Compliance Testing

It is essential to know that existing and newly installed networks will get the job done, as designed. That’s where compliance testing comes in.

It is essential to know that existing and newly installed networks will get the job done, as designed. That’s where compliance testing comes in.

Compliance testing is an audit of the implemented controls to check if all the specified standards (NIST, ISO, PCI-DSS, etc.) are met. Equa’s team meticulously checks to be sure that security standards are properly enforced and implemented. Such tests can include:

Network penetration testing services

Penetration testing helps to validate the efficacy of defensive mechanisms and determine how well the current security policies are functioning.

  • A penetration test, or “pen test,” evaluates the security of IT infrastructures, using a controlled environment to safely attack, identify, and exploit vulnerabilities. These vulnerabilities may exist in operating systems, services, networks, and application. They may also exist due to improper configurations or risky end-user behavior.
  • Penetration tests run by Equa’s engineer typically are performed using manual and/or automated technologies to systematically stress and compromise servers, endpoints, web applications, wireless networks, network devices, mobile devices, and other potential points of exposure.
  • Information about security weaknesses that are successfully identified or exploited through penetration testing is typically aggregated and presented to IT and network system managers helping them make strategic decisions and prioritize remediation efforts.
  • Equa’s penetration testing services help IT professionals measure risk and evaluate the consequences that attacks, or similar incidents, may have on resources and operations.

Payment card industry (PCI) compliance services

This is testing to measure the system’s abilities to maintain compliance and mitigate risk with PCI DSS compliance services, including vulnerability and penetration testing, gap analysis, and quarterly review assessments.

Any organization that accepts so-called “p-cards” as a form of payment or provides services to merchants in the areas of transmission, storage or processing of credit card data must comply with the standards of the Payment Card Industry (PCI) Security Standards Council. Noncompliance can have damaging effects, such as fines, higher transaction fees, loss of banking relationships and reputational harm in the wake of data breaches.

Though they may be aware of the obligation, many organizations may not know their current PCI status or may not understand how best to implement a PCI program and remain in compliance. Equa’s PCI compliance services help you to determine your readiness for a certified PCI ASV authorized assessment.

  • PCI compliant penetration testing – This testing determines if potential vulnerabilities in internet-facing and internal applications and systems jeopardize cardholder data security.
  • PCI gap assessment – A gap assessment results in steps needed to achieve compliance and to understand how to maintain compliance with evolving security compliance obligations.
  • PCI service provider quarterly review– Starting in 2018, PCI service providers must conduct quarterly reviews to confirm personnel are following security policies and operational procedures. Equa’s services enable clients to establish a process to meet the quarterly requirement. The reviews also identify where you need to take corrective measures.

As an overview of the PCI-DSS objectives and compliance, we have provided a table that outlines these items and identifies tests that provide a thorough assessment of compliance to these objectives and requirements.

Control Objectives, PCI DSS Requirements Tests

To build and maintain a secure network, Equa deploys the following tests

  • Install and maintain a firewall configuration to protect cardholder data – Risk Assessment, Vulnerability Assessment, Pen, Web Application
  • To defend against use of use vendor-supplied defaults for system passwords and other security parameters – Risk Assessment, Vulnerability Assessment, Pen, Web Application
  • Protect stored cardholder data – Risk Assessment, Social Engineering, Vulnerability Assessment, Pen, Web Appellation
  • Assure encrypted transmission of cardholder data across open, public networks – Vulnerability Assessment
  • Assure use and regularly updates of anti-virus software on all systems commonly affected by malware – Risk Assessment, Internal Vulnerability Assessment
  • Develop and maintain secure systems and applications – Risk Assessment, Vulnerability Assessment, Pen, Web Application
  • Implement/maintain strong, access control measures by restricting access to cardholder data by business need-to-know – Risk Assessment
  • Ensure assignment of a unique ID to each person with computer access – Risk Assessment, Social Engineering
  • Restrict physical access to cardholder data – Risk Assessment, Social Engineering
  • Track and monitor all access to network resources and cardholder data – Risk Assessment
  • Regularly test security systems and processes – Risk Assessment, Vulnerability Assessment, Pen, Web Application
  • Maintain a policy that addresses information security – Risk Assessment

Health Insurance Portability and Accountability Act (HIPAA) compliance services

HIPAA risk assessments are not a one-time requirement, but a regular task necessary to ensure continued compliance. The HIPAA risk assessment and an analysis of its findings helps organizations comply with many other areas on the HIPAA compliance checklist and should be reviewed regularly, when changes to the workforce, work practices or technology occur.

Depending on the size, capability and complexity of a covered entity, compiling a fully comprehensive HIPAA risk assessment can be an extremely complex task.

