CaaS Compliance-as-a-Service

What is HIPAA?

HIPAA is a U.S. law that outlines protection and security standards for health care data. HIPAA Privacy regulations require health care providers and organizations, as well as their business associates, to develop and follow procedures that ensure the confidentiality and security of protected health information (PHI) when it is transferred, received, handled, or shared.

Who is required to be compliant?

Any covered entity, defined as health care providers, health plans, and health care clearinghouses, that collect and use individually identifiable health information.

Primary Requirements

• Privacy: Patients’ rights to PHI
• Security: Physical, technical and administrative security measures
• Enforcement: Investigations into a breach
• Breach Notification: Required steps if a breach occurs
• Omnibus: Compliant business associates

How Does Ntirety Help?

Ntirety will perform an assessment of existing security controls and make recommendations on additional administrative and technical controls that will be required to comply with HIPAA Privacy and Security Rule. We assess your compliance posture through the design, implementation, and effectiveness of controls. For areas where gaps or deficiencies are noted, we provide detailed recommendations to assist with remediation efforts.​

Ntirety will get a clear understanding of your business model in order to determine your organization’s critical assets pertaining to Protected Health Information (PHI)

• Assess any existing policies and procedures, both formal and informal, governing the operations of the IT systems, end-user IT policies, and confidentiality practices.
• Assess logical security of the proposed systems including user access authorization, administration, and review processes.
• Assess physical security of selected sites where ePHI will be accessed.
• Analyze and evaluate network intrusion response plans, intrusion detection processes, and breach notification policies as they apply to HIPAA and the HITECH Breach Notification Requirements.
• Analyze and evaluate the business continuity/disaster recovery plan and testing for HIPAA requirements to the extent that they apply.
• Assess vendor management processes and vendor contracts for security and confidentiality responsibilities.
• Assess risks associated with network access/connectivity to third parties.

Review system architecture design and controls, and determine their level of adequacy as it pertains to providing secure infrastructure for storage and handling of health information and intellectual property:

• Review the network architecture to determine if it aligns with Security Best Practices, including firewalls, networks, VLANs, and administrative controls.
• Review your servers and other computing resources’ security configuration standards to ensure that they have been securely configured and managed, including, to the extent it applies.
• Review your plan for logging infrastructure including events to be logged and will work with you to ensure that all appropriate events are included in the plan.

Ntirety offers industry-leading, HIPAA-compliant, and HITRUST-certified solutions, including the following components:​

• Web application firewall
• Firewall​​
• Intrusion detection and prevention​​
• Multi-factor authentication​​
• SSL and VPN​​
• File integrity monitoring​​
• Security event log management and monitoring​​
• Data backups​

Schedule Your HIPAA Assessment

What is HITRUST CSF?

HITRUST CSF is a prescriptive and certifiable framework specifically created in response to multiple compliance requirements continuously evolving and subject to interpretation. It covers eight of the most common regulations and control frameworks (NIST, HIPAA, PCI, ISO 27001, and more) in Healthcare ​and Industries with sensitive data.​ The governing body regularly updates the requirements.

Who needs this certification?

Healthcare ​and Industries with Sensitive Data​​.

Primary Requirements

HITRUST is broken up into 19 control domains:

• Information Protection Program
• Endpoint Protection
• Portable Media Security
• Mobile Device Security
• Wireless Security
• Configuration Management
• Vulnerability Management
• Network Protection
• Transmission Protection
• Password Management
• Access Control
• Audit Logging & Monitoring
• Education, Training and Awareness
• Third Party Assurance
• Incident Management
• Business Continuity & Disaster Recovery
• Risk Management
• Physical & Environmental Security
• Data Protection & Privacy

How Does Ntirety Help?

Ntirety can help identify and document your controls, determine any gaps that need to be remediated prior to pursuing HITRUST and provide recommendations on how to remediate the gaps identified. We help you achieve your own HITRUST certification as an enterprise risk management and/or 3rd party risk assurance solution.​

• Alignment with national standards & requirements​​
• Help assessing your current and targeted cybersecurity posture
• Identify gaps in current programs and resources​
• Standardize your assessment and reporting documentation​​
• Improve management processes for cybersecurity risk
• Guide you through the HITRUST audit alongside an external HITRUST assessor

Work with a HITRUST-Certified Provider

What is PCI?

