We offer assessments and advisory services to clients from all industries.View All
We strive to develop a true relationship with each customer.Learn More
Our managed detection and response (MDR) service built on a platform that helps quickly identify and eliminate security threats.Learn More
Detect vulnerabilities before they become threats.Learn More
Align your IT efforts with the goals of your business.Learn More
Detect and Defeat security threats in record time with our expert team.Learn More
Recruit our team to advise on information security planning.Learn more
Our team delivers exceptional service through honesty and accountability.Learn More
Our services meet requirements for many common regulations and standards.Learn More
Behavior-based detection with over 250 unique process behaviors to keep your business safe.Learn More
An intelligence feed to tag and funnel internet traffic into manageable patterns.Learn More
We integrate with over 100 of the most common and powerful tools to ensure threats are identified and eliminated.Learn More
The foundation for our services: a team dedicated to Research, Intelligence, and Offensive Tactics.Learn More
We’ve helped many organizations across all industries with achieving their compliance goals.
GLBA was enacted, in part, to allow financial services institutions to consolidate. Prior to GLBA, banks, securities firms, and insurance companies were required to remain separate as per the Glass-Steagall Act of 1933.
In addition to repealing the Glass-Steagall Act, GLBA includes requirements for financial services institutions to protect consumers' "nonpublic personal information.” This is provisioned through the "Financial Institutions Safeguards" section in GLBA that requires institutions to implement safeguards to achieve the following:
GLBA tasks a number of federal agencies with enforcement of GLBA. In addition to enforcement, GLBA requires that these agencies establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards. Some examples of governing bodies that have created a "Safeguards Rule" in accordance with section 501(b) of GLBA include:
FERPA (20 U.S.C. 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA gives parents certain rights with respect to their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are "eligible students."
Under FERPA, schools must generally provide:
Schools are required to redact and protect personally identifiable information about students not designated as directory information and prevent disclosure of information without appropriate consent or conditions.
FISMA was established in 2002 to protect the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
Agencies must adhere to a framework provides for the following:
The standards to achieve FISMA compliance are dictated by the following:
HIPAA was established in 1996 to protect health insurance coverage for individuals who lose or change jobs, and to establish standards for electronic healthcare transactions and national identifiers for providers, health insurance plans, and employers (“Covered Entities“).
While there are numerous sections to HIPAA, there are two that stand out regarding information security requirements:
Covered entities must develop policies and procedures governing the protection of PHI, implement physical safeguards to PHI, and implement technical controls to computer systems to protect PHI.
The HITECH Act was enacted as part of the American Recovery and Reinvestment Act of 2009. It dictates additional privacy and security requirements over the transmission of electronic health information (EPHI) and extends requirements to business associates of covered entities.
The HITECH Act includes a number of new or enhanced requirements:
Meaningful Use standards for security and privacy are required in compliance with the incentive programs, including Electronic Health Records (EHR) modules for the following:
Learn more about test procedures for Meaningful Use from the NIST.
The North American Electric Reliability Corporation (NERC) publishes Reliability Standards for the Bulk Electric Systems of North America. One section of this standard addresses Critical Infrastructure Protection (CIP). CIP is broken into nine distinct standards as follows:
In order to achieve and remain compliant with CIP, entities must execute a number of regular tasks, including:
The SOX Act was established as a reaction to numerous financial scandals (e.g., Enron, WorldCom) and is designed to increase corporate accountability and implement measures to defend against corporate and accounting fraud.
While there are numerous sections to the SOX Act, there are two that stand out regarding information security requirements:
Section 302 requires that officers of the company (CEO and CFO) sign off on quarterly and annual reports to, amongst other items, attest that the report is complete and accurate and to report on the effectiveness of internal controls.
Section 404 requires that an assessment of internal control over financial reporting be conducted and included as part of the annual report. While the assessment of controls focus on those relevant to financial reporting, the requisite level of control is dependent on IT functionality. Due to this relationship, the assessment must include an evaluation of the design and operational effectiveness of general IT controls.
Addressing SOX Section 404 will require the organization to incorporate information technology controls in a manner consistent with a control framework such as ISO 27001 or Control Objectives for Information and related Technology (COBIT).
ISO/IEC 27001, established in 2005, is an Information Security Management System standard that formally specifies a management system for bringing information security under explicit management control.
ISO/IEC 27002, established in 2005, is a best practice standard for Information Security. It consists of the following 12 main sections:
Learn more at their official websites:
The PCI DSS was created by the Security Standards Council (SSC) to provide a set of standards designed to protect cardholder information. The PCI DSS is enforced by VISA, MasterCard, American Express, Discover, and JC Brands.
The PCI DSS contains twelve major requirements that are broken down into over 250 sub-requirements:
Annual validation of these requirements varies depending on credit card transaction volume, however, any organization that processes, stores, or transmits credit card information is expected to adhere to the PCI DSS in its entirety.