Compliance areas explained


PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is put in place to protect both businesses and their customers. It was created to reduce credit card fraud, hacking, and other cybersecurity threats against cardholder data. A company that does not follow the standard risks fines and losing its ability to process card payments. Any business that processes, stores, or transmits cardholder data must be PCI DSS compliant. Gratia Inc. can help your business with all aspects of compliance, including network security, data protection, vulnerability management, access control, monitoring and testing, and information security policy. Call or email us today to set up a consultation with our team!


HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) regulations are mandatory for healthcare organizations and the business associates that handle protected health information on their behalf. These regulations are put in place to protect patient information from cyberthreats. HIPAA compliance assures that patient information stays secure and is protected against unauthorized use, theft, or disclosure. If your business or organization creates, receives, stores, or transmits protected health information, you are required to follow HIPAA regulations. Gratia Inc. is excited to help your business become HIPAA compliant and to keep it compliant as the regulations evolve.


NIST RMF

The Risk Management Framework (RMF) set forth by the National Institute of Standards and Technology outlines a process that builds risk assessment into the life cycle of an information system. Controls can be applied to a single system, inherited as common controls that protect multiple systems, or both. The RMF process contains these six steps: Categorize, Select, Implement, Assess, Authorize, and Monitor (the 2018 revision of NIST SP 800-37 adds a preliminary Prepare step). Each of these steps performs a specific function that ultimately protects your business. At Gratia Inc., we strive to offer the best in cybersecurity. By pairing our expertise with your business, you will reduce your exposure to cyberthreats and keep it under continuous review.


This revision to the National Institute of Standards and Technology publication aims to address security program risks at their source. It is meant to assure that a solid framework lies at the foundation of every organization that uses it, including the Department of Defense, the Intelligence Community, and any civilian agencies that work with them. The update addresses areas of technology such as cloud computing, insider threats, and supply chain security that require more controls than in the past. Compliance with these standards gives your organization a well-defined control framework and ongoing monitoring. Gratia Inc. is able to help your business identify weaknesses in your security framework, address them, and continue to monitor for additional threats. Choose Gratia Inc. to protect your business.

NIST 800-171

Compliance with NIST SP 800-171 is required by US federal agencies to protect controlled unclassified information (CUI) held outside federal systems. Agencies impose these CUI requirements on non-federal organizations through contracts. If your business works with the federal government and processes, stores, transmits, or provides security for CUI, you must be NIST 800-171 compliant. Gratia Inc. can help your business if you are attempting to become compliant in order to work with a federal agency, if you want to make sure your business is up to date with current compliance standards to preserve your government contracts, or if you need help maintaining compliance over time.


EU GDPR

The European Union General Data Protection Regulation (GDPR) applies to companies established in the EU and to companies anywhere in the world that process the personal data of individuals in the EU. The goal of the regulation is to give individuals more control over their information by regulating how businesses collect and process personal data. Compliance may involve providing easier access to personal data, honoring the "right to be forgotten" (erasure), and notifying the relevant supervisory authority within 72 hours of becoming aware of a personal data breach. If your business would like to become EU GDPR compliant, contact our team by phone or email to set up a consultation. Gratia Inc. is excited to protect the integrity of your business.

ISO 27001

ISO/IEC 27001 is a broad standard that applies to all types of organizations and businesses. It specifies the requirements for an Information Security Management System (ISMS), whose primary goal is protection against information security risks. The ISMS is the framework that allows your business to identify, analyze, and address threats to information security. Additionally, the ISMS requires periodic review, so your business remains current with ever-changing security threats and vulnerabilities. Gratia Inc. has a team that can work directly with your business to achieve ISO 27001 compliance, or certification, in a way that works for you.

ISO 27002

ISO/IEC 27002 is an internationally recognized Code of Practice for Information Security Management. It outlines general principles and control guidance for initiating, implementing, maintaining, and improving information security management in your organization. Organizations are certified against ISO 27001; ISO 27002 provides the guidance for implementing its controls. Working toward these standards may involve benchmark assessments, progress checkpoints, gap analysis, and designing a plan for improvement. The team at Gratia Inc. is skilled in the implementation of compliance standards and ready to put their years of experience to work for you.


NCUA

The National Credit Union Administration (NCUA) requires credit unions to maintain a written security program that assures the protection of members' private records and information. These security programs must be designed to control the risks associated with the sensitive information they process. Measures can include access controls, encryption of member information, and monitoring for unauthorized access. Gratia Inc. is here to help you design and implement these processes in your business. The Gratia Team is experienced with NCUA compliance regulations and we're ready to protect your business!

SOX 404

The Sarbanes-Oxley Act (SOX) applies to financial practice and corporate governance of publicly traded companies. Most importantly, the SOX Act ensures that a company's directors and officers are aware of and accountable for the financial state of their company. Section 404 requires management to assess and report on the effectiveness of internal controls over financial reporting, which includes the IT general controls (access, change management, and operations) that protect the systems producing those reports. If you need guidance about how to make your business SOX compliant, call Gratia Inc. today to speak to a member of our team and create a custom plan to fit your business' cybersecurity needs. We will help protect your business by monitoring and maintaining compliance.


SANS CAG

The SANS Consensus Audit Guidelines (CAG) take the approach that offense informs defense: the controls are prioritized according to the attack techniques actually observed against organizations. SANS CAG is concerned with safeguarding your business' critical system resources. The best practices set forth in the Twenty Critical Security Controls for Cyber Defense (now maintained as the CIS Controls) are designed to preserve the integrity and availability of your physical and logical critical resources. Gratia Inc. understands the research and development that inspired these information security initiatives. We are ready to work with your business to implement these best practices into your security program.


GLBA

The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to maintain an information security program, and a GLBA compliance assessment measures your program against its guidelines. These guidelines address the administrative, technical, and physical safeguards that protect customers' nonpublic personal information. The GLBA Safeguards Rule allows the information security program to be tailored to the size and complexity of the institution, the nature and scope of its activities, and the sensitivity of the customer information it handles. The Gratia Team is experienced in compliance assessments and enthusiastic about protecting your business.

DODI 8500

The DoD Information Assurance Certification and Accreditation Process (DIACAP) was developed by the Department of Defense to require that risk management be applied to its information systems. The DoD promotes information assurance (IA) controls as the first, and most important, security requirement for automated information systems. Under the DoDI 8500 series, the baseline IA controls for a system are selected from its mission assurance category (MAC) and confidentiality level. Note that DIACAP has since been superseded by the DoD's adoption of the NIST Risk Management Framework, so systems still accredited under it will need to transition. The Gratia Team can help you design your business' IA controls based on your system's mission assurance category and confidentiality level, and plan the move to the current framework.