PCI-DSS is an information security standard for organizations that handle branded credit cards with the purpose of increasing controls around cardholder data and reducing fraud. The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council.

Who is required to be compliant?

Any organization that processes credit/debit card information, including merchants and third-party service providers that store, process, or transmit credit/debit card data. Primarily Retail​, Banking, and FinTech​.

How Does Ntirety Help?

Our comprehensive solutions address a sub-set of the 12 major requirements across your physical and logical environment. ​See chart below.

• PCI Mapping
  If you already have certain controls in place for other compliance reports, such as a SOC 2 report, we can identify those controls and map them to PCI DSS requirements.
• Self-Assessment Questionnaire (SAQ)
  All merchants are required to complete the Self-Assessment Questionnaire (SAQ). Based on your organization’s payment card processing, we will review your environment, policies, procedures and controls to help you understand the purpose of each question and the response needed to comply with the requirements in the SAQ.
• Readiness Assessment
  We will assess your current controls against the requirements of PCI DSS. This process allows us the time to identify and address problem areas prior to the onsite assessment.
• Onsite PCI Assessment
  We will guide you through your PCI audit, alongside with your QSA.

Schedule Your PCI Compliance Assessment

What is SOC?

A System and Organization Controls report (SOC 1, 2, or 3) is a widely recognized examination to maintain trust and confidence across your organization’s security and financial controls performance. SOC reports conform to the guidance prescribed by the American Institute of CPAs (AICPA) Statement on Standards for Attestation Engagements (SSAE). SOC 1 & 2 meets the needs of a broad range of users who need information and assurance about controls at a service organization that affect the security, availability, or processing integrity of the systems that the service organization uses to process users’ data or the confidentiality or privacy of the information processed by these systems.

Who is required to be compliant?

There’s not a particular industry that requires SOC; often it is businesses in financial services, including banking, investment, insurance and security.

Primary Requirements

• Security – Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
• Availability – Information and systems are available for operation and use to meet the entity’s objectives.
• Processing Integrity – System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
• Confidentiality – Information that is designated “confidential” is protected to meet the entity’s objectives.
• Privacy – Personal information is collected, used, retained, disclosed, and disposed to meet the entity’s objectives. Although the confidentiality applies to various types of sensitive information, privacy applies only to personal information.

How Does Ntirety Help?

Ntirety can help identify and document your controls, determine any gaps that need to be remediated prior to pursuing a Type 1 or Type 2 report, and provide recommendations on how to remediate the gaps identified. As a SOC 2, Type II certified provider, we’re knowledgeable in SOC requirements and offer best practices to pursue a SOC report. Our team delivers cloud-specific security and compliance expertise.

• Interpret requirements and documentation needs​​
• Identify gaps in current programs and resources​​
• Provide recommendations to remediate gaps and improve internal controls​
• Perform regular internal “mock” audits in preparation for the annual audit​​​

Schedule Your SOC Assessment

What is ISO 27001?

ISO (International Organization for Standardization) is an independent, non-governmental, international organization that develops standards to ensure the quality, safety, and efficiency of products, services, and systems. ISO/IEC 27001 is a set of information security standards that helps organizations manage the security of customer/employee data, financial information, intellectual property and third party data. Organizations are certified by an accredited certification body following successful completion of an audit.

Who needs this certification?

Compliance with ISO 27001 is not mandatory. An ISO certification conveys credibility and trust to vendors, customers and other stakeholders.​

Primary Requirements

Address the three dimensions of information security: Confidentiality, Integrity, and Availability. ISO 27001 is comprised of 114 controls which are grouped into 14 control categories:

• Information Security Policies
• Organization of Information Security
• Human Resources Security
• Asset Management
• Access Control
• Cryptography
• Physical and Environmental Security
• Operational Security
• Communications Security
• System Acquisition, Development and Maintenance
• Supplier Relationships
• Information Security Incident Management
• Information Security Aspects of Business Continuity Management
• Compliance

How Does Ntirety Help?

• Controls policy and procedure development​
  We augment your organization’s internal process owners to establish appropriate policies that meet control objectives justified for inclusion to your management system.​
• Management system internal audit​
  We execute an independent, periodic internal audit against management system requirements. As part of the required documentation inspection, we determine sufficiency of sampled control procedures provided by your organization.

