Dedication to Security and Compliance
BraveSoft makes compliance a top priority. We have aligned our security controls and processes with industry-proven security best practices.
We work with third-party auditors to regularly test our systems, controls, and processes. BraveSoft is certified compliant for several regulatory and cybersecurity standards, including PCI DSS and HIPAA, among others.
A security gap analysis is performed to assess current systems against national standards and governance objectives. Networks, access policies and resources are designed in custom templates, CIS-hardened, and can be rebuilt in a consistent manner. Proprietary scanners correct misconfigured resources, ensuring that resources stay as close as possible to an ideal, standard state.
BraveSoft holds the following certifications and designations:
- PCI DSS Level 1-Certified (Highest attainable)
- HITRUST CSF-Certified (Certified for HIPAA Compliance)
- SSAE16 SOC 2 Type II Compliance
What is PCI DSS?
The Payment Card Industry Data Security Standard (also known as PCI DSS) is a proprietary information security standard administered by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.
PCI DSS applies to all entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD), including merchants, processors, acquirers, issuers, and service providers. The PCI DSS is mandated by the card brands and administered by the Payment Card Industry Security Standards Council.
PCI DSS Compliance Checklist
So how can an organization comply with PCI DSS requirements? PCI DSS compliance requires a cyber security program that can handle the numerous items on your PCI DSS compliance checklist, including:
- Network Monitoring: PCI DSS requires your organization to identify and monitor all systems that come in contact with credit card data. For many businesses, this comprises a large chunk of business systems.
- Vulnerability Assessment: PCI DSS includes a mandate that all security systems are analyzed for vulnerabilities on a regular basis.
- Intrusion Detection: Monitoring traffic in your system is essential to your organization’s security, and identifying intrusions and attacks is even more essential.
- Event Correlation: Event correlation software both captures user activities and correlates events in your system, spotting patterns in authentication attempts and behaviors to identify threatening or unusual activity.
- Log Management: PCI DSS event log management and storage is the basis of automatically collecting logs about events in your system as they happen. By collecting these logs, along with all applicable peripheral data, your team has all the material they need to investigate and report on events thoroughly.
- Reporting: Reporting is an essential part of PCI DSS compliance for regulated businesses, as the regulations require businesses to report on breaches as soon as possible after an event occurs.
What is HITRUST?
Founded in 2007, HITRUST Alliance is a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain. In collaboration with privacy, information security and risk management leaders from both the public and private sectors, HITRUST develops, maintains and provides broad access to its widely adopted common risk and compliance management and de-identification frameworks; related assessment and assurance methodologies; and initiatives advancing cyber sharing, analysis and resilience.
What is HIPAA?
HIPAA stands for Health Insurance Portability and Accountability Act, which is a set of regulations concerning the handling of medical information, including privacy and security. The regulation requires that any companies handling healthcare data, from hospitals to insurance companies, must comply with HIPAA security standards when transmitting and storing electronic protected health information (ePHI).
Why Are HIPAA Standards Important?
Compliance with HIPAA standards is required of all healthcare businesses due to the sensitive nature of information handled by these companies. A single attack on a health-related business can result in lost or stolen data that has broad ramifications on the health, safety and financial security of patients, and these attacks are becoming both more frequent and more aggressive. Failing to comply with HIPAA standards can result in severe consequences for healthcare businesses, including:
- Reputational: The moment it’s revealed that a company’s information was hacked, that company’s reputation suffers. This is particularly true for healthcare businesses due to the sensitive nature of the information they carry. Such reputational damage can negatively impact future business and cost the trust of patients and partners alike.
- Legal: Since HIPAA compliance is a federal requirement for all healthcare businesses, failure to comply with HIPAA requirements can result in severe fines. These fines multiply if a breach occurs as a result of HIPAA noncompliance. Patients may even sue the business for its negligence.
- Financial: Between the reputational and legal damage done to a healthcare organization due to HIPAA noncompliance, financial damages can be steep. Often, these damages are enough to bankrupt entire healthcare enterprises.
These factors mean HIPAA compliance is an absolute must. While these regulations won’t protect against all threats your healthcare business might face, they provide a strong baseline on which your business can build. The first step, however, is to achieve HIPAA compliance.
What is SOC?
Developed by the AICPA, SOC 2 is specifically designed for service providers storing customer data in the cloud. That means SOC 2 applies to nearly every SaaS company, as well as any company that uses the cloud to store its customers’ information.
Before 2014, cloud vendors only had to meet SOC 1 (SSAE 16) compliance requirements. Now, any company storing customer data in the cloud must meet SOC 2 compliance requirements in order to minimize risk and exposure to that data.
So what does SOC 2 require, exactly?
It’s considered a technical audit, but it goes beyond that: SOC 2 requires companies to establish and follow strict information security policies and procedures, encompassing the security, availability, processing integrity, and confidentiality of customer data. SOC 2 ensures that a company’s information security measures are in line with the unique parameters of today’s cloud requirements. As companies increasingly leverage the cloud to store customer data, SOC 2 compliance is becoming a necessity for a wide variety of organizations.
The BraveSoft Data Center is managed and protected by Armor Security Operations (SecOps). Armor is staffed with experts in each of these areas:
- Indications and Warnings (I&W): 24/7/365, this team is always monitoring your security posture, looking for anomalies and suspicious activity. In the event of potential compromise, they quickly escalate security events for deeper assessment and response.
- Incident Response & Forensics (IRF): When suspicious activity is detected, our IRF team dives into forensic analysis to determine whether the incident is a true positive. If a compromised host is detected, they work with the customer to contain, eradicate and recover from the threat, usually in less than 24 hours. After the threat is remediated, they coordinate with customers to address the root cause of the compromise and prevent future attacks through the same vector.
- Vulnerability Threat Management (VTM): Threat actors are always looking for an easy way into your environment. This is why vulnerability and patch management are essential for reducing your environment’s attack surface. Our aggressive vulnerability assessment program keeps our customers’ infrastructure hardened against attack.
- Threat Resistance Unit (TRU): Our TRU team provides actionable cyber threat intelligence that allows us to anticipate and block a large majority of the cyber-attacks against our customers, allowing us to provide unparalleled protection in the cloud. We collect and analyze data from 150-plus threat intelligence feeds to create a detailed overview of current and emerging threats. This keeps us a step ahead of threat actors, able to block their attacks before they even have a plan of attack.
- Friendly Network Forces (FNF): We combined former National Security Agency online operators with our most experienced Armor engineers to create an internal threat hunting team. These talented threat hunters look for gaps or seams in the security surveillance of our customer networks. In other words, we have the best hackers in the world trying to break into our environment to make sure no one else can.