Businesses should regularly review their internal environments and practices against all relevant regulatory standards in order to ensure compliance. In addition, STN recommends a well-directed risk management process that lays the foundation for continuous improvement while enhancing your organization’s overall due diligence. This approach ensures best practice implementation, regulatory compliance, and a timely, targeted, and relevant program of continuous security improvement.

Financial Institutions (GLBA)

Planning a risk management program with continuous improvement as the goal allows stakeholders to make relevant security decisions. As a result of the Graham-Leach-Bliley Act (GLBA) and guidance from the FFIEC, organizations are directed to regularly review the administrative, physical and technical controls in place to protect information. By conducting risk assessments, financial institutions will identify weaknesses in policies, procedures and information systems. Risk assessments also help organizations identify vulnerabilities for mitigation to help prevent data loss and data breaches.

Healthcare Providers (HIPAA)

HIPAA requires organizations with PHI to regularly review the administrative, physical and technical safeguards utilized to protect the security of the information. Conducting a security risk assessment is a key requirement of the HIPAA Security Rule and a core requirement for providers seeking payment through the Medicare and Medicaid EHR Incentive Program, commonly referred to as the Meaningful Use Program.

Payment Card Industry (PCI DSS)

All merchants and service providers must have quarterly network scans and validate compliance annually with on-site audits by a Qualified Security Assessor (QSA), such as STN, or by completing a PCI Self-Assessment Questionnaire (SAQ).

• External scans from PCI Security Standards Council Approved Scanning Vendor (ASV)
• Scans support PCI DSS requirements and have been enhanced to include advanced risk reporting capabilities, including CVSS risk scoring and “audit-ready” reports

Adaptable to Fit Your Needs

Rather than a hindrance to business, compliance can become part of a proactive strategy for managing key resources. In order to make the process as adaptable as possible, your team can choose modular components or phase testing for the following areas:

• Administrative Controls Review
• Physical Security Assessment
• Internal or External Technical Assessment
• Vulnerability Scanning
• Internal or External Penetration Testing
• Wireless Testing
• Electronic Banking Controls
• Social Engineering Testing

STN testing adheres to industry standards and regulatory guidance for industries served including FFIEC, GLBA, FDIC, NCUA compliance for financials, healthcare compliance with HIPAA, utility compliance with NERC, FERC and government compliance with FISMA and CJIS. PCI compliant scanning, wireless testing and penetration testing are also available.

A risk-based approach is used to determine risk levels based on the National Institute of Standards and Technology guidance from the NIST Publication 800-30: Risk Management Guide for Information Technology Systems.