Security

Compliance & Your Business

  • Gramm-Leach-Bliley Act: Requires financial institutions to protect the confidentiality and integrity of customer records.
  • HIPAA: Requires healthcare organizations to improve the security of online data.
  • FDA 21 CFR Pt 11: Reinforces FDA regulations on electronic record keeping and the use of electronic signatures.
  • NERC CyberSecurity: Safeguards the reliability of utilities delivering bulk electricity to the electrical grid.
  • California SB 1386: Requires notification of anyone whose information is in a database that suffered a security breach.
  • Sarbanes-Oxley Section 404: Details IT safeguards that must be built into financial reporting.
  • CALEA: Defines the obligations of telecom carriers in lawful electronic surveillance. Governs the behavior of carriers and telephone solicitors.
  • ISO 17799: International standards providing a foundation for a solid security policy.
  • COBIT: A generally applicable standard for IT security and control.
  • NIST: A source of best-practice IT security information and guidelines.
  • FFIEC: Authorized to mandate uniform standards, principles, and report forms to be used in federal inspection of banks and other financial institutions.
  • Credit Card Security (PCI): Visa CISP, MasterCard SDP program, and American Express standards to safeguard customer accounts.
Next Steps

To talk with us about security and your business, call (860) 859-3564 (U.S.) or visit the Middle East. You can also submit your inquiry online.

Or, see:
  • Enterprise Compliance Assessments;
  • Payment Card Industry (PCI) and Electronic Banking Compliance Assessments; and
  • Security Certification Program
for how we can help you.


Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization act, requires financial institutions such as banks, insurance companies, and brokerage firms, to establish administrative, technological, and physical safeguards to protect the confidentiality and integrity of customer records.

To comply with GLBA, you must identify and assess risks, plan and implement solutions to protect sensitive information, and establish measures to continuously monitor security.

We help financial institutions to assess the existing security architecture and to develop and implement an information security program that is consistent with section 3.14.



HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 2002 in reaction to the growing trend in the healthcare industry to move information online. Improving business processes and communications has great potential to improve patient care and lower costs. It may also put electronic data at risk. HIPAA is designed to address that risk.

Certain portions of HIPAA require all healthcare organizations to make a thorough IT risk assessment. The development and implementation of a plan for improving security and maintaining that security are also required.

We can lead both the risk assessment and its implementation.




FDA 21 CFR Pt 11

FDA 21 CFR Pt 11 was passed in reaction to the trend among pharmaceutical companies and medical device manufacturers to use the Internet to speed up communications and share data such as trial results. The business benefits are clear, but so are the risks. FDA 21 CFR Pt 11 reinforces FDA regulations on electronic record keeping and the use of electronic signatures.

To comply, you’re required to conduct a risk analysis and implement improved methods of handling electronic records and signatures.

We can conduct the risk analysis. We can also implement procedures relating to the handling of electronic records and signatures to help you meet the requirements.



NERC CyberSecurity Standard

The CyberSecurity standard doesn’t have the force of law in the sense that, say, HIPAA does. Compliance is essential, however, because a utility that doesn’t meet the standard won’t be able to do business. The CyberSecurity standard was initiated by the North American Electric Reliability Council (NERC). The goal is to safeguard the reliability of utilities delivering bulk electricity to the electrical grid.

Starting in the first quarter of 2004 and into the foreseeable future, all utilities delivering bulk electricity are required to identify and protect critical cyber assets.

We help energy trading and utility companies assess their security risk. Identifying and protecting critical cyber assets means that your IT system requires a risk assessment and the implementation of higher standards of security. The required goals are defined in Section 1201 of the standard. We can design an information protection system that meets these goals.



California SB 1386

California SB 1386 requires that any person or organization operating an electronic database that stores the personal or confidential information of an individual residing in California immediately notify the individual in the event of a security breach of the database. The notification requirement applies even if there is no indication the information was stolen or misused. Most experts think this law will rapidly be duplicated in other states.

Because reporting the breach, whether online or by letter, is difficult, expensive, and could harm your reputation, it’s important to eliminate most breaches and effectively defend against the rest.

We can help by providing a detailed plan to upgrade your information security and by helping you carry out and maintain that plan.



Sarbanes-Oxley Section 404

Sarbanes-Oxley (SOX), passed in 2002, implements new requirements for companies that are publicly traded. Section 404 specifically concerns itself with information management, detailing IT safeguards that must be built into financial reporting.

