Compliance Auditing Services

Payment Card Industry (PCI), Healthcare (HIPAA), Banking (GLBA, FFIEC), Critical Infrastructure (e.g. NIST 800-171), CMMC, and more.

Compliance Made Easier

Compliance isn't easy. It's a continuous process and one that requires oversight throughout the year to ensure that policies and procedures stay current, controls are operating as required, and that those routine tasks are being completed within the designated frequencies. For some organizations, this responsibility falls on the same person or small team that's also responsible for ensuring the security of the organization's operations. Compliance isn't easy.

At Contextual Security Solutions, our focus is to lighten the load compliance brings to an organization. Whether it's helping you understand a control, its context, and how it impacts your unique environment, or if it's keeping you on schedule with the daily, monthly, quarterly, and annual tasks required within your industry, we are here to help. In addition, we will also help prepare you for those significant changes within the regulatory frameworks that are applicable to your environment. We make compliance easier.

Context Matters

Every engagement with Contextual Security Solutions is assigned both a compliance consultant and a security consultant for the duration of the project. Since day one (back in 2012), this has been our modus operandi. If you have a question regarding segmentation testing as it relates to PCI DSS 4.0 (requirement 11.4.5), how to interpret the training requirements for HIPAA Breach Section §164.530(b), or the scope of NIST 800-171 requirement 3.1.9, you'll have a knowledgeable team ready to assist. Our practice managers have decades of experience across the compliance spectrum (PCI DSS, PCI SAQ, HIPAA, NIST 800-53, NIST 800-171, NIST CSF, ISO 27001, ISO 27002, CMMC, to name a few). Solid security begins with knowing, excels by doing.

"The partnership between the two companies has been great and our PCI efforts have never been easier thanks to both sides working together so well." (Q3 2023)

IT Manager

Large Retail Merchant

Payment Card Industry (PCI DSS)

Does cardholder data security keep you up at night?

If you make money, you likely process credit cards. If your transaction limits are high enough, you also are responsible for reporting the status of your infrastructure security to your acquiring bank according to the Payment Card Industry Data Security Standard (PCI DSS). Regardless of your compliance requirements, our methodology and suite of services for PCI DSS audits will leave you confident with the council and in your overall security posture.

Extensive Knowledge of Controls

As a Qualified Security Assessor Company (QSAC - designated by the Payment Card Industry Security Standards Council), we have performed countless PCI DSS audits and have extensive knowledge of controls and how to answer them. We regularly help customers bridge gaps between their current organizational status and compliance for their reporting level. We’ve helped many organizations who had mostly non-compliant controls and cardholder data in countless locations achieve compliant levels in a single review window.

Beyond the Framework

We have compliance experts with years of demonstrated experience on the technical side. We don’t just answer controls, we learn and know your cardholder data environment (CDE). With that knowledge and experience comes not only a strong commitment to being in your corner and reporting fairly, but infrastructure acumen that takes you beyond where the controls are and prepares you for where information security is going.

Healthcare (HIPAA)

What is the status of your “protected” health information?

Every year, medical organizations across the nation have breaches of electronic protected health information (ePHI). But what is more concerning is there are thousands more organizations with the same vulnerabilities that just haven’t been found yet. Are you among them? Do you have confidence in the location, protection, and defense of your protected health information?

Know where your data lives...

Many healthcare auditing firms promise to perform a HIPAA Security Rule, Breach, and Privacy review, but when they are done, do you really have confidence in the locations, storage, and protections in place over all of your protected health information? As part of our HIPAA Audit Protocol, we perform a deep dive into your people, processes, technologies (e.g. EHRs/EMRs), and environments, find and assess risks to your ePHI, and help with recommendations so you can have peace of mind with your patients’ data.

Power through our briefings

While most auditors can hand out a report and sign off, we truly desire to be “in your corner” with respect to findings and recommendations. Our team gives detailed feedback to C-Level, technical, and board-level business leadership. We have advised top-level medical firms and medical retailers on remediation plans and given actionable advice digestible by both technical and non-technical organizational teams alike.

NIST 800-171, CMMC, etc.

Contextual Security Solutions' NIST Special Publication 800-171 audit is designed to assist organizations in meeting the controls required for protecting Controlled Unclassified Information (CUI) that they store, process and/or transmit. Our team of compliance consultants will help you navigate through the fourteen families of critical control groups found within the standard.

Our Cybersecurity Maturity Model Certification (CMMC, version 2) readiness assessment focuses on helping your organization align with the Department of Defense's information security requirements for Defense Industrial Base (DIB) partners. Following the proven approach Contextual Security Solutions applies to all of our compliance assessments, we will conduct an in-depth assessment of your organization's people, policies and procedures, technologies, and environments to ensure you are meeting the spirit and rigor of the CMMC requirements.

New York DFS 23 NYCRR 500

Contextual Security Solutions has created an annual program for those organizations that must adhere to the New York State Department of Financial Services 23 NYCRR Part 500 Cybersecurity Regulations. Our Base Assessment of Security Elements (B.A.S.E.) NYCRR 500 Program addresses the following key components found in the most recent amendment to the regulation (November 2023):

1) Penetration Testing (500.5): Each covered entity shall conduct, at a minimum, penetration testing of their information systems from both inside and outside the information systems’ boundaries by a qualified internal or external party at least annually.

2) Vulnerability Scans (500.5): Each covered entity shall conduct automated scans of information systems, and a manual review of systems not covered by such scans, for the purpose of discovering, analyzing and reporting vulnerabilities at a frequency determined by the risk assessment, and promptly after any material system changes.

3) Risk Assessment (500.9): Each covered entity shall conduct a periodic risk assessment of the covered entity’s information systems. The risk assessment shall be carried out in accordance with written policies and procedures and shall be documented. Such policies and procedures shall include: criteria for the evaluation and categorization of identified cybersecurity risks or threats facing the covered entity; criteria for the assessment of the confidentiality, integrity, security and availability of the covered entity’s information systems and nonpublic information, including the adequacy of existing controls in the context of identified risks; and requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the cybersecurity program will address the risks.

4) Incident Response Plan Testing (500.16): Each covered entity shall periodically, but at a minimum annually, test its incident response and BCDR plans with all staff and management critical to the response, revising the plans as necessary, and shall test its ability to restore its critical data and information systems from backups.

Additional Resources

Timeframes for Covered Entities

Timeframes for Class A Businesses

Timeframes for Small Businesses

If you'd like to learn more about our B.A.S.E. NYCRR 500 Program, please click the "Schedule a Discovery Call" button at the top of this page to schedule a 15-minute call with one of our experienced consultants.

Get an Actionable Blueprint for Your Compliance & Cyber Security