IT Compliance Services
ISO, NIST, PCI, HIPAA and More
No organization in today’s world can succeed without ensuring that the entirety of their IT architecture and data are adequately protected – this means bulletproof confidentiality, integrity, and security for all IT resources. However, the increasing complexity and proliferation of cyber-threats inevitably results in increasingly complex solutions to counteract them. For organizations trying to keep up with the rapid pace of technological development in cyberspace, putting together an effective program that protects the organization while remaining responsive and flexible in accordance with the organization’s needs becomes an ever more daunting task.
Concurrently, as cyber threats become more ubiquitous, the IT compliance standards intended to prevent and counteract them are also growing in scope and necessity in order to keep up with the changing landscape. Your company may be subject to multiple compliance standards commonly required by your customers or by your industry, such as ISO/IEC 27001, DFARS/ITAR/EAR, NIST 800-171, PCI DSS, HIPAA, or any number of other security compliance models, depending on the kind of business activities your organization participates in.
The profound sophistication and sheer breadth of knowledge required to fully understand and successfully implement compliance with the various IT security standards in 2019 can be overwhelming for even the largest and most technically adept organizations. Having Auxiom and its dedicated team of cybersecurity and IT compliance experts at the helm can make the entire process simple and painless – leaving your organization free to focus on its core competencies.
Auxiom can assist your organization in achieving and maintaining full compliance by conducting comprehensive risk assessments, performing gap analyses, uncovering security holes, creating formalized policies and procedures, and training your team, so that your company can meet and keep meeting whatever standards are vital for it to remain competitive in the marketplace.
Below are a few of the most common (and essential) IT security standards that Auxiom’s consultants have experience with:
ISO/IEC 27001, published jointly by the International Organization for Standardization and the International Electrotechnical Commission, is an internationally recognized standard for the establishment, implementation, maintenance, and continual improvement of an information security management system (ISMS) within an organization. It is designed to be broad enough to work for any size or type of organization while still being comprehensive enough to adequately address relevant information security risks. Compliance with ISO/IEC 27001 can provide a solid foundation for protecting assets such as financial information, intellectual property, confidential employee/client information, or information entrusted to you by third parties in the course of regular business. Formal certification of compliance with ISO/IEC 27001 can also serve as additional reassurance to prospective clients and business partners that any sensitive information passing through your organization’s hands is secure.
DFARS stands for the Defense Federal Acquisition Regulation Supplement and is the broad regulatory framework for government procurement and contracts. As it relates to IT security, DFARS mandates in government procurement contracts that all contractors/subcontractors implement and/or maintain a certain level of cybersecurity to protect information the government deems important.
ITAR stands for the International Traffic in Arms Regulations and relates specifically to the import/export of national-defense-related information, materials, and products/technology, with the goal of keeping these items out of the hands of foreign nationals. For the purposes of IT, this means segregating systems and properly restricting access to certain data to only authorized individuals within an organization.
EAR stands for Export Administration Regulations and functions much in the same way as ITAR, but mostly for dual-use (commercial and government) items.
ITAR-covered items are specified by the U.S. Munitions List. EAR-covered items are specified by the Commerce Control List. Data relating to items on these lists is considered to be Controlled Unclassified Information (CUI) and thus falls under the purview of DFARS.
DFARS requires NIST 800-171 compliance. Thus, if your organization engages in any ITAR/EAR activity or handles data that can be considered Controlled Unclassified Information (CUI), then your organization is all the more likely to require full compliance with NIST 800-171.
NIST SP 800-171
The National Institute of Standards and Technology Special Publication 800-171 (herein abbreviated as NIST SP 800-171) is a standard that is mandated under the Department of Defense Federal Acquisition Regulation Supplement (DFARS). It is designed to ensure the security of controlled unclassified information (CUI). CUI can best be described as information that is not of enough national security interest to be formally categorized as ‘classified,’ but is nonetheless privileged enough to warrant protective measures so that it is not stolen or otherwise compromised by nefarious actors. Compliance with NIST SP 800-171 is required for organizations that either do business with United States Government agencies or do business with other private entities and/or contractors that do business with United States Government agencies. If your organization hopes to be eligible for award of any kind of government contract, then you will be required to be fully compliant with the security protocols outlined in NIST SP 800-171.
PCI DSS stands for Payment Card Industry Data Security Standard, and it is the information security standard required for vendors that process credit card transactions, in order to protect cardholder data and reduce fraud. PCI DSS is not mandated by law but instead is administered and enforced by the major credit card companies and the banks that issue credit cards. There are four levels of PCI compliance, and they are primarily determined by the number of credit card transactions your organization processes annually. The PCI DSS compliance framework contains several hundred security requirements and validation points. PCI DSS relies on eight different ‘Self-Assessment Questionnaires’ (SAQs) to help merchants and service providers determine whether they meet compliance requirements. The organizational or business environment dictates which SAQ applies for the purposes of establishing compliance.
HIPAA stands for the Healthcare Information Portability and Accountability Act. It is a law passed by Congress in 1996 requiring the United States Department of Health and Human Services to develop regulations for protecting patient health information (known as the Privacy Rule) and to establish a national set of security standards for health information that is stored or transferred in electronic form (the Security Rule). HIPAA overall has 150+ requirements with close to 600 validation points.