Compliance

Go Beyond the Checkbox

Compliance is an essential component of security when working with sensitive data, or under one of the many national, industry, or global compliance schemes.

We make sure you have fast, functional compliance that doesn’t just check boxes, but truly enhances your security.

Security First

All of our services prioritize good security practices and leadership over simply checking boxes or reselling tech.

Hands On

Our team is filled with veteran technologists who have a deep understanding of running security operations and IT.

Pragmatic

We respect the realities of your business. Our recommendations balance maximum security with minimum disruption.

Creative

We use tools and techniques that significantly accelerate security processes, especially for environments in the cloud.

Compliance Services

COMPLIANCE IN THE CLOUD: OVERVIEW
The cloud is great for business. It is flexible, scalable, and reliable. In many ways, the cloud is more secure than on-prem equipment. However, on-prem security practices do not translate directly to the cloud. Anitian’s cloud security team helps bridge the gap and build secure, compliant cloud environments.
CLOUD MIGRATION ASSESSMENT
Moving to the cloud? Anitian can ensure that compliance and security move with you. Our Cloud Migration Assessment defines a roadmap for cloud security. Specifically, we can address compliance issues and help you leverage cloud services, like AWS IAM. This service includes:
  • Establishment of business needs and requirements
  • Identification of security needs
  • Determination of virtual private cloud (VPC) and availability zone needs
  • Assessment of access controls in place and determine new controls for cloud architecture
  • Assessment of data storage needs (S3, Glacier, etc.)
  • Assessment of encryption and key management needs
  • Analysis of AWS service usage needs (CloudWatch, RDS, CloudTrail, etc.)
  • Review of policies, procedures and standards applicable to AWS administration and security
  • Assessment of Internet and remote access needs
  • Assessment of compliance implications (PCI, HIPAA, FedRAMP, etc.)
  • Assessment of third party technologies (firewalls, IPS, anti-malware, etc.) in use, determining their suitability for migration to AWS
  • Development of recommended architecture and service usage to improve security and reliability
PCI COMPLIANCE FOR AWS

Anitian wrote the book on PCI for AWS. We can ensure that your AWS environment is not only PCI compliant, but also optimized for future growth. Services include:

CLOUD RAPID RISK ASSESSMENT

Most compliance standards require an annual risk assessment. Anitian’s Cloud Risk Assessment not only fulfills compliance requirements, but also helps to ensure that your cloud environment is tuned to effectively mitigate your most severe threats. Your Cloud Risk Assessment includes:

  • Formalized planning, research and preparation
  • A clear scope and context for risk
  • Asset inventory using the latest automation techniques
  • Interactive and collaborative discussions with technical custodians and business practice owners
  • Integrated technical testing, such as penetration testing, configuration assessment, and code review
  • Holistic framework that fuses empirical data and qualitative analysis
  • A Business Risk Intelligence Report that communicates complex concepts in simple business language
  • The Business Risk Intelligence Report includes a detailed action plan that defines practical remediation steps in alignment with the technical, operational, and financial realities of your business
  • Executive briefings and implementation assistance
CLOUD SECURITY ARCHITECTURE ASSESSMENT

The key to a secure cloud is a well-designed cloud. Cloud providers like AWS and Azure offer a massive assortment of capabilities. Properly used, these services can provide a strong, sustainable, and secure platform for your business. A Cloud Security Architecture Assessment analyzes how your AWS, Azure, or other cloud provider environment is designed. We work with your development teams to understand your business, and align architectural components with your long-term business, compliance, and security needs. This service includes:

  • Review of current or proposed cloud architecture
  • Discussion of performance and security needs
  • Review of current VPCs and availability zone usage
  • Assessment of access controls in place
  • Assessment of data storage practices (S3, Glacier, etc.)
  • Review of key management practices
  • Review of AWS service usage (CloudWatch, RDS, CloudTrail, etc.)
  • Review of policies, procedures and standards applicable to AWS administration and security
  • Assessment of Internet and remote access
  • Assessment of third party technologies (firewalls, IPS, anti-malware, etc.) in use
  • Identification of compliance requirements
  • Development of recommended architecture and service usage to improve security and reliability
PCI COMPLIANCE IN AWS

Anitian wrote the book on PCI compliance for AWS. Find out how to build and maintain compliance clouds here.

SECURE THE CLOUD

Anitian is the authority on building secure, compliant, cloud infrastructures. We have a massive library of templates, tools, and talent that can dramatically accelerate your cloud compliance efforts.

PAYMENT PCI DSS: OVERVIEW

PCI compliance is a must-have for any organization that stores, processes, or transmits payment card data. As a PCI Qualified Security Assessor Company (QSAC), Anitian can assess and formally certify your efforts to comply with the Payment Card Industry Data Security Standard (PCI DSS). We offer a comprehensive suite of PCI services, with an emphasis on companies moving their workloads to the cloud.

GAP ASSESSMENT

PCI Gap Assessments are the ideal way to launch your compliance efforts. Gap assessments quickly identify areas of non-compliance and highlight ways to correct these gaps.  

An Anitian PCI Gap Assessment includes:

  • Formalized planning, research, and preparation
  • Interactive and collaborative discussions
  • Validation of compliance scope
  • Review of segmentation efforts
  • Technical controls review
  • Policy and procedure review
  • Reporting and issue cataloging
  • Development of an Action Plan, providing you with a roadmap to PCI compliance
  • Post-assessment discussions, planning, and guidance
PCI ASSESSMENT WITH REPORT ON COMPLIANCE

A formal PCI Compliance Assessment provides an official stamp of compliance. As a Qualified Security Assessor Company (QSAC), Anitian is certified to validate PCI compliance for all merchants, service providers, and acquirers.

