IT Compliance Assessment Objectives
Identify Sensitive Information
Inventory People, Processes and Assets
Derive Compliance Requirements
Test Compliance Controls
Seattle, Washington:
150 Nickerson Street
Suite 106
Seattle, WA 98109
Phone: 206-352-6028
Fax: 206-633-0235
Louisville, Colorado:
361 Centennial Parkway,
Suite 150
Louisville, CO 80027
Phone: 303-554-6333
Fax: 303-554-7555
IT Compliance Assessment
Regulatory compliance is a simple fact of doing business.
There are very few organizations today that do not capture, process, store,
transmit or rely on third-party services for some kind of regulated
information as part of their daily activities. As the value of information
assets increases, so do the threats, risks and regulatory responses for data
privacy and protection.
Compliance is no longer just a good business practice. It is
now demanded by consumers, employees, shareholders, partners, industry
associations and third-party commercial and government regulators. These
entities are asking management and organizational leadership to formally
attest to the compliance of information governance, security, and privacy
practices of the organization.
Coalfire has developed structured processes, integrated into
a web-based engagement model, that map information security approaches,
controls, processes and compliance metrics to most major industry compliance
requirements. We can help your organization not only understand your compliance
requirements, but also develop business-centric strategies to remediate and
maintain compliance. Coalfire has developed compliance solutions to enable your
organization's compliance programs and help minimize the costs of ongoing
compliance management.
PCI ASA
Level 2, 3 and 4 Merchants and Level 3 Service Providers must
complete an Annual Self-Assessment Questionnaire to evaluate their
organization’s compliance in relation to the PCI Data Security Standard.
Management must sign off on the accuracy of their self-assessment
assertions, sometimes without confidence that the requirements are truly
understood by their staff or that the responses are truly an accurate
assessment of compliance risk. Coalfire provides expert guidance and
validation for companies seeking assistance with their internal review and
reporting requirements. Coalfire delivers cost-effective automated web-based
solutions to facilitate the understanding of the assessment questionnaire,
the accuracy of responses, tracking of compliance gaps and ease of
assessment reporting to acquiring Banks.
PCI Pre-Audit Assessment
For emerging Level 1 merchants and service providers, facing a
full Report on Compliance assessment for the first time can be a
disheartening proposition. The rigors of a first-year ROC almost always
reveal significant gaps in operations, security processes, and controls,
leaving the organization with many unanswered questions and an unclear
roadmap to compliance.
Our PCI Pre-Audit Assessment helps organizations avoid the
drain of capital and time associated with a first-time ROC by performing a
rapid review of your security processes and controls against the full PCI
DSS, but without the in-depth control operational testing required by the
ROC testing procedures. Our process helps rapidly identify gaps and create a
roadmap for success, allowing your organization to concentrate on meeting
compliance timelines and budgetary constraints.
PCI Report on Compliance
As a PCI QSA, Coalfire provides comprehensive security
assessments of the Data Security Standard to Level 1 Merchants and Level 1
and 2 Service Providers, resulting in a documented Report on Compliance
(ROC). The ROC provides independent validation of compliance to customers,
card brands and acquiring Banks. Our ROC assessments are much more than a
junior auditor quoting rules and putting checks on a list. Our ROC
assessments are led by senior security and audit staff that maintain
concurrent CISA and CISSP certifications. Our auditors intimately understand
the retail and service provider processing models, and the idiosyncrasies
that make your business unique. Many of our auditors have worked with PCI
compliance initiatives since the initial VISA CISP and MasterCard SDP
programs were released. We help our clients understand compliance risk,
control options and compensating control strategies as they work toward
achieving and maintaining PCI compliance, at costs that won't break the
bank.
PCI Quarterly Scans
PCI compliance requires regular external network vulnerability
scanning of all Internet-facing systems that process or connect to payment
card data. Coalfire is an Approved Scanning Vendor (ASV) for the PCI
industry and has both self-service and managed solutions for meeting PCI
compliance. Our scanning services are the right choice for safe, accurate
and cost-effective scanning compliance. We have built our services around
the industry's best scanning engines and added report filtering that reduces
false positives and negatives. Additionally, our tools provide reporting
output in XML, Word and Excel with sortable data that makes assigning and
tracking remediation easy. All of our PCI scan information is delivered
through a secure portal solution that makes it easy to track status with all
associated parties.
