Dependable assistance toward compliance to give your business that competitive edge
Movaci offers the guidance and assistance you can trust to give your business a competitive advantage. We understand that each industry has unique technology compliance concerns. With dedicated strategic guidance, we ensure that your organization complies with all the necessary technology regulations.
In addition to supporting your organization directly, Movaci’s Data Center providers have been independently audited and certified under SSAE 16. This ensures that we meet the same strict technology regulations as well.
Our extensive industry experience includes:
- Federal Information Security Management Act (FISMA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Federal Risk and Authorization Management Program (FEDRAMP)
- National Institute of Standards and Technology (NIST) Special Publication 800-171
- Payment Card Industry (PCI) Data Security Standard (DSS)
- Personally Identifiable Information (PII)
ISO 27001 focuses on establishing an effective management system to minimize information security-related risks. The certification proves to your customers that business benefits are realized in a reliable and secure manner.
Movaci offers awareness training that helps your staff understand and apply the ISO 27001 approach. We help all levels of the organization articulate the objectives, controls and governance structures required. This includes the preparation of service-specific security concepts, the development of processes and management controls, and the creation of technical designs to address high-risk areas.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards developed to define the technical and operational requirements for organizations that accept or process payment transactions. PCI compliance is required for all entities that store, process, or transmit cardholder data.
Starting from the twelve PCI DSS requirements, we walk you through a greenfield approach so that you gain a clear understanding of the complexity involved and the solution options available. Your current set-up is then reviewed to decide how to evolve your IT, both technically and organizationally, to meet the PCI DSS requirements. Movaci can help you specify the design changes needed, together with product and vendor selection, to define the target architecture. Our team of project managers, architects, engineers and service managers is there to help you implement the target architecture and migrate legacy systems. Once the preparation work is complete, Movaci goes through the PCI DSS audit side by side with you. As a partner to your IT organization, Movaci supports you each year in maintaining your PCI compliance, including the yearly re-audit.
Movaci’s HIPAA Assessment will provide your organization with the broadest insights of any IT assessment module. It consists of the following elements:
HIPAA Policies and Procedures
The Policy and Procedures are the best practices that our industry experts have formulated to comply with the technical requirements of the HIPAA Security Rule. The policies spell out what your organization will do, while the procedures detail how you will do it.
HIPAA Risk Analysis
The HIPAA Risk Analysis identifies the locations of electronic Protected Health Information (ePHI), vulnerabilities to the security of the data, threats that might act on the vulnerabilities, and estimates of both the likelihood and impact of a threat acting on a vulnerability.
The analysis results in a list of items that must be remediated to ensure the security and confidentiality of ePHI.
HIPAA Risk Profile
A Risk Analysis should be done no less than once a year. However, Network Detective has created an abbreviated version of the Risk Analysis, called the HIPAA Risk Profile, designed to provide interim reporting in a streamlined and almost completely automated manner. Whether performed monthly or quarterly, the Risk Profile updates the Risk Analysis, documents progress in addressing previously identified risks, and finds new risks that might otherwise have been missed and resulted in a data breach.
Movaci creates a HIPAA Management Plan that is based on the findings in the Risk Analysis. This plan focuses on minimizing, avoiding, or responding to all risks. It defines the strategies and tactics which your business will use to address these risks.
External Network Vulnerability Scan
Movaci provides detailed reports showing security holes and warnings, as well as informational items including CVSS scores, as scanned from outside the target network. External vulnerabilities matter because they could give a malicious attacker a path into the internal network.
We also conduct the HIPAA On-Site Survey, which is an extensive list of questions about physical and technical security that cannot be gathered automatically, such as how facility doors are locked or whether servers are on-site, in a data center, or in the Cloud.
Finally, we write up the Disk Encryption Report, which identifies each drive and volume across the network, determines whether it is fixed or removable, and records whether encryption is active.
Evidence of HIPAA Compliance
Just performing HIPAA-compliant tasks is not enough. Audits and investigations require evidence that compliant tasks have been carried out and completed. Documentation must be kept for six years. Movaci manages all documented evidence and makes it accessible to the proper auditors or investigators.
File Scan Report
The File Scan Report identifies data files stored on computers, servers, and storage devices in order to determine which local data files are not protected and are thus at risk if a breach occurs. It does not read the files or access them; it merely records the file names and types. This report is useful in avoiding a data breach investigation.
User Identification Worksheet
The User Identification Worksheet takes the list of users gathered by the Data Collector and lets you identify whether they are an employee or vendor. Users who should have been terminated or should have had their access terminated can also be identified.
Many organizations assume that IT Service Management (ITSM) relates only to the repair and maintenance of hardware or to resolving issues. In fact, ITSM should be used more broadly: to identify the criticality of each service in line with its business objectives, and then to assess how to manage any technical disruptions and requests that may occur.
Movaci’s ITSM Gap Assessment assists in this important process. The service provides an in-depth view of your current service management practices, giving you a complete performance check. It also verifies compliance with expected or agreed-upon service levels, standards and frameworks.
The relevant standards and benchmarks that we use are as follows:
- ITIL (Information Technology Infrastructure Library): ITIL is a widely accepted approach to IT Service Management (ITSM) that has been adopted by individuals and organizations across the world. It provides a cohesive set of best practices, drawn from the public and private sectors internationally. Our team employs Axelos-certified ITIL Experts across all of the ITIL lifecycle stages, from Strategy to Continual Service Improvement.
- ISO/IEC 20000: ISO/IEC 20000 Service Management specifies requirements for an organization to establish, implement, maintain and continually improve a service management system (SMS). The requirements specified in this document include the planning, design, transition, delivery and improvement of services to meet the service requirements and delivered value expectations.
Once the gaps are identified by this assessment, Movaci creates a Service Improvement Plan that offers a foundation for setting priorities, assigning ownership, allocating investments of time, money and human resources, and measuring and improving compliance with the stated guidelines and recommendations. This gap-closure plan is tailored specifically to the gaps identified in your business or organization, while keeping your budget and priorities in mind.
Movaci can help you make your website, application, or product General Data Protection Regulation (GDPR) compliant. Our GDPR services have been designed to strengthen the data security of users or customers across Europe and help reshape your approach towards data security. We provide complete GDPR compliance solutions to help protect your business from tough penalties.
Movaci offers a special, one-stop service to help organizations comply with Thailand’s Personal Data Protection Act. This new set of laws, which went into effect in 2021, imposes complex rules surrounding all forms of online data collection, storage, processing, and distribution.
Modeled after the EU’s GDPR initiative, Thailand’s PDPA applies to every organization that collects data from internet users who are based in Thailand. Compliance will be mandatory once the PDPA goes into effect, and organizations that fail to adhere to the new regulations will face stiff penalties.
Thailand’s PDPA aims to protect the digital privacy of ordinary internet users by requiring significant changes to the way online organizations typically operate. Websites will need to request permission from users to collect their data, after informing them in clear and direct language how that data will be used. Only upon receiving positive confirmation from the user will websites be allowed to collect that data – and each site must ensure that its store of user data is used only for the purposes explicitly agreed to.