The PCI Compliance Assessment includes:

  • Formalized planning, research, and preparation
  • Validation of the scope of compliance
  • Validation of network diagrams and data flows
  • Assessment of applications, databases, and systems for required controls
  • Assessment of policies and procedures for alignment with requirements
  • Analysis of storage, transmission, and usage of cardholder data
  • Facilitated discussions with project stakeholders
  • Review of efforts to segment and isolate in-scope systems
  • Review of required penetration tests and scans
  • Completion of Report on Compliance documentation in accordance with the PCI Security Standards Council’s guidelines
  • “Real-time” quality assurance of assessment
  • Issuance of a Report on Compliance (ROC)
  • Issuance of an Attestation of Compliance (AOC)
  • Issuance of a Compliance Certificate and an Attestation Letter
  • Assistance with required reporting to acquirer or payment brands
SELF-ASSESSMENT QUESTIONNAIRE VALIDATION

For organizations that can self-certify, Anitian offers the additional reassurance of validating your Self-Assessment Questionnaire (SAQ) with a QSA. This is an ideal, low-cost alternative for Level 3 and Level 4 merchants.

This service includes:

  • Formalized planning, research, and preparation
  • Validation of the scope of compliance, data flows, and network diagrams
  • Review of questionnaire answers
  • Definition of and assistance with remediation efforts
  • Validation of compliance requirements
  • Signing the completed Self-Assessment Questionnaire
READINESS ASSESSMENT

A PCI Readiness Assessment is essentially a full PCI assessment, without a formal Report on Compliance. It is intended to be a prelude to a full assessment. Readiness assessments are ideal when you want to tighten up any potential compliance issues before a formal assessment. Furthermore, a Readiness Assessment can be converted into a formal assessment if desired. A PCI Readiness Assessment includes the following activities:

  • Facilitated interviews with appropriate project stakeholders
  • Review of relevant documentation
  • Identification of gaps and determination of remediation efforts
  • Development of a Readiness Assessment report, which includes an Action Plan providing you with a roadmap to compliance

This service includes a detailed review of the following:

  • Scope of the assessment and cardholder data environment (CDE)
  • Data flow and network architecture
  • Segmentation and scope reduction strategies
  • In-scope applications, databases, and devices which handle cardholder data
  • Policies, procedures, guidelines, and standards relevant to the latest version of the PCI DSS
  • Storage, processing and transmission of cardholder data
  • Technical controls (IDS, firewall, etc.)
  • Physical security controls
  • Penetration tests and vulnerability scans
  • Employee awareness and background checks
  • Authentication, authorization, and access controls
  • Software development and change management practices
  • Security and IT operations
REMEDIATION SERVICES

One of the benefits of working with Anitian is that we can go beyond assessments to help you implement your compliance remediation needs. We have hands-on technology integrators on staff who can design, implement, and document security controls. We have special expertise in building compliant cloud infrastructures in AWS and Azure. Our remediation services include implementation, optimization, and testing of the following:

  • Cloud infrastructure
  • Firewalls / UTM / NGFW
  • File integrity monitoring
  • SIEM / Log Management
  • Antivirus / Endpoint security
  • Encryption
  • Vulnerability management
  • System hardening
  • Configuration management (especially automated configuration management)
  • Incident response
  • IDS / IPS
  • Security awareness
  • Code review
  • Software development life-cycle (SDLC)
  • System auditing & access control
PENETRATION TESTING

Anitian’s Ring.Zero Security Testing Labs offer comprehensive internal and external penetration testing services specifically designed to meet the PCI DSS penetration testing requirement (Requirement 11.3 of PCI DSS version 3.2; the corresponding requirement is 11.4 in PCI DSS version 4.0).

COMPLIANCE SERVICES FOR LEVELS 3 and 4 MERCHANTS

For smaller merchants, achieving PCI compliance can be especially daunting. Anitian offers a collection of services designed to suit the needs of smaller, Level 3 and Level 4 merchants.

Our services include:

  • QSA consultation and preparation
  • SAQ validation
  • Penetration testing
  • ASV scanning
  • Remediation assistance
  • Policy development
  • Assistance with limiting scope
HEALTHCARE - HIPAA / HITRUST: OVERVIEW

Anitian’s healthcare practice delivers practical, pragmatic, business-friendly security that maximizes technology and process investments to close regulatory gaps, reduce risk and protect patients. Anitian offers a number of services that can be customized to meet the needs of healthcare providers and covered entities.

GAP ASSESSMENT

Begin your HIPAA or HITRUST compliance efforts with a gap assessment. This project identifies areas of non-compliance and establishes an action plan for compliance. Your Gap Assessment will include:

  • Facilitated interviews with appropriate project stakeholders
  • Review of relevant documentation
  • Identification of gaps and determination of remediation efforts
  • Development of a gap assessment report, including a description of our findings and an Action Plan that provides you with a roadmap to compliance

The Gap Assessment includes a detailed review of the following:

  • Relevant policies and procedures
  • Risk assessment and meaningful use documentation
  • Operational procedures and practices
  • Employee security awareness
  • Physical security
  • Technical controls
  • Data handling policies and practice
  • Privacy controls
  • Compliance reporting and tracking practices
  • Disaster recovery and business continuity
  • Business associate agreements (BAAs)
HIPAA RISK ASSESSMENT

HIPAA requires an annual risk assessment for all covered entities. Anitian’s Rapid Risk Assessment is an ideal way to not only perform your required assessment, but also improve information security. As part of the assessment, Anitian determines the baseline threats relevant to the in-scope environment, and catalogs, qualifies, and analyzes the risk those threats pose to your information security, IT operations, and reputation. This assessment also fulfills the HIPAA Meaningful Use risk assessment requirements, and is based upon NIST SP 800-66, the NIST guide to implementing the HIPAA Security Rule.

