Please note that strategic assets and staff of Arsenal Security Group’s U.S. and U.K. operations have been obtained by Protiviti. Beginning January 15, 2013, this site will redirect you to www.protiviti.com. Protiviti is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has more than 70 offices in over 20 countries.
The Quick Read

Who Needs an EI3PA Assessment?

- Any Processor that receives, processes, stores and delivers Experian data must maintain a technical certification from a qualified security assessor (as defined by the PCI Security Council). Such certifications must be obtained and maintained in good standing at all times.
- Companies in need of a unified compliance framework for corporate governance.
- Companies seeking to reduce risk, document compliance performance, and demonstrate security due diligence to auditors, board members and customers.
What is an EI3PA Compliance Assessment?
Experian's Independent Third Party Assessment (EI3PA) program requires you to select a PCI Qualified Security Assessor (QSA) to perform your assessment. Arsenal is an authorized PCI QSA and is well versed in Experian's EI3PA Assessments. In addition to EI3PA, Arsenal provides Payment Card Industry (PCI DSS) Assessments, Payment Application (PA-DSS) Assessments, Penetration Testing, Facilitated Risk Assessments and PCI Approved Scanning Vendor (ASV) services.
We provide three offerings that are tailored to meet the reseller's assessment needs:

- EI3PA Assessment Services: The scope of our EI3PA Assessment Services includes a thorough review of all 6 control areas and 12 requirements as defined in the PCI DSS Standard. Arsenal utilizes proprietary applications and tools that provide detailed questionnaires, checklists and scoring to clearly identify areas of concern. The assessor will identify the functional areas and documentation needed to complete the Assessment; review documentation including, but not limited to, policies, network topology and network scans; screen a sample of systems that store, transmit or process EI3PA data to ensure the data is protected; and prepare the Report on Compliance. If needed, the QSA-certified auditor will prepare a detailed gap analysis and remediation plan to ensure compliance for the actual audit.

- Quarterly Scanning Services: The Quarterly Security Scanning will include scheduling, scanning, reporting and recommendations in accordance with the Standards set forth in the PCI DSS Security Scanning Procedures. Scanning includes: network probing to determine which IP addresses and services are active; scanning all filtering devices such as firewalls or external routers (if used to filter traffic); scanning Internet-facing web servers; scanning Internet-facing application servers; and scanning applicable DNS, email and virtual host servers.

- External and Internal Penetration Services: The Internet Security Assessment service is designed to provide you with a comprehensive review of your Internet environment across your technology architecture and your management processes. The technology architecture review includes design and configuration analysis as well as vulnerability and intrusion testing to ensure hackers cannot breach your information or cause undue harm to your business. Additional components included in this Internet Security Assessment are: an Internet and Intranet architecture review to understand how you have segmented untrusted (external) traffic from gaining direct access to your trusted (internal) networks; interviews to determine which management controls are implemented and repeatable as standard practice; and vulnerability scanning and penetration testing to determine potential security exposures that could be leveraged by an Internet hacker.
EI3PA Compliance Assessment Engagement Process and Deliverables
After an initial call, the Arsenal Security Group Senior Partner will prepare a statement of work within 2 days, and we can normally begin an engagement within two weeks. During the engagement we will use interviews, questionnaires, physical tours and technical tools to develop our assessment. We usually use 1-2 consultants in tandem with our Senior Partner to complete an engagement. We will provide an executive summary, a detailed report with all of our findings and recommendations, and a final onsite presentation. Our engagement is not complete until all of our deliverables have been reviewed and accepted by our client.
About Arsenal Security Group
Arsenal Security Group is a security consulting firm that is focused on close client coordination and collaboration. From the initial meeting through the final presentation, one of Arsenal Security Group’s Senior Information Security Professionals will be the primary contact for all engagement activities. We proactively conduct weekly calls with our client when engaged, and we meet with clients on a quarterly basis to review and understand their security posture – even when we are not actively engaged on assignment – to ensure they are aware of new security risks or regulatory changes that may impact their business.