Section 404 sets specific guidelines for core financial reporting. You need to develop a reporting methodology that meets those guidelines and that has a high level of IT security and integrity.

Our compliance assessments include reviews that are designed to address the requirements in Section 404. We assess core financial reporting systems and recommend improvements in IT security and overall IT operational efficiency. We also help you develop training programs that aid IT staffers in meeting their new requirements.



CALEA Compliance and Do-Not-Call Registry

The Communications Assistance for Law Enforcement Act (CALEA) defines the obligations of telecommunications carriers to assist law enforcement in lawful electronic surveillance. The Do-Not-Call Registry requires telephone solicitors to take customers off their call lists at the customer’s request and requires carriers to make sure the solicitors honor their commitment.

You should be ready to aid law enforcement agencies in a timely manner, and to make sure that Do-Not-Call requests are honored. You must also ensure network safety so that surveillance efforts do not backfire. We can analyze your existing network to see where risks are and also define and implement a network that helps reduce those risks.



ISO17799

ISO17799 is a complex and detailed international standard for information security covering:

  • Business continuity planning
  • Information access control
  • Continuous improvement of IT security
  • Continuous improvement of physical and environmental security
  • Compliance with laws, regulations, and standards
  • Personnel security
  • Management of security organization
  • Computer and operations management
  • Appropriate protection of security assets
  • Continuous improvement of security policy

Compliance with ISO17799 can be the foundation of a solid security policy for your business. Compliance requires being able to show that you have met each of the ISO17799 objectives.

We’re ideally suited to help you meet the ISO17799 requirements. We can perform a complete security analysis of your network - including physical layout, information security, and personnel issues.
We can reassess your compliance regularly to help with continuous improvement. We can identify and help solve personnel issues and provide a tailor-made training plan to address those issues.



COBIT

COBIT, developed and maintained by the IT Governance Institute, aims to be a generally applicable standard for IT security and control. It has wide US and international acceptance, and is quick to develop methodologies for new challenges such as Sarbanes-Oxley.

You aren’t required to comply with COBIT. Rather, it’s a methodology designed to help companies maintain IT security in a uniform way. By meeting COBIT standards, the goal is that you’ll approach IT security in a systematic way, in line with accepted industry standards.

We can help you decide if COBIT is the best compliance vehicle for your business. We’ll then use its standardized rules as the basis for our risk assessment of your infrastructure. We’ll also incorporate its guidelines for the implementation of IT safeguards in our recommendations.



NIST

The National Institute of Standards and Technology (NIST), founded by the government in 1901, is a non-regulatory agency that sets standards for product quality, building safety, and a wide range of other industrial and scientific activities. Despite its age, NIST has continued to grow with technology. The Computer Security Division was launched in 1987, primarily to provide guidelines to Federal IT departments, but also to work with industry.

Because NIST is non-regulatory, there are no specific compliance standards. However, NIST is an excellent source of best-practice IT security information and guidelines.

Although NIST is non-regulatory, bringing your IT department into line with NIST standards can prepare you for the requirements you may be subject to under certain regulations such as HIPAA and Sarbanes-Oxley. We can use the NIST guidelines to provide a risk assessment of your current network, and to design and implement a stronger IT system.



FFIEC

The Federal Financial Institutions Examination Council (FFIEC) is a Federal interagency body with the authority to apply uniform standards, principles, and report forms to be used in federal inspection of banks and other financial institutions. These institutions are subject to FFIEC regulations through the Board of Governors of the Federal Reserve Bank, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, or the Office of Thrift Supervision.

Because the FFIEC has the full power of the government behind it, and because your institution may be subject to inspection from a number of different angles, it is essential that you understand what the FFIEC requires and are prepared to adhere to those requirements.

FFIEC is highly specialized, and we maintain a high level of expertise in the field. We provide an assessment of your current network and show you how to remodel it to bring it into line with the required standards and principles. We also show you how to upgrade your reporting forms as the FFIEC demands. If that documentation requires changes to your current system, we develop a plan to integrate it into your working setup so as to minimize disruption.



Credit Card Security

The major credit card companies, Visa, MasterCard, and American Express, have all initiated security programs to safeguard customer accounts and to make using their cards online safer.

Alawy's assessments include the information security standards published by: Visa’s Cardholder Information Security Program (CISP), MasterCard’s Site Data Protection (SDP) program and American Express.

Alawy can provide credit card security assessment and certification for your organization.


