Compliance Scanning Services™

Compliance Scanning Services from Palindrome provide clients the technical scanning and analysis capabilities required to comply with regulatory requirements and corporate network security policies. Compliance Scanning Services include scheduled, periodic scanning of systems and networks for technical vulnerabilities to protect systems and data. Palindrome offers a range of scanning options to enable our clients to establish the scanning strategy that fits their organization best.

Compliance Scanning Services are tailored to meet specific industry requirements and regulations including PCI-DSS, ISO17799, GLBA, HIPAA, DIACAP/DITSCAP, and SOX 404. PCI-DSS (Payment Card Industry Data Security Standard), for example, requires payment card vendors and associated organizations to:

  • Build and Maintain a Secure Network
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy

Scheduled, periodic scanning of networks and hosts is only one component of the vulnerability management program. Many more capabilities are needed to achieve compliance with all requirements. Palindrome therefore designed the following levels of service to provide clients with the means to satisfy all of their information protection compliance requirements.

Service Levels

Tier 1: PCI Scanning (PCI)

Working in partnership with 403 Labs, LLC - a PCI-Approved Scanning Vendor - Palindrome provides basic PCI scanning services. Scans are scheduled on a recurring basis and reports are delivered electronically to the client via our secure portal. Reports are archived to allow clients to demonstrate the effectiveness of their scan-remediation activities over time.


Tier 2: Network Security Scanning (NSS)

PCI Scans are only one piece of a complex regulatory requirement. While basic PCI scanning, completed by a PCI-Approved Scanning Vendor, is an essential component of the Vulnerability Management Program, many clients require analysis and response capabilities to comply with much of the PCI standard. Network Security Scanning includes all Tier 1 capabilities described above, plus:

  • External Penetration Testing - Comprehensive Testing of Network Perimeter Security using Multiple Tools and Techniques
  • Data Analysis - Examination of Scan Reports and Provision of Remediation Instructions
  • Verification of Vulnerabilities - Confirm and Eliminate "False Positives" from Reports
  • On-Demand Incident Response and Forensic Analysis

Tier 3: Compliance Management Service (CMS)

The Compliance Management Service provides clients with all capabilities essential to the ongoing management of a comprehensive Vulnerability Management Program and ensures continued compliance with regulatory standards. This includes all Tier 1 and Tier 2 capabilities listed above, plus:

  • Scanning, Vulnerability Analysis and Penetration Testing of INTERNAL systems
  • Risk Analysis over Customer Data
  • Audit of Access Control Systems, including Audits of the Design and Operating Effectiveness of Controls
  • Technical Architecture Review of Vulnerability Management Systems including Network and Application Firewalls, Intrusion Detection/Prevention Systems, and Anti-Virus Systems
  • Due Diligence Auditing and Testing of Managed Security Vendors, such as Hosting, Managed Firewall, and Managed Perimeter Security Services
  • Periodic Review of Policies and Procedures, and Audits to Determine Internal Compliance
  • Monthly Conference Call on Vulnerability Management Strategy, including Technical Discussion of Remediation Alternatives and Recommendations
  • Annual Compliance Evaluation to Assess Compliance with the Latest Regulatory Updates and Evaluate the Overall Compliance Management Program
  • Availability of Senior Consulting Staff to Analyze Emerging Compliance Issues
  • Additional Technical Services as Needed, Based on Regulatory and Industry Requirements

Please click here to contact us for further information about Compliance Scanning Services from Palindrome, including service pricing and scheduling options.
 
© 2008 Palindrome Technologies. All Rights Reserved.