The HIPAA Risk Assessment includes the following activities:

  • Project Planning: Validate the scope of the project. Define the assessment context or “lens” for how assets will be analyzed. Establish schedules and rules of engagement. Document these issues in a project plan. Determine appropriate business and IT stakeholders.
  • Asset Validation: Catalog and validate the relevance of the in-scope assets and sampling strategies.
  • Stakeholder Interviews: Conduct a series of facilitated discussions with relevant project stakeholders. Capture key concerns and issues to assist with threat definition.
  • Ring.Zero Security Testing: Anitian will conduct a series of network, system, and application layer security tests on in-scope assets. Anitian uses the technical results from these tests to corroborate the threats and vulnerabilities. Anitian will determine the relevant sample of systems to test. Testing services may include:
    • Vulnerability scanning
    • Network and system penetration testing
    • Web application security testing
    • Configuration analysis
    • Log review (firewalls, SIEM, endpoint security, etc.)
  • Documentation Review: Anitian will conduct a high-level review of Client’s documented policies, procedures, practices, guidelines, data flows, network diagrams, architectural designs or any other relevant documentation. Specific issues Anitian will consider as part of this Risk Assessment include:
    • Clarity and relevance of content
    • Impact of documentation on identified threats and vulnerabilities
    • Alignment with operational and technical realities in the organization
  • Physical Security Review: Anitian will conduct a review of physical security controls of Client’s data center and offices.
  • Threat Identification: Using data from interviews and security testing, Anitian will define the potential threats that are applicable to the in-scope assets.
  • Control Maturity Assessment: Anitian will determine what security controls (people, processes, and technologies) are in place and how effective they are at mitigating the identified threats.
  • Risk Assessment: Anitian will establish risk rankings for each threat, based on vulnerabilities present, probability of exploitation, impact on the organization, and the maturity of existing controls. Determine what, if any, residual risk exists if control maturity is improved.
  • Recommendations: Anitian will define enhancements or improvements to controls that can mitigate or eliminate risk.
  • Action Plan: Analyze risk exposure and recommendations to develop a step-by-step Action Plan for reducing risk.
  • Reporting: Complete the Business Risk Intelligence Report and supporting Threat Matrix.
HIPAA PROGRAM REVIEW

A holistic review of your HIPAA, HITECH, or HITRUST compliance efforts in the context of your overall information security program. This assessment focuses on ways to optimize or mature your program. Our Program Review service includes:

  • Facilitated interviews with business process owners, system administrators, and compliance officers
  • Review of relevant documentation
  • Observation of business processes and practices
  • Assessment of the effectiveness of security controls and policies
  • Identification of any areas of concern
  • Development of a report that includes a description of our findings and an Action Plan that provides you with a roadmap to compliance

The Program Review includes a detailed review of the following:

  • Relevant policies and procedures
  • Risk assessment and meaningful use documentation
  • Operational procedures and practices
  • Employee security awareness
  • Physical security
  • Technical controls
  • Data handling policies and practices
  • Privacy controls
  • Compliance reporting and tracking practices
  • Disaster recovery and business continuity
  • Business associate agreements (BAAs)
READINESS ASSESSMENT

A comprehensive assessment of your HIPAA, HITRUST and/or HITECH compliance efforts to prepare you for any formal external audit. This assessment digs into the details of your program, identifying any areas of non-compliance. Your Readiness Assessment includes:

  • Facilitated interviews with appropriate project stakeholders
  • Review of relevant documentation
  • Identification of gaps and determination of remediation efforts
  • Development of a readiness assessment report, including a description of outstanding areas of non-compliance and an Action Plan that provides you with a roadmap to remediating these gaps

The Readiness Assessment includes a detailed review of the following:

  • Relevant policies and procedures
  • Risk assessment and meaningful use documentation
  • Operational procedures and practices
  • Employee security awareness
  • Physical security
  • Technical controls
  • Data handling policies and practices
  • Privacy controls
  • Compliance reporting and tracking practices
  • Disaster recovery and business continuity
  • Business associate agreements (BAAs)
SERVICE OPTION: HIPAA ADVISORY SERVICES

For organizations looking for expert consultation, Anitian offers flexible, open-ended arrangements to provide guidance, feedback, and insight into HIPAA, HITRUST, and HITECH compliance processes. Anitian’s consultants deliver pragmatic, practical advice tailored to the unique needs of your business. While consultation services can cover any topic, some of the assistance Anitian commonly provides includes:

  • Guidance on requirements
  • Assistance with limiting the scope of compliance
  • Technology recommendations and guidance
  • Review and feedback on policies, practices, and configurations
  • Assistance with compensating controls
  • Application design consulting
  • Assistance implementing required controls
  • Clarification of the expectation or intent of requirements
SERVICE OPTION: REMEDIATION SERVICES

One of the benefits of working with Anitian is that, in addition to being able to conduct compliance assessments, we also have a complete staff of technology integrators. This gives us a real “nuts & bolts” view of HIPAA, HITRUST, and HITECH compliance. We know exactly how to implement the controls, technologies, and practices necessary to meet these requirements. Our remediation services include implementation, optimization, and testing of the following:

  • Firewalls / UTM / NGFW
  • File integrity monitoring
  • SIEM / Log Management
  • Antivirus / Endpoint security
  • Encryption
  • Vulnerability management
  • Configuration management
  • Incident response
  • IDS / IPS
  • Security awareness
  • Software development life-cycle (SDLC)
  • System auditing and access control
ELECTIONS SECURITY: OVERVIEW

PROTECT THE VOTE

SCALABLE AND SECURE CLOUD FOR ELECTIONS AND CAMPAIGNS
World-class security to defend democracy from evolving threats

DEMOCRACY IN THE CLOUD

Election systems and campaigns are under attack. The AWS cloud offers elections departments and campaigns the ability to scale quickly in response to demand. Anitian and AWS have teamed up to offer a comprehensive suite of cybersecurity services specifically for election and campaign management systems, giving you the tools you need to defend these environments from attack, both foreign and domestic.

