Comprehensive Security Assessments

IT Security Compliance regulations and guidelines (GLBA, NCUA, FFIEC, HIPAA, etc.) require an organization to conduct independent testing of Information Security Programs to identify vulnerabilities that could result in unauthorized disclosure, misuse, alteration, or destruction of confidential information, including Non-Public Personal Information (NPPI). An Information Security Program must include safeguards designed to protect against both technical and human vulnerabilities. Because the security program incorporates more than just the network, best practice guidelines based on international standards, such as ISO 27001, COBIT 4, etc., suggest that testing should include more than a simple network vulnerability scan. The recommended Best Practices methodology is a Security Assessment that incorporates testing of both the technical and the human (people) vulnerabilities related to the information security program.

The TraceSecurity Comprehensive Security Assessment was designed specifically to meet the regulatory requirements and address the needs of organizations of all sizes. The Comprehensive Security Assessment includes a baseline assessment (onsite or remote) with customer-driven recurring reassessments managed through TraceCompliance Manager software. Unlike traditional customer-executed manual scans, which often include false-positive results and lack any third-party expert validation, TSCM 5.0 lets your organization produce third-party expert-verified and false-positive-tested security assessments at any time. Additionally, you now have complete control over security assessment scheduling, including the ability to test the network daily, eliminating the resource-intensive task of planning and coordinating spot-check assessments with a vendor. Each Comprehensive Security Assessment includes the following:

People and Processes

  • In-depth Regulatory and/or Best Practice Review
  • Review of existing Security Policies
  • Policy Awareness Review
  • Dumpster Diving (onsite)
  • Document/Media/Data Protection Review

Technology

  • Internal and External Network Vulnerability Assessment
  • False-Positive Reduction Assistance
  • Third-Party/Vendor Security Analysis
  • Network Topology Review
  • VPN and Remote User Connections
  • Security Countermeasure Review
  • System OS and Service Fingerprinting and Classification
  • Phone Line Review (War Dialing)
  • Administrator Privileges Compliance Testing

Reports

  • Executive/Board Level Summary
  • Technical Staff Reports
  • Regulatory Compliance Report
  • Core Engineering Team Review of results
  • Offsite Consultation and Remediation Strategy

Security Assessments performed by an independent third party are required by the various regulations. However, these assessments only measure the security of the organization at one point in time. Because of the organization’s constantly changing environment (new vulnerabilities, new employees, new/modified regulations, etc.), it is necessary for the organization to continuously assess its Information Security program. TraceCompliance Manager is a centralized, on-demand, web-based modular solution that facilitates a continuous information security program. TraceSecurity Compliance Manager is a software-as-a-service (SaaS) solution that eliminates the need to install or maintain the software on the organization’s systems. Compliance Manager provides a seamless transition from the TraceSecurity Security Assessment to an in-house Self Assessment program. The Comprehensive Security Assessment includes use of all of the TraceSecurity Compliance Manager (TSCM) software modules outlined below.

TSCM Modules and Benefits

  • TraceAssess: Allows the organization to conduct unlimited, on-demand network vulnerability scanning.
  • TraceAlert: Vulnerability and patch alerting system specific to the company’s hardware and software.
  • TraceComply: Allows the organization to facilitate an ongoing review of its compliance with relevant industry security requirements.
  • TracePolicy: Reduces the cost and effort of creating a security policy, distributing policies, and reporting on acceptance of policies.
  • TraceTrain: Reduces the cost of training end users on policies, security, and other topics.
  • TraceMonitor: Monitors files and URLs for modification.
  • TraceReport: Provides on-demand board, management, auditor, and technical reporting for all TSCM modules.
