor (QSA), ERMProtect audits for compliance with requirements set by the PCI Council, and awards those who qualify with a Report of Compliance (ROC). 
  • PCI Remediation - We guide organizations that need to implement a fully-compliant cardholder data environment and infrastructure. 
  • PCI SAQ - Many merchants and service providers are required by PCI DSS to complete a Self-Assessment Questionnaire (SAQ). We identify the type of SAQ that applies to organizations and helps them complete it accurately in order to maintain PCI DSS compliance.

Intelligence and Insights

The Building Blocks to Securing the Human Element - Security Awareness Training

The Building Blocks to Securing the Human Element

One of the biggest risks to an organization’s information security is often not a weakness in the technology control environment. Rather it is the action or inaction by employees and other personnel that can lead …
When Do You Need a QSA?

When Do You Need a QSA?

The definition of who must have a formal assessment performed is determined by card brand entities such as Visa, MasterCard and American Express, and by the acquiring banks and processors who service merchants. You might …
How businesses can calculate the cost of PCI DSS compliance

How businesses can calculate the cost of PCI DSS compliance

PCI compliance is a significant endeavor. It requires a substantial amount of time, money, and expertise to complete. To start with, companies must define the cardholder data environment (CDE) – those areas that touch or …