Information Security:

In today’s business environment, information is the lifeblood of any organization. Increasingly, organizations and their information systems are exposed to security threats from a wide range of sources, including computer-assisted fraud, espionage, sabotage, vandalism, fire and flood. Computer viruses, hacking and denial of service attacks have become more common and more sophisticated.

Cyber security consists of technologies, processes and controls designed to protect systems, networks, programs, devices and data from cyber-attacks. Effective cyber security reduces the risk of cyber-attacks and protects against the unauthorised exploitation of systems, networks and technologies.

What is Cyber Security?

Cyber security focuses on protecting computer systems – including hardware, software, data and digital infrastructure – from unauthorised access or being otherwise damaged or made inaccessible.

In recent years, cyber security has come under intense media scrutiny because of a rapid increase in the size and number of attacks, and the degree of effect on individuals, governments and organisations.

Moreover, the introduction of the GDPR (General Data Protection Regulation) in 2018 means organisations must implement appropriate security measures to protect the personal data they process or risk substantial financial losses.

All well-informed organisations now consider cyber security a critical business issue.

Why is cyber security important?

The cost of cybercrime is at an all-time high, and incidents often take months to be discovered – often by a third party. For instance, APTs (advanced persistent threats) use continuous hacking techniques to gain access to a computer system and can remain inside for months before the intrusion is observed.

The costs of data breaches are soaring

Emerging privacy laws can mean significant fines for organisations. The high-profile EU GDPR (General Data Protection Regulation) has a maximum fine of €20 million or 4% of annual global turnover, whichever is greater. Such penalties are usually on top of damages and other legal action. There are also non-financial costs to be considered, such as organisational sustainability and reputational damage.

Cyber-attacks are becoming increasingly sophisticated

Cyber-attacks continue to grow in sophistication, with attackers using an ever-expanding variety of tactics, including social engineering, malware and ransomware.

Cyber-attacks are lucrative

Usually, cyber attackers seek some type of benefit and will invest in various techniques, tools and technology to achieve their motives. Financial gain is a common motivation, but they may also be driven by political, ethical, intellectual or social incentives.

Cyber security is a critical, board-level issue.

New regulations and reporting requirements make cyber security risk oversight a challenge. The board will continue to seek assurances from management that their cyber risk strategies will reduce the risk of attacks and limit financial and operational impacts.

A strong cyber security stance is a key defence against cyber-related failures and errors and malicious cyber-attacks, so having the right cyber security measures in place to protect your organisation is vital.

1) What is ISO 27001 - Information Security Management System

An Information Security Management System (ISMS) is a systematic approach for managing sensitive company information and information entrusted to companies by third parties so that it remains secure. It encompasses people, processes and IT systems. 

a) Why ISO 27001:2022

  • Increased trust from partners, customers and the public;
  • Systematic detection of vulnerabilities;
  • Control of IT risks;
  • Reduced chance of security breaches within the IT environment;
  • Protection of the confidentiality of information.

b) What are the benefits:

  • To mitigate the risk of information security breaches
  • To demonstrate due diligence and due care
  • To take a proactive approach to legal, regulatory and contractual compliance requirements
  • To assure the organization’s internal controls
  • To show management’s commitment to the security of business and customers’ information
  • To help the organization gain a competitive advantage

c) Applicable to:

Suitable for any organisation, large or small, in any sector. The standard is especially suitable where the protection of information is critical, such as in the banking, financial, health, public and IT sectors. The standard is also applicable to organisations that manage high volumes of data or information on behalf of other organisations, such as data centres and IT outsourcing companies.

2) ISO/IEC 27701:2019 - Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management

ISO/IEC 27701:2019 is a data privacy extension to ISO 27001. This newly published information security standard provides guidance for organizations looking to put in place systems to support compliance with GDPR and other data privacy requirements. ISO 27701, often referred to as the PIMS (Privacy Information Management System) standard, outlines a framework for Personally Identifiable Information (PII) controllers and PII processors to manage data privacy. Privacy information management systems are sometimes referred to as personal information management systems.