Services include:

  • Rapid Risk Assessment
  • Secure Architecture Development
  • Security Testing
  • On Demand Security Operations
  • Threat Intelligence
  • Data Integrity Monitoring
  • Digital Forensics and Incident Response
THREAT INTELLIGENCE

Today’s attackers have an arsenal of weapons and can attack every layer of your systems. Anitian can provide threat intelligence data on the types of attackers your environment is seeing.

A typical threat intelligence engagement includes:

  • Assessment of system, application, and data components
  • Review of log, event, and security data from the past 90 days
  • Normalization, analysis, and contextualization of your data against the latest threat intelligence
  • Hunting through the data for indicators of compromise, evidence of malware, and areas of extreme risk
  • Identification of threat actors and attack vectors
  • Research on the attackers identified
  • Delivery of a threat intelligence report to key stakeholders in your department or campaign
  • Collaboration with your team to fix any issues and correct vulnerabilities

The end result is you have actionable insights into the attackers and vulnerabilities that threaten your election or campaign systems.

SECURITY TESTING

Know before the breach. Anitian’s Ring.Zero team can conduct a comprehensive security test of election and campaign systems to identify potential vectors of attack or compromise.

  • Network and system penetration testing
  • Web application penetration testing
  • Code assessment
  • Infrastructure testing
  • Social engineering
  • Elections tampering testing
  • Red-team testing (this is where we act just like a hacking group and try everything!)

All security tests replicate the types of attacks hackers, especially state-sponsored attackers, will attempt. Detailed reports and Action Plans ensure your team fixes the issues before election day.

RAPID RISK ASSESSMENT

Get a clear idea of the threats your elections or campaign systems face. 

Your RiskNow® Rapid Risk Assessment includes:  

  • Formal project management using Anitian’s exclusive Vision Engagement Portal
  • Define the assets in scope (such as systems, data, or locations)
  • Interactive and collaborative discussions with system administrators, developers, and elections or campaign officials
  • For campaigns, a strategic discussion of threats with the candidate
  • Aggressive technical testing, such as penetration testing, configuration assessment, and code review to pinpoint weaknesses hackers might exploit
  • Gather threat intelligence on likely attackers
  • Assess risk based on both qualitative and quantitative factors
  • Develop an Executive Risk Intelligence Report that communicates risk in a clear, decisive manner
  • Develop an Action Plan to fix vulnerabilities and reduce risk
  • Executive or candidate briefings to spur intelligent, rational response to threat
DATA INTEGRITY MONITORING

Keep a close watch on critical data with Sherlock Cloud Security – Data Integrity Monitoring. This specialized security operations service deploys advanced database and file monitoring technologies to identify all changes and access to data. Our security operations team monitors for any suspicious access and reports potential attacks or abuse. Sherlock Cloud Security NEVER co-mingles election or campaign data. That means your data remains in your environment.

Your Data Integrity Monitoring service includes:

  • Aggressive data and file integrity monitoring using Anitian’s Sherlock SIEM platform
  • Real-time intrusion detection and response
  • Database usage monitoring
  • Access monitoring
  • Rapid incident response and digital forensics
  • Real-time autoblocking of attackers

Sherlock Data Integrity Monitoring is fully deployed in the AWS cloud. When the election cycle is over, monitoring can be scaled back.

CLOUD ARCHITECTURE ASSESSMENT

Moving systems to the cloud can be worry-free. An Anitian Cloud Architecture Assessment ensures your applications, databases, and systems are deployed, managed, and monitored in the best possible ways. Anitian works side-by-side with AWS to help architect, deploy, and secure all your systems.

Some of the reviews we can perform include:

  • Assess business, security, operational, performance, availability, and future growth needs with key stakeholders
  • Review of current VPCs and availability zone usage
  • Assessment of in-place access security and access controls
  • Assessment of data storage practices (S3, Glacier, etc.)
  • Review of key management practices
  • Review of AWS service usage (CloudWatch, RDS, CloudTrail, etc.)
  • Review of policies, procedures and standards applicable to AWS administration and security
  • Assessment of Internet and remote access
  • Review of DevOps practices with your development team
  • Assessment of software development life-cycle practices
  • Assessment of third party technologies (firewalls, SIEM, AMIs, etc.) in use
  • Scanning relevant systems or environments using Anitian’s Ring.Zero testing platform
  • Development of recommended architecture based on stated requirements and expected future growth
  • Assessment of risk using Anitian’s RiskNow® approach
  • Documentation of findings and recommendations in a peer-reviewed report
  • Presentation of results and discussion of recommendations with you and your team
  • Collaboration with your staff on remediation efforts

The end result is a cloud architecture that is resilient to attack, tampering, and abuse. Moreover, Anitian can certify your platform as compliant with NIST security standards.

DIGITAL FORENSICS AND INCIDENT RESPONSE (DFIR)

If you suspect a breach, Sherlock Cloud Security is on the job. We can provide complete IR and forensic support to preserve evidence, establish root cause, and prevent further attacks.

Typical incidents we can investigate include:

  • Data breach from hacking, malware, or ransomware
  • Employee, volunteer, or contractor theft, misuse, and blackmail
  • Nation-state espionage
  • Elections data theft or tampering
  • Mobile device theft, breach, or misuse
  • Insider threats
  • Suspicious access, usage, or leaks

Your IR engagement can include:

  • Acquisition of forensically sound images of affected systems
  • Acquisition of supporting log, event, and informational data
  • Interviews of relevant staff
  • Investigation of the incident, establishing the root cause
  • Attribution of the attack if possible, with subsequent investigation of involved threat actors
  • Establishment of a legal chain of custody
  • Storage of forensic images for up to 12 months
  • Collaboration with law enforcement and legal counsel
  • Assessment of the business risks and qualification of those risks
  • Development of an incident response report
  • Post incident analysis and recommendations to avoid similar incidents in the future
  • Testimony to legislative bodies or courts

The end result is empirical data and preserved evidence from a trusted, independent third party.

SOC ON DEMAND

During election cycles, you need more than secure systems; you need a whole team of incident responders. Anitian’s Sherlock Cloud Security delivers on-demand Security Operations for election and campaign systems. We can scale up to monitor systems during peak time periods, and then scale back when the election is over.

