From HIPAA to CJIS, EDTS has you covered. We understand how intimidating and complex compliance requirements and regulations can be. So our certified experts and auditors help you streamline the process, improve your preparedness, and reduce your risk. And we’ll help you understand and address the administrative, physical and technical functions to ensure your compliance.
Standardized policies and procedures designed to implement stronger access controls, contingency planning and employee awareness training.
An evaluation to establish restricted facility access to protect sensitive client data.
EDTS evaluates your current systems for compliance requirements.
The Federal Financial Institutions Examination Council (FFIEC) requires financial institutions and their service providers to maintain effective security compliance management programs which provide availability of systems, confidentiality of data or systems, accountability and assurance. FFIEC standards call for financial institutions to collect, retain and review logs and audit trails in such security and control areas as user access rights administration, firewall policy, and remote access.
In a general memo released soon after the Gramm-Leach-Bailey Act (GLBA) became law, the Federal Deposit Insurance Corporation (FDIC) described to their examiners that “the (GLBA) guidelines require each institution to implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the institution and the nature and scope of its activities. While all parts of the institution are not required to implement a uniform set of policies, all elements of the information security program must be coordinated.”
The National Institute of Standards and Technology Risk Management Framework is set forth in NIST Special Publication 800-37 and transforms the traditional Certification & Accreditation (C&A) process into the six-step Risk Management Framework (RMF). The RMF provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle.
The Center for Internet Security (CIS) Top Twenty (20) Critical Security Controls for Cyber Defense advocate an “offense must inform defense approach.” Unlike many other benchmarks, standards and frameworks, many of which are directed at regulatory compliance provisions, the Twenty (20) Critical Security Controls represent essential safeguards and best practices for ensuring the confidentiality, integrity and availability of an organization’s critical systems resources.
The Centers for Medicare & Medicaid Services (CMS) Information Security Acceptable Risk Safeguards (ARS), CMS Minimum Security Requirements (CMSR) contain a broad set of required security standards based on the National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 3, Security and Privacy Controls for Federal Information Systems and Organizations, dated April 2013, as well as additional standards based on CMS policies, procedures, and guidance, other federal and nonfederal guidance resources and industry leading security practices. All CMS employees, contractors, subcontractors, and their respective facilities supporting CMS business missions and performing work on behalf of CMS shall observe the baseline policy statements described in the CMS Policy for the Information Security and Privacy Program and the complementary controls defined in the ARS as the minimum security requirements for all CMS information and information systems.
As part of the requirements, HIPAA states that a security management process must exist in order to protect against “attempted or successful unauthorized access, use, disclosure, modification, or interference with system operations.” Further, an organization must be able to monitor, report and alert on attempted or successful access to systems and applications that contain sensitive patient information.
National Institute of Standards and Technology (NIST) 800-53 Revision 4 addresses new cyber security threats that have emerged over the years. It ensures the systems that are under continuous monitoring are trustworthy to begin with. New security controls and enhancements have been developed to address many areas like mobile and cloud computing, insider threats and supply chain security. The number of controls and enhancements increased from more than 600 to well over 800.
The ISMS is an overarching management framework through which the organization identifies, analyzes and addresses its information security risks. The standard covers all types of organizations, all sizes and all industries and markets. The code of practice provides best practice recommendations on information security management for use by those responsible for initiating, implementing or maintaining information security management systems (ISMS).
According to the Payment Card Industry Data Security Standard (PCI-DSS), an organization must be able to monitor, report and alert on attempted or successful access to systems, maintain data security for those applications that contain sensitive cardholder data, and collect and monitor event logs.
The National Credit Union Administration (NCUA) is an independent federal agency that requires U.S. federally-insured credit unions to design and implement an information security program to control identified risks, commensurate with the sensitivity of the information. Among the considerations must be access controls on member information systems and encryption of electronic member information, including while in transit or in storage on networks or systems.