Premium Security Assessment

The Premium Security Assessment Blueprint is designed for larger companies and those with compliance needs. Compliance requires not only an Annual Risk Analysis, but also proof of on-going efforts. The Premium level provides a framework for how to demonstrate and document on-going efforts. The Premium level assessment can be performed using either the HIPAA or PCI Compliance module (or both in situations where you have larger healthcare clients).

| FREQUENCY | DETECTIVE | DELIVERABLE | PURPOSE |
|---|---|---|---|
| INITIAL / ANNUAL | HIPAA/PCI, Inspector | All Compliance Reports | Provides annual Evidence of Compliance and proof of risk analysis. |
| MONTHLY | HIPAA/PCI | HIPAA/PCI Risk Profile; HIPAA/PCI Management Plan (Change); External Vulnerability Summary | Demonstrates on-going compliance and remediation activity. |
| QUARTERLY | Inspector | Internal Vulnerability Summary | Perform the quarterly vulnerability scans required by various compliance standards. |

Required Tasks
On a quarterly basis, an on-site visit with an Inspector appliance is required to perform the Internal Vulnerability and Layer 2/3 scans and to complete the on-site survey.

Estimated Time
The cost to implement the Premium Blueprint varies greatly with the size of the organization. Most of the effort will consist of performing the annual Risk Analysis (8+ hours annually), quarterly Inspector scans (8 hours annually), and monthly scans (1 hour monthly).

Perform Scans 
Initial/Annual

1. Go on-site. 
2. Perform complete HIPAA or PCI Compliance assessments. 

Monthly

1. Remote onto a server or workstation in the client’s network. 
2. Perform the HIPAA and PCI scans for use with the Risk Profiles (utilizing worksheets from the previous annual assessment). 

Quarterly

1. Go on-site. 
2. Connect the Inspector appliance. 
3. Initiate an Internal Vulnerability Scan. 
4. After scan completion, remove the Inspector. 
Report Review and Delivery
Reports should be generated per the blueprint at the stated frequency. The Initial/Annual and Quarterly reviews will be done interactively, either in person or online. Monthly reports can be delivered electronically to your client and reviewed as needed. On a monthly basis, our Iron Defence Security Consultant will review the set of generated reports, focusing mostly on the change reports and looking for new issues in the Management Plans. For compliance purposes, all primary and supporting reports will be archived.