Anitian’s Sherlock Cloud Security NEVER co-mingles election or campaign data. That means your data remains in your environment.

Your Sherlock Cloud Security SOC includes:

  • Aggressive threat hunting, using Anitian’s Sherlock SIEM platform
  • Real-time intrusion detection and response at the network and endpoint
  • File and data integrity monitoring
  • Database usage monitoring
  • Access monitoring
  • Rapid incident response and digital forensics
  • Real-time autoblocking of attackers
  • Denial of Service protections
  • Real-time threat intelligence on hacking activities

Your On-Demand SOC is fully deployed in the AWS cloud. When the election cycle is over, monitoring can be scaled back.

ISO 27001: OVERVIEW

The ISO 27001 standard is an internationally recognized security and risk management framework. It includes structures for the design, implementation, and administration of an Information Security Management System (ISMS). Aligning your security program with ISO 27001 is an excellent way to demonstrate due diligence to partners and customers worldwide. Anitian has built our ISO 27001 practice around a practical, pragmatic approach. Our 21+ years of security expertise ensures that your ISO 27001 compliance process is smooth and efficient.

GAP ASSESSMENT

An ISO 27001 Gap Assessment is the ideal place to begin your compliance efforts. Our team quickly identifies areas of strength and gaps in your current security program.

Your Gap Assessment project includes:

  • Formalized planning, scheduling, and monitoring
  • Interactive and collaborative discussions with stakeholders
  • Detailed review of current policies, practices, and controls
  • Evaluation of current state and maturity of ISMS
  • Development of an Action Plan, which defines a clear roadmap to meeting ISO 27001 objectives
STAGE ONE – ISMS ASSESSMENT

Anitian begins with a comprehensive documentation review to ensure that your Information Security Management System (ISMS) aligns with ISO 27001. This phase is an ideal milestone between the Gap Assessment and a formal audit.

Your ISMS Assessment includes:

  • Formalized planning, scheduling, and monitoring
  • Detailed review of security policy documents
  • Evaluation of current state and maturity of ISMS
  • Recommended policy improvements or additions
  • Development of an Action Plan, which defines a clear roadmap to closing any gaps and moving on to the next stage
STAGE TWO – ISO 27001 ASSESSMENT

Once Anitian has validated that your program aligns with ISO 27001 requirements, we formally audit your organization and issue a certification report.

The ISO 27001 Assessment includes:

  • Formalized planning, scheduling, and monitoring
  • Validation of the scope of your ISMS
  • Detailed review of security policy documents
  • Observation of practices and procedures
  • Collaborative discussions with project stakeholders
  • Documentation of audit results, mapped to the ISO 27001 requirements
  • Development of a final assessment report, including an attestation of compliance and certification documentation
STAGE THREE – COMPLIANCE MONITORING

Once you have completed your ISO 27001 Assessment, Anitian conducts regular compliance monitoring assessments to ensure that you remain compliant. These assessments are designed to review any changes to your program and verify that existing practices are still being followed.

The Compliance Monitoring service includes:

  • Formalized planning, scheduling, and monitoring
  • Review of updated security policy documents
  • Revalidation of new practices or procedures
  • Collaborative discussions with relevant staff members
  • Development of updated certification materials
SERVICE OPTION: CONSULTATION SERVICES

For organizations looking for expert consultation, Anitian offers flexible, open-ended arrangements to provide guidance, feedback, and insight into the ISO 27001 compliance process. Anitian’s consultants all deliver pragmatic, practical advice tailored to the unique needs of your business. While consultation services can cover any topic, some of the assistance Anitian commonly provides includes:

  • Guidance on requirements
  • Assistance with limiting scope of compliance
  • Technology recommendations and guidance
  • Review and feedback on policies, practices, and configurations
  • Assistance with compensating controls
  • Application design consulting
  • Assistance with required control implementation
  • Clarification of the expectation or intent of requirements
SERVICE OPTION: REMEDIATION SERVICES

One of the benefits of working with Anitian is that, in addition to being able to conduct compliance assessments, we also have a complete staff of technology integrators. This gives us a real “nuts & bolts” view of ISO 27001 compliance. We know exactly how to implement necessary controls, technologies, and practices to meet ISO 27001 requirements. Our remediation services include implementation, optimization, and testing of the following:

  • Risk management program
  • Risk treatment criteria and methodology
  • Information security policy development
  • Development of an internal audit program
  • Firewalls / UTM / NGFW
  • File integrity monitoring
  • SIEM / Log Management
  • Antivirus / Endpoint security
  • Encryption
  • Vulnerability management
  • Configuration management
  • Incident response
  • IDS / IPS
  • Security awareness
  • Software development life-cycle (SDLC)
  • System auditing and access control
ADDITIONAL SERVICE OPTIONS

• PENETRATION TESTING

• WEBSITE APPLICATION PENETRATION TESTING

SERVICE ORGANIZATIONS: OVERVIEW

Service Organization Controls 2 (SOC 2) has become a must-have certification for SaaS and cloud providers. Anitian provides hands-on technical advisory services to guide you through the certification process. Our approach is pragmatic and collaborative, focusing on maximizing your existing technology investments. The key to SOC 2 certification is the Trust Service Principles. Anitian objectively and independently analyzes your business to determine which of the five areas are relevant.

