A leading healthcare payer remediated audit findings four months ahead of schedule to meet PCI DSS standards.

SITUATION

Our client recently acquired a new subsidiary and is focused on preventing the kind of security breaches that have troubled them in the past. They had encountered ongoing compliance challenges and needed to prepare for an upcoming audit under the Payment Card Industry Data Security Standard (PCI DSS). They sought a trusted and reliable technical partner to implement an external assessor’s recommendations for all their current and future acquisition audits. Because of our long-standing partnership, including a successful cybersecurity integration with this client, and our threat and vulnerability management expertise, Everforth Apex was the partner our client requested to manage this remediation program.

SOLUTION

Everforth Apex quickly formed a team to address the identified gaps. The team included technical engineers specializing in data security, cloud and infrastructure security, and identity and access management (IAM), as well as PCI subject matter experts and a dedicated project manager. Our team implemented an agile remediation approach, tailored to our customer's environment, which included:

Developed a Scalable and Repeatable Remediation Program Used for Future Mergers and Acquisitions Activities


  • Managing the Plan of Action and Milestones (POAM), including audit gaps, recommendations, mapped internal controls and frameworks, and details of remediation efforts, with semi-weekly communications.

  • Developing network architecture and cardholder data (CHD) flow diagrams of the cardholder data environment (CDE), identifying where CHD is stored, processed, and transmitted.

  • Documenting playbooks and governance procedures based on the newly designed and implemented tools and controls.

  • Developing and documenting a secure baseline configuration for critical systems within the CDE.

  • Assisting in developing the new subsidiary’s PCI Self-Assessment Questionnaire (PCI SAQ) report based on its level of applicability.

Everforth Apex designed a repeatable and scalable process that leaves our client prepared for their next audit: playbooks for efficiently onboarding new team members and a documented, structured remediation workflow. This gave all stakeholders and teams involved clear visibility into the process.

RESULT

Our custom approach and managed service enabled Everforth Apex to remediate all gaps for this subsidiary four months ahead of schedule, and the subsidiary successfully passed its follow-up audit. This approach also helped our client improve the security programs at other subsidiaries, reduced the time required to onboard a subsidiary, minimized disruptions during acquisitions, and enhanced their customers’ perception of security.
