Comprehensive Information Security Management and Compliance

Compliance Engineering provides a wide range of solutions and services that increase operational efficiency and reduce liabilities and cost. Every solution is fully integrated into your environment and supported by our technical services team.


Comprehensive Security Management and Compliance

Faced with increasingly complex industry and federal regulatory compliance requirements, enterprise organizations wrestle with the scope, cost and resources necessary to maintain information technology compliance standards. Compliance Engineering's assessment and risk management services help organizations understand, measure, and validate a wide range of compliance initiatives.

Compliance Engineering's methodology is based on a comprehensive program-wide security framework, which takes into account an organization's maturity level and risk tolerance. It helps develop roadmaps and strategies to solve an organization's most complex problems or build a reliable security program. Compliance Engineering helps companies create a security strategy that has measurable objectives and achievable goals.



Audit & Assessment Services

  • PCI DSS (Certified QSA Company)
  • HIPAA-HITECH and Meaningful Use
  • ISO 27001
  • SSAE16 SOC 2 & 3
  • Gramm-Leach-Bliley
  • Corporate Security Status Assessment
  • Banking Services

Managed Security Services

  • Hawkeye Vision Security Monitoring
  • 24/7 Security Operations Center
  • PII/PCI/PHI Data Discovery as a Service
  • Hawkeye MTSS Security Tool Health Monitoring
  • Security Tool Management
  • Managed Vulnerability Scanning
  • Managed Intrusion Detection

Professional Services

  • Virtual CISO
  • Application Security Consulting
  • Security Tool Implementation and Engineering
  • Remediation Consulting
  • SIEM Architecture and Implementation
  • Penetration Testing
  • Vulnerability Scanning
  • Hawkeye PIIFinder Data Discovery
  • Staff Augmentation
  • Policy and procedure development

Audit & Assessment Services

Wide Range of Assessment Services


Compliance Engineering's Risk Management & Security Assessments establish the current baseline security of a Company, focusing on people, process and technology. Our security assessment provides an analysis of the technical security controls and mechanisms, following a proven methodology for identifying and reducing risk.

Compliance Engineering models the assessment to meet your industry, legislative, and regulatory compliance requirements. Compliance Engineering performs assessments and audits for various size organizations, from complex enterprises to small and medium businesses, as well as for different industries with multiple regulatory requirements, such as: financial services, government, communications, healthcare, energy, oil and gas and retail.

Compliance Engineering’s security specialists can help you gain an understanding of your current information security status to help limit the potential impact of vulnerabilities and provide a plan for incremental improvements to tighten the security of the company.


PCI Assessment Services

Introduction and PCI Data Security Standard Overview

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.

PCI DSS is a set of comprehensive industry standards created to help protect valuable credit card information. Compliance Engineering's PCI assessment services will objectively review your current PCI DSS compliance status, providing a detailed phased approach, including security management, controls, policies, procedures, security tool management, vulnerability scanning, penetration testing and critical security standards.

Assessment Methodology

  1. Define what is in scope for the assessment
  2. Conduct a pre-assessment meeting to establish expectations, identify the key players, provide guidance and setup client in the project management portal
  3. Receive and review all relevant policies, procedures, and technical documentation
  4. Provide an initial report of findings which identifies problems/issues and provides recommendations for remediation
  5. Final on-site PCI data security assessment
  6. Generate a PCI DSS v3.2 Report on Compliance (ROC)
  7. SOC Managed Security Services
  8. Conduct quarterly and/or on-demand vulnerability scans to fulfill ongoing PCI compliance requirements
  9. Conduct Scheduled Penetration Testing
  10. Security Log Monitoring and FIM Monitoring


The latest PCI DSS requirements specify that scheduled Data Discovery is a must! Compliance Engineering's PII Finder Data Discovery SaaS can help.


Assessment Services

  • PCI DSS v3.2 Gap Assessment
  • PCI DSS v3.2 Report on Compliance (ROC)
  • Self-Assessment Questionnaire (SAQ) Assistance
  • Remediation Consulting
  • PII Finder
  • Vulnerability Scanning
  • Penetration Testing
  • Policy & Procedure Development
  • Breach & Forensic Investigations
  • Managed Security Services through our Security Operations Center

PCI Data Security Standard v3.2 – High Level Overview

The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD). Below is a high-level overview of the 12 PCI DSS requirements:

Build and Maintain a Secure Network and Systems

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

  3. Protect stored cardholder data
     • PCI DSS Requirement A3.2.5 - Implement a data-discovery methodology to confirm PCI DSS scope and to locate all sources and locations of clear-text PAN at least quarterly and upon significant changes to the cardholder environment or processes.
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  5. Protect all systems against malware and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy

  12. Maintain a policy that addresses information security for all personnel

HIPAA/HITECH Consulting Services


Maintaining compliance with HIPAA Privacy and the HITECH Security rules creates a significant resource constraint on Covered Entities. Healthcare organizations and their business associates must assess, remediate, validate and maintain ongoing compliance activities for their organization. The number, reach and complexity of healthcare regulations continue to increase. The HITECH Act tightened breach notification requirements, increased financial liability amounts and established that Covered Entities are in fact liable for their Business Associates. In effect, this created a healthcare ecosystem.

Compliance Engineering provides comprehensive services that can help organizations of any size comply with HIPAA/HITECH regulations. Compliance Engineering has trained and certified personnel suited to help support a compliance program centered on the administrative, physical and technical requirements of HIPAA/HITECH.


Conducting a HIPAA/HITECH Risk Assessment is the first step to identifying and implementing safeguards necessary to meet compliance. Compliance Engineering helps Healthcare Companies find gaps that may exist between your current security posture and HIPAA/HITECH requirements such as:

The Privacy Rule

The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.

The Security Rule

The HIPAA Security Rule establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

The Notification Rule

The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC) apply to vendors of personal health records and their third party service providers, pursuant to section 13407 of the HITECH Act.

The assessments are customized, scaled individually for Covered Entities and Business Associates. The assessment includes: identification and location of PHI on key assets and IT systems, assessment of controls and frameworks and a review of third-party providers and incident response programs.


Remediating gaps and vulnerabilities is critical because the Office for Civil Rights (OCR) within HHS has launched the Audit Pilot Program, under which every covered entity or business associate is eligible for an audit. OCR investigations may result in penalties, which vary greatly and are determined by the date of the violation, whether the covered entity knew, or should have known, about the violation, and whether the violation was due to willful neglect. Compliance Engineering has consulting services and tools that can help remediate HIPAA/HITECH non-compliance issues:

  • Policy and procedure development
  • IT Remediation Consulting
  • PII/PHI Finder
  • Vulnerability Scanning
  • Penetration Testing
  • Security Operations Center 24/7
  • Security Log Monitoring and FIM
  • Virtual CISO Consulting


The reality is that HIPAA/HITECH compliance is not an event but a process, an on-going process that requires compliance activities every month with documentation and evidence to support the accomplishment of these activities. Compliance Engineering helps you to centrally automate and manage controls, policies and procedures across multiple compliance frameworks, including HIPAA and provides a real-time view into the status of your compliance and security programs.


The HIPAA Rules apply to covered entities and business associates.

Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules' requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information. If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information. In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules.

NERC CIP Consulting

NERC CIP Compliance

Compliance Engineering Security Services help clients adhere to the comprehensive reliability standards defined by the North American Electric Reliability Corporation (NERC) for planning and operating the collective bulk power system. Among these are the Critical Infrastructure Protection (CIP) Cyber Security Standards, which are intended to ensure the protection of the Critical Cyber Assets that control or affect the reliability of North America's bulk electric systems.

NERC's nine mandatory CIP standards address the following areas:

  • CIP-001: Covers sabotage reporting;
  • CIP-002: Requires the identification and documentation of the Critical Cyber Assets associated with the Critical Assets that support the reliable operation of the Bulk Electric System;
  • CIP-003: Requires that responsible entities have minimum security management controls in place to protect Critical Cyber Assets;
  • CIP-004: Requires that personnel with authorized cyber or unescorted physical access to Critical Cyber Assets, including contractors and service vendors, have an appropriate level of personnel risk assessment, training, and security awareness;
  • CIP-005: Requires the identification and protection of the Electronic Security Perimeters inside which all Critical Cyber Assets reside, as well as all access points on the perimeter;
  • CIP-006: Addresses implementation of a physical security program for the protection of Critical Cyber Assets;
  • CIP-007: Requires responsible entities to define methods, processes, and procedures for securing those systems determined to be Critical Cyber Assets, as well as the other (non-critical) Cyber Assets within the Electronic Security Perimeters;
  • CIP-008: Ensures the identification, classification, response, and reporting of cybersecurity incidents related to Critical Cyber Assets; and
  • CIP-009: Ensures that recovery plans are put in place for Critical Cyber Assets and that these plans follow established business continuity and disaster recovery techniques and practices.

NERC CIP Gap Assessment

NERC CIP security and compliance assessments are performed by knowledgeable, certified security professionals skilled in dealing with new and legacy industrial control environments, who provide prioritized and actionable remediation recommendations based on industry-benchmarked solutions.

Compliance Engineering’s expert security consultants review every element of your NERC-CIP compliance, including: policies, procedures, configuration management, certification and accreditation, remediation plans, and security awareness training.


Consultation & Remediation

Compliance Engineering’s experienced, certified security professionals assist in the following:

  • Identify protection goals, objectives and metrics consistent with corporate strategic plan
  • Assist in the development and implementation of standards, guidelines and procedures related to the designated services to ensure ongoing maintenance of security
  • Assist in overseeing a network of designated security vendors who safeguard the company's assets, intellectual property and computer systems, as well as the physical safety of employees and visitors
  • Interpret Scanning results to identify any additional vulnerabilities that need to be addressed
  • Assist with incident response as well as the investigation of security breaches
  • Serve as a consultant to the company for any industry or regulatory compliance requirements

Compliance Program Monitoring

Compliance Engineering’s Hawkeye Monitoring Tool Security Service and Security Operation Center (SOC) will assist Corporations with managing security tool sprawl, NERC CIP compliant Log Monitoring, Log Management, Vulnerability Management and Security Device Health Alerts.

Compliance Reporting

Compliance Engineering assists companies with:

  • Standard and customizable reporting
  • Secure evidence repository for all NERC CIP compliance-related assessments, results and reports
  • Integrated ticketing with assignment, tracking, and journaling

Corporate Security Status Assessment

Compliance Engineering’s Corporate Security Status Assessment (CSSA) establishes the current baseline security of a Company, focusing on people, process and technology. Our security assessment provides an analysis of the technical security controls and mechanisms, following a proven methodology for identifying and reducing risk. We review your security policies, procedures and controls in relation to ISO 27001:2013, NIST 800-53 best practices and business objectives. We also provide a social engineering assessment to understand the overall level of employee security awareness.

Compliance Engineering models the assessment to meet your industry, legislative, and regulatory compliance requirements. Compliance Engineering performs assessments and audits for various size organizations, from complex enterprises to small and medium businesses, as well as for different industries with multiple regulatory requirements, such as: financial services, government, communications, healthcare, energy, oil and gas and retail.

Compliance Engineering’s security specialists can help you gain an understanding of your current information security status to help limit the potential impact of vulnerabilities and provide a plan for incremental improvements to tighten the security of the company.

Compliance Engineering’s security specialists perform a variety of key tests and activities, including:

  • Evaluation of existing network security architecture
  • External and internal network vulnerability scanning and penetration testing
  • System security assessments of mission-critical servers
  • Application and Database vulnerability testing to uncover potential security weaknesses in software design and implementation
  • Wireless network security testing and assessment
  • Evaluate Asset management – inventory and classification of information assets
  • Evaluation of Operational controls and IT policies and procedures
  • Analysis of perimeter and internal security mechanisms
  • Interviews with key staff members
  • Physical security assessments to evaluate the susceptibility to physical security breaches
  • Review Information security incident response management – anticipating and responding appropriately to information security breaches
  • Review Business continuity management – protecting, maintaining and recovering business-critical processes and systems

The Final Report will include a grading format ranging from "severe to low" with recommendations for remediation. Reports are provided for both executive management and the technical teams. Compliance Engineering will conduct an exit interview to review and explain all necessary remediation tasks in detail.

Banking Regulatory Compliance Services

Information is one of a financial institution's most important assets. Protection of information assets is necessary to establish and maintain trust between the financial institution and its customers, maintain compliance with the law, and protect the reputation of the institution. Timely and reliable information is necessary to process transactions and support financial institution and customer decisions. A financial institution's earnings and capital can be adversely affected if information becomes known to unauthorized parties, is altered, or is not available when it is needed.


The Gramm-Leach-Bliley Act (GLBA) of 1999 first established a requirement to protect consumer financial information. Financial services regulations on information security, initiated by the GLBA, require financial institutions in the United States to create an information security program. The Federal Financial Institutions Examination Council (FFIEC) supports this mission by providing extensive, evolving guidelines for compliance. The FFIEC is charged with providing specific guidelines for evaluating institutions for compliance with GLBA, among other things. For more information on CE's banking industry services, please view our brochure here. Compliance Engineering is an associate member of the Georgia Banking Association.

Financial institutions should implement an ongoing security process and institute appropriate governance for the security function, assigning clear and appropriate roles and responsibilities to the board of directors, management, and employees.

Financial institutions must maintain an ongoing information security risk assessment program that effectively:
  • Gathers data regarding the information and technology assets of the organization, threats to those assets, vulnerabilities, existing security controls and processes, and the current security standards and requirements;
  • Analyzes the probability and impact associated with the known threats and vulnerabilities to their assets; and
  • Prioritizes the risks present due to threats and vulnerabilities to determine the appropriate level of training, controls, and assurance necessary for effective mitigation.

Financial institutions should develop a strategy that defines control objectives and establishes an implementation plan. The security strategy should include:
  • Appropriate consideration of prevention, detection, and response mechanisms,
  • Implementation of the least permissions and least privileges concepts,
  • Layered controls that establish multiple control points between threats and organization assets, and
  • Policies that guide officers and employees in implementing the security program.

The goal of access control is to allow access by authorized individuals and devices and to disallow access to all others. Authorized individuals may be employees, technology service provider (TSP) employees, vendors, contractors, customers, or visitors. Authorized devices are those whose placement on the network is approved in accordance with institution policy.
  • Access should be authorized and provided only to individuals whose identity is established, and their activities should be limited to the minimum required for business purposes.
  • Change controls are typically used for devices inside the external perimeter, and to configure institution devices to accept authorized connections from outside the perimeter.

Financial institutions should gain assurance of the adequacy of their risk mitigation strategy and implementation by:
  • Monitoring network and host activity to identify policy violations and anomalous behavior;
  • Monitoring host and network condition to identify unauthorized configuration and other conditions which increase the risk of intrusion or other security events;
  • Analyzing the results of monitoring to accurately and quickly identify, classify, escalate, report, and guide responses to security events; and
  • Responding to intrusions and other security events and weaknesses to appropriately mitigate the risk to the institution and its customers, and to restore the institution's systems.

Financial institutions should continuously gather and analyze information regarding new threats and vulnerabilities, actual attacks on the institution or others, and the effectiveness of the existing security controls. They should then use that information to update the risk assessment, strategy, and implemented controls.


Managed Security Services

Compliance Engineering’s Hawkeye family of managed security services provides cost-effective turnkey solutions to solve some of the most difficult security problems facing your organization. Whether your need is Security Monitoring and Log Management (Vision), Security Tool Health Monitoring (MTSS) or PII Discovery (PIIFinder), there’s a Hawkeye Managed Security Service solution that addresses it.

Hawkeye Vision Security Monitoring

Ensure Security and Compliance with Hawkeye Vision

A turnkey managed solution for log management and security monitoring


Configuring Hawkeye Vision is simple and straightforward: install the provided Hawkeye security appliance (virtual or physical) in your infrastructure, point your log sources to it, log into the Vision portal, and you’ll immediately see valuable, actionable data about what’s going on in your network.

Works with the platforms and tools you already have.

Hawkeye Vision supports hundreds of security tools and network devices, and dozens of operating system platforms; if you’ve got something that generates logs or other security data, Hawkeye Vision can probably understand it. And if it can’t, CE can develop a custom parser so that it can.

World-class correlation rules and threat intelligence provided out of the box.

Hawkeye Vision is pre-configured with hundreds of rules to detect a wide variety of potential issues affecting the security of your network and data. Unlike traditional SIEM tools where you’re expected to develop (or hire expensive consultants to develop) rules and reports, CE’s team of skilled security engineers have already done the work for you. Plus, our real-time threat intelligence feeds provide up to the moment data on potentially suspicious hosts and potential attacks.

Hawkeye Vision is part of Compliance Engineering's Hawkeye Security and Compliance SaaS "Security as a Service" platform supported by a 24x7 Security Operations Center in Atlanta GA.

Cloud-hosted SaaS model for maximum value.

Because the analytics and reporting engine for Hawkeye Vision is hosted in our own secure private cloud, there’s no need to buy expensive SIEM software or servers to host it. And our per-device pricing model means you only pay for what you need; organizations with small environments can finally afford enterprise SIEM-class service, and large organizations can benefit from the cost savings of not having to host and maintain SIEM in house.

Security Expertise is only a click or a call away.

Hawkeye Vision is supported by our 24/7 Security Operations Center staffed with security professionals with the skills to analyze events, investigate suspected incidents, and assist with remediation steps. Our service plans range from self-service options with per incident access to our analysts to full 24/7 SOC outsourcing; you choose the plan that best fits your needs and budget.

PII Finder Data Discovery

Hawkeye PII Finder Client Dashboard

Hawkeye PII Finder Data Discovery

Compliance Engineering's Hawkeye PII Finder Data Discovery solution is a proven software/service offering that leverages broad datasource capability with scalability, backed by the professional engineers at the Compliance Engineering Security Operations Center. Designed to find a virtually limitless variety of sensitive data, PII Finder is especially tailored to quickly and accurately discover Credit Card, Financial, Health and Insurance data wherever they may be.

Whether it's within files on Windows shares, stored in databases (Oracle, MSSQL, MySQL, MongoDB, DB2, etc), housed in a Mainframe datastore, or just lurking on a remote UNIX filesystem, PII Finder can discover the data.



Personally Identifiable Information (PII) is information that can be used to uniquely identify, contact, or locate a single individual. The importance of protecting PII is not just a "common sense" best practice. Keeping PII secure is also dictated by many regulations and privacy laws. Examples include credit card numbers, Social Security numbers, phone numbers, addresses, and other sensitive data.


Compliance Engineering's Hawkeye PII Finder Data Discovery solution allows a business to discover and take a full inventory of personally identifiable information (PII), intellectual property (IP), payment card industry (PCI) and HIPAA/HITECH data in order to scope and measure its associated risk. Powered by Compliance Engineering Hawkeye technology, PII Finder Data Discovery offers a streamlined and comprehensive way to boost security audit capabilities while protecting security investments.


Personally Identifiable Information (PII) is the most private kind of data stored about people and, if it is breached or stolen, it causes adverse events like identity theft or medical fraud. For example, the Department of Defense, the Department of Veterans' Affairs, handlers of PII and Protected Health Information (PHI) such as an insurance or personal investment company, and employers such as a hotel chain, have all reported significant losses of PII and PHI data; in some cases up to 25 million records. Protecting the information is not easy, but it is vital.

Compliance Engineering’s 7 Step PIIFinder Process

  1. Scoping Documentation
  2. Asset Classification
  3. Job Scan Request
  4. Scanning (Monitor via Job Scheduler)
  5. Analysis
  6. Reporting
  7. Remediation

Key Features

  • Answers the questions "How many?" and "Where?"
  • Helps clients locate sensitive data in database and file systems
  • Improved security and audit capabilities
  • Cost and scope reduction for Industry and Regulatory Compliance
  • Establish trusted and approved baselines


  • Fast Deployment - Agentless technology
  • Broadest Coverage (Mainframe, i-Series, Unix, Microsoft, ...)
  • Cost effective solution - SaaS
  • CE SOC performs scan analysis and reporting


  2. Names
  3. All geographic subdivisions smaller than a state, including: street address, city, county, precinct, ZIP Code, and their equivalent geographical codes, except for the initial 3 digits of a ZIP Code if, according to the current publicly available data from the Bureau of the Census
  4. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, and date of death. All ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
  5. Telephone number
  6. Fax number
  7. E-mail address
  8. Social Security number
  9. Medical record number
  10. Health plan beneficiary number
  11. Account numbers
  12. Certificate or license number
  13. Vehicle identifiers and serial numbers (including license plates)
  14. Device identifiers and serial numbers
  15. Web URL
  16. IP address
  17. Biometric identifiers, such as fingerprints and voiceprints
  18. Full-face photos and any comparable images
In addition, any other unique identifying number, characteristic, or code can become a risk depending entirely upon the data structure and methodologies of your organization.


PCI DSS 3.2 has been released! Compliance Engineering's PII Finder Data Discovery Solution is an effective tool to aid in compliance with updated requirements.
A3.2.5 Implement a data-discovery methodology to confirm PCI DSS scope and to locate all sources and locations of clear-text PAN at least quarterly and upon significant changes to the cardholder environment or processes.
Data-discovery methodology must take into consideration the potential for clear-text PAN to reside on systems and networks outside of the currently defined CDE.
PCI DSS Reference: Scope of PCI DSS Requirements
A3.2.5.1 Ensure effectiveness of methods used for data discovery—–e.g., methods must be able to discover clear-text PAN on all types of system components (for example, on each operating system or platform) and file formats in use.
The effectiveness of data-discovery methods must be confirmed at least annually.
PCI DSS Reference: Scope of PCI DSS Requirements
PCI DSS requires that, as part of the scoping exercise, assessed entities must identify and document the existence of all clear-text PAN in their environments. Implementing a data-discovery methodology that identifies all sources and locations of clear-text PAN, and takes into consideration the potential for clear-text PAN to reside on systems and networks outside of the currently defined CDE or in unexpected places within the defined CDE—for example, in an error log or memory dump file—helps to ensure that previously unknown locations of clear-text PAN are detected and properly secured.
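The discovery step described above, as an added illustration that is not Compliance Engineering's PII Finder: a small scanner that looks for candidate PANs in any text source (here a constructed error log, a memory-dump fragment and a config file), keeps only Luhn-valid candidates so ordinary order numbers and timestamps are not reported, and prints each hit masked to the last four digits.

```python
"""Clear-text PAN discovery over text sources (added example, not
Compliance Engineering's tooling). Candidates are 13-19 digit runs,
optionally split by single spaces or dashes; the Luhn check drops most
non-card numbers; findings are reported masked, never in clear text."""
import re
from typing import Dict, List, Tuple

# 13-19 digits, each optionally followed by one space or dash (5555-5555-5555-4444).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; rejects most IDs, timestamps and counters."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits in any report output."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, masked_pan) for every Luhn-valid candidate."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                hits.append((lineno, mask(digits)))
    return hits


def scan_sources(sources: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Scan each named source; keep only sources with findings."""
    report = {}
    for name, text in sources.items():
        hits = find_pans(text)
        if hits:
            report[name] = hits
    return report


# Constructed sample sources; the card numbers are the public Visa/Mastercard test numbers.
SAMPLE_SOURCES = {
    "app/error.log": (
        "2024-01-15 12:30:45 ERROR checkout failed for order 1234567890123456\n"
        "2024-01-15 12:30:45 ERROR payload={'pan': '4111111111111111', 'exp': '12/26'}\n"
    ),
    "core/worker.dmp": "...\x00pan=5555-5555-5555-4444\x00cvv=***...\n",
    "etc/app.conf": "db_host=10.0.0.5\nmax_pool=20\n",
}

if __name__ == "__main__":
    for name, hits in scan_sources(SAMPLE_SOURCES).items():
        for lineno, masked in hits:
            print(f"{name}:{lineno}: clear-text PAN {masked}")
```

The order number on the first log line is a 16-digit run that fails Luhn and is therefore not reported; the dump fragment shows why discovery must cover non-log file types too.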

Managed Tools Security Service

What is MTSS?

Companies use a variety of tools to manage and monitor the security of their network and application infrastructure, picked according to their needs and requirements. These tools are generally expensive, and it is imperative that their output be actionable and properly directed. To assure proper operation, the tools themselves must be kept healthy, current, and properly configured. This is time consuming and requires a broad skillset to perform effectively, a skillset that many companies do not have in-house or cannot afford. Compliance Engineering offers a world-class Managed Tool Security Service (MTSS) from our Security Operations Center in Atlanta to address these needs and more in a secure, economical fashion.

Why would my company need MTSS?

Typical customers have 10-25 security products to combat the persistent threats from the hostile world they operate in. These constant threats, combined with the high cost and a shortage of skilled security engineers, have put many companies at risk. Simply put, companies are unable to maintain and utilize their strategic investment in core security technologies to its full potential. CE offers a comprehensive MTSS that will manage any security technology the customer has acquired.

Methodology for Security Tool Management

Compliance Engineering’s tested and proven methodology enables us to assess your existing security tool portfolio, rationalize it to eliminate functional redundancies, and quickly develop and execute a plan to configure the tools to their optimum state while fulfilling your organization’s compliance and security requirements.

Security Tool Management as a Service


With CE’s MTSS, we maintain the tools whether they are located at your facility or hosted in our SOC, which allows your engineers to focus on securing your organization. Our fully staffed 24x7x365 operations center monitors and maintains tool availability and health, applies patches, and performs version upgrades to keep your security tool environment in optimal shape. CE will also perform vulnerability scans, develop reports, policies and tool content, and provide incident investigation for your security tool portfolio.


Professional Services

Overview of Services

In addition to Application Security Consulting, Vulnerability Scanning, and Penetration Testing, Compliance Engineering’s Professional Services business is prepared to take your security to the next level. Our engineers are certified in many of today’s most important technologies and systems. We can perform Hawkeye PII Finder data discovery as a professional service in addition to configuring it within a broader system via our Managed Security Services architecture.

Once shortcomings have been identified, our engineers stand ready to assist you with immediate remediation tasks as well as planning for your future architecture to prepare you for a more secure future.

As partners with HP, IBM, Sophos, Vormetric, RSA, and more, Compliance Engineering is uniquely qualified to assist your business with security tool implementation and engineering, as well as SIEM architecture and implementation. Once implemented, we stand ready to assist you with maintenance and even staff augmentation if necessary to keep your systems running smoothly. Supported by our 24x7 SOC, our services are ready to help you now and in the future.

Virtual Information Security Officer

Compliance Engineering’s Virtual Information Security Officer (VISO) is our security specialist who serves as an extension to your business and is responsible for the development, implementation and management of your organization's corporate security vision, strategy and programs. The virtual information security officer is retained on a contractual basis and provides critical decision making support related to both physical and information security issues.


The virtual information security officer works across all business and functional lines to ensure a strategic and comprehensive approach to mitigating operational risks. Through research and benchmarking, our VISO will work with you to comply with regulatory mandates and define your desired state. They will also assess your current state and initiate security program development based on a gap analysis. The Virtual ISO cycle is completed with strategic planning (prioritization, tasks, and timelines).

Application Security Consulting

Your web applications are the perimeter of your network!

Web applications are an important part of business operations. However, web applications can be easily exploited by hackers who may attempt to steal sensitive data or simply deface the site. Companies who conduct business over their web sites face additional challenges. The Payment Card Industry (PCI) Security Standards Council requires companies who process credit cards over the Internet to either complete a Web Application Vulnerability Assessment or deploy a Web Application Firewall. Compliance Engineering’s application security engineers have expertise in the latest application vulnerabilities and assessment methods to assist you if your company is seeking PCI certification or simply wants to ensure that there are no weaknesses in your web applications.

The National Institute of Standards and Technology estimates that nearly 92% of security breaches are facilitated by weaknesses in web applications.

Compliance Engineering employs certified security practitioners in a number of functional areas including Application Security. In addition to certifications and years of experience, our consultants are active in the community with membership in several user groups and foundations. Our consultants were founders of the Atlanta OWASP chapter.


  • Web Application Security Testing - Our web application security penetration testers have the necessary background and expertise in web application development to provide top notch security testing. We’ve performed web application testing for some of the world’s largest retailers, financial institutions and consumer products companies. We provide a risk assessment report that is tailored to your environment and applications.
  • Web Application Firewall - Network firewalls and intrusion detection systems cannot protect web applications. Let our experts help you select and implement the web application firewall that is appropriate for your needs.
  • Application Security Consulting - Our consultants have performed application security consulting for a number of Fortune 100 companies. Our consultants understand the importance of the Three Pillars of Software Security:

    Applied Risk Management
    Software Security Touch Points

Vulnerability Scanning Services

Compliance Engineering’s vulnerability scanning solutions help organizations gather information about potential weaknesses by discerning which vulnerabilities pose tangible risks to their IT and networking assets. Compliance Engineering’s scanning service offers a proactive approach to application, database and network vulnerabilities, rapidly identifying security flaws and allowing an organization to better protect private and critical information. Compliance Engineering’s Vulnerability Scanning Services provide:

  • Internal and external vulnerability scanning
  • Supports physical, cloud and virtual infrastructure
  • Security vulnerability management team for expert consulting and support
  • Reporting and remediation workflow tools via portal
  • Integrated Managed Security Services for a more comprehensive view of your security posture
  • Security Operations Center Support 24/7
  • Policy and Compliance scanning for PCI, HIPAA, and GLBA

Compliance Engineering's Vulnerability Management Methodology

Risk assessments are only as good as the vulnerability data they are built upon, and fresh vulnerability data is essential. Compliance Engineering's vulnerability discovery utilizes rule-driven profiling to gather and analyze information repositories available in every enterprise to automatically and accurately deduce vulnerability data on all network nodes.

Compliance Engineering helps organizations determine which vulnerabilities are critical. Two approaches are commonly used together for analysis:

  • Hot Spot Analysis - Finds groups of hosts on the attack surface with a high density of severe vulnerabilities, which can be fixed by patching.
  • Attack Vector Analysis - Uses a methodical approach that finds specific high-risk attack vectors around one or more hosts that would require quick remediation (Patching, Shielding, Network Configuration) to eliminate exposure of specific targeted assets.

Compliance Engineering helps to prioritize the identified vulnerabilities to target remediation efforts. Traditionally, scanner reports prioritize vulnerabilities based on asset importance and a pre-defined vulnerability severity ranking, typically based on Common Vulnerability Scoring System (CVSS) scores. But this does not prioritize the vulnerabilities within your network. Compliance Engineering helps analyze a vulnerability’s severity rating, asserting that the criticality of a vulnerability depends on several factors, including existing security controls, threat data, the business asset, and the impact of a potential attack.

Compliance Engineering's final step is remediating critical vulnerabilities. For effective vulnerability management, remediation should be integrated into the solution and should consider all security controls:

  • Are patches available? Can a patch be deployed or is it ‘un-patchable’ due to system integration issues, location, availability requirements, application limitations, etc?
  • Can system changes remediate the vulnerability? Will reconfiguring the network or changing access controls mitigate the vulnerability?
  • What other security controls are available? Are there other security controls that may provide protection such as firewalls, IPS or Anti-Malware, etc.?
  • Remediation should consider all security controls, not just patching, and the availability of security controls should be part of the prioritization process
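The prioritization and remediation logic described in the last three paragraphs, as an added example rather than Compliance Engineering's own tooling: the scanner's CVSS score is weighted by asset importance and threat data, reduced for compensating controls already in place, the remediation path follows the patch/shield/reconfigure questions above, and hot spots are hosts carrying several severe, patchable findings. The findings, field names and weights are constructed for illustration.

```python
"""Context-aware vulnerability prioritization (added example, not
Compliance Engineering's product). Weights and thresholds are illustrative."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Finding:
    host: str
    vuln_id: str               # scanner identifier (constructed)
    cvss: float                # scanner's severity score
    asset_criticality: int     # 1 (lab box) .. 5 (cardholder/PHI system)
    exploited_in_wild: bool    # threat data from a feed
    patch_available: bool
    compensating_controls: List[str] = field(default_factory=list)  # "waf", "ips", ...


def priority(f: Finding) -> float:
    """CVSS weighted by asset value and threat data, halved per control
    that already blocks the attack path (never reduced to zero)."""
    score = f.cvss * f.asset_criticality
    if f.exploited_in_wild:
        score *= 1.5
    score *= 0.5 ** len(f.compensating_controls)
    return round(score, 1)


def remediation(f: Finding) -> str:
    """Answer the patch / other controls / system-change questions in order."""
    if f.patch_available:
        return "patch"
    if f.compensating_controls:
        return "shield (existing controls: %s)" % ",".join(f.compensating_controls)
    return "reconfigure/isolate"


def hot_spots(findings: List[Finding], min_cvss: float = 7.0, min_count: int = 3) -> Dict[str, int]:
    """Hosts with at least min_count severe findings that patching would clear."""
    per_host: Dict[str, int] = {}
    for f in findings:
        if f.cvss >= min_cvss and f.patch_available:
            per_host[f.host] = per_host.get(f.host, 0) + 1
    return {h: n for h, n in per_host.items() if n >= min_count}


def ranked(findings: List[Finding]) -> List[Tuple[float, str, str, str]]:
    """Highest contextual priority first: (score, host, vuln_id, remediation)."""
    return sorted(((priority(f), f.host, f.vuln_id, remediation(f)) for f in findings), reverse=True)


# Constructed scan results: a critical DB finding with no patch, three patchable
# findings on one web host behind a WAF, and a high-CVSS finding on a lab machine.
FINDINGS = [
    Finding("db01", "V-1001", 9.8, 5, True, False, ["network-acl"]),
    Finding("web01", "V-2001", 7.5, 4, False, True, ["waf"]),
    Finding("web01", "V-2002", 8.1, 4, True, True, ["waf"]),
    Finding("web01", "V-2003", 7.2, 4, False, True, ["waf"]),
    Finding("lab07", "V-3001", 9.9, 1, False, True),
]

if __name__ == "__main__":
    for row in ranked(FINDINGS):
        print(row)
    print("hot spots:", hot_spots(FINDINGS))
```

Note that the lab machine's 9.9 CVSS ranks last once asset value is considered, while the unpatchable database finding ranks first and is routed to shielding rather than patching.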

Penetration Testing Services

Penetration testing evaluates an organization’s ability to secure its networks, applications, endpoints and users from external or internal attempts to circumvent its security controls to gain unauthorized or privileged access to protected assets. Test results validate the risk posed by specific security vulnerabilities or flawed processes, enabling prioritization of remediation efforts. By regularly scheduling comprehensive penetration testing, organizations can more effectively anticipate security risks and prevent breaches of critical systems and valuable information. Compliance Engineering's Penetration Testing Services include:

  • Network & Systems Penetration Tests
  • Application Penetration Tests
  • Wireless Penetration Tests
  • Source Code Security Audits

Compliance Engineering uses a phased approach to perform a Penetration Test against an organization’s infrastructure:

  • Identifying key assets, test points and attack vectors
  • Clearly defining the test scenarios to be used
  • Penetration testing executed with status reports
  • Immediate identification of critical risks
  • Thorough, summarized penetration testing report
  • Security consulting to assist with remediation

Penetration testing provides detailed information on actual, exploitable security threats. By performing a penetration test, an organization can proactively identify which vulnerabilities are most critical, which are less significant, and which are false positives. This allows an organization to intelligently prioritize remediation, apply needed security patches and allocate security resources more efficiently.

Penetration testing should be performed on a regular basis to ensure more consistent IT security management. In addition to regularly scheduled analysis and assessments required by regulatory mandates, tests should also be run whenever:

  • New network infrastructure or applications are added
  • Significant upgrades or modifications are applied to infrastructure or applications
  • New office locations are established
  • Security patches are applied
  • End user policies are modified

Remaining unaware of security risks can leave your organization vulnerable to attacks targeting the network, or a breach resulting in the loss, misuse or exposure of sensitive data. Our consultants will provide our clients with a secure and compliant Advanced Persistent Threat (APT) penetration test of their network. This can include internal or external networks, wireless networks, or your business' custom infrastructure and devices.

Compliance Engineering's Penetration Testing Consultants Will Help You:

  • Dramatically reduce the impact and likelihood of a breach through agreed upon rules of engagement
  • Meet compliance standards by prioritizing the defensive steps necessary to protect your business and its cyber environment
  • Understand your risk against the changing threats with the visual aids in our industry-exclusive Hawkeye software


Give your business a competitive edge by joining Compliance Engineering’s Reseller Partner Program. If you offer a product or service that is complementary to our solutions and services, you can increase customer satisfaction and expand your revenue stream.

Compliance Engineering’s Technology Partner Program is designed for companies that offer products which are complementary to our information security solutions and services. We select our Technology Partners based on their expertise in their respective fields as well as their commitment to customer satisfaction.



  • A strong customer-centric focus. We develop close working relationships with our clients and continually strive to provide superior customer service.
  • Experience that spans nearly every industry and business environment, and companies of all sizes.
  • An agile business model that enables us to quickly adapt to changes in legislation or information security requirements.
  • In-depth knowledge of best practices in information security and risk management compliance.
  • Highly trained, knowledgeable consultants and subject matter experts with appropriate credentials and certifications
  • “Vendor neutral” consulting and audit services

Compliance Engineering is privately held and was formed in 2001 in Atlanta, Georgia. Our resume consists of successful consulting and audit engagements including many Fortune 500 firms and industry leaders around the world.

Bill Schmidt

Chief Operating Officer

Bill Schmidt has over 31 years of IT experience, of which the past 24 years have been dedicated to IT Security and Compliance. He has held roles in Fortune 100 and security companies as Chief Information Security Officer, Security Architect, Data Security Manager, Network Manager and Client Services Manager. Mr. Schmidt has partnered extensively with security technology companies to enhance the usability and effectiveness of their products. He has led some of the largest and most complex security initiatives for public, private and government entities. Bill has assisted Boards, CIOs and CISOs with their Information Security Program Effectiveness. Mr. Schmidt is a graduate of the University of Georgia with a B.S. in Computer Science. UGA recognized him as the ACM Top Programmer, and he worked for the University on a variety of research projects including the IBM Super Computer initiative.

Contact Us





Northeastern Sales



6 West Druid Hills Drive
Suite #401
Atlanta, GA 30329