GAP ASSESSMENT

The SOC 2 Gap Assessment is the ideal starting point. Our experts will review your current state and chart a path for rapid, pragmatic certification. Your SOC 2 Gap Assessment project includes:

  • Formalized planning, scheduling, and tracking of milestones
  • Definition of the system to be reviewed and its boundaries
  • Determination of which Trust Principles are relevant
  • Collaborative discussions with stakeholders to understand how your business works
  • Detailed review of current policies, practices, and controls
  • Mapping of current state to SOC 2 requirements and expectations
  • Cross-mapping to other relevant standards, such as PCI, ISO 27001, HIPAA, and Cloud Security Alliance (CSA) Cloud Control Matrix
  • Development of an action plan to map out how to achieve SOC 2 certification and the controls necessary
READINESS ASSESSMENT

When you are ready to start the audit process, Anitian performs a final check of all your controls and documents. Our team then renders an objective opinion on your readiness for the SOC 2 audit.   Your SOC 2 Readiness Assessment includes:

  • Formalized planning, scheduling, and tracking of milestones
  • Validation of system description and boundaries
  • Validation of the Trust Principles being reported
  • Collaborative discussions with stakeholders to understand how your business works
  • Detailed review of current policies, practices, and controls
  • Review of development (DevOps) practices (if appropriate)
  • Mapping of current state to SOC 2 requirements and expectations
  • Development of an Action Plan to map out how to achieve SOC 2 certification
  • Determination of the technical and procedural controls needed to achieve SOC 2 certification
SOC2 MANAGED COMPLIANCE IMPLEMENTATION PROGRAM

Anitian will provide a Senior Level subject matter expert (SME) with compliance engineering experience to lead your SOC 2 compliance efforts. This SME will work onsite to collaborate with your staff on the implementation of all necessary SOC 2 controls. The ultimate goal of this project is the successful implementation of security controls, policies, and practices to achieve SOC 2 compliance. Anitian will execute this project according to the following phases:

  • Validate the gaps from the previously performed assessment, inclusive of controls that are in progress for implementation or already implemented
  • Develop a project plan for the entire effort
  • Determine technical controls necessary and produce a detailed “Bill of Materials”
  • Develop a comprehensive set of network and system diagrams as well as data flows
  • Develop a security framework based on NIST and CSA where appropriate for satisfying SOC 2 criteria
  • Evaluate the use of external tools for evidence gathering
  • Build a map of all policies necessary and assemble templates
  • Develop Implementation Plan with remediation tasks and timelines
  • Implementation of required technical controls
  • Implementation of administrative controls
  • Review, configure and optimize the existing controls
  • Develop operational practices for controls
  • Write policies to support the technical and administrative controls
  • Collaboration with internal staff on change and configuration management
  • Knowledge transfer and training for Client for monitoring and administration of controls
  • Alignment of security framework with intent to prepare for audit
  • Review with ISO the audit process and procedures
  • Administer client through audit. Client will choose their own audit firm. Anitian can provide audit firms if interested.
  • Respond to remediation efforts
  • Managed Security Services for ongoing support of the SOC 2
SOC2 REMEDIATION

Anitian’s 20+ years of security expertise guides the design and implementation of your SOC 2 controls. Your SOC 2 remediation project can include:

  • Conducting penetration tests or source code reviews
  • Designing controls to maximize your technical investments
  • Writing procedures, policies, and other supporting documentation
  • Implementing, documenting, and managing security controls
SERVICE OPTION: CONSULTATION SERVICES

For organizations looking for expert consultation, Anitian offers flexible, open-ended arrangements to provide guidance, feedback, and insight into the SOC 2 compliance process. Anitian’s consultants deliver pragmatic, practical advice tailored to the unique needs of your business.

While consultation services can cover any topic, some of the assistance Anitian commonly provides includes:

  • Guidance on requirements
  • Assistance with limiting scope of compliance
  • Technology recommendations and guidance
  • Review and feedback on policies, practices, and configurations
  • Assistance with compensating controls
  • Application design consulting
  • Assistance with implementing required controls
  • Clarification of the expectation or intent of requirements
SERVICE OPTION: REMEDIATION SERVICES

One of the benefits of working with Anitian is that, in addition to being able to conduct compliance assessments, we also have a complete staff of technology integrators. This gives us a real “nuts & bolts” view of SOC 2 compliance. We know exactly how to implement necessary controls, technologies, and practices to meet SOC 2 requirements.   Our remediation services include implementation, optimization, and testing of the following:

  • Firewalls / UTM / NGFW
  • File integrity monitoring
  • SIEM / Log Management
  • Antivirus / Endpoint security
  • Encryption
  • Vulnerability management
  • Configuration management
  • Incident response
  • IDS / IPS
  • Security awareness
  • Software development life-cycle (SDLC)
  • System auditing & access control
ADDITIONAL SERVICE OPTIONS

• PENETRATION TESTING

• WEBSITE APPLICATION PENETRATION TESTING

FINANCIAL - GLBA / FFIEC: OVERVIEW

Financial services are under constant attack. The rise of cyber-criminal organizations worldwide has banks, credit unions, brokerages and investors on alert. Combine this dangerous landscape with a tough regulatory environment, and the value of effective, strong security that preserves confidentiality, integrity and availability becomes clear. Anitian has built a financial services practice that delivers reliable, practical, results-oriented services and solutions for financial services organizations of all types.
RISK ASSESSMENT

Anitian can complete a risk assessment to meet the Federal Financial Institutions Examination Council (FFIEC) requirements. This assessment will align with the FFIEC guidance for risk assessment and use the official Cybersecurity Assessment Tool resources as listed on their website.