Schedule Your ISO Assessment

What is GDPR?

The General Data Protection Regulation (GDPR) is a regulation on data protection and privacy in the European Union and beyond. It is intended to improve and unify data privacy practices in regard to the data of EU residents. Any company that collects and/or processes the data of any EU citizens must comply with GDPR.

Who is required to be compliant?

Any company that collects or processes data from EU citizens.​

Primary Requirements

The General Data Protection Regulation establishes eight data privacy rights that apply to all users. Your organization is obligated to uphold these rights or face the severe penalties.

1. The right to access. Individuals may request access to their personal data. They may also ask about how their data is used, processed, stored, or transferred to other organizations. You must provide an electronic copy of the personal data, free of charge if requested.
2. The right to be informed. Individuals must be informed and give free consent (not implied) before gathering and processing their data.
3. The right to data portability. Individuals may transfer their data from one service provider to another at any time. The transfer must happen in a commonly used and machine-readable format.
4. The right to be forgotten. If users are no longer customers or withdraw their consent to use their personal data, they have the right to have their data deleted.
5. The right to object. If a user objects to your use or processing of their data, they can request that you stop. There are no exceptions to this rule. All processing must stop as soon as the user makes their request.
6. The right to restrict processing. Individuals can ask you to stop processing their data or stop a certain kind of processing. Their data can remain in place if they choose.
7. The right to be notified. Individuals have the right to be notified in the event of a personal data breach that compromises their personal data. This must happen within 72 hours of your first learning of the breach.
8. The right to rectification. Users can request that you update, complete, or correct their personal data.

How Does Ntirety Help?

Ntirety identifies strengths, challenges, recommendations and remediation actions necessary to meet GDPR compliance. We guide you along the process, considering your unique business model and data ecosystem.

• Help interpret requirements and gather information by walking through the Articles of GDPR​​
• Review policies, procedures and technologies​
• Conduct interviews
• Perform gap analysis and produce findings
• Provide recommendations and a prioritized roadmap to achieve GDPR compliance​

Schedule Your GDPR Assessment

What is CCPA?

The California Consumer Privacy Act is a law that secures new privacy rights for California consumers. This privacy law grants any California consumer the right to:

• Know what personal data is being collected about them
• Know whether their personal data is sold or disclosed and to whom
• Say no to the sale of personal data
• Access their personal data
• Request a business delete any personal information about a consumer collected from that consumer
• Not be discriminated against for exercising their privacy rights

Who is required to be compliant?

CCPA applies to any for-profit entity doing business in California that collects, shares, or sells California consumers’ personal data, and:​

• Has annual gross revenues in excess of $25 million; or
• Possesses the personal information of 50,000 or more consumers, households, or devices; or
• Earns more than half of its annual revenue from selling consumers’ personal information.

Primary Requirements

For businesses that must adhere to CCPA law, compliance breaks down into 5 main requirements:

1. Data inventory and mapping of in-scope personal data and instances of “selling” data
2. New individual rights to data access and erasure
3. New individual right to opt-out of data selling
4. Updating service-level agreements with third-party data processors
5. Remediation of information security gaps and system vulnerabilities

How Does Ntirety Help?

Ntirety provides a comprehensive review of your state of compliance by identifying strengths, challenges and remediation actions necessary for compliance. In addition, we will deliver a prioritized roadmap to guide you to full compliance with CCPA.

Working closely with Customer, Ntirety will gather information on your current state of policies, procedures and practices in the context of CCPA. Activities include:

• Review business model and personal data ecosystem​​
• Review policies, procedures and technologies
• Conduct interviews

Based on an understanding of your business, practices and procedures, Ntirety will analyze the information in the context of CCPA requirements.

We will overlay the gathered information with the specific CCPA requirements, identify strengths, gaps and necessary remediation efforts and provide you with findings and recommendations and a prioritized roadmap to CCPA compliance.

Schedule Your CCPA Assessment

What is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that promotes the adoption of secure cloud services across the federal government by providing a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP authorization is required for U.S. Government vendors that offer cloud services, including SaaS solutions. If your business contracts with the government or if you do business with a government contractor, this may apply.

Who is required to be compliant?

Any commercial cloud service offering (CSO) to be used by a federal agency must demonstrate FedRAMP compliance.

