Industry Compliance
Be meticulous. Limit exposure.
Providing full life-cycle industry compliance.
At Carson & SAINT, we help ensure your organization’s continuous compliance with laws relating to PCI, HIPAA, SOX, FERPA, FFIEC, FISMA, GLBA, NERC, and GDPR.
As a PCI Security Standards Council approved scanning vendor, Carson & SAINT is your trusted partner for vulnerability management and risk assessment.
Providing full-life-cycle industry compliance.
At Carson & SAINT, we help ensure your organization’s continuous compliance with laws relating to PCI, HIPAA, SOX, FERPA, FFIEC, FISMA, GLBA, NERC, and GDPR. As a PCI Security Standards Council approved scanning vendor, Carson & SAINT is your trusted partner for vulnerability management and risk assessment.
PAYMENT CARD INDUSTRY COMPLIANCE
Carson & SAINT is an approved scanning vendor of the PCI Security Standards Council. PCI compliance requires both vulnerability assessment and penetration testing. SAINT Security Suite provides integrated vulnerability assessment and penetration testing, making it the ideal solution for PCI compliance.
Our vulnerability assessment reports let you see whether your network is compliant with PCI Security Standards Council requirements at a glance. We also provide PCI services, including internal and external network vulnerability scans, penetration testing, and attestation reports. SAINT vulnerability assessments provide proactive security for medical data.
PAYMENT CARD INDUSTRY COMPLIANCE
Carson & SAINT is an approved scanning vendor of the PCI Security Standards Council. PCI compliance requires both vulnerability assessment and penetration testing. SAINT Security Suite provides integrated vulnerability assessment and penetration testing, making it the ideal solution for PCI compliance.
Our vulnerability assessment reports let you see whether your network is compliant with PCI Security Standards Council requirements at a glance. We also provide PCI services, including internal and external network vulnerability scans, penetration testing, and attestation reports. SAINT vulnerability assessments provide proactive security for medical data.
HIPAA Compliance
Enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA) mandates that companies protect the medical information they collect from patients. The law affects insurers, hospitals, laboratories, doctor’s offices, and the pharmaceutical industry. It also applies to employers who keep employee health data for insurance purposes.
HIPAA also mandates that organizations conduct an assessment of potential risks and vulnerabilities to systems that maintain electronic protected health information (ePHI) data and that they implement security measures sufficient to reduce risks and vulnerabilities to that data. The security rule in HIPAA focuses on administrative, technical, and physical safeguards specifically as they relate to ePHI.
Two key principals in the security management process are risk analysis and risk management:
Risk Analysis
164.308(a)(1)(ii)(A) R
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity.
Risk Management
164.308(a)(1)(ii)(B) R
Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a) (above). Also, as stated in the DRAFT HIPAA Security Standards: Guidance on Risk Analysis, dated May 7, 2010:
Organizations must identify and document reasonably anticipated threats to e-PHI. (See 45 C.F.R. §§ 164.306(a)(2) and 164.316(b)(1)(ii).) Organizations may identify different threats that are unique to the circumstances of their environment. Organizations must also identify and document vulnerabilities which, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of e-PHI. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)
Sarbanes-Oxley Compliance
Congress passed the Sarbanes-Oxley Act (SOX) in 2002 largely to protect investors by improving the accuracy and reliability of corporate disclosures. It requires management to certify and demonstrate that they have established security controls to safeguard financial information. While beneficial to the investing public, SOX requires thousands of companies to ensure their operations are compliant or face penalties.
Carson & SAINT’s SOX scanning policy and SOX report template support financial organizations’ internal risk-management strategies by facilitating provisions in Section 404 of the Sarbanes-Oxley Act, which require an annual management report on internal controls effectiveness for financial reporting and that external auditors confirm management’s assessment.
Our reports provide customers with excellent records for documenting SOX compliance and provide a historical perspective of a network’s security picture.
DOWNLOAD:
Example SOX Vulnerability Assessment Report
Sarbanes-Oxley Compliance
Congress passed the Sarbanes-Oxley Act (SOX) in 2002 largely to protect investors by improving the accuracy and reliability of corporate disclosures. It requires management to certify and demonstrate that they have established security controls to safeguard financial information. While beneficial to the investing public, SOX requires thousands of companies to ensure their operations are compliant or face penalties.
Carson & SAINT’s SOX scanning policy and SOX report template support financial organizations’ internal risk-management strategies by facilitating provisions in Section 404 of the Sarbanes-Oxley Act, which require an annual management report on internal controls effectiveness for financial reporting and that external auditors confirm management’s assessment.
