COMPLIANCE
Value Add
Crimson Security brings several unique items to the table. Included in our compliance assessments are the following:
- Remote Pre-Audit Preparation
- Remediation Assistance
- Custom Vulnerability Scanning and Ongoing Historical Reporting
- No Limit Scanning Policy
- Unique Simple & Detailed Reporting
- Assessment Time Flexibility
- No Hacker Policy
- Ongoing Technical Support
- Real World References
PCI Compliance
The PCI compliance standard is a “Narrow but Deep” assessment standard. Crimson is able to provide all levels of assessments to both Merchants and Service Providers.
Crimson Security Inc.’s PCI assessments are based on evaluating the security posture of the organization against requirements derived out of the PCI standard. The assessment also includes vulnerability scans that are conducted on both internal systems and devices and external scans.
Crimson’s process endeavors to ensure an end result of 100% PCI compliance by engaging with our clients using the following steps:
- Initial conference call to discuss project scoping and business and security analysis
- Onsite PCI gap analysis
- Final onsite PCI specific audit when remediation plan has been fully implemented
- Issuance of fully compliant ROC to client and PCI
*Crimson Security is a fully qualified QSA
ISO 27002 Compliance
The new ISO 27002 assessment standard is among the most “Broad & Deep” of security standards.
Crimson Security Inc.’s ISO 27002 security assessments are based on evaluating the security posture of the organization against requirements derived from the ISO 27002 standard. The organization is then assessed in the 11 domains defined in the ISO 27002 standard. The assessment also includes vulnerability scans that are conducted on both internal and external systems and devices.
Our assessment process includes the following general steps:
- Preliminary Information Gathering
- On-site Inspection, including:
  - Document Review
  - Interviews
  - Inspection of physical & logical Configuration and Architecture
- Internal and External Vulnerability Scanning, including:
  - Port Scanning
  - Vulnerability Testing
  - War Dialing
NIST 800-53
The NIST security standard is a very “Document and Process” heavy standard which covers a broad range of security controls.
Crimson Security Inc.’s NIST 800-53 security assessments are based on evaluating the security posture of the organization against requirements derived from the NIST Special Publication 800-53 standard. Depending on client status, the High, Moderate, or Low baseline will be used.
Our assessment process for this standard includes the following general steps:
- Preliminary Information Gathering
- On-site Inspection, including:
  - Document Review
  - Interviews
  - Inspection of physical & logical Configuration and Architecture
- Internal and External Vulnerability Scanning, including:
  - Port Scanning
  - Vulnerability Testing
  - War Dialing
GLBA
GLBA authorizes the agencies that regulate financial institutions (FTC, SEC, etc.) to create information security standards for those institutions. Crimson Security Inc.’s GLBA security assessments are done under the umbrella structure of ISO 27002 using the "Interagency Guidelines Establishing Standards for Safeguarding Customer Information". The control areas include:
- Preliminary Information Gathering
- Access controls on customer information systems
- Access restrictions at physical locations containing customer information
- Encryption of electronic customer information
- Procedures to ensure that system modifications do not affect security
- Dual control procedures, segregation of duties, and employee background checks
- Monitoring systems to detect actual attacks on or intrusions into customer information systems
- Response programs that specify actions to be taken when unauthorized access has occurred
- Protection from physical destruction or damage to customer information
HIPAA
Crimson Security Inc.’s HIPAA security compliance assessments are done under the umbrella structure of ISO 27002 using the Department of Health and Human Services (HHS) and Centers for Medicare & Medicaid Services (CMS) “HIPAA Security Series”. The security standards are divided into the following categories:
- Administrative safeguards
- Physical safeguards
- Technical safeguards
EU Privacy Standard
Crimson Security assesses compliance with the EU Privacy Standard by using the UK ICO’s guidelines for the Data Protection Act. These guidelines include the following steps:
- Initial Risk Assessment to identify and classify data
- Compliance interviews covering Organizational & Management issues
- Compliance interviews covering ‘The Eight Data Protection Principles’
- Compliance interviews covering Using Data Processors
- Compliance interviews covering Notification
- Compliance interviews covering Transitional Provisions