Comprehensive Information Security Management and Compliance

Compliance Engineering provides a wide range of solutions and services that increase operational efficiency and reduce liabilities and cost. Every solution is fully integrated into your environment and supported by our technical services team.


Comprehensive Security Management and Compliance


Faced with increasingly complex industry and federal regulatory compliance requirements, enterprise organizations wrestle with the scope, cost and resources necessary to maintain information technology compliance standards. Compliance Engineering's assessment and risk management services help organizations understand, measure, and validate a wide range of compliance initiatives.

Compliance Engineering's methodology is based on a comprehensive program-wide security framework, which takes into account an organization's maturity level and risk tolerance. It helps develop roadmaps and strategies to solve an organization's most complex problems or build a reliable security program. Compliance Engineering helps companies create a security strategy that has measurable objectives and achievable goals.




Audit & Assessment Services

  • PCI DSS (Certified QSA Company)
  • HIPAA-HITECH and Meaningful Use
  • NERC CIP
  • ISO 27001
  • FISMA
  • SSAE 16 SOC 2 & 3
  • Gramm-Leach-Bliley (GLBA)
  • Corporate Security Status Assessment
  • Banking Services

Managed Security Services

  • Hawkeye Vision Security Monitoring
  • 24/7 Security Operations Center
  • PII/PCI/PHI Data Discovery as a Service
  • Hawkeye MTSS Security Tool Health Monitoring
  • Security Tool Management
  • Managed Vulnerability Scanning
  • Managed Intrusion Detection

Professional Services

  • Virtual CISO
  • Application Security Consulting
  • Security Tool Implementation and Engineering
  • Remediation Consulting
  • SIEM Architecture and Implementation
  • Penetration Testing
  • Vulnerability Scanning
  • Hawkeye PIIFinder Data Discovery
  • Staff Augmentation
  • Policy and procedure development

Audit & Assessment Services


Wide Range of Assessment Services

Compliance Engineering's Risk Management & Security Assessments establish the current security baseline of an organization, focusing on people, process and technology. Our security assessment provides an analysis of the technical security controls and mechanisms, following a proven methodology for identifying and reducing risk.

Compliance Engineering models the assessment to meet your industry, legislative, and regulatory compliance requirements. Compliance Engineering performs assessments and audits for various size organizations, from complex enterprises to small and medium businesses, as well as for different industries with multiple regulatory requirements, such as: financial services, government, communications, healthcare, energy, oil and gas and retail.

Compliance Engineering’s security specialists can help you gain an understanding of your current information security status to help limit the potential impact of vulnerabilities and provide a plan for incremental improvements to tighten the security of the company.

PCI Assessment Services | HIPAA/HITECH Consulting Services | NERC CIP Services
Corporate Security Status Assessment | Banking Regulatory Compliance Services

PCI Assessment Services


Introduction and PCI Data Security Standard Overview

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all companies that process, store or transmit payment card information maintain a secure environment. Said another way, if a merchant ever accepts payment directly by credit or debit card, then the PCI DSS requirements apply to that merchant.

PCI DSS is a comprehensive set of industry standards created to help protect cardholder data. Compliance Engineering's PCI assessment services objectively review your current PCI DSS compliance status and provide a detailed, phased approach covering security management, controls, policies, procedures, security tool management, vulnerability scanning, penetration testing and the critical security standards that apply to your environment.

Assessment Methodology

  1. Define what is in scope for the assessment
  2. Conduct a pre-assessment meeting to establish expectations, identify the key players, provide guidance and set up the client in the project management portal
  3. Receive and review all relevant policies, procedures, and technical documentation
  4. Provide an initial report of findings which identifies problems/issues and provides recommendations for remediation
  5. Final on-site PCI data security assessment
  6. Generate a PCI DSS v3.1 Report on Compliance (ROC)
  7. Transition to ongoing SOC managed security services
  8. Conduct quarterly and/or on-demand vulnerability scans to fulfill ongoing PCI compliance requirements
  9. Conduct scheduled penetration testing
  10. Security log monitoring and file integrity monitoring (FIM)

Assessment Services

  • PCI DSS v3.1 Gap Assessment
  • PCI DSS v3.1 Report on Compliance (ROC)
  • Self-Assessment Questionnaire (SAQ) Assistance
  • Remediation Consulting
  • PII Finder
  • Vulnerability Scanning
  • Penetration Testing
  • Policy & Procedure Development
  • Breach & Forensic Investigations
  • Managed Security Services through our Security Operations Center

PCI Data Security Standard v3.1 – High Level Overview

The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD). Below is a high-level overview of the 12 PCI DSS requirements:

Build and Maintain a Secure Network and Systems
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  5. Protect all systems against malware and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel

HIPAA/HITECH Consulting Services


Maintaining compliance with the HIPAA Privacy and Security Rules, as strengthened by the HITECH Act, creates a significant resource constraint on Covered Entities. Healthcare organizations and their business associates must assess, remediate, validate and maintain ongoing compliance activities for their organization. The number, reach and complexity of healthcare regulations continue to increase. The HITECH Act tightened breach notification requirements, increased financial liability amounts and established that Covered Entities are in fact liable for their Business Associates. In effect, this extended compliance obligations across the entire healthcare ecosystem.

Compliance Engineering provides comprehensive services that can help organizations of any size comply with HIPAA/HITECH regulations. Compliance Engineering has trained and certified personnel suited to help support a compliance program centered on the administrative, physical and technical requirements of HIPAA/HITECH.

STEP 1: HIPAA/HITECH RISK ASSESSMENT

Conducting a HIPAA/HITECH Risk Assessment is the first step to identifying and implementing safeguards necessary to meet compliance. Compliance Engineering helps Healthcare Companies find gaps that may exist between your current security posture and HIPAA/HITECH requirements such as:

The Privacy Rule
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.
The Security Rule
The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
The Notification Rule
The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third party service providers, pursuant to section 13407 of the HITECH Act.

The assessments are customized and scaled individually for Covered Entities and Business Associates. The assessment includes: identification and location of PHI on key assets and IT systems, assessment of controls and frameworks, and a review of third-party providers and incident response programs.

STEP 2: REMEDIATION OF GAPS & VULNERABILITIES

Remediating gaps and vulnerabilities is critical because the Office for Civil Rights (OCR) within HHS has launched its audit program, and every covered entity or business associate is eligible for an audit. OCR investigations may result in penalties, which vary greatly and are determined by the date of the violation, whether the covered entity knew, or should have known, about the violation, and whether the violation was due to willful neglect. Compliance Engineering has consulting services and tools that can help remediate HIPAA/HITECH non-compliance issues:

  • Policy and procedure development
  • IT Remediation Consulting
  • PII/PHI Finder
  • Vulnerability Scanning
  • Penetration Testing
  • Security Operations Center 24/7
  • Security Log Monitoring and FIM
  • Virtual CISO Consulting

STEP 3: CONSTANT ONGOING COMPLIANCE MANAGEMENT

The reality is that HIPAA/HITECH compliance is not an event but an ongoing process, one that requires compliance activities every month, with documentation and evidence to support the completion of those activities. Compliance Engineering helps you centrally automate and manage controls, policies and procedures across multiple compliance frameworks, including HIPAA, and provides a real-time view into the status of your compliance and security programs.

COVERED ENTITIES AND BUSINESS ASSOCIATES

The HIPAA Rules apply to covered entities and business associates.

Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules' requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information. If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information. In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules.


NERC CIP Consulting


NERC CIP Compliance

Compliance Engineering Security Services help clients adhere to the comprehensive reliability standards that the North American Electric Reliability Corporation (NERC) has defined for planning and operating the collective bulk power system. Among these are the Critical Infrastructure Protection (CIP) Cyber Security Standards, which are intended to ensure the protection of the Critical Cyber Assets that control or affect the reliability of North America's bulk electric system.

NERC's nine mandatory CIP standards address the following areas:

  • CIP-001: Covers sabotage reporting;
  • CIP-002: Requires the identification and documentation of the Critical Cyber Assets associated with the Critical Assets that support the reliable operation of the Bulk Electric System;
  • CIP-003: Requires that responsible entities have minimum security management controls in place to protect Critical Cyber Assets;
  • CIP-004: Requires that personnel with authorized cyber or unescorted physical access to Critical Cyber Assets, including contractors and service vendors, have an appropriate level of personnel risk assessment, training, and security awareness;
  • CIP-005: Requires the identification and protection of the Electronic Security Perimeters inside which all Critical Cyber Assets reside, as well as all access points on the perimeter;
  • CIP-006: Addresses implementation of a physical security program for the protection of Critical Cyber Assets;
  • CIP-007: Requires responsible entities to define methods, processes, and procedures for securing those systems determined to be Critical Cyber Assets, as well as the other (non-critical) Cyber Assets within the Electronic Security Perimeters;
  • CIP-008: Ensures the identification, classification, response, and reporting of cybersecurity incidents related to Critical Cyber Assets; and
  • CIP-009: Ensures that recovery plans are put in place for Critical Cyber Assets and that these plans follow established business continuity and disaster recovery techniques and practices.

NERC CIP Gap Assessment

NERC CIP security and compliance assessments are performed by knowledgeable, certified security professionals skilled in dealing with new and legacy industrial control environments, and provide prioritized, actionable remediation recommendations based on industry-benchmarked solutions.

Compliance Engineering’s expert security consultants review every element of your NERC-CIP compliance, including: policies, procedures, configuration management, certification and accreditation, remediation plans, and security awareness training.


Consultation & Remediation

Compliance Engineering’s experienced, certified security professionals assist in the following:

  • Identify protection goals, objectives and metrics consistent with corporate strategic plan
  • Assist in the development and implementation of standards, guidelines and procedures related to the designated services to ensure ongoing maintenance of security
  • Assist in overseeing a network of designated security vendors who safeguard the company's assets, intellectual property and computer systems, as well as the physical safety of employees and visitors
  • Interpret scanning results to identify any additional vulnerabilities that need to be addressed
  • Assist with incident response as well as the investigation of security breaches
  • Serve as a consultant to the company for any industry or regulatory compliance requirements

Compliance Program Monitoring

Compliance Engineering's Hawkeye Managed Tools Security Service and Security Operations Center (SOC) assist organizations with managing security tool sprawl, NERC CIP-compliant log monitoring, log management, vulnerability management and security device health alerts.

Compliance Reporting

Compliance Engineering assists companies with standard and customizable reporting; a secure evidence repository for all NERC CIP compliance-related assessments, results and reports; and integrated ticketing with assignment, tracking, and journaling.


Corporate Security Status Assessment


Compliance Engineering's Corporate Security Status Assessment (CSSA) establishes the current security baseline of an organization, focusing on people, process and technology. Our security assessment provides an analysis of the technical security controls and mechanisms, following a proven methodology for identifying and reducing risk. We review your security policies, procedures and controls in relation to ISO 27001:2013, NIST SP 800-53 best practices and business objectives. We also provide a social engineering assessment to understand the overall level of employee security awareness.



Compliance Engineering’s security specialists perform a variety of key tests and activities, including:

  • Evaluation of existing network security architecture
  • External and internal network vulnerability scanning and penetration testing
  • System security assessments of mission-critical servers
  • Application and database vulnerability testing to uncover potential security weaknesses in software design and implementation
  • Wireless network security testing and assessment
  • Evaluation of asset management: inventory and classification of information assets
  • Evaluation of operational controls and IT policies and procedures
  • Analysis of perimeter and internal security mechanisms
  • Interviews with key staff members
  • Physical security assessments to evaluate susceptibility to physical security breaches
  • Review of information security incident response management: anticipating and responding appropriately to information security breaches
  • Review of business continuity management: protecting, maintaining and recovering business-critical processes and systems

The Final Report will include a grading format ranging from "severe to low" with recommendations for remediation. Reports are provided for both executive management and the technical teams. Compliance Engineering will conduct an exit interview to review and explain all necessary remediation tasks in detail.


Banking Regulatory Compliance Services


Information is one of a financial institution's most important assets. Protection of information assets is necessary to establish and maintain trust between the financial institution and its customers, maintain compliance with the law, and protect the reputation of the institution. Timely and reliable information is necessary to process transactions and support financial institution and customer decisions. A financial institution's earnings and capital can be adversely affected if information becomes known to unauthorized parties, is altered, or is not available when it is needed.

The Gramm-Leach-Bliley Act (GLBA) of 1999 first established a requirement to protect consumer financial information. Financial services regulations on information security, initiated by the GLBA, require financial institutions in the United States to create an information security program. The Federal Financial Institutions Examination Council (FFIEC) supports this mission by providing extensive, evolving guidelines for compliance; among other things, the FFIEC is charged with providing specific guidelines for evaluating institutions for compliance with GLBA. Compliance Engineering is an associate member of the Georgia Banking Association.

SECURITY PROCESS
Financial institutions should implement an ongoing security process and institute appropriate governance for the security function, assigning clear and appropriate roles and responsibilities to the board of directors, management, and employees.

INFORMATION SECURITY RISK ASSESSMENT
Financial institutions must maintain an ongoing information security risk assessment program that effectively:
  • Gathers data regarding the information and technology assets of the organization, threats to those assets, vulnerabilities, existing security controls and processes, and the current security standards and requirements;
  • Analyzes the probability and impact associated with the known threats and vulnerabilities to their assets; and
  • Prioritizes the risks present due to threats and vulnerabilities to determine the appropriate level of training, controls, and assurance necessary for effective mitigation.

INFORMATION SECURITY STRATEGY
Financial institutions should develop a strategy that defines control objectives and establishes an implementation plan. The security strategy should include:
  • Appropriate consideration of prevention, detection, and response mechanisms,
  • Implementation of the least permissions and least privileges concepts,
  • Layered controls that establish multiple control points between threats and organization assets, and
  • Policies that guide officers and employees in implementing the security program.

SECURITY CONTROLS IMPLEMENTATION
The goal of access control is to allow access by authorized individuals and devices and to disallow access to all others. Authorized individuals may be employees, technology service provider (TSP) employees, vendors, contractors, customers, or visitors. Authorized devices are those whose placement on the network is approved in accordance with institution policy.
  • Access should be authorized and provided only to individuals whose identity is established, and their activities should be limited to the minimum required for business purposes.
  • Change controls are typically used for devices inside the external perimeter, and to configure institution devices to accept authorized connections from outside the perimeter.

SECURITY MONITORING
Financial institutions should gain assurance of the adequacy of their risk mitigation strategy and implementation by:
  • Monitoring network and host activity to identify policy violations and anomalous behavior;
  • Monitoring host and network condition to identify unauthorized configuration and other conditions which increase the risk of intrusion or other security events;
  • Analyzing the results of monitoring to accurately and quickly identify, classify, escalate, report, and guide responses to security events; and
  • Responding to intrusions and other security events and weaknesses to appropriately mitigate the risk to the institution and its customers, and to restore the institution's systems.

SECURITY PROCESS MONITORING AND UPDATING
Financial institutions should continuously gather and analyze information regarding new threats and vulnerabilities, actual attacks on the institution or others, and the effectiveness of the existing security controls. They should then use that information to update the risk assessment, strategy, and implemented controls.


Managed Security Services


Compliance Engineering’s Hawkeye family of managed security services provides cost-effective turnkey solutions to solve some of the most difficult security problems facing your organization. Whether your need is Security Monitoring and Log Management (Vision), Security Tool Health Monitoring (MTSS) or PII Discovery (PIIFinder), there’s a Hawkeye Managed Security Service solution that addresses it.


Hawkeye Vision Security Monitoring


Ensure Security and Compliance with Hawkeye Vision

A turnkey managed solution for log management and security monitoring

Configuring Hawkeye Vision is simple and straightforward: install the provided Hawkeye security appliance (virtual or physical) in your infrastructure, point your log sources to it, log into the Vision portal, and you’ll immediately see valuable, actionable data about what’s going on in your network.

Works with the platforms and tools you already have.

Hawkeye Vision supports hundreds of security tools and network devices, and dozens of operating system platforms; if you’ve got something that generates logs or other security data, Hawkeye Vision can probably understand it. And if it can’t, CE can develop a custom parser so that it can.

World-class correlation rules and threat intelligence provided out of the box.

Hawkeye Vision is pre-configured with hundreds of rules to detect a wide variety of potential issues affecting the security of your network and data. Unlike traditional SIEM tools, where you are expected to develop (or hire expensive consultants to develop) rules and reports, CE's team of skilled security engineers has already done the work for you. In addition, our real-time threat intelligence feeds provide up-to-the-moment data on potentially suspicious hosts and potential attacks.



Hawkeye Vision is part of Compliance Engineering's Hawkeye Security and Compliance SaaS ("Security as a Service") platform, supported by a 24x7 Security Operations Center in Atlanta, GA.

Cloud-hosted SaaS model for maximum value.

Because the analytics and reporting engine for Hawkeye Vision is hosted in our own secure private cloud, there’s no need to buy expensive SIEM software or servers to host it. And our per-device pricing model means you only pay for what you need; organizations with small environments can finally afford enterprise SIEM-class service, and large organizations can benefit from the cost savings of not having to host and maintain SIEM in house.

Security Expertise is only a click or a call away.

Hawkeye Vision is supported by our 24/7 Security Operations Center staffed with security professionals with the skills to analyze events, investigate suspected incidents, and assist with remediation steps. Our service plans range from self-service options with per incident access to our analysts to full 24/7 SOC outsourcing; you choose the plan that best fits your needs and budget.


PII Finder Data Discovery




Hawkeye PII Finder Client Dashboard

Hawkeye PII Finder Data Discovery

Compliance Engineering's Hawkeye PII Finder Data Discovery solution is a proven software/service offering that combines broad data source coverage with scalability, backed by the professional engineers at the Compliance Engineering Security Operations Center. Designed to find a virtually limitless variety of sensitive data, PII Finder is especially tailored to quickly and accurately discover credit card, financial, health and insurance data wherever it may be.

Whether it's within files on Windows shares, stored in databases (Oracle, MSSQL, MySQL, MongoDB, DB2, etc), housed in a Mainframe datastore, or just lurking on a remote UNIX filesystem, PII Finder can discover the data.


DISCOVER PERSONALLY IDENTIFIABLE INFORMATION

Personally Identifiable Information (PII) is information that can be used to uniquely identify, contact, or locate a single individual. Examples include credit card numbers, Social Security numbers, phone numbers, addresses, and other sensitive data. Protecting PII is not just a "common sense" best practice; keeping PII secure is also dictated by many regulations and privacy laws.

Compliance Engineering's Hawkeye PII Finder Data Discovery solution allows a business to discover and take a full inventory of personally identifiable information (PII), intellectual property (IP), payment card industry (PCI) and HIPAA/HITECH data in order to scope and measure its associated risk. Powered by Compliance Engineering Hawkeye technology, PII Finder Data Discovery offers a streamlined and comprehensive way to boost security audit capabilities while protecting security investments.

Personally Identifiable Information (PII) is the most private kind of data stored about people and, if it is breached or stolen, it can cause adverse events such as identity theft or medical fraud. For example, the Department of Defense, the Department of Veterans Affairs, handlers of PII and Protected Health Information (PHI) such as insurance or personal investment companies, and employers such as a hotel chain have all reported significant losses of PII and PHI data, in some cases up to 25 million records. Protecting the information is not easy, but it is vital.

Compliance Engineering’s 7 Step PIIFinder Process

  1. Scoping Documentation
  2. Asset Classification
  3. Job Scan Request
  4. Scanning (Monitor via Job Scheduler)
  5. Analysis
  6. Reporting
  7. Remediation

Key Features

  • Answers the questions: how many, and where?
  • Helps clients locate sensitive data in database and file systems
  • Improved security and audit capabilities
  • Cost and scope reduction for Industry and Regulatory Compliance
  • PCI, HIPAA, FISMA/NIST, ISO...
  • Establish trusted and approved baselines

Differentiators

  • Fast Deployment - Agentless technology
  • Broadest coverage (mainframe, IBM i-Series, Unix, Microsoft...)
  • Cost effective solution - SaaS
  • CE SOC performs scan analysis and reporting

THE EIGHTEEN TYPES OF DATA DEFINED IN GOVERNMENT REGULATIONS (PCI DSS CARDHOLDER DATA AND THE HIPAA IDENTIFIERS):

  1. PAN and TRACK DATA
  2. Names
  3. All geographic subdivisions smaller than a state, including: street address, city, county, precinct, ZIP Code, and their equivalent geographical codes, except for the initial 3 digits of a ZIP Code if, according to the current publicly available data from the Bureau of the Census
  4. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, and date of death. All ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
  5. Telephone number
  6. Fax number
  7. E-mail address
  8. Social Security number
  9. Medical record number
  10. Health plan beneficiary number
  11. Account numbers
  12. Certificate or license number
  13. Vehicle identifiers and serial numbers (including license plates)
  14. Device identifiers and serial numbers
  15. Web URL
  16. IP address
  17. Biometric identifiers, such as fingerprints and voiceprints
  18. Full-face photos and any comparable images
In addition, any other unique identifying number, characteristic, or code can become a risk, depending entirely upon the data structures and methodologies of your organization.

COMPLY WITH PCI DSS DATA DISCOVERY REQUIREMENTS.

PCI DSS Requirement 3.1 Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data (CHD) storage:
  1. Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements.
  2. Specific retention requirements for cardholder data
  3. Processes for secure deletion of data when no longer needed
  4. A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention
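Both the PII Finder "how many, and where?" question above and the quarterly PCI DSS 3.1 search for stored cardholder data come down to the same discovery step: find candidate values, validate them to cut false positives, and report only masked results. The following Python scanner is an added example written for this page; it is not Compliance Engineering's PII Finder or any code from the original, and every file name, function name and sample record in it is constructed for illustration. It scans in-memory stand-ins for the shares, database extracts and logs the real service would read, validates PAN candidates with the Luhn check and SSN candidates against SSA issuance rules, and reports counts and locations without re-exposing the data.

```python
"""Added example (hypothetical, not Compliance Engineering's PII Finder):
a minimal sensitive-data discovery scanner for payment card PANs and
US Social Security numbers over sample files constructed in memory."""
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer digit run (filters hashes, long IDs).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Candidate SSN in the conventional AAA-GG-SSSS layout.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every real PAN passes it, so random digit runs
    that happen to be 13-19 long are dropped from the candidate set."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """SSA issuance rules: area 000, 666 and 900-999 are never issued,
    nor is group 00 or serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def mask(digits: str) -> str:
    """Keep only the last four digits so the report itself never stores CHD."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    kind: str        # "PAN" or "SSN"
    source: str      # file, table or log that held the value
    line_no: int
    masked: str


def scan_text(source: str, text: str) -> list:
    """Validated findings for one text blob; candidates that fail the Luhn
    or SSA checks are discarded as likely false positives."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                findings.append(Finding("PAN", source, line_no, mask(digits)))
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append(Finding("SSN", source, line_no, "***-**-" + m.group(3)))
    return findings


def scan_files(files: dict) -> list:
    """files maps a source name to its text content (a stand-in for the
    shares, database dumps or mainframe extracts a real scan would read)."""
    findings = []
    for source, text in files.items():
        findings.extend(scan_text(source, text))
    return findings


def summarize(findings) -> dict:
    """How many findings of each kind: the 'how many' half of the question."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample data: a valid test PAN in a CSV, a Luhn-invalid
# lookalike, a PAN leaked into an application log, and two SSN candidates.
SAMPLE_FILES = {
    "finance/orders_2015.csv": (
        "order_id,card,amount\n"
        "1001,4111 1111 1111 1111,59.90\n"       # valid (Visa test number)
        "1002,4111-1111-1111-1112,12.00\n"       # fails Luhn, not reported
    ),
    "hr/benefits.txt": (
        "Employee 123-45-6789 enrolled.\n"        # plausible SSN
        "Placeholder 000-12-3456 ignored.\n"      # area 000 is never issued
    ),
    "logs/app.log": "2015-06-01 request_id=378282246310005 status=200\n",  # Amex test PAN
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    print(summarize(results))                    # {'PAN': 2, 'SSN': 1}
    for f in results:
        print(f"{f.kind}  {f.source}:{f.line_no}  {f.masked}")
```

The sample deliberately includes a PAN sitting in an application log, which is the kind of location a retention policy written only for the cardholder database would never visit; a quarterly discovery run has to cover logs, shares and exports, not just the systems that are supposed to hold the data. The Luhn and SSA checks cut noise but are not proof: a Luhn-valid 16-digit number can still be a serial number, so findings should be reviewed before remediation, and the masked output is what goes into the report.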

Managed Tools Security Service



What is MTSS?

Companies use a variety of tools to manage and monitor the security of their network and application infrastructure, picked according to their needs and requirements. They are generally expensive, and it's imperative that the output be actionable and properly directed. In order to assure proper operation, the tools themselves must be kept healthy, current, and properly configured. This is time consuming and requires a broad skillset to perform effectively, a skillset not often present or affordable for many companies. Compliance Engineering offers a world-class Managed Tool Security Service (MTSS) from our Security Operations Center based in Atlanta to address these needs and more in a secure, economical fashion.

Why would my company need MTSS?

Typical customers have 10-25 security products to combat the persistent threats from the hostile world they operate in. The constant threat combined with the high cost and a shortage of skilled security engineers has put many companies at risk. Simply put, companies are unable to maintain and utilize the strategic investment in core security technologies to maximize their potential use. CE offers a comprehensive MTSS that will manage any security technology that the customer has acquired.

Methodology for Security Tool Management

Compliance Engineering’s tested and proven methodology enables us to assess your existing security tool portfolio, rationalize it to eliminate functional redundancies, and quickly develop and execute a plan to configure tools to their optimum state while fulfilling your organization’s compliance and security requirements.

Security Tool Management as a Service

With CE’s MTSS, we maintain the tools either at your facility or hosted in our SOC, which allows your engineers to focus on securing your organization. Our fully staffed 24x7x365 operations center monitors tool availability and health, applies patches, and performs version upgrades to keep your security tool environment in optimal shape. CE will also perform vulnerability scans, develop reports, policies and tool content, and provide incident investigation for your security tool portfolio.


Professional Services


Overview of Services

In addition to Application Security Consulting, Vulnerability Scanning, and Penetration Testing, Compliance Engineering’s Professional Services business is prepared to take your security to the next level. Our engineers are certified in many of today’s most important technologies and systems. We can perform Hawkeye PII Finder data discovery as a professional service in addition to configuring it within a broader system via our Managed Security Services architecture.

Once shortcomings have been identified, our engineers stand ready to assist you with immediate remediation tasks as well as planning for your future architecture to prepare you for a more secure future.

As partners with HP, IBM, Sophos, Vormetric, RSA, and more, Compliance Engineering is uniquely qualified to assist your business with security tool implementation and engineering, as well as SIEM architecture and implementation. Once implemented, we stand ready to assist you with maintenance and even staff augmentation if necessary to keep your systems running smoothly. Supported by our 24x7 SOC, our services are ready to help you now and in the future.

Virtual Information Security Officer

Compliance Engineering’s Virtual Information Security Officer (VISO) is our security specialist who serves as an extension to your business and is responsible for the development, implementation and management of your organization's corporate security vision, strategy and programs. The virtual information security officer is retained on a contractual basis and provides critical decision making support related to both physical and information security issues.

The virtual information security officer works across all business and functional lines to ensure a strategic and comprehensive approach to mitigating operational risks. Through research and benchmarking, our VISO will work with you to be compliant with regulatory mandates and define your desired state. They will also assess your current state and initiate security program development based on a gap analysis. The VISO cycle is completed by strategic planning (prioritization, tasks, and timelines).


Application Security Consulting


Your web applications are the perimeter of your network!

Web applications are an important part of business operations. However, web applications can be easily exploited by hackers who may attempt to steal sensitive data or simply deface the site. Companies that conduct business over their web sites face additional challenges. The Payment Card Industry (PCI) Security Standards Council requires companies that process credit cards over the Internet to either complete a Web Application Vulnerability Assessment or deploy a Web Application Firewall. Compliance Engineering’s application security engineers have the expertise in the latest application vulnerabilities and assessment methods to assist you if your company is seeking PCI certification or simply wants to ensure that there are no weaknesses in your web applications.

The National Institute of Standards and Technology estimates that nearly 92% of security breaches are facilitated by weaknesses in web applications.

Compliance Engineering employs certified security practitioners in a number of functional areas including Application Security. In addition to certifications and years of experience, our consultants are active in the community with membership in several user groups and foundations. Our consultants were founders of the Atlanta OWASP chapter.

COMPLIANCE ENGINEERING OFFERS SERVICES IN THESE KEY AREAS:

  • Web Application Security Testing - Our web application security penetration testers have the necessary background and expertise in web application development to provide top-notch security testing. We’ve performed web application testing for some of the world’s largest retailers, financial institutions and consumer products companies. We provide a risk assessment report that is tailored to your environment and applications.
  • Web Application Firewall - Network firewalls and intrusion detection systems cannot protect web applications. Let our experts help you select and implement the web application firewall that is appropriate for your needs.
  • Application Security Consulting - Our consultants have performed application security consulting for a number of Fortune 100 companies. Our consultants understand the importance of the Three Pillars of Software Security:
    • Applied Risk Management
    • Software Security Touch Points
    • Knowledge

Vulnerability Scanning Services


Compliance Engineering’s vulnerability scanning solutions help organizations gather information about potential weaknesses and discern which vulnerabilities pose tangible risks to their IT and networking assets. Compliance Engineering’s scanning service offers a proactive approach to application, database and network vulnerabilities, rapidly identifying security flaws and allowing an organization to better protect private and critical information. Compliance Engineering’s Vulnerability Scanning Services provide:

  • Internal and external vulnerability scanning
  • Support for physical, cloud and virtual infrastructure
  • Security vulnerability management team for expert consulting and support
  • Reporting and remediation workflow tools via portal
  • Integrated Managed Security Services for a more comprehensive view of your security posture
  • 24/7 Security Operations Center support
  • Policy and compliance scanning for PCI, HIPAA, and GLBA

Compliance Engineering's Vulnerability Management Methodology

Risk assessments are only as good as the vulnerability data they are built upon, and fresh vulnerability data is essential. Compliance Engineering's vulnerability discovery utilizes rule-driven profiling to gather and analyze the information repositories available in every enterprise and automatically and accurately deduce vulnerability data for all network nodes.

Compliance Engineering helps organizations determine which vulnerabilities are critical. Two approaches are commonly used together for analysis:

  • Hot Spot Analysis - Finds groups of hosts on the attack surface with a high density of severe vulnerabilities, which can be fixed by patching.
  • Attack Vector Analysis - Uses a methodical approach that finds specific high-risk attack vectors around one or more hosts that would require quick remediation (patching, shielding, network configuration) to eliminate exposure of specific targeted assets.

Compliance Engineering helps to prioritize the identified vulnerabilities to target remediation efforts. Traditionally, scanner reports prioritize vulnerabilities based on asset importance and a pre-defined vulnerability severity ranking, typically based on the Common Vulnerability Scoring System (CVSS) score. But this doesn’t prioritize the vulnerabilities within your network. Compliance Engineering helps analyze a vulnerability’s severity rating, asserting that the criticality of a vulnerability depends on several factors, including existing security controls, threat data, the business asset, and the impact of a potential attack.

Compliance Engineering's final step is remediating critical vulnerabilities. For effective vulnerability management, remediation should be integrated into the solution and should consider all security controls:

  • Are patches available? Can a patch be deployed, or is it ‘un-patchable’ due to system integration issues, location, availability requirements, application limitations, etc.?
  • Can system changes remediate the vulnerability? Will reconfiguring the network or changing access controls mitigate the vulnerability?
  • What other security controls are available? Are there other security controls that may provide protection, such as firewalls, IPS or anti-malware?
  • Remediation should consider all security controls, not just patching, and the availability of security controls should be part of the prioritization process.
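The prioritization and remediation steps above can be made concrete with a small scoring model. The following is an added example with assumed weights; it is not Compliance Engineering's methodology or Hawkeye, and the asset scale, control mitigation fractions, host addresses and finding ids (V1 to V5, standing in for scanner finding ids) are all constructed. It ranks findings by CVSS adjusted for asset criticality, Internet exposure, public exploit availability and compensating controls, performs the Hot Spot Analysis described above by finding /24 subnets where more than one host carries a severe finding, and reports whether each finding can be patched or must be shielded or reconfigured.

```python
"""Added example (assumed weights, not Compliance Engineering's method):
rank scanner findings by business context rather than raw CVSS, locate
hot spots (subnets with several hosts carrying severe findings), and
pick the remediation route when a patch is not an option."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Asset:
    host: str
    criticality: int              # assumed scale: 1 = low, 3 = business critical
    internet_facing: bool
    controls: Tuple[str, ...] = ()  # compensating controls already in place


@dataclass
class Vuln:
    host: str
    vuln_id: str                  # placeholder finding ids, not real CVE numbers
    cvss: float                   # base score as reported by the scanner
    exploit_public: bool          # threat data: is a public exploit known?
    patch_available: bool


# Assumed fraction of a finding's risk that each control removes.
CONTROL_MITIGATION = {"waf": 0.5, "ips": 0.25, "segmented": 0.5}
SEVERE = 7.0   # CVSS threshold for "severe" in the hot spot analysis

# Constructed inventory and scan results.
ASSETS: Dict[str, Asset] = {a.host: a for a in [
    Asset("10.0.1.10", 3, True, ("waf",)),        # public web server behind a WAF
    Asset("10.0.1.11", 2, True),                  # public web server, no WAF
    Asset("10.0.2.5", 3, False, ("segmented",)),  # internal database, isolated VLAN
    Asset("10.0.3.20", 1, False),                 # user workstation
]}
VULNS: List[Vuln] = [
    Vuln("10.0.1.10", "V1", 9.8, True, True),
    Vuln("10.0.1.11", "V2", 7.5, False, True),
    Vuln("10.0.2.5", "V3", 8.1, True, False),     # vendor says unpatchable
    Vuln("10.0.3.20", "V4", 9.0, True, True),
    Vuln("10.0.1.11", "V5", 5.3, False, True),
]


def contextual_score(v: Vuln, a: Asset) -> float:
    """CVSS weighted by asset value, exposure, threat data and controls."""
    score = v.cvss * a.criticality
    if a.internet_facing:
        score *= 2          # reachable by anyone on the Internet
    if v.exploit_public:
        score *= 1.5        # known exploit raises likelihood
    remaining = 1.0
    for control in a.controls:
        remaining *= 1 - CONTROL_MITIGATION.get(control, 0.0)
    return score * remaining


def prioritize(vulns: List[Vuln], assets: Dict[str, Asset]) -> List[Tuple[str, float]]:
    """Findings ordered by contextual score, highest first."""
    ranked = [(v.vuln_id, contextual_score(v, assets[v.host])) for v in vulns]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def hot_spots(vulns: List[Vuln], min_hosts: int = 2) -> Dict[str, List[str]]:
    """/24 subnets in which at least min_hosts hosts carry a severe finding."""
    by_subnet: Dict[str, set] = {}
    for v in vulns:
        if v.cvss < SEVERE:
            continue
        net = str(ipaddress.ip_network(f"{v.host}/24", strict=False))
        by_subnet.setdefault(net, set()).add(v.host)
    return {net: sorted(hosts) for net, hosts in by_subnet.items() if len(hosts) >= min_hosts}


def remediation(v: Vuln, a: Asset) -> str:
    """Patch when possible; otherwise name the controls not yet in place."""
    if v.patch_available:
        return "patch"
    missing = [c for c in CONTROL_MITIGATION if c not in a.controls]
    return "unpatchable: add " + "/".join(missing) + " or change network configuration"


if __name__ == "__main__":
    for vuln_id, score in prioritize(VULNS, ASSETS):
        print(f"{vuln_id}: {score:.2f}")
    print("hot spots:", hot_spots(VULNS))
    for v in VULNS:
        print(v.vuln_id, remediation(v, ASSETS[v.host]))
```

On this data the ranking is V1, V2, V5, V3, V4: the CVSS 9.0 workstation finding (V4) lands last because the asset is low value and not exposed, and the CVSS 8.1 database finding (V3) drops below a CVSS 5.3 web finding (V5) because network segmentation already halves its risk, which is exactly the point that scanner severity alone does not rank vulnerabilities within a particular network.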

Penetration Testing Services


Penetration testing evaluates an organization’s ability to secure its networks, applications, endpoints and users from external or internal attempts to circumvent its security controls to gain unauthorized or privileged access to protected assets. Test results validate the risk posed by specific security vulnerabilities or flawed processes, enabling prioritization of remediation efforts. By regularly scheduling comprehensive penetration testing, organizations can more effectively anticipate security risks and prevent breaches of critical systems and valuable information. Compliance Engineering's Penetration Testing Services include:

  • Network & Systems Penetration Tests
  • Application Penetration Tests
  • Wireless Penetration Tests
  • Source Code Security Audits

Compliance Engineering uses a phased approach to perform a Penetration Test against an organization’s infrastructure:

  • Identifying key assets, test points and attack vectors
  • Clearly defining the test scenarios to be used
  • Executing the penetration test with regular status reports
  • Immediate identification of critical risks
  • A thorough, summarized penetration testing report
  • Security consulting to assist with remediation

Penetration testing provides detailed information on actual, exploitable security threats. By performing a penetration test, an organization can proactively identify which vulnerabilities are most critical, which are less significant, and which are false positives. This allows an organization to intelligently prioritize remediation, apply needed security patches and allocate security resources more efficiently.

Penetration testing should be performed on a regular basis to ensure more consistent IT security management. In addition to regularly scheduled analysis and assessments required by regulatory mandates, tests should also be run whenever:

  • New network infrastructure or applications are added
  • Significant upgrades or modifications are applied to infrastructure or applications
  • New office locations are established
  • Security patches are applied
  • End user policies are modified

Remaining unaware of security risks can leave your organization vulnerable to attacks targeting the network, or a breach resulting in the loss, misuse or exposure of sensitive data. Our consultants will provide our clients with a secure and compliant Advanced Persistent Threat (APT) penetration test of their network. This can include internal or external networks, wireless networks, or your business' custom infrastructure and devices.

Compliance Engineering's Penetration Testing Consultants Will Help You:

  • Dramatically reduce the impact and likelihood of a breach through agreed upon rules of engagement
  • Meet compliance standards by prioritizing the defensive steps necessary to protect your business and its cyber environment
  • Understand your risk against the changing threats with the visual aids in our industry-exclusive Hawkeye software

Partners


Give your business a competitive edge by joining Compliance Engineering’s Reseller Partner Program. If you offer a product or service that is complementary to our solutions and services, you can increase customer satisfaction and expand your revenue stream.

Compliance Engineering’s Technology Partner Program is designed for companies that offer products which are complementary to our information security solutions and services. We select our Technology Partners based on their expertise in their respective fields as well as their commitment to customer satisfaction.

THE COMPLIANCE ENGINEERING DIFFERENCE

  • A strong customer-centric focus. We develop close working relationships with our clients and continually strive to provide superior customer service.
  • Experience that spans nearly every industry and business environment, and companies of all sizes.
  • An agile business model that enables us to quickly adapt to changes in legislation or information security requirements.
  • In-depth knowledge of best practices in information security and risk management compliance.
  • Highly trained, knowledgeable consultants and subject matter experts with appropriate credentials and certifications
  • “Vendor neutral” consulting and audit services

Compliance Engineering is privately held and was formed in 2001 in Atlanta, Georgia. Our resume consists of successful consulting and audit engagements including many Fortune 500 firms and industry leaders around the world. Compliance Engineering is certified by the Georgia Minority Supplier Development Council #AT08-8130.

UNDERSTANDING THE IMPACT OF COMPLIANCE ON YOUR BUSINESS

Is your information security working as designed? Do you understand the risks to your business if there were a data breach? No matter what your business, failure to comply with relevant legislation or to fully protect confidential data or payment card information can have a devastating impact. Compliance Engineering's Information Security Compliance Practice is uniquely positioned to enable you to meet your compliance and information security goals.






Charles Burke

President

Charles Burke is the founder of Compliance Engineering, Inc. and has over 21 years of IT experience, 12 years of which are IT Security related. Mr. Burke has worked diligently to position CE as a respected and trusted information security company. A CISSP and Sun Certified Java Programmer, Mr. Burke worked as a software engineer for several metro Atlanta software companies including eShare, Telecorp, and Noble Systems. Prior to forming CE, Mr. Burke worked as a security lead for The Home Depot. Mr. Burke has also created several security applications for CE including CodeSpect for secure code reviews and PIIFinder for data discovery. Mr. Burke also founded the Atlanta chapter of the Open Web Application Security Project (OWASP) and is a speaker at security and compliance conferences. He has a B.S. in Computer Science from Georgia Southwestern State University and an M.S. in Management from Troy University.

Bill Schmidt

Chief Operating Officer

Bill Schmidt has over 31 years of IT experience, of which the past 24 years have been dedicated to IT Security and Compliance. He has held roles in Fortune 100 and security companies as Chief Information Security Officer, Security Architect, Data Security Manager, Network Manager and Client Services Manager. Mr. Schmidt has partnered extensively with security technology companies to enhance the usability and effectiveness of their products. He has led some of the largest and most complex security initiatives for public, private and government entities. Bill has assisted Boards, CIOs and CISOs with their Information Security Program Effectiveness. Mr. Schmidt is a graduate of the University of Georgia with a B.S. in Computer Science. UGA recognized him as the ACM Top Programmer, and he worked for the University on a variety of research projects including the IBM Super Computer initiative.

Ulf Mattsson

Chief Technology Officer

Ulf was the Chief Technology Officer and a founder of Protegrity, Stamford CT. He created the architecture of Protegrity’s database security technology. Prior to joining Protegrity, he worked 20 years at IBM in software development and as a consulting resource to IBM's Research organization, specializing in the areas of IT Architecture and IT Security. He received his US Green Card of class ‘EB 11 – Individual of Extraordinary Ability’ after endorsement by IBM Research in 2004.

He is the holder of more than 15 patents in the areas of Encryption Key Management, Policy Driven Data Encryption, Internal Threat Protection, Data Usage Control and Intrusion Prevention. One line of his research during the last 15 years is in the area of managing and enforcing policies (security, encryption & audit) for databases, including more than 10 joint projects with research and development teams at IBM, Microsoft, Hewlett-Packard, Oracle, Sybase, Informix, Teradata, and RSA.

Ulf is a research member of the International Federation for Information Processing (IFIP) WG 11.3 Data and Application Security and a member of ANSI X9. Leading journals and professional magazines, including IEEE Xplore, ISACA and IBM Journals, have published more than 100 of his in-depth professional articles and papers. He received the industry's 2008 Most Valuable Performers (MVP) award together with technology leaders from IBM, Cisco Systems, Ingres, Google and other leading companies. He has given a series of presentations at leading security and database conferences in the US, Europe and Asia, and frequent tutorials at the Information Systems Security Association (ISSA) and Information Systems Audit and Control Association (ISACA). He received a master's degree in physics in 1979 from Chalmers University of Technology in Sweden, and degrees in electrical engineering and finance.

Jerry Wyble

VP & GM, Security & Assessment Services

Jerry brings over 25 years of Risk Management/Business Consulting, Information Technologies and Communications experience to Compliance Engineering. He is focused on delivering Corporate Security Status Analysis, PCI DSS Certification, HIPAA-HITECH Compliance, ISO 27001 and FISMA/NIST assessments for SMB as well as Fortune 500 companies.

Prior to joining Compliance Engineering, Jerry founded and grew a Security & Risk Management company to a successful acquisition. Following the acquisition, as General Manager he increased company revenue by 800%. He also has experience working for various government agencies as an engineer (TSSBI Clearance) and for IBM Global Services, Business Innovation Services Division, where he project-managed and was responsible for the planning, design, and installation of all the requirements pertaining to the roll out of IBM’s e-Business Centers of Innovation Worldwide, a $150,000,000 project for which he received IBM’s “Excellence Award” for Leadership Demonstrated. He has been a featured speaker for IBM, Microsoft and 3COM at worldwide conferences, and has articles published featuring system designs in technical trade publications.

Jerry has seven years International work experience, holds multiple IT and Security certifications, is a US Army Veteran and received his Bachelor of Science Degree from the University of Maryland.

Michael Livingston

Director of Channel Business Development

Michael Livingston brings over 25 years of IT experience of which the past 10 years have been dedicated to assisting companies in evaluating and implementing next generation technology in order to exceed business goals and regulatory requirements. Mr. Livingston has had repeated successes forging strategic long-term relationships with southeast channel partners. He is a judicious thinker with above-average ability to identify consumer needs and anticipate actions required to deliver desired solutions.

Robert Koonts

Southeastern Business Development

Robert brings over 25 years of information technology, telecom and cybersecurity experience. He is a sought-after expert on the integration and utilization of technology to leverage and grow business. Robert has leveraged his knowledge and practical communication skills to assist companies like Aerstone, AT&T, Verizon, Inacom, and EDS to expand market share and revenues.

Eric Adair

Director, Managed Security Services

Eric Adair is CE's senior infrastructure security consultant. He has over 17 years of IT industry experience, with 11 years in the security arena, specializing in the design and implementation of secure computing infrastructure. Mr. Adair has broad experience both as a manager and systems engineer at a number of Fortune 500 companies across a variety of industries.

Matt McClendon

Director, Application Development

With over 20 years of IT industry experience, 7 of them focused on security, Matt specializes in data security and management technologies. Matt has broad experience with Fortune 500 clients in industries ranging from manufacturing to banking, insurance and consulting. His familiarity with the operation of large enterprises enables excellent insight into data management and security optimization.

Let's Get In Touch!


Ready to start your next project with us? That's great! Give us a call or send us an email and we will get back to you as soon as possible!

800-516-3410