What is TECH LOCK® Certified?
What makes it different from a “normal” data security audit?
You have many choices when selecting your audit process and partners. TECH LOCK Certified provides a unique approach with exceptionally qualified auditors.
Prior to beginning a TECH LOCK® Certified assessment, we first review what data elements a company stores, processes, or transmits. Some data elements that we look for include Cardholder Data, Protected Health Information, Social Security Numbers, and Federal Tax Information. Upon request, we can also include institution-specific information. For example, certain banks, guarantors, or creditors may want their data included in the scope of a specific type of assessment.
Multi-regulatory or “Holistic”
We map the data elements to relevant data security laws and regulatory standards. Some regulatory standards that we map data elements to include PCI DSS, HITRUST, NIST SP800-53, and ISO 27002. Some federal laws that we map data elements to include HIPAA, GLBA Safeguards Rule, and FISMA. Some state laws that we map data elements to include Massachusetts 201 CMR 17.00, Minnesota Plastic Card Security Act, and Nevada NRS 603A.
Once we map the data elements to the relevant laws and regulatory standards, we develop an assessment plan to ensure that our audit covers all relevant data flows and data storage locations. This customized assessment plan conveys several benefits to our clients:
Since we conduct one audit against all relevant data security laws and regulatory standards, our clients save money because they don’t need to pay for multiple audits and certifications. TECH LOCK is one of the few companies in the world accredited to conduct PCI DSS, HITRUST, and FedRAMP assessments at the same time. This means that our clients don’t need to first pay a PCI QSA to do a PCI DSS assessment, then a HITRUST CSF Assessor to do a HITRUST assessment, and finally a FedRAMP 3PAO to conduct a FedRAMP assessment.
A typical audit may last for several weeks, followed by several more weeks of remediation, and then yet more time for validation of remediation and report writing. Companies that require several such audits every year end up spending a significant amount of time responding to audit requests instead of performing their day-to-day duties. Because TECH LOCK conducts its multi-regulatory audit all at once, our clients experience less overall time under audit and are able to spend more time on contributing to the bottom line.
Undergoing a multi-regulatory audit means that a holistic view of the security posture is taken. Our audit reports are trusted by our clients and our clients’ clients because they do not take a narrow view of specific business processes; they include all relevant business processes by default.
Objective and Standardized
TECH LOCK has developed a standardized set of controls and testing procedures that covers all of the laws and regulatory standards we audit against. This contrasts with some types of audits (such as a SOC 2 audit) that allow organizations to select which controls apply and to decide how in-depth each control should be assessed, which leads to inconsistent audit reports across different organizations. Financial institutions, guarantors, and creditors that use many service providers are not well served by this type of audit. In contrast, every TECH LOCK® Certified assessment follows the same set of standardized controls and testing procedures, which gives organizations a more consistent view of the security posture of their service providers.
Our TECH LOCK® Certified assessment testing procedures peer deep inside an organization’s technical systems and processes. Our assessors are experienced with and certified in many relevant technologies, such as Microsoft and Cisco. We don’t just interview staff and then look for documented policies and procedures; we look at the specific configuration of all relevant information systems and network components to ensure the policies and procedures are followed. This goes above and beyond what many single-view audits against laws and regulatory standards with more generic requirements include.
For example, the FTC recommends that to comply with the GLBA Safeguards Rule, businesses “[use] password-activated screen savers to lock employee computers after a period of inactivity.” To confirm that this is being followed, our assessors will not just interview the IT Department and review a policy that requires password-protected screen savers; we will also review the actual information systems and network devices to confirm that these policies are applied to them.
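As an added illustration of the configuration-level check described above (example code written for this page, not TECH LOCK's own tooling), the script below evaluates collected evidence instead of the written policy. It reads the real Windows `HKCU\Control Panel\Desktop` values `ScreenSaveActive`, `ScreenSaverIsSecure` and `ScreenSaveTimeOut` exported from each workstation, and the `exec-timeout` statement under each `line` section of a Cisco IOS running-config, and reports every asset where an assumed 15-minute inactivity-lock policy is not actually enforced. The host names, registry exports and config text are constructed sample data; the 15-minute threshold is an assumption for the example.

```python
"""Verify an inactivity-lock policy against collected configuration evidence.

Added example, not TECH LOCK code. The evidence below is constructed.
"""
import re
from dataclasses import dataclass

# Assumed policy threshold for the example: screens/sessions must lock within 15 minutes.
MAX_IDLE_MINUTES = 15


@dataclass
class Finding:
    asset: str
    detail: str


def check_windows_lock(asset: str, desktop_values: dict, max_minutes: int = MAX_IDLE_MINUTES) -> list:
    """Evaluate exported HKCU\\Control Panel\\Desktop values from one workstation.

    ScreenSaveActive, ScreenSaverIsSecure and ScreenSaveTimeOut (seconds) are the real
    registry value names; values arrive as strings, as in a .reg export.
    """
    findings = []
    if desktop_values.get("ScreenSaveActive") != "1":
        findings.append(Finding(asset, "screen saver not active"))
    if desktop_values.get("ScreenSaverIsSecure") != "1":
        findings.append(Finding(asset, "screen saver does not require a password on resume"))
    try:
        timeout = int(desktop_values.get("ScreenSaveTimeOut", "0"))
    except ValueError:
        timeout = 0
    if timeout <= 0 or timeout > max_minutes * 60:
        findings.append(Finding(asset, f"inactivity timeout {timeout}s is unset or exceeds {max_minutes} min"))
    return findings


def _ios_line_sections(config_text: str) -> dict:
    """Collect the indented statements under each 'line ...' section of an IOS config."""
    sections, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None  # '!' or a top-level command ends the section
    return sections


def check_ios_exec_timeout(asset: str, config_text: str, max_minutes: int = MAX_IDLE_MINUTES) -> list:
    """Check the idle timeout of every console/aux/vty line in a Cisco IOS running-config.

    'exec-timeout 0 0' disables the idle timeout entirely; when no statement is present
    the IOS default of 10 minutes applies.
    """
    findings = []
    for section, statements in _ios_line_sections(config_text).items():
        minutes, seconds = 10, 0  # IOS default when exec-timeout is not configured
        for stmt in statements:
            m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", stmt)
            if m:
                minutes, seconds = int(m.group(1)), int(m.group(2) or 0)
        total = minutes * 60 + seconds
        if total == 0:
            findings.append(Finding(asset, f"{section}: exec-timeout disabled (0 0)"))
        elif total > max_minutes * 60:
            findings.append(Finding(asset, f"{section}: exec-timeout {minutes}m{seconds}s exceeds {max_minutes} min"))
    return findings


def audit(windows_evidence: dict, ios_configs: dict, max_minutes: int = MAX_IDLE_MINUTES) -> list:
    """Run both checks over all collected assets and return every finding."""
    findings = []
    for asset, values in windows_evidence.items():
        findings.extend(check_windows_lock(asset, values, max_minutes))
    for asset, config_text in ios_configs.items():
        findings.extend(check_ios_exec_timeout(asset, config_text, max_minutes))
    return findings


# Constructed sample evidence: three workstation registry exports and one router config.
SAMPLE_WINDOWS = {
    "WS-001": {"ScreenSaveActive": "1", "ScreenSaverIsSecure": "1", "ScreenSaveTimeOut": "600"},
    "WS-002": {"ScreenSaveActive": "1", "ScreenSaverIsSecure": "0", "ScreenSaveTimeOut": "600"},
    "WS-003": {"ScreenSaveActive": "0", "ScreenSaverIsSecure": "1", "ScreenSaveTimeOut": "3600"},
}
SAMPLE_IOS = """\
hostname edge-rtr-1
!
line con 0
 exec-timeout 5 0
 logging synchronous
line aux 0
line vty 0 4
 exec-timeout 0 0
 transport input ssh
!
end
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_WINDOWS, {"edge-rtr-1": SAMPLE_IOS}):
        print(f"{f.asset}: {f.detail}")
```

With the sample evidence, WS-001 passes, WS-002 and WS-003 are reported for the missing password requirement and the disabled screen saver with an over-long timeout, and the router's vty lines are reported because their idle timeout is disabled. In practice the registry values come from an endpoint management export and the config from a `show running-config` capture collected during the assessment.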
To learn more about how TECH LOCK Certified could benefit your organization, contact firstname.lastname@example.org.
Doing business with third parties is critical to fulfilling the needs of the business. However, in today’s data-breach-sensitive world, the risks are equal to the benefits. The same old strategies, processes, and practices for evaluating and managing third- and fourth-party risk are not sufficient in today’s advanced persistent threat world. TECH LOCK can provide a thorough assessment of your third-party vendors to ensure they are following the same best practices and regulatory compliance you do within your own organization.
FedRAMP (Federal Risk and Authorization Management Program) establishes a process to provide secure and compliant cloud services to government agencies.
Cloud Service Providers (CSPs) must meet FedRAMP requirements in order to do business with US government agencies as part of the “Cloud First” policy. FedRAMP is designed as a “do once, use many” framework to create efficiency in government procurement of cloud services. As part of the program, CSPs pursuing FedRAMP are required to be independently assessed by a Third Party Assessment Organization (3PAO). TECH LOCK is authorized to conduct the required independent audits.
TECH LOCK compliance maintenance service provides ongoing compliance maintenance, documentation, audit prep and audit participation related to the customer’s infrastructure and applications. This service ensures maintenance and execution of the daily, weekly, monthly, quarterly and annual tasks required for data security certifications and regulatory compliance pertaining to the applicable standards.
Applicable maintenance tasks include:
| Frequency | Task |
|---|---|
| Bi-Annual | Firewall & Router Configuration Review |
| Annual | Review & Update Configuration Standards |
| Quarterly | Check for CHD Retention Compliance |
| Quarterly | Cryptographic Key Check |
| Monthly | Anti-Virus Review |
| Monthly | Confirmation of Security Patches |
| Weekly | Vulnerability Notifications |
| On-Demand | Review of Custom Code |
| On-Demand | Change Control Review |
| On-Demand | Public-Facing Web Application Review |
| Quarterly | User Account Review |
| Quarterly | Check for Physical Access Control Data Storage |
| Annual | Media Inventory |
| Quarterly | Check for Unauthorized Wireless Devices |
| Quarterly | Internal Vulnerability Scan |
| Quarterly | External ASV Vulnerability Scan |
| Annual | Internal/External Penetration Test |
| Monthly | IDS/IPS Review |
| Quarterly | File-Integrity Monitoring Compliance |
| Annual | Review & Update Security Policies |
| Annual | Risk Assessment |
| Annual | Security Awareness Training |
| Annual | Service Provider Review |
| Annual | Incident Response Plan Maintenance |
Approved Scanning Vendors (ASVs) are organizations that validate adherence to certain PCI DSS requirements by performing vulnerability scans of the Internet-facing environments of merchants and service providers.
DID YOU KNOW?
PCI DSS § 11.2 requires internal and external vulnerability scans at least quarterly and after any significant changes. The external scans must be done by a PCI Approved Scanning Vendor (ASV).
TECH LOCK is a PCI ASV and PCI QSA for the United States, Caribbean & Latin America regions.
In addition to PCI DSS assessments, TECH LOCK also provides the following ancillary PCI DSS-related services:
- Consultation & Advice
As Qualified Security Assessors, TECH LOCK understands that PCI DSS compliance can sometimes be confusing. Do you need clarification on what level merchant or service provider you are? Do you have questions on how to interpret or apply a particular PCI DSS Requirement to your environment? Do you want to explore the possibility of network segmentation to reduce the scope, complexity, and cost of PCI DSS? Each business is different, and TECH LOCK provides experience and advice in navigating PCI DSS.
Companies just starting out down the path of PCI DSS compliance often aren’t ready for a PCI DSS assessment right away. While continuous compliance is the goal, the PCI DSS assessment is a point-in-time audit. TECH LOCK helps identify and prioritize gaps in PCI DSS compliance (such as required policies or procedures not being in place), so that your organization will be ready to pass on the first attempt.
TECH LOCK’s PCI DSS remediation services offer businesses a fast way to remediate PCI DSS assessment findings. We work with your QSA to determine the best path to compliance, and do the hands-on work to get you compliant. Click here for more information.
TECH LOCK’s penetration testing service provides our clients with an accurate view of their security posture.
A vulnerability scan can only take you so far; our team can perform the following types of penetration tests according to criteria aligned with your organization’s goals:
- Black Box, White Box
Our team can be equipped with as little or as much foreknowledge as you wish. Traditionally, a black box penetration test is where the penetration tester begins with little detail about the target (other than the scope). A white box penetration test is where the penetration tester begins with full knowledge of the target.
- Network / Application Penetration Testing
Most penetration tests include network and application penetration testing as standard.
- Web Application Penetration testing
Web application penetration testing includes identifying and exploiting SQL injection flaws, as well as combining them with other methods, such as social engineering, in cross-site scripting and cross-site request forgery attacks.
- Social Engineering
Social engineering involves human interaction. Examples of techniques employed are phishing e-mails and telephone calls used to obtain credentials and access to internal systems.
- Premise / Physical Security Testing
A network can be technically secure but physically vulnerable. Regularly testing physical security controls can be just as important as a network penetration test.
Performed from either an internal or external perspective, vulnerability assessments help identify potential vulnerabilities that hackers and malware can exploit.
TECH LOCK provides several vulnerability assessment services:
- Internal vulnerability assessment
Internal vulnerability assessments are run from within the network, where there are fewer firewalls and intrusion detection/prevention systems. Internal vulnerability scans that are run with elevated privileges are commonly used to verify patch management processes and also as a tool in a risk management program.
- External vulnerability assessment
External vulnerability assessments give you an idea of what the typical hacker or malware agent sees – your firewall, web servers, mail server, and other Internet-facing systems. TECH LOCK’s external vulnerability assessment will help to identify any vulnerabilities you may have on these systems.
- Web Application
Web applications have quickly become the number one target for hackers. Web applications and their database back-end systems have many potential vulnerabilities that attackers can use to achieve their goal, including SQL injection, cross-site scripting (XSS), and cross-site request forgery (XSRF). Based on the Open Web Application Security Project (OWASP), TECH LOCK’s web application vulnerability assessment service will help to identify your web application vulnerabilities.
The TECH LOCK Difference – All TECH LOCK consultants have direct technical hands-on administration and engineering experience with systems and applications, and are always trained on new technologies and systems. This provides us with a unique advantage over our competitors; our consultants are better able to interpret and measure control objectives across your enterprise.
As the first iterative step in the Risk Management Program, a properly performed risk assessment allows you to identify threats and accurately gauge both the quantitative and qualitative values of risks.
The risks for each company may be different, so it’s important to evaluate risk based on the classification of data, industry and the current security measures in place that can help mitigate potential issues.
Partially derived from the National Institute of Standards and Technology’s Special Publication 800-30 (Risk Management Guide for Information Technology Systems), our risk assessment service provides the groundwork for your organization to build and maintain a world-class Risk Management Program.
The TECH LOCK Difference – TECH LOCK consultants understand that a risk management program involves all levels of management, and we tailor our risk assessments to match your company’s organizational structure. We also provide much more than a simple risk assessment – we give you document templates, free online resources, and a deeper understanding of risk management.
TECH LOCK identifies and catalogs all applicable requirements, customizes policy statements to your business, and helps you integrate the policies into your information security program.
Between the current laws, regulations and standards, there is much overlap in terms of security requirements. However, there are often nuances differentiating the overlapping requirements. TECH LOCK’s experience in multi-regulatory compliance helps you navigate this ‘regulatory jungle.’
Not all businesses are built the same – so it follows that not every business has the same policies and procedures. When faced with so many requirements coming from multiple directions, the best approach is the risk-based approach. TECH LOCK’s experienced consultants help you customize your policies and procedures so that they make sense for your organization and maintain your compliance.
It’s often not enough to simply write a policy and place it on your Intranet site or company file share. Managers and individual contributors need to understand the policies they are meant to follow. Employees can be the weakest link of an organization’s information security program; a workforce that understands and self-enforces company security policies can easily become the strongest link.
The TECH LOCK Difference – Unlike some of our competitors who will just give you a policy template with your company’s name on it, TECH LOCK will work with your business to customize and tailor appropriate information security policies based on organizational need and regulatory compliance objectives.
The HITRUST CSF is a certifiable framework that provides organizations with the needed structure, detail and clarity relating to information security tailored to the healthcare industry. Utilizing a common set of information security requirements, the Common Security Framework program delivers simplified compliance assessment and reporting for HIPAA, HITECH, state, and business associate requirements.
Similar to TECH LOCK’s Payment Card Industry Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV) designations, HITRUST CSF is another credential that differentiates TECH LOCK from consulting companies that have not undergone, or are unwilling to undergo, the rigorous due diligence of best-in-class auditing practices and processes that ensure the best ROI and data security for their clients. With fewer than 10 firms in North America currently able to perform both PCI DSS and HITRUST certifications, being recognized by HITRUST for our security experience and qualifications, in addition to our PCI QSA designation, demonstrates the strength of our information technology security experts and our leadership in the marketplace.
According to the Experian report “2014 Data Breach Industry Forecast,” the number of reported healthcare data breaches in 2014 is expected to surge. This is just one reason why we are seeing more regulation at both the federal and state level. Recently, the HIPAA Omnibus Rule was enacted, which requires compliance with new data breach and privacy requirements. This is likely to increase both fines and the frequency of headlines about incidents. At the state level, Texas recently signed into law Texas H.B. 300, which impacts ANY entity that conducts business in Texas and collects, uses, and/or stores Protected Health Information (PHI).
For organizations that have a merchant contract and/or store, process or transmit cardholder information in addition to collecting, using, and/or storing protected health information, TECH LOCK’s holistic compliance service will assist them in saving time and money when dealing with the complex regulatory environment that exists today.