IT Security & Compliance Risk Assessment Capabilities

Transcription

1 ATIBA Governance, Risk and Compliance ATIBA provides information security and risk management consulting services for the Banking, Financial Services, Insurance, Healthcare, Manufacturing, Government, Retail and Telecom industries. Information risk management is a growing concern for most business executives, regardless of industry. Compliance mandates such as SOx, HIPAA, GLBA, SEC and PCI impact many organizations and compliance standards are becoming more onerous and non-compliance penalties are becoming increasingly more expensive. In order to stay viable, businesses of all sizes must mitigate their risk exposure by protecting personal and private customer information. Whether you are an organization that must adhere to regulatory compliance or are a small to medium size business interested in mitigating your business risk, putting in place the appropriate strategies and controls to safeguard information makes good business sense. ATIBA's GRC professionals have the expertise to help clients plan, develop and implement processes, procedures and controls to secure data, protect personal information and achieve compliance goals. In many cases we can help you automate the business processes that control access to information systems and not only help you secure data, but also help you streamline processing and achieve process efficiencies. ATIBA will help develop security policies and implement security frameworks that are sustainable and manageable. We act as an independent assessor to review the existing controls you have in place, identify gaps, remediate deficiencies and produce the documentation and reports required for regulatory compliance. Risk and Compliance Assessment Suite IT Security Assessments Physical & Corporate Security Assessments Information Systems Physical & Homeland Security HIPAA Compliance Physical C-TPAT Financial Institutions Hospital Security Credit Unions NEI04-04 Federal Systems NERC PCI (Payment Card Industry) FERC Campus Security Page 1

2 Risk Assessments for Information Systems IT Security & Compliance Risk ATIBA conducts comprehensive risk assessments for information systems that support governance and compliance based on international standards including ISO 17799, ISO 27001, COBIT 4.0 and Sarbanes Oxley (SOX). ATIBA consultants provide a simple web-based questionnaire application that can be ed or used on an internal server to facilitate the gathering of responses from management and IT system users. Our consultants use tools that provide a full threat assessment with control analysis. We provide management reports detailing compliance vs. non-compliance and back up findings with a complete set of working papers. Return on Investment is calculated for each safeguard and a Case Summary Report is provided to show Compliance vs. Non-Compliance, Protection Levels, Annual Loss Expectancy Data by Asset Category, Threat or Loss Impact Category. The report provided demonstrates which security measures are most effective for your organization, and which ones give you the most bang for your buck. Risk Assessments for Financial Institutions ATIBA Compliance Risk Assessments for Financial Institutions are conducted for banks, insurance companies, trusts and savings banks and other technical services providers such as payment processors. The risk assessments match the FFIEC guidelines: IT, FFIEC, Information Technology (IT) Examination Handbook, RED FLAG, GLBA and more. Sarbanes Oxley (SOX) GLBA (Gramm Leach Bliley) Red Flag Identity Theft Standard Bank Secrecy Act (BSA) Risk Assessments for Information Systems PCI Compliance ATIBA Risk Assessments for PCI Compliance address the security of e-commerce and online transactions security. The PCI-DSS standard is a security standard developed by a consortium of the major credit card companies help organizations safeguard card payment processing to stop the widespread problems with credit card fraud, theft of credit card numbers, and many other vulnerabilities. All organizations that either process, store or transmit payment card data must be PCI-DSS compliant, or they may lose their right to process credit card payments. ATIBA Risk Assessments for PCI Compliance provide an audit-approved security compliance assessment so organizations can PROVE that they are PCI compliant. The assessment includes a full audit trail so the organization can demonstrate how they measured their compliance exactly against the PCI-DSS standards. Page 2

3 Our GRC consultants will provide a full report detailing the threats and vulnerabilities that were identified in the assessment. We will also make recommendations for what is needed to be in full compliance. Risk Assessments for PCI Compliance are of benefit to banks, credit unions, payment processing companies, healthcare organizations, hospitals, insurance companies, and consulting companies to meet the PCI-DSS standard. Risk Assessments for Credit Unions ATIBA Risk Assessments for Credit Unions meet the NCUA, Part 748 Standard; we provide management reports with working papers, graphics, and complete audit trails. We assess against a complete standards library that includes all security risk assessment elements for Credit Unions, including GLBA (Gramm Leach Bliley Act) Standards, as well as the Red Flags Identity Theft Requirement. Our reports and supporting documents assist management and credit union boards to demonstrate compliance with existing requirements and provides the risk assessment required annually by NCUA. Risk Assessments for Federal Systems Federal agencies are required to perform risk assessments on a variety of systems. ATIBA Risk Assessments for Federal Systems are based on the NIST levels; they elevate the security risk assessment to a management level. ATIBA GRC consultants customize the risk assessments to support federal risk analysis and risk assessment requirement levels. We provide a variety of reports including management reports, and we provide work documents that support all findings. Risk Assessments for Physical & Homeland Security ATIBA GRC consultants conduct Risk Assessments for Physical and Homeland Security that provide risk analysis, physical security reviews, audits and vulnerability assessments of facilities and personnel. Security threats addressed include: crimes against property, crimes against people, equipment of systems failure, terrorism, natural disasters, fire and bomb threats and many more. Question sets include entry control, perimeters, fire, facilities management, guards, including a specialized set of questions for the maritime/shipping industry. Risk Assessments for HIPAA Compliance ATIBA GRC consultants work with regulators and auditors to make sure your HIPAA Compliance assessment will stand up to the strictest audit. Risk Assessments for HIPAA Compliance are conducted using the entire HIPAA standard and NIST Questions are separated by role including Medical Records, Clinical Staff, Database Administrator, etc. - also Included is a Pandemic Flu Assessment. Page 3