Primary Requirements

The FedRAMP Joint Authorization Board (JAB) used the NIST SP 800-53 catalog of controls as a baseline for FedRAMP and made certain modifications to address the unique risks of cloud computing environments, including but not limited to multi-tenancy, visibility, control/responsibility, shared resource pooling, and trust.

The FedRAMP requirements and controls span across the following domains:

• Access Control
• Awareness and Training
• Audit and Accountability
• Security Assessment and Authorization
• Configuration Management
• Contingency Planning
• Identification and Authentication
• Incident Response
• Maintenance
• Media Protection
• Physical and Environmental Protection
• System Security Planning
• Personnel Security
• Risk Assessment
• System and Services Acquisition
• System and Communications Protection
• System and Information Integrity FedRAMP also requires covered entities to implement a continuous monitoring program to ensure their cloud system maintains an acceptable risk posture.

You can think about the authorization process in four phases:

• Document
• Assess
• Authorize
• Monitor

How Does Ntirety Help?

Contact us for information.

Schedule Your FedRAMP Assessment

What is ITIL?

ITIL (Information Technology Infrastructure Library) is a framework designed to standardize the selection, planning, delivery, maintenance and overall lifecycle of IT services within a business. This system of standards was developed by the British Office of Government Commerce (BGC). ITIL describes processes, procedures, tasks, and checklists which are neither organization-specific nor technology-specific, but can be applied by an organization toward strategy, delivering value, and maintaining a minimum level of competency.

Who is required to be compliant?

All Industries

Primary Requirements

ITIL 4 defines four dimensions that should be considered to ensure a holistic approach to service management:

1. Organizations and people
2. Information and technology
3. Partners and suppliers
4. Value streams and processes
5. These dimensions are applicable to the service value system in general and to specific services

Service Value System

The service value System (SVS) represents “”how all the components and activities of an organization work together to facilitate value creation””. The ITIL 4 SVS includes several elements:

• Guiding principles
• Governance
• Service Value Chain
• Continual Improvement
• Practices

ITIL 4 includes 34 management practices as “sets of organizational resources designed for performing work or accomplishing an objective”. For each practice, ITIL 4 provides various types of guidance, such as key terms and concepts, success factors, key activities, information objects, etc.

The 34 ITIL 4 practices are grouped into three categories:

• General management practices
• Service management practices
• Technical management practices

How Does Ntirety Help?

Contact us for information.

Schedule Your ITIL Assessment

What is NIST?

The National Institute of Standards and Technology (NIST), a division within the U.S. Department of Commerce that promotes innovation and industrial competitiveness, recommends a set of vital cybersecurity standards for information systems, in addition to developing Federal Information Processing Standards (FIPS). NIST’s Framework has five core functions: Identify, Protect, Detect, Respond, and Recover. NIST defines the framework as a set of cybersecurity activities, desired outcomes, and applicable informative references common across critical infrastructure sectors. The catalog of security controls in Special Publication 800-53 can be effectively used to protect information and information systems from traditional and advanced persistent threats in varied operational, environmental, and technical scenarios. The controls can also be used to demonstrate compliance with a variety of governmental, organizational, or institutional security requirements.

Who is required to be compliant?

NIST 800-53 mandates specific security and privacy controls required for federal government and critical infrastructure

Primary Requirements

The NIST requirements and controls include the following:

1. Access Control
2. Media Protection
3. Awareness and Training
4. Physical and Environmental Protection
5. Audit and Accountability PL Planning
6. Security Assessment and Authorization
7. Personnel Security
8. Configuration Management
9. Risk Assessment
10. Contingency Planning
11. System and Services Acquisition
12. Identification and Authentication
13. System and Communications Protection
14. Incident Response
15. System and Information Integrity
16. Maintenance
17. Program Management

Media Protection Awareness and Training Physical and Environmental Protection Audit and Accountability PL Planning Security Assessment and Authorization Personnel Security Configuration Management Risk Assessment Contingency Planning System and Services Acquisition dentification and Authentication System and Communications Protection Incident Response System and Information Integrity Maintenance Program Management

How Does Ntirety Help?

Ntirety will assist in interpreting controls, asssist in scoping the responsibility of the controls as it relates to Ntirety and its service provider role.

Schedule Your NIST Assessment