Policy Management System
The key to managing
compliance issues in any organization is to start with a clearly defined
Policy specifying the commitment for compliance, and setting out the
behaviors expected of all employees, contractors and third party
providers if applicable. Standards or Guidelines must be developed that
specify exactly what is required of the individuals subject to
the policy. Then the Policy and Standards must be incorporated into a
procedural framework or implementation document. The policy changes
must be introduced into the organization, and stakeholders must be
trained. This is especially important when the policy change requires a
change in behavior or new procedures. All too often these last two
steps are omitted, and the organization is at risk.
Command Center™
from META Security Group is a comprehensive policy and system
vulnerability management system enabling organizations to reduce risk,
reduce costs, and achieve regulatory compliance. Command Center
combines full life cycle policy management features with the industry's
leading portfolio of policy templates. Organizations can create and
tailor policies to their unique circumstances, and use Command Center to
deploy, track, and report on policy acceptance across the entire
enterprise. Command Center also combines the industry’s most
comprehensive vulnerability database with a profile-based alert system
that provides up to the minute information to address system security
vulnerabilities.
Policy and Standards
The Policy module provides templates based on best
practices and specific regulatory requirements. The best practice
modules can be tailored to fit the organization culture, common approach
or structure. Alternatively, existing institutional policy can be
uploaded to the system.
Command Center™ Templates currently exist for the
following federal regulations:
· HIPAA Privacy and Security Rules – The Health Insurance Portability and
Accountability Act of 1996 provides protection of workers who leave
their job from losing their ability to be covered by health insurance,
and provides the protection of integrity, confidentiality and
availability of electronic health information.
· Gramm-Leach-Bliley Act (GLBA) – Its purpose was to “modernize” financial services by
allowing financial institutions to offer complete service offerings.
GLBA includes security guidelines containing a range of risk-management
obligations focused on implementing the congressional policy of
protecting customer data.
· The Federal Energy Regulatory Compliance (FERC) Security Standards –
represent a minimum set of security requirements to ensure that
electric market participants have a basic Security Program for
protecting the electric grid and market from harmful, wide-ranging
impacts on grid operations and market resources.
· The Federal Information Security Management Act of 2002 (FISMA) – provides a
comprehensive framework for ensuring the effectiveness of information
security controls over information resources that support federal
operations and systems. Requires all federal systems to implement
NIST’s Federal Information Processing Standards (FIPS), which include
information security controls.
· ISO 17799 – International Organization for Standardization Security
Standard (ISO 17799) is an internationally recognized information
Security Management standard consisting of security clauses, controls,
and objectives comprising best practices in information security.
Regulations with template frameworks currently under
development include:
· Sarbanes-Oxley – sets rules for audit firms and Board of Directors relating to
conflicts of interest; requires an annual management assessment of
internal controls and prohibits the destruction of documents to impede,
obstruct or influence fraud investigations.
· Patriot Act – provides law enforcement agencies with powers to investigate
potential terrorist activity and expands capabilities for surveillance.
It provides for information sharing between federal investigative
agencies, with greater abilities for federal investigators to collect
and utilize information.
The Command Center™ system is first and foremost a
structure and as such can be utilized to include conformance data for
any set of policy and/or regulatory requirements.
In addition, the structure provides a three-level
hierarchy which implements Policy, Standards and Procedures. Since it
is a system accessed through web browsers, cross linkages are provided
for easy navigation between the levels. Command Center also provides
links and copies of several security and compliance-related original
sources, including best practices research reports, regulatory
standards, the Information Security Journal and META Group research
reports.
Awareness and Training
Part of the issue relating to policy enforcement is the
lack of employee or constituent awareness (or interest). The Awareness
module can provide email direction, review and signoff by employee, or
group. Tracking mechanisms can trace the review and acceptance process.
System Vulnerability Tracking
One of the most difficult implementation processes in
dealing with technology risk is that of ensuring that known and newly
discovered system vulnerabilities are patched or corrected. The
Vulnerability module will provide a tracking and management mechanism to
ensure fix distribution, implementation and compliance. This module
will focus on implementation of Security Policy, which may be a subset
of the overall compliance process.
Alignment with Organization Procedures
No matter the compliance requirement, it is critically
necessary to ensure that there is alignment between policy and
practice. Auditors, regulators and investigators all look carefully at
the gap between how a given policy is documented and how it translates
into process and procedure. One of the important services of Totally
Compliant is to ensure that the gap is minimized, and that the business
processes that govern how an organization actually works are in
consonance with the stated Policy and the implementing Standards.