The following section provides information on how Network Vigilance has worked with various industries to assist with IT security solutions, risk management or compliance solutions. Many of these industries are impacted by regulatory compliance requirements, independent auditors, industry regulators, or other IT security performance standards.
Because of explicit industry regulation for banks and credit unions, IT security programs and efforts continue to be scrutinized within the Financial Services Industry. To make things even more challenging, there are multiple and overlapping regulatory bodies, standards, policies, legal requirements and published guidance that are not synchronized between all entities because compliance jurisdictions and institution charters vary widely. Needless to say, what financial institutions are actually required to do to remain compliant is often a matter of interpretation that can vary significantly between regulators, auditors, and audit interpretations within IT departments.
Our security offerings address regulatory standards and requirements that follow the published recommendations and guidance of the following regulatory and standards bodies:
- Gramm-Leach-Bliley Act (GLBA)
- Federal Financial Institutions Examination Council (FFIEC)
- National Credit Union Association (NCUA)
- Federal Deposit Insurance Corporation (FDIC)
- Department of Financial Institutions (DFI)
- Office of Thrift Supervision (OTS)
- Federal Reserve Bank (FRB)
- Office of the Comptroller of the Currency (OCC)
In addition to credit unions and banks, Network Vigilance is able to provide security monitoring and management solutions to mortgage companies, broker-dealers, investment advisors, student loan originators, finance companies, and other service organizations.
Healthcare & Related Industries
If you have seen a healthcare professional in the last few years, you should have signed a form regarding HIPAA regulations that states that location's policies regarding your protected health information. If you didn't get a form to sign, you may want to ask about it, because it is only one piece of the puzzle when it comes to information management within the healthcare community. The Health Insurance Portability and Accountability Act (HIPAA) was enacted to protect all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
Since its inception in 1996, HIPAA has been through several updates and revisions to keep up with the technological changes in the world around it. One of the most recent mandates, on July 27, 2009, delegates the administration and enforcement of the Security Standards for the Protection of Electronic Protected Health Information (Security Rule) to the Office for Civil Rights (OCR).
Network Vigilance follows the standards and guidelines for HIPAA as stated in NIST publication SP 800-66 Revision 1.
The NIST RMF consists of six steps that are paramount to the effective management of risk resulting from the operation and use of information systems.
Government & Education
Government agencies and other public institutions today face some of the most formidable security threats and often have the fewest resources available to defend themselves. Some of the types of organizations that we have helped and continue to assist include the following:
- City Governments — Includes past engagements with city agencies including the DA’s office, fire and police departments and also including support of city data computing resources.
- County Service Agencies — These agencies range from courts, to law enforcement, to 911 call services, to multiple other vital service agencies that are required for public safety.
- Municipalities — Local municipalities including waste treatment, landfills, and water districts are among the most stressed, but most critically important services that need to be protected.
- Education — Includes both public and privately funded institutions of higher learning. These environments are uniquely challenging due to their open environments that allow anonymity to the student population with few access controls.
- Transportation Agencies — These include rapid transit districts, bus systems, subway systems, trains, airports, and port districts and are among some of the most vitally important national security concerns.
- State Agencies — State agencies also deal with vital sources of sensitive information, from financial data to personal information such as tax information, benefits data, and personal healthcare information.
Network Vigilance provides government agencies and departments a security partnership that enhances, rather than impedes, their ability to safely and securely operate and serve their respective organizations. Network Vigilance has years of experience working within the limits of agency and departmental bureaucracies to help each entity accomplish its IT security and risk management goals.
Network Vigilance holds CMAS contracts for Websense, Check Point and Tripwire. Several other manufacturer contracts are in process. For current status on other vendors, please contact your account manager.
As a certified small / micro business, Network Vigilance can provide CMAS contract provisioning without you paying the additional administrative fee associated with other, larger contractors.
Enterprise / Public
SARBANES-OXLEY ACT (SOX)
The Sarbanes-Oxley Act of 2002 includes specific provisions that impact information security, specifically:
Section 201: Refers to services that are defined as outside the scope of practice for independent auditors. This provision defines it as a conflict of interest for your auditor to provide non-audit services, such as IT consulting, while also performing financial audit services for the same company.
Section 404: This provision requires a statement of management's responsibility for establishing and maintaining adequate controls over financial reporting and an assessment of the sufficiency of those controls. Although Sarbanes-Oxley does not require any specific method or definition of adequacy or effectiveness of controls, CobiT and COSO are widely recognized frameworks that are typically used to assess the adequacy of internal controls.
Organizations that are impacted by this legislation include:
- All public companies (there are exceptions for companies defined as having a market capitalization of less than 75 million)
- Private companies that are significant business partners of public companies, which may be required to conform to a subset of SOX standards such as SAS70
- Private companies that are positioning themselves to go public within two years
- Private companies that are looking to be acquired by or merge with a publicly traded company
Retail & E-Commerce
The Payment Card Industry (PCI) Data Security Standard has had a profound and far-reaching impact on businesses that process credit card information. The stakes are high. Credit card theft is the most popular and sought-after form of financial fraud and exploitation in the world today. Combined losses and the financial business impact on organizations are in the billions of dollars worldwide.
This compliance standard not only applies to companies that conduct business on-line, but every other type of business that processes, accepts, or in some way uses credit cards in the course of doing business. Some of the critical protections that Security On-Demand provides today include the following:
- Broad compliance with PCI security objectives that makes it easier to systemize security processes
- External and internal vulnerability scans that proactively identify known and potential weaknesses in the network, applications, and systems
- Understanding of how to interpret and apply the PCI security standards to an individual company's unique business and computing environment
- Through a security dashboard, an integrated framework for viewing and understanding security risk as it relates to PCI, which helps the organization ensure it can pass audits and meet standards of due care
- Reporting and log monitoring that specifically meets PCI reporting requirements without having to invest in purchasing and integrating multiple security technologies
- Assurance and confidence that goes beyond “checklist” style compliance so that your expenditures help you protect sensitive data, manage risk, and lower maintenance costs.