Our reports provide customers with excellent records for documenting SOX compliance and provide a historical perspective of a network’s security picture.
DOWNLOAD:
Example SOX Vulnerability Assessment Report
Family Educational Rights and Privacy Act
FERPA (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
Our repeatable process combines FERPA requirements with the NIST Cybersecurity Framework to offer a robust cybersecurity assessment of your institution. Use the SAINT Security Suite to identify weaknesses and vulnerabilities in your systems and networks.
Federal Financial Institutions Examination Council
To comply with FFIEC, financial organizations must abide by a list of online banking technology standards. They must conduct regular comprehensive assessments of internal environments primarily to identify any potential security weaknesses or possible threats. Complying with the various FFIEC guidelines requires a comprehensive IT security policy, including encompassing policies and procedures.
The FFIEC released its Cybersecurity Assessment Tool (CAT) in June 2015. It provides a framework that helps you identify risks, providing a repeatable and measurable process for institutions to measure cybersecurity preparedness over time. The assessment results allow you to prioritize risks, develop an action plan to mitigate the highest and most probable risks. With cyber threats rapidly evolving, a continuous process of risk assessment, identification and mitigation is critical.
At Carson and SAINT, we will assist you with using the CAT tool, prioritizing risks, and developing an action plan based on the CAT findings. We offer FFIEC compliance assistance, including your annual security and compliance risk assessments, vulnerability assessment scanning, and penetration testing using the SAINT Security Suite. Our experts develop policies and procedures such as IT security policies, disaster recovery, business continuity, and vendor management policies and procedures.
Federal Information Security Management Act
FISMA was introduced to reduce the security risk to federal information and data while managing federal spending on information security. Originally designed to establish guidelines and security standards for federal agencies, it evolved to cover companies with contracts to work with federal agencies as well as state agencies that manage federal programs such as Medicare, Medicaid, unemployment insurance.
FISMA is designed to ensure that agencies consistently reassess risk and implement security measures based on risk level. This data security guidance is set by FISMA and the National Institute of Standards and Technology (NIST).
Carson & SAINT provides independent FISMA compliance evaluations. We bring years of experience performing FISMA independent evaluations/audits on behalf of the Office of the Inspectors General. Our SAINT Security Suite provides a FISMA vulnerability scan to support securing your systems and networks from threats and vulnerabilities.
Gramm Leach Bliley Act Compliance
The 2001 Gramm Leach Bliley Act (GLBA) requires financial institutions to take considerable precautions to keep consumer records private and secure. While many firms have been working to comply with GLBA, regular SAINT network scans are an important part of ensuring long-term compliance.
As a proactive and preventative tool, SAINT Security Suite should be used to scan and evaluate the systems in place at many financial firms. Among the benefits SAINT offers are:
- Customizable configuration options: SAINT Security Suite allows administrators to set the time and intervals of scans, ensuring networks are checked regularly.
- Fast fixes: When vulnerabilities are detected, SAINT Security Suite will lead network administrators to the fastest fixes for them.
- Demonstrate GLBA compliance: SAINT’s superior reporting capability can provide an audit trail for regulators and legal experts, making it easier to demonstrate compliance with regulatory requirements.
DOWNLOAD:
Example NERC CIP Vulnerability Assessment
North American Electric Reliability Corporation Compliance
The North American Electric Reliability Corporation (NERC) is a not-for-profit organization whose mission is “to ensure the reliability of the bulk power system in North America.” All bulk power systems must comply with approved NERC standards. NERC has approved numerous standards, including CIP-010-2 — Cyber Security — Configuration Change Management and Vulnerability Assessments.
North American Electric Reliability Corporation Compliance
The North American Electric Reliability Corporation (NERC) is a not-for-profit organization whose mission is “to ensure the reliability of the bulk power system in North America.” All bulk power systems must comply with approved NERC standards. NERC has approved numerous standards, including CIP-010-2 — Cyber Security — Configuration Change Management and Vulnerability Assessments.
DOWNLOAD:
Example NERC CIP Vulnerability Assessment
General Data Protection Regulation (EU)
The 2016/679 GDPR is a regulation in EU law on data protection and privacy for all individual citizens of the EU and the European Economic Area (EEA). It addresses the transfer of personal data outside the EU and EEA areas. The GDPR primarily aims to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Our team performs gap assessments, business impact analyses, risk management, strengths and weaknesses identification, and mitigation strategies. Saint Security Suite allows you to pinpoint vulnerabilities in your network and report on these to include in your mitigation strategy.