This service consists of the following general tasks:

  • Project Planning: Validate the scope of the project. Review FFIEC documents and requirements. Schedule on-site work and meetings. Assemble relevant resources.
  • Asset Validation: Catalog and validate the scope of this assessment and any sampling and categorization methods used.
  • Stakeholder Interviews: Conduct a series of facilitated discussions with relevant project stakeholders. Capture key concerns and issues to assist with threat definition.
  • Technical Controls Review: Anitian will review existing third-party and internal technical scans and assessments to assess the effectiveness and maturity of security controls. Anitian does not conduct any testing as part of this service; however, if there are any areas that require focused testing, Anitian will collaborate with your staff on a reasonable approach, and perform this testing under Anitian’s hourly advisory service.
  • Documentation Review: Anitian will review Client’s documented policies, procedures, practices, guidelines, data flows, network diagrams, architectural designs or any other relevant documentation. Specific issues Anitian will consider as part of this Risk Assessment include:
    • Clarity and relevance of content
    • Impact of documentation on identified threats and vulnerabilities
    • Alignment with operational and technical realities in the organization
  • Physical Security Review: Anitian will conduct a review of physical security controls of Client’s data center and offices.
  • Threat Identification: Using data from interviews and security testing, Anitian will define the potential threats that are applicable to the in-scope assets.
  • Control Maturity Assessment: Anitian will determine what security controls (people, processes, and technologies) are in place and how effective they are at mitigating the identified threats.
  • Risk Assessment: Anitian will establish risk rankings for each threat, based on vulnerabilities present, probability of exploitation, impact on the organization, and the maturity of existing controls. Determine what, if any, residual risk exists if control maturity is improved.
  • Complete Inherent Risk Profile: Anitian will complete the FFIEC’s Inherent Risk Profile assessment using the materials provided on their website.
  • Complete Cybersecurity Maturity Report: Anitian will use the FFIEC Cybersecurity Reporting Tool to assess Client’s risk on all domains.
  • Risk Briefing: After Anitian has completed and delivered the Inherent Risk Profile and Cybersecurity Maturity Report, Anitian will conduct a one to two hour risk briefing with relevant stakeholders to gauge the Client’s risk tolerances. The results of this will be documented in the Action Plan.
  • Complete Action Plan: Based on the discussions in the Risk Briefing, Anitian will complete an Action Plan to define areas where Client can improve security controls or effectiveness and reduce risk.
  • Post Project Support: Anitian will supply up to 20 hours of post-project support to edit materials or assist Client with submitting reports to relevant regulatory bodies.
CONSULTATION SERVICES

For organizations looking for expert consultation, Anitian offers flexible, open-ended arrangements to provide guidance, feedback, and insight into the FFIEC/GLBA compliance process. Anitian’s consultants all deliver pragmatic, practical advice tailored to the unique needs of your business.

While consultation services can cover any topic, some of the assistance Anitian commonly provides includes:

  • Guidance on requirements
  • Assistance with limiting scope of compliance
  • Technology recommendations and guidance
  • Review and feedback on policies, practices, or configurations
  • Assistance with compensating controls
  • Application design consulting
  • Assistance implementing required controls
  • Clarification of the expectation or intent of requirements
OPTIONAL SERVICE: REMEDIATION SERVICES

One of the benefits of working with Anitian is that in addition to being able to conduct compliance assessments, we also have a complete staff of technology integrators. This gives us a real “nuts & bolts” view of FFIEC/GLBA compliance. We know exactly how to implement necessary controls, technologies, and practices to meet FFIEC/GLBA requirements. Our remediation services include implementation, optimization, and testing of the following:

  • Firewalls / UTM / NGFW
  • File integrity monitoring
  • SIEM / Log Management
  • Antivirus / Endpoint security
  • Encryption
  • Vulnerability management
  • Configuration management
  • Incident response
  • IDS / IPS
  • Security awareness
  • Software development life-cycle (SDLC)
  • System auditing & access control
ADDITIONAL SERVICE OPTIONS

• PENETRATION TESTING

• WEB APPLICATION PENETRATION TESTING

GOVERNMENT FISMA / DFARS: OVERVIEW

The US Federal Information Security Management Act (FISMA) is a requirement for any federal entity, as well as vendors and sub-contractors of the federal government. Anitian can ensure that your organization meets all the requirements of FIPS 199, FIPS 200 and NIST SP 800-53 Revision 4. Furthermore, Anitian offers comprehensive support for compliance with the DFARS, or NIST 800-171, requirements.

FISMA GAP ASSESSMENT

A FISMA gap assessment assesses your current state against the National Institute of Standards and Technology Special Publication 800-53 Revision 4 (NIST SP 800-53) for compliance with the Federal Information Security Management Act of 2002. This high-level review identifies gaps in your compliance and establishes a clear action plan to remedy those gaps. Your FISMA Gap Assessment includes:

  • Establishment of the scope of compliance
  • FIPS 199 categorization, FIPS 200 and agency control selection
  • Facilitated interviews with relevant project stakeholders
  • Review of relevant documentation
  • Identification of compliance gaps and determination of remediation efforts
  • Performance of appropriate technical testing (penetration testing, code reviews, etc.)
  • Development of a gap assessment report, including a description of our findings and an Action Plan that provides you with a roadmap to FISMA compliance

Anitian can also work alongside your team to implement required controls and complete a Security Assessment Plan (SAP) and other required documents.

DFARS GAP ASSESSMENT

While FISMA applies to vendors and subcontractors of the government, defense contractors and subcontractors must also contend with DFARS, or the Defense Federal Acquisition Regulation Supplement. DFARS mandates 109 different controls from the NIST SP 800-171 document. Compliance deadline for affected vendors and subs is December 31, 2017. Anitian’s DFARS Gap Assessment puts you on the path to meeting these requirements. A DFARS Gap Assessment includes:

  • Establishment of the scope of compliance
  • Facilitated interviews with relevant project stakeholders
  • Review of relevant documentation
  • Assessment of controls
  • Identification of gaps and determination of remediation efforts
  • Development of a gap assessment report, including a description of our findings and an Action Plan that provides you with a roadmap to DFARS compliance

Anitian can also work alongside your team to implement required controls to meet requirements.

