NDB provides comprehensive Experian EI3PA assessments for service providers that store, process, and/or transmit Experian provided data. Experian shares data with thousands of businesses throughout the world, and as such, it requires these businesses to undertake annual EI3PA compliance assessments. Modeled after the PCI DSS standards, Experian’s EI3PA framework is comprehensive, challenging, and can take quite some time to complete. What’s needed is an expert assessor with years of experience working with Experian’s EI3PA framework, and that’s exactly what NDB offers. Call our seasoned EI3PA assessor today directly at 1-800-277-5415, ext. 705 to learn how we can help your business become compliant.
North America’s Leading Provider of EI3PA Audits
We’ve been working with the EI3PA standards for years now, performing audits from coast to coast for service providers that store, process, and/or transmit Experian provided data. While the EI3PA framework does closely mirror the PCI DSS standards, there are differences that you need to be aware of. Additionally, for service providers new to the EI3PA process, NDB offers a proven, lockstep methodology that saves both time and money.
A Proven, Six Step EI3PA Audit Process
With NDB, you follow a structured six-step process that works very well for all of our clients. From the initial scoping & readiness assessment to ongoing continuous compliance measures, we have you covered every step of the way.
- Phase I: Scoping & Readiness Assessment
- Phase II: Documentation Remediation
- Phase III: Operational & Technical Remediation
- Phase IV: Performing the Actual Audit
- Phase V: Issuance of EI3PA Assessment
- Phase VI: Ongoing Continuous Compliance Measures
Phase I: Scoping & Readiness Assessment
The very first step in any EI3PA assessment is to perform a scoping & readiness assessment to ensure the following goals are met:
- Identifying and confirming project scope with regard to business processes, personnel involved, physical locations, relevant third parties, etc.
- Assessing control readiness against the prescribed EI3PA framework and identifying gaps and deficiencies that need to be corrected before the audit begins.
- Putting in place project milestones for the different phases, including deliverables from both the client and the EI3PA auditing firm.
With a scoping & readiness assessment from NDB, service providers gain much-needed clarity on all aspects of the overall EI3PA engagement. Knowing what you’re getting into when it comes to auditing helps lay the groundwork for an efficient and cost-effective EI3PA engagement.
Phase II: Documentation Remediation (i.e., Policies and Procedures)
Much like any of today’s growing compliance mandates, the EI3PA assessment process requires service providers to develop robust information security policies and procedures. Without them, EI3PA compliance is simply not attainable. The challenge with documentation is three-fold.
First, organizations undergoing EI3PA compliance are often unaware of, and at times shocked by, the volume of documentation that needs to be in place. Second, most organizations don’t have the bandwidth to develop policies and procedures for meeting EI3PA compliance. And third, even if they’ve found an adequate resource internally, they still need to source high-quality templates.
NDB offers comprehensive information security policy writing services for the EI3PA assessment process. We also offer world-class templates to service providers willing to author them on their own time.
If you’re new to EI3PA compliance – and don’t have much in the way of information security policies and procedures – then expect to develop upwards of fifty (50) different stand-alone InfoSec policies. That’s quite a bit, and it’s why service providers undergoing the EI3PA assessment process use our world-class templates. Call our seasoned EI3PA assessor today directly at 1-800-277-5415, ext. 705 to learn how we can help your business become compliant.
Phase III: Operational/Technical/Security Remediation
When we speak of “Operational – Technical – Security” remediation, we mean the necessary configuration changes and other “heavy lifting” activities that need to take place. It’s much more than just writing policies and procedures (described in Phase II). Here are common examples of Phase III remediation initiatives that need to be undertaken:
- Re-configuring systems to ensure they meet stated guidelines. Examples would be hardening servers by removing unnecessary functionality, strengthening password complexity rules, installing a web application firewall, and much more.
- Undertaking vulnerability scanning on a regularly scheduled basis.
- Implementing audit logs and audit trails.
- Installing a network-based intrusion detection system.
- Installing File Integrity Monitoring (FIM) on all in-scope servers.
- Performing an annual risk assessment.
- Testing your incident response plan.
- Implementing company-wide security awareness training.
Phase IV: Performing the EI3PA Audit
EI3PA audits can be challenging indeed, largely because organizations are unaware of what to expect. Setting expectations early in the audit process is crucial. We can’t tell you how many times we’ve heard from new clients about challenges and issues during an audit caused by a lack of communication and an overall misunderstanding of the audit process itself. Here are some helpful guidelines for undertaking an EI3PA audit – and really – these guidelines can be applied to any type of audit your organization goes through:
EI3PA audits are about collecting audit evidence and validating controls. With that said, expect to provide the auditors with a large amount of data. Specifically, auditors will request the following:
- Screenshots of system settings
- Information security policies and procedures
- Evidence of a risk assessment performed
- Evidence of security awareness training performed
- EI3PA audits are also about validating controls, so expect auditors to view system settings, etc.
- Work with your auditors, be clear and transparent at all times, and don’t try to hide anything – that’s the true secret to auditing success. Trust us on this; we’ve been performing EI3PA assessments for years all throughout North America. Call our expert EI3PA assessor today directly at 1-800-277-5415, ext. 705 to learn how we can help your business become compliant.
Phase V: Issuance of EI3PA Assessment
Once all the required fieldwork activities and audit deliverables have been completed, the findings within the report must be sent to Experian. From that point on, Experian is the final approving authority in determining whether an organization is in fact EI3PA compliant. Remember, the auditor cannot issue a final EI3PA certification; only Experian can, so please keep this very important point in mind.
Phase VI: Ongoing Continuous Compliance Measures
Once your annual EI3PA compliance and certification have been successfully obtained, it’s important to remember that monitoring one’s controls is critical. This is not the EI3PA auditor’s job – it’s your responsibility – so assign that task to an internal employee. Monitoring controls means conducting regularly scheduled assessments of internal controls – the critical policies, procedures, and processes within one’s daily infrastructure.
You don’t want to wait for the next audit to find issues – being proactive is the key here. NDB can assist in developing an ongoing continuous monitoring program, one that’s efficient, cost-effective, and incredibly valuable. Call our expert EI3PA assessor today directly at 1-800-277-5415, ext. 705 to learn how we can help your business become compliant.