
Compliance Services

-- Providing executive and technical leadership for SSAE16/SOC 1 and 2, PCI, and HIPAA areas.


Mike Daveler has handled a wide range of legal/regulatory, compliance and security issues. Recent projects include a full PCI DSS 2.0 readiness assessment for the medical device division of a large multinational corporation, leading the SOC 1 Type 2 attestation effort for a leading prepaid debit card company, and leading a top cloud provider's effort to attain SOC 2 Type 2 and SOC 3 compliance.

All of these projects required a deep knowledge of the applicable compliance requirements, combined with leadership of the effort from both a project management perspective and a technical one: design, review and remediation. They also involved extensive, regular communication with management, business divisions and outside auditors, as well as regular internal status reports and briefings.

Below are a few examples of compliance project engagements:
HIPAA Security Readiness Assessment, Independent Benefits Administrator.
  • Currently performing a complete HIPAA security readiness assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI), measured against the HIPAA Security Rule control requirements.
  • Performing external and internal vulnerability assessments of infrastructure devices and servers using QualysGuard, with detailed analysis of findings and remediation requirements.
  • Using a quantitative evaluation method that produces appraisal ratings of the administrative, technical and physical controls for each major area of the HIPAA security standards.


Security Lead/SME, Leading Cloud Services Company.

  • Led the effort to successfully attain SOC 2 Type 2 and SOC 3 compliance within 60 days.  Implemented additional controls to further harden internal corporate systems.
  • Chaired a Data Loss Prevention (DLP) working session for an independent investment and wealth management firm (a customer of the cloud services company) and presented several design and operational improvements for its environment.
  • Provided CISO-level guidance and advice to senior management on strategic and operational security requirements for both internal corporate and customer environments.


PCI Readiness Review, Medical Device Division, Multinational Corporation.

  • Completed a PCI DSS 2.0 readiness review, including a full report covering all 12 PCI DSS requirements and the associated remediation work.  The work was completed within the client-required 30-day period.
  • Created as-is and proposed network diagrams for a PCI-compliant, secure infrastructure.  Reviewed all operational and technical areas, including policies and procedures, infrastructure design, application development, and global office connectivity.
  • Identified areas of non-compliance and the remediation required, and prepared a presentation of the results for senior management.

Infrastructure and Security Review, Proposed Data and VoIP Re-Design Project, Midwestern USA Regional Medical Center.

  • Reviewed all design documents and infrastructure, and interviewed IT staff, to verify HIPAA security compliance of the proposed design.
  • Reviewed the security configurations of the Nortel and Cisco routers and firewalls, as well as the design and security of the VLANs serving hospitals, clinics and business partners.  Identified key areas for security improvement and recommended a meshed, high-availability core and edge firewall design for increased security and throughput.
  • Made additional security recommendations: Intrusion Detection and Prevention (IDS/IPS) systems for critical areas; centralized logging and analysis of all log files from infrastructure devices and file servers; and policy manager software to push security and management policies out to infrastructure devices and to enforce policy compliance on end devices connecting to the network.