ADVISORY SERVICES

For organizations looking for expert consultation, Anitian offers flexible, open-ended arrangements to provide guidance, feedback, and insight into the NIST compliance process. Anitian’s consultants all deliver pragmatic, practical advice tailored to the unique needs of your business. While consultation services can cover any topic, some of the assistance Anitian commonly provides includes:

  • Guidance on requirements
  • Assistance with limiting scope of compliance
  • Technology recommendations and guidance
  • Review and feedback on policies, practices, or configurations
  • Assistance with compensating controls
  • Application design consulting
  • Assistance with implementing required controls
  • Clarification of the expectation or intent of requirements
SUPPORTING SERVICES

Anitian can provide a suite of supporting services to meet FISMA and/or DFARS requirements. These include:

  • Penetration testing
  • Code review
  • Technology integration
  • Security program development
  • Configuration assessment
  • Cloud Architecture Assessment
  • Managed security services
REMEDIATION SERVICES

One of the benefits of working with Anitian is that, in addition to being able to conduct compliance assessments, we also have a complete staff of technology integrators. This gives us a real “nuts & bolts” view of FISMA and DFARS compliance. We know exactly how to implement necessary controls, technologies, and practices to meet FISMA/DFARS requirements. Our remediation services include implementation, optimization, and testing of the following:

  • Firewalls / UTM / NGFW
  • File integrity monitoring
  • SIEM / Log Management
  • Antivirus / Endpoint security
  • Encryption
  • Vulnerability management
  • Configuration management
  • Incident response
  • IDS / IPS
  • Security awareness
  • Software development life-cycle (SDLC)
  • System auditing & access control
READINESS ASSESSMENT

Once your FISMA or DFARS compliance program is in place, Anitian can provide a final readiness assessment. This assessment digs deeper than a gap assessment, to assess not only the existence of controls, but also their effectiveness.

A FISMA/DFARS Readiness Assessment includes:

  • Verification of the scope of compliance
  • FIPS 199 categorization, FIPS 200 and agency control selection
  • Facilitated interviews with relevant project stakeholders
  • Review of relevant documentation
  • Identification of compliance gaps and determination of remediation efforts
  • Performance of appropriate technical testing (penetration testing, code reviews, etc.)
  • Development of a readiness assessment report, including a description of outstanding areas of noncompliance and an Action Plan that provides you with a roadmap to remediating these gaps

Anitian can also work alongside your team to implement required controls and complete a Security Assessment Plan (SAP) and other required documents.

CREDIT DATA - EI3PA: OVERVIEW

An Experian Independent Third-Party Assessment (EI3PA) is a necessity for any organization that handles credit data for Experian. Rather than build a unique standard, Experian chose to leverage the Payment Card Industry’s Data Security Standard (PCI DSS) for protection of cardholder data, applying those same requirements to Experian credit data. Because Anitian is a Qualified Security Assessor Company (QSAC) for PCI compliance, Anitian is also authorized to perform formal EI3PAs. With decades of experience in compliance and information security, Anitian is the ideal choice to meet EI3PA compliance requirements.

GAP ASSESSMENT

EI3PA Gap Assessments are the ideal place to begin your compliance efforts. Gap Assessments quickly identify the areas of non-compliance and point out ways to correct those issues. An Anitian EI3PA Gap Assessment includes:

  • Formalized planning, research, and preparation
  • Interactive and collaborative discussions
  • Review of the scope of compliance
  • Review of segmentation efforts
  • Technical controls review
  • Policy and procedure review
  • Reporting and issue cataloging
  • Formulation of an Action Plan, providing you with a roadmap to achieving compliance
  • Post-assessment discussions, planning, and guidance
EI3PA ASSESSMENT & REPORT ON COMPLIANCE (ROC)

A formal EI3PA provides an official stamp of compliance. As a Qualified Security Assessor Company (QSAC), Anitian is certified to validate EI3PA compliance for all organizations that handle credit data. An Anitian EI3PA Assessment & Report on Compliance includes:

  • Formalized planning, research, and preparation
  • Establishment of the scope of compliance
  • Review of network diagrams and data flows
  • Analysis of applications, databases, and systems for required controls
  • Assessment of policies and procedures for alignment with requirements
  • Analysis of storage, transmission, and usage of payment card data
  • Performance of collaborative facilitated discussions
  • Review of efforts to segment and isolate in-scope systems
  • Review of required penetration tests and scans
  • Completion of Report on Compliance documentation in accordance with the PCI Security Standards Council’s guidelines
  • “Real-time” quality assurance of assessment
  • Issuance of Report on Compliance
  • Issuance of Attestation of Compliance
  • Issuance of a Compliance Certificate and Attestation Letter
  • Assistance with required reporting agencies
QSA CONSULTANT SERVICES

For organizations looking for expert QSA consultation, Anitian offers flexible, open-ended arrangements to provide guidance, feedback, and insight into the EI3PA compliance process. Anitian’s QSAs all deliver pragmatic, practical advice tailored to the unique needs of your business. While QSA consultation services can cover any topic, Anitian’s QSA Consulting Services commonly include:

  • Guidance on requirements
  • Assistance with limiting the scope of compliance
  • Technology recommendations and guidance
  • Review and feedback on policies, practices, or configurations
  • Assistance with compensating controls
  • Application design consulting
  • Assistance with implementing required controls
  • Clarification of the expectation or intent of requirements
SERVICE OPTION: REMEDIATION SERVICES

One of the benefits of working with Anitian is that, in addition to being able to conduct QSA assessments, we also have a complete staff of technology integrators. This gives us a real “nuts & bolts” view of EI3PA compliance. We know exactly how to implement necessary controls, technologies, and practices to meet EI3PA requirements. Our Remediation Services include implementation, optimization, and testing of the following:

  • Firewalls / UTM / NGFW
  • File integrity monitoring
  • SIEM / Log Management
  • Antivirus / Endpoint security
  • Encryption
  • Vulnerability management
  • Configuration management
  • Incident response
  • IDS / IPS
  • Security awareness
  • Software development life-cycle (SDLC)
  • System auditing and access control
ADDITIONAL SERVICE OPTIONS

• PENETRATION TESTING

• WEBSITE APPLICATION PENETRATION TESTING

Learning Resources

  • Presentation: Security as Code
  • Paper: Communicating Risk to Leadership
  • eBook: The Case for Security in the Cloud