Assessments

Advisory, protection, and monitoring services.

Non-Intrusive Assessments

Putting effective barriers between your business and the risks it faces, so that it stays secure and resilient for years to come.

Do you want confidence that your organization is secure? With our end-to-end advisory, protection, and monitoring services, we work to detect and stop threats before they reach your network. With cyber threats on the rise, it is more important than ever to protect your organization and maintain regulatory compliance so the business keeps running. Movaci helps you defend against threats and prevent breaches that can severely damage your business, reputation, employees, clients, and assets.

Movaci’s Full Assessment Reports include:

Network Assessments
Security Assessments
Microsoft Exchange Server Assessments
Microsoft SQL Server Assessments
PCI DSS Assessments
HIPAA Assessments

Compliance Assessments

Guidance and assistance you can trust to give your business a competitive advantage.

At Movaci, we understand that each industry has its own technology compliance concerns. With dedicated strategic guidance, we help your organization meet the technology regulations that apply to it.

In addition to supporting your organization directly, Movaci's data center providers have been independently audited under SSAE 16 (the attestation standard behind SOC 1 reports, since superseded by SSAE 18), so the facilities that host our services are held to strict, independently examined controls as well.

Our Extensive Industry Experience Includes:

Federal Information Security Management Act (FISMA)

We work with your organization to ensure it meets FISMA requirements and is ready to pass an upcoming audit.

Health Insurance Portability and Accountability Act (HIPAA)

Under a signed Business Associate Addendum, we assess your environment against the HIPAA Security and Privacy Rules to protect patient confidentiality.

Federal Risk and Authorization Management Program (FedRAMP)

We work with our cloud partners to help ensure that cloud solutions meet FedRAMP requirements.

National Institute of Standards and Technology (NIST) Special Publication 800-171

SP 800-171 defines the security requirements for protecting controlled unclassified information (CUI) in nonfederal systems. We assess your environment against those requirements and help you protect the confidentiality of CUI and other sensitive information.

Payment Card Industry (PCI) Data Security Standard (DSS)

We conduct assessments and advise on the next steps your organization should take to achieve and maintain compliance.

Personally Identifiable Information (PII)

We scan your network to uncover unprotected sensitive data and conduct a privacy audit in accordance with NIST Special Publication 800-122, the Guide to Protecting the Confidentiality of PII.

PCI DSS Assessments

The PCI Assessment provides the broadest insight of any of our assessment modules.

Your PCI Assessment will consist of the following elements:

PCI Policies & Procedures Document

The Policies and Procedures are the best practices our industry experts have formulated to meet the technical requirements of the PCI DSS. The policies state what your organization will do; the procedures detail how you will do it. In a PCI compliance audit, the first thing an assessor inspects is the Policies and Procedures documentation, so this is more than a suggested way of doing business: the documents have been carefully thought out and vetted, reference specific sections of the PCI DSS requirements, and are supported by the other reports included with the PCI Compliance module.

PCI Management Plan

Based on the findings of the Risk Analysis, the organization must create a Risk Management Plan of the tasks required to minimize, avoid, or respond to each risk. Beyond gathering information, our assessment provides a risk scoring matrix the organization can use to prioritize risks, allocate money and resources appropriately, and make sure that identified issues are actually resolved. The Risk Management Plan defines the strategies and tactics the organization will use to address its risks.

Evidence of PCI Compliance

Performing PCI-compliant tasks is not enough. Audits and investigations require evidence that compliance tasks were carried out and completed, retained for as long as your assessor, acquirer, or card brand requires (the PCI DSS itself requires at least one year of audit log history, with the most recent three months immediately available for analysis). The Evidence of Compliance includes log files, patch analysis, user and computer information, and other source material that supports your compliance activities, in enough detail to satisfy an auditor or investigator.

PCI Risk Analysis Report

The PCI DSS is a risk-based security framework, and producing a Risk Analysis is one of the primary requirements for PCI compliance; in fact, the Risk Analysis is the foundation of the entire security program. It identifies where Cardholder Data is stored electronically and where it is transmitted, the vulnerabilities in the security of that data, and the threats that might act on those vulnerabilities, and it estimates both the likelihood and the impact of a threat exploiting a vulnerability. The Risk Analysis helps card-processing merchants and their third-party service providers identify the components of the Cardholder Data Environment (CDE) and how data moves within it and into and out of the organization. It identifies what protections are in place and where more are needed, and it results in a list of items that must be remediated to ensure the security and confidentiality of Cardholder Data at rest and in transit. The Risk Analysis must be performed or updated at least annually, and more often whenever a significant change could affect one or more system components in the CDE.

External Network Vulnerability Scan

Detailed reports of security holes, warnings, and informational items, each with its CVSS score, as scanned from outside the target network. External vulnerabilities are what a remote attacker would exploit to gain access to the internal network.

Internal Network Vulnerability Scan

Detailed reports of security holes, warnings, and informational items, each with its CVSS score, as scanned from inside the target network. Closing internal vulnerabilities limits what an external attacker who has already gained a foothold, or a malicious internal user, can exploit among weaknesses the external firewall would otherwise shield.

PCI Pre-Scan Questionnaire

This questionnaire collects information about physical and technical security that cannot be gathered automatically. It covers topics ranging from how the facility controls physical access, firewall configuration, and application development to authentication and change management standards.

External Port Security Worksheet

This worksheet lets you document the business justification for every allowed port, the protocol configured to use it, and any insecure configuration implemented and in use for a given protocol. The PCI DSS also expects the security features that protect an insecure service to be documented wherever such a service remains in use.
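One way to drive this worksheet from scan data rather than memory is to compare what is actually reachable from the outside with what has a documented justification. The following is an added example, not Movaci's tooling: it parses Nmap greppable output (-oG), which is constructed here as a sample, and checks each open port against a hypothetical justification table, flagging undocumented ports, insecure services (the PCI DSS guidance names FTP, Telnet, POP3, IMAP, and SNMP v1/v2 as examples) that lack documented security features, and stale justifications for ports that are no longer open.

```python
"""Cross-check externally exposed ports against a port justification table.

Added example. The scan output and justification table below are constructed
samples; hosts, names and reasons are hypothetical.
"""
import re
from typing import NamedTuple

# Constructed sample of Nmap greppable output (nmap -oG). Fields per port are
# port/state/proto/owner/service/rpc/version/ and port lists end at a tab.
NMAP_OG = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 203.0.113.10 (web1.example.net)\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (996)
Host: 203.0.113.11 (mail.example.net)\tPorts: 25/open/tcp//smtp///, 110/open/tcp//pop3///, 443/open/tcp//https///
"""

# Hypothetical justification table keyed by (host, port, proto). For insecure
# services, "security_features" is the documentation the PCI DSS expects.
JUSTIFIED = {
    ("203.0.113.10", 21, "tcp"): {"reason": "legacy partner file drop", "security_features": None},
    ("203.0.113.10", 22, "tcp"): {"reason": "admin access, key auth, source-IP restricted", "security_features": None},
    ("203.0.113.10", 443, "tcp"): {"reason": "customer checkout over TLS", "security_features": None},
    ("203.0.113.10", 8443, "tcp"): {"reason": "old admin console", "security_features": None},
    ("203.0.113.11", 25, "tcp"): {"reason": "inbound mail", "security_features": None},
    ("203.0.113.11", 110, "tcp"): {"reason": "mailbox access for field staff",
                                   "security_features": "STARTTLS enforced, plaintext auth refused"},
    ("203.0.113.11", 443, "tcp"): {"reason": "webmail", "security_features": None},
}

# Services the PCI DSS guidance cites as examples of insecure protocols.
INSECURE_SERVICES = {"ftp", "telnet", "pop3", "imap", "snmp"}

_PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/")
_HOST_RE = re.compile(r"^Host:\s+(\S+)")


class OpenPort(NamedTuple):
    host: str
    port: int
    proto: str
    service: str


class Finding(NamedTuple):
    host: str
    port: int
    proto: str
    issue: str


def parse_nmap_og(text: str) -> list[OpenPort]:
    """Extract open ports from nmap -oG output, one OpenPort per host/port."""
    found = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = _HOST_RE.match(line).group(1)
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for port, state, proto, _owner, service in _PORT_RE.findall(ports_field):
            if state == "open":
                found.append(OpenPort(host, int(port), proto, service))
    return found


def check(open_ports: list[OpenPort], justified: dict) -> list[Finding]:
    """Compare observed open ports with the justification table."""
    findings = []
    seen = set()
    for p in open_ports:
        key = (p.host, p.port, p.proto)
        seen.add(key)
        entry = justified.get(key)
        if entry is None:
            findings.append(Finding(*key, f"open {p.service} with no documented business justification"))
        elif p.service in INSECURE_SERVICES and not entry["security_features"]:
            findings.append(Finding(*key, f"insecure service {p.service} allowed without documented security features"))
    # Justifications for ports that are no longer open are stale: retire or re-verify them.
    for key in justified.keys() - seen:
        findings.append(Finding(*key, "justification on file but port not observed open"))
    return sorted(findings)


if __name__ == "__main__":
    for f in check(parse_nmap_og(NMAP_OG), JUSTIFIED):
        print(f"{f.host}:{f.port}/{f.proto}  {f.issue}")
```

On the sample above, the check flags FTP on 203.0.113.10 (justified, but no security features documented for an insecure service), HTTP on port 80 (no justification at all), and the stale 8443 entry; POP3 on the mail host passes because its protective controls are documented.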

Cardholder Data Environment ID Worksheet

The Cardholder Data Environment Worksheet takes the list of computers gathered by the Data Collector and lets you identify those that store, process, or access Cardholder Data. This is an effective tool for developing data management strategies, including secure storage and encryption.

Necessary Functions Worksheet

For each server in the Cardholder Data Environment (CDE), this worksheet presents startup applications, services, and other functions, so you can identify those that are unnecessary for the server to fulfill its primary function and that the PCI DSS therefore expects to be disabled or removed.

Server Function ID Worksheet

PCI DSS Requirement 2.2.1 (v3.x numbering; 2.2.3 in v4.0) permits only one primary function per server, so that functions requiring different security levels do not co-exist on the same server. The Server Function ID Worksheet lets you document server roles (web server, database server, DNS server, etc.) and the functions activated on each physical or virtual server within the Cardholder Data Environment (CDE).

User Identification Worksheet

The User Identification Worksheet takes the list of users gathered by the Data Collector and lets you identify each as an employee or a vendor, and flag users who should have been terminated and whose access should already have been removed. This is an effective way to determine whether unauthorized users have access to protected information, and a good indicator of how promptly the organization disables access for departed employees and vendors. You can also review the list for generic logins such as Admin or Billing Office, which the PCI DSS does not allow because every user must be uniquely identified.

AntiVirus Capability Identification Worksheet

This worksheet lets the PCI readiness specialist inspect and document the features and capabilities of the antivirus software deployed on computers throughout the network, both inside and outside the Cardholder Data Environment (CDE).

PAN Scan Verification Worksheet

The Deep Scan includes a Primary Account Number (PAN) scanner. Its results are presented in this worksheet so you can investigate and verify whether each detected number really is a payment card account number rather than a false positive.
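The verification step matters because any 13- to 19-digit run looks like a PAN to a naive scanner. The following added example (not the Deep Scan's code) shows the two checks a practitioner applies before accepting a hit: the candidate must pass the Luhn mod-10 check that every card brand's PANs satisfy, and the scanner must report only a masked form (first six and last four digits, the PCI DSS display-masking maximum) so that the scan report itself does not become a store of cardholder data. The input is a constructed sample using the well-known public test card numbers; it also shows a Luhn-valid-looking order number being rejected.

```python
"""Candidate PAN detection with Luhn verification and PCI-style masking.

Added example; the sample text below is constructed and uses public test
card numbers, not real cardholder data.
"""
import re
from typing import NamedTuple

# Constructed sample: two genuine-looking PANs, one order number, one typo,
# one phone number. The order number and the typo must be rejected.
SAMPLE_TEXT = """\
2024-03-01 order 12345678901234 shipped
card=4111 1111 1111 1111 exp=12/27
legacy export: 378282246310005
typo: 4111-1111-1111-1112
support phone 555-0100
"""

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit run (so a 20-digit ID is not a candidate).
_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


class PanHit(NamedTuple):
    line_no: int
    masked: str      # first six and last four only; the middle is never kept
    length: int
    luhn_ok: bool


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits; mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> list[PanHit]:
    """Find PAN candidates line by line; never return the full digit string."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if not 13 <= len(digits) <= 19:
                continue
            hits.append(PanHit(line_no, mask_pan(digits), len(digits), luhn_valid(digits)))
    return hits


def verified(hits: list[PanHit]) -> list[PanHit]:
    """Hits that survive the Luhn check and therefore warrant manual verification."""
    return [h for h in hits if h.luhn_ok]


if __name__ == "__main__":
    for h in scan_text(SAMPLE_TEXT):
        status = "LUHN OK" if h.luhn_ok else "rejected"
        print(f"line {h.line_no}: {h.masked} ({h.length} digits) {status}")
```

A Luhn pass is necessary but not sufficient: it cannot distinguish a card number from any other Luhn-checked identifier, which is exactly why the worksheet asks a person to confirm each surviving hit, and why the scanner stores nothing more than the masked value.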

Compensating Controls Worksheet

The PCI DSS allows compensating controls where a legitimate technical or documented business constraint prevents a requirement from being met as stated, provided the alternative control sufficiently mitigates the risk. All discovered issues are presented in this worksheet so you can document any compensating controls that are in place.

PCI Layer 2/3 Diagram

This diagram shows the components discovered along with their Layer 2 and Layer 3 connections. Systems and devices that are part of the Cardholder Data Environment (CDE) are highlighted. A current diagram of the CDE components and their connectivity to the wider network is a PCI DSS requirement.

ASV Certified Reports

These reports are generated by an Approved Scanning Vendor (ASV) and offered at a nominal additional fee per scan; the PCI DSS requires a passing external scan by an ASV at least quarterly and after any significant change. The PCI Attestation of Scan Compliance serves as your certificate or proof that the host or IP address has passed the PCI DSS standard for external vulnerabilities. The PCI Compliance Executive Report summarizes any vulnerabilities discovered, their severity, CVSS score, and exceptions, while the PCI Detailed Vulnerability Report provides expanded information, including descriptions of the nature of each vulnerability and remediation suggestions where applicable.