4 HIPAA Compliance requirements related to data security and privacy have increased with the passing of the HITECH Act in Compliance requirements are now extended to business associates, and data breach notification requirements are more stringent. As more and more physicians and medical practices adopt electronic health records, data security will become increasingly more challenging. Developing and implementing a formalized security management program to protect data and keep patient information private is a critical compliance requirement that must be in place. ATIBA professionals will develop your security policies and procedures. If you already have policies and procedures in place, we can measure your compliance to determine gaps, remediate deficiencies and recommend mitigation measures. The HIPAA Compliance assessment includes charts, graphs and detailed information. The Case Summary Report includes Compliance vs. Non-Compliance graphs, where the non-compliance came from, how compliance matches requirements, and answers mapped by individual name or job category. The report can be customized to include photos, network diagrams, etc. ATIBA GRC consultants will provide management level reports with complete audit trails and easy to understand recommended mitigation solutions that are ranked by Return-On-Investment. Data provided can also be ported directly in your Business Continuity and Disaster Recovery plans. ATIBA Risk Assessments for HIPAA Compliance support hospitals, health plans, insurance companies, academic medical centers and consulting organizations that need to meet HIPAA requirements. Risk Assessments for Hospital Security Ensure that your staff, patient, visitors and business assets are safe and secure within the premises of your medical facility. We will assess access to buildings and sensitive areas on your premises and the controls that are in place; we will review your current security policies and procedures and determine if they adequately protect your people, property and assets against vandalism, unlawful entry and personal danger. As we assess the premises we will photograph security controls and potential deficiencies to support the report we deliver and recommendations we make. In addition to the physical walk-through, ATIBA consultants conduct risk assessments for hospital security by using a simple web-based questionnaire application that can be used to survey wide groups of administrative staff, security officers and clinical staff electronically. The tool contains a comprehensive checklist based on the Joint Commission standards and helps organizations assess their security and measure compliance. The Joint Commission is the nation's predominant standard-setting and accrediting body in health care, and recently released standards related to the security of hospitals and healthcare organizations. Page 4

5 Risk Assessments for NEI Compliance ATIBA Risk Assessments for Nuclear Power assist organizations in meeting compliance and managing risk based on the new Nuclear Energy Institute guidelines contained in the NEI Revision 1; "Cyber Security Program for Nuclear Power Reactors". The risk assessment tools we use were developed with the support of both the Nuclear Regulatory Commission and the Nuclear Energy Institute and were funded by the U.S. Department of Defense through the Technical Support Working Group. Jack Roe, Spokesman for the NEI said, "This risk assessment tool for the nuclear power industry can evaluate their security posture in specific systems and applications. The NEI has a major role in developing the content and worked with many NEI member organizations in the development and the subsequent pilots." Risk Assessments for NERC Compliance Risk Assessments for the Electrical Sector are customized for an organization's IT security issues based on the new Critical Infrastructure Protection (CIP) elements of the North American Electric Reliability Council (NERC). ATIBA consultants use tools that provide a full threat assessment with control analysis. We provide management reports detailing compliance vs. non-compliance and back up findings with a complete set of working papers. Return on Investment is calculated for each safeguard and a Case Summary Report is provided to show Compliance vs. Non-Compliance, Protection Levels, Annual Loss Expectancy Data by Asset Category, Threat or Loss Impact Category. The report provided demonstrates which security measures will be most effective for your organization Risk Assessments for Campus Security ATIBA GRC consultants are competent in conducting a comprehensive physical security risk assessment for universities, colleges and schools of all kinds. The tragedy at Virginia Tech showed how basic elements typically included in a full risk assessment were ignored-including both the bomb threats, and the assurance of a school-wide emergency communication system. The program used by ATIBA consultants was developed in conjunction with the National Institute of Justice and Eastern Kentucky University, College of Justice and Safety as part of a nationwide assessment program for public schools. The Campus Security risk assessment includes assessing lock and key controls, roof access, doors and windows, CPTED (Crime Prevention through Environmental Design), security controls, security police and guard services, security policies and procedures and much more. As we assess the premises we will photograph security controls and potential deficiencies to support the report we deliver and Page 5

6 recommendations we make. We provide detailed management reports backed up with a complete set of working papers, as well as solid recommendations on what controls are still needed, how much they cost and how much protection they provide for a given campus environment. Page 6