It can be used by all types of organizations that are Personally Identifiable Information (PII) controllers and/or PII processors processing PII within an ISMS, irrespective of their size, complexity or the country in which they operate.

a) What is ISO/IEC 27701:2019

ISO/IEC 27701 specifies the requirements and provides guidance for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS). It builds on the requirements in ISO/IEC 27001, the information security management system (ISMS) standard, and the code of practice for information security controls in ISO/IEC 27002.

ISO/IEC 27701 provides the management system framework to protect personally identifiable information (PII).  It covers how organizations should manage personal information and assists in demonstrating compliance with applicable privacy regulations.

b) Why ISO/IEC 27701

ISO/IEC 27701 reduces risk to the privacy rights of individuals and to the organisation by enhancing an existing Information Security Management System.

This standard is a great way of demonstrating to customers and to external and internal stakeholders that effective systems are in place to support compliance with GDPR and other related privacy legislation.

Organizations looking to get certified to ISO 27701 in order to comply with GDPR will either need to have an existing ISO 27001 system or implement ISO 27001 and ISO 27701 together as a single management system. ISO 27701 is a natural expansion of the requirements and guidance set out in ISO 27001.

This standard is essential for every organization that is responsible and accountable for PII, as it provides requirements on how to manage and process data and safeguard privacy. It enriches an already implemented ISMS to properly address privacy concerns, by helping organizations understand the practical approaches involved in implementing effective management of PII.

c) What benefits it brings to business:

  • Protects the organization’s reputation
  • Builds customers’ trust
  • Increases customer satisfaction
  • Increases transparency of the organization’s processes and procedures
  • Maintains the integrity of customers’ and other interested parties’ information
  • Ensures information within the company is kept secure and handled effectively
  • Ensures information is available on time
  • Prevents loss, abuse and unauthorized modification of information
  • Ensures information is only accessible to authorized persons
  • Assists compliance with legal requirements and data protection

d) Who ISO 27701 applies to:

Software development, cloud and IT support companies; banks, insurance companies and brokerage houses; internet providers; government agencies; healthcare, pharmaceutical and food processing organizations.

3) ISO 22301:2019 - Security and resilience - Business continuity management systems - Requirements

Floods, cyber-attacks, IT breakdowns, supply chain issues or loss of skilled staff are just some of the possible threats to the smooth running of an organization. If not addressed effectively, they can cause disruption or even business failure. Consistent planning for what to do when disaster strikes means a more effective response and a quicker recovery.

a) What is ISO 22301?

ISO 22301 is the international standard for Business Continuity Management Systems (BCMS). It provides a framework for organizations to plan, establish, implement, operate, monitor, review, maintain, and continually improve a documented management system to protect against, reduce the likelihood of, and ensure recovery from disruptive incidents.

BCM (business continuity management) is a type of risk management designed to address the threat of disruptions to business activities or processes. It involves managing risks to ensure that mission-critical functions continue to provide an acceptable level of service, even in the event of a major disaster.

b) Why is ISO 22301 important?

This standard is crucial for organizations to enhance their resilience against various unforeseen disruptions, ensuring continuity of operations and services. It helps in identifying risks, preparing for emergencies, and improving recovery time.

c) What business benefits can a BCMS bring to my business?

  • Reduced costs and less impact on business performance when something goes wrong.
  • The ability to reassure clients, suppliers, regulators and other stakeholders that the organization has sound systems and processes in place for business continuity.
  • Improved business performance and organizational resilience.
  • A better understanding of the business through analysis of critical issues and areas of vulnerability.

d) Who ISO 22301 applies to:

All organizations, regardless of size, industry or nature of business. It is also relevant to certification and regulatory bodies as it enables them to assess an organization’s ability to meet its legal or regulatory requirements.

4) PCI DSS - Payment Card Industry Data Security Standard Compliance

Maintaining payment security is required for all entities that store, process or transmit cardholder data. Guidance for maintaining payment security is provided in PCI security standards. These set the technical and operational requirements for organizations accepting or processing payment transactions, and for software developers and manufacturers of applications and devices used in those transactions.

a) What is PCI DSS:

The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information. The PCI DSS was created jointly in 2004 by four major credit-card companies: Visa, MasterCard, Discover and American Express.

b) Why PCI DSS

  • To reduce the risk of debit and credit card data loss.
  • It describes how card data loss can be prevented and detected, and how to respond if a potential data breach occurs.
  • It provides protection for both