The objectives of a HIPAA risk assessment include

  • Identifying the Protected Health Information (PHI) that your organization creates, receives, stores and transmits, including PHI shared with consultants, vendors and business associates.
  • Identifying the human, natural and environmental threats to the integrity of PHI, including those which are both intentional and unintentional.
  • Assessing what measures are in place to protect against threats to the integrity of PHI and the likelihood of a “reasonably anticipated” breach occurring.
  • Determining the potential impact of a PHI breach and assigning each potential occurrence a risk level based on the average of the assigned likelihood and impact levels.

Documenting the findings and implementing measures, procedures and policies, where necessary, to tick the boxes on the HIPAA compliance checklist and ensure HIPAA compliance.

Note: Records for the HIPAA risk assessment, the rationale for the measures, procedures and policies subsequently implemented, and all policy documents must be kept for a minimum of six years.

The HIPAA Security Rule contains the standards that must be applied to safeguard and protect PHI when it’s at rest and in transit. The rules apply to anybody or any system that has access to confidential patient data. By “access” we mean having the means necessary to read, write, modify or communicate ePHI or personal identifiers which reveal the identity of an individual.

Also note: There are three parts to the HIPAA Security Rule – technical safeguards, physical safeguards and administrative safeguards.

Technical safeguards include

Implementation specification (required or addressable)

  • Implement a means of access control (required) – This not only means assigning a centrally-controlled unique username and PIN code for each user, but also establishing procedures to govern the release or disclosure of ePHI during an emergency.
  • Introduce a mechanism to authenticate ePHI (addressable) – This mechanism is essential in order to comply with HIPAA regulations, as it confirms whether ePHI has been altered or destroyed in an unauthorized manner.
  • Implement tools for encryption and decryption(addressable) – This guideline relates to the devices used by authorized users, which must have the functionality to encrypt messages when they are sent beyond an internal firewalled server and decrypt those messages when they are received.
  • Introduce activity logs and audit controls (required) – The audit controls required under the technical safeguards are there to register attempted access to ePHI and record what is done with that data once it has been accessed.
  • Facilitate automatic log-off of PCs and devices(addressable) – This function logs authorized personnel off the device they are using to access or communicate ePHI after a pre-defined period of time. This prevents unauthorized access of ePHI should the device be left unattended.

Physical safeguards include

Implementation Specification (required or addressable)

  • Facility access controls must be implemented (addressable) – Controls who has physical access to the location where ePHI is stored and includes software engineers, cleaners, etc. The procedures must also include safeguards to prevent unauthorized physical access, tampering, and theft.
  • Policies for the use/positioning of workstations (required) – Policies must be devised and implemented to restrict the use of workstations that have access to ePHI, to specify the protective surrounding of a workstation and govern how functions are to be performed on the workstations.
  • Policies and procedures for mobile devices (required) – If users can access ePHI from their mobile devices, policies must be devised and implemented to govern how ePHI is removed from the devices if the user leaves the organization or the device is re-used, sold, etc.
  • Inventory of hardware (addressable) – An inventory of all hardware must be maintained, together with a record of the movements of each item. A retrievable exact copy of ePHI must be made before any equipment is moved.

Administrative safeguards include

Implementation Specification (required or addressable)

  • Conducting risk assessments (required) – Among the Security Officer´s main tasks is compilation of a risk assessment to identify every area in which ePHI is being used, and to determine all the ways in which breaches of ePHI could occur.
  • Introducing a risk management policy (required) – The risk assessment must be repeated at regular intervals with measures introduced to reduce the risks to an appropriate level. A sanctions policy for employees who fail to comply with HIPAA regulations must also be introduced.
  • Training employees to be secure (addressable) – Training schedules must be introduced to raise awareness of the policies and procedures governing access to ePHI and how to identify malicious software attacks and malware. All training must be documented.
  • Developing a contingency plan (required) – In the event of an emergency, a contingency plan must be ready to enable the continuation of critical business processes while protecting the integrity of ePHI while an organization operates in emergency mode.
  • Testing of contingency plan (addressable) – The contingency plan must be tested periodically to assess the relative criticality of specific applications. There must also be accessible backups of ePHI and procedures to restore lost data in the event of an emergency.
  • Restricting third-party access (required) – It is vital to ensure ePHI is not accessed by unauthorized parent organizations and subcontractors, and that Business Associate Agreements are signed with business partners who will have access to ePHI.
  • Reporting security incidents (addressable) – The reporting of security incidents is different from the Breach Notification Rule (below) inasmuch as incidents can be contained and data retrieved before the incident develops into a breach.

Equa’s HIPPA compliance services will help private practices determine their compliance, create a plan for compliance, and maintain compliance.

Get Started with Equa’s Compliance Testing

Please complete the form below or
call us at 240-270-7025.

  • This field is for validation purposes and should be left unchanged.

Powered by experience. Empowered by innovation.