PCI Payment Application PABP
Payment applications are under attack at an unprecedented
level today. Many payment applications have Internet connectivity, wireless
or remote access enabled by merchants that were not incorporated into their
initial designs. Most payment applications were developed when there was a
drastically different threat and compliance environment in place. A payment
application identified as insecure or the source of a compromise damages the
reputation and success of the application vendor and merchants utilizing
those applications. Payment application vendors are now receiving compliance
validation demands from customers, acquirers, processors and PCI Assessors.
By complying with Visa’s Payment Application Best Practices (PABP),
application vendors can reduce risks to merchant operations and distinguish
themselves as a trusted business partner.
Coalfire, a certified PABP assessor, provides validation
services to help payment application developers achieve PABP compliance in a
manner that makes sense for their application. Through our exclusive Rapid
PABP Compliance Platform, we combine an adaptive intelligence self-help
platform with a hands-on assessment methodology to guide clients through the
PABP compliance process efficiently and cost effectively. Coupled with
Coalfire’s certified application assessors, application developers use the
Rapid Compliance Platform to select the compliance strategy that fits their
application needs. Coalfire further provides value by communicating with
Visa throughout the certification process, accelerating compliance with
reduced impact on the development team.
SOX ITGC Assessment
Organizations faced with demonstrating control over their
internal financial reporting processes understand the challenges of IT
control testing and audit. Coalfire can help support the full lifecycle of
your SOX ITGC program, from risk assessment and control selection to
management testing.
We understand that SOX ITGC begins with a "top-down" examination of risk in
order to justify control. We also understand that controls must make sense
to the organization in order to truly yield benefit, and not just pain.
Our introductory level SOX ITGC Compliance Assessment performs
management testing of your ITGC over financial reporting, in order to
provide assurance of control effectiveness in advance of your annual audit.
Coalfire can also help assess ITGC risk, select controls, document ITGC
process controls, and manage your internal SOX IT Audit plan, providing
end-to-end solutions.
HIPAA Security Assessment
Compliance with the 160 discrete privacy and security
requirements under HIPAA poses managerial, operational and technological
challenges to healthcare organizations. Coalfire's services assist
HIPAA-covered entities of all sizes to identify their risks to protected
health information in electronic form and prioritize and justify control
approaches to mitigate those risks.
GLBA Security Assessment
In 1999, Congress passed the Gramm-Leach-Bliley Act (GLBA),
which required “financial institutions” to implement privacy and security
safeguards over personal financial information (PFI). While the
implementation of GLBA was left up to different federal oversight agencies
(such as the FTC, FDIC, OTS, and NCUA), all implementations require similar
functions and controls for information security, including written
information security programs and annual assessments of the information
security program.
Coalfire GLBA Security Assessment services provide a
comprehensive review of your information security program in order to
understand the strengths, weaknesses, and overall compliance of your
controls to the GLBA Title XII and Title XVI specifications.
FISMA Security Assessment
The Federal Information Security Management Act (FISMA) was
established in 2002 as a Federal law designed to increase the security
posture of Federal Systems and their supporting entities. Since its
establishment, an increasing number of Federal information systems and
databases have been integrated into non-Federal agencies, including
municipalities, law enforcement, and contractors.
Coalfire has a team of FISMA experts who can assist your
organization in preparing for a system accreditation, FISMA audits,
classifying assets, and conducting Risk Assessments. Our processes,
tools, and methodologies are based on the core components established by
NIST, such as Special Publications 800-53rev1 (Recommended Security Controls
for Federal Information Systems), 800-30 (Risk Management Guide for
Information Technology Systems), and FIPS-199 (Standards for Security
Categorization of Federal Information and Information Systems).
For more information on Coalfire's compliance services, please
contact: