Credit Union
IT Controls Review

FFIEC/NCUA/FDIC

Our Information Security Managerial Controls Review (MCR) assesses the organization’s security program including:

• Policy Documentation

• Information Systems Policies Review and Assessment

• Procedure Documentation

• Technical Controls and Aggregate Security

Through interviews, documentation review, and testing, E3 evaluates an organization’s adherence to a desired standard. This standard can be a specific security standard (like NIST) or industry best practice. Managerial and operational (policies and procedures) controls are the foundation of all organizational security controls.

IT managerial and operational controls should set the tone for the organization with regard to information security. For 20 years, E3 has been providing credit unions with GAP assessments for their IT controls based on FFIEC, NCUA and state examination standards.

Bank IT Controls Review

FFIEC/FDIC/GLBA/FACTA

Our Information Security Managerial Controls Review (MCR) assesses the organization’s security program including:

• Policy Documentation

• Information Systems Policies Review and Assessment

• Procedure Documentation

• Technical Controls and Aggregate Security

Through interviews, documentation review, and testing, E3 evaluates an organization’s adherence to a desired standard. This standard can be a specific security standard (like NIST) or industry best practice. Managerial and operational (policies and procedures) controls are the foundation of all organizational security controls.

IT managerial and operational controls should set the tone for the organization with regard to information security. For 20 years, E3 has been providing banks and other financial institution with GAP assessments for their IT controls based on FFIEC, GLBA, FDIC, FACTA and state examination standards.

Security Best Practice Standards

ISO 27002:2013

Our Information Security Managerial Controls Review (MCR) assesses the organization’s security program including:

• Policy Documentation

• Information Systems Policies Review and Assessment

• Procedure Documentation

• Technical Controls and Aggregate Security

Through interviews, documentation review, and testing, E3 evaluates an organization’s adherence to a desired standard.

The ISO 27002 security standard is one of the industry’s most comprehensive and recognized across various types of businesses. Initially developed as the BS7799, the ISO 27002 security standard continues to be updated to set best practice standards for an organization’s information systems.

Government Cyber Security Assessment

Nist 800-53

Our Information Security Managerial Controls Review (MCR) assesses the organization’s security program including:

• Policy Documentation

• Information Systems Policies Review and Assessment

• Procedure Documentation

• Technical Controls and Aggregate Security

Through interviews, documentation review, and testing, E3 evaluates an organization’s adherence to a desired standard.

Many governmental agencies are required to achieve the NIST 800-53 accreditation. E3 has worked with both federal and state agencies to meet certification and accreditation process. The 800-53 standard evaluates a group’s controls in areas of management, operational, and technical safeguards (or countermeasures). These countermeasures are prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. The standard has gone through five revisions and our consultants are experienced with each update.

Government Cybersecurity Assessment

NIST CyberSecurity Framework

Our Information Security Managerial Controls Review (MCR) assesses the organization’s security program including:

• Policy Documentation

• Information Systems Policies Review and Assessment

• Procedure Documentation

• Technical Controls and Aggregate Security

Through interviews, documentation review, and testing, E3 evaluates an organization’s adherence to a desired standard.

This security framework is a voluntary standard consisting of guidelines and best practices to manage cybersecurity-related risk. E3 has worked with both version 1 and 1.1 of the framework and helped government and private organizations who have chosen to adopt this methodology for managing their information security risk. There are five main categories within the framework. Each of the five categories are broken into sub-categories with defined objectives. We can help assess organizations to determine if they are meeting these objectives, and identify areas of weakness that need to be improved.

Security Assessment for non-governmental organizations

NIST 800-171

Our Information Security Managerial Controls Review (MCR) assesses the organization’s security program including:

• Policy Documentation

• Information Systems Policies Review and Assessment

• Procedure Documentation

• Technical Controls and Aggregate Security

Through interviews, documentation review, and testing, E3 evaluates an organizations’ adherence to a desired standard.

Many organizations work with or provide services for governmental organizations. The protection of sensitive federal information while residing in nonfederal systems and organizations is of paramount importance to federal agencies. It can directly impact the ability of the federal government to successfully carry out its designated missions and business operations, including those missions and functions related to the critical infrastructure. We can help your non-governmental agency assess its adherence to this mandated security standard.

HIPAA Security Assessment

Description

The Health Insurance Portability and Accountability Act (HIPAA), signed into law in August 1996, requires the Department of Health and Human Services (DHHS) to adopt national uniform standards for the electronic transmission of certain health information. The intent of HIPAA is "administrative simplification" and protection of patient privacy. 

Detail

DHHS divides proposed security requirements into the following four groups:

1. Administrative procedures - documented general practices for establishing and enforcing security policies.

2. Physical safeguards - documented processes for protecting physical computer systems, buildings, etc.

3. Technical security services - processes that protect, control, and monitor access.

4. Technical security mechanisms - mechanisms for protecting information and restricting access to data transmitted over a network.

Who is affected by HIPAA regulations?

HIPAA affects all health care organizations. Organizations will need to focus on HIPAA compliance in the following areas:

• Electronic data interchange (EDI) transactions for health plan enrollment, eligibility, claims payment, premium payment, coordination of benefits, and referral/authorization - HIPAA will mandate specific EDI transaction standards and code sets for data.

• Storage and reporting of identifiers - Patient IDs, provider IDs, payer IDs, and employer IDs will be standardized under HIPAA for purposes of electronic transactions. As a result, information systems devoted to administrative, financial, and clinical applications must be able to capture, store, and report these identifiers.

• Protecting confidentiality of individually identifiable patient information in an automated system - Organizations must be able to demonstrate sound practices that protect patient confidentiality and security.

Organizations and vendors in the health care industry will need to understand the elements of HIPAA and be aware of the required changes. Providers and health plans will need to review their current information systems for HIPAA compliance. Organizations should also closely review their current confidentiality and security practices. Third-party reviews are required. Also, providers and health plans will need to institute policies for selection and acquisition of new information systems that require vendors to demonstrate compliance with known HIPAA requirements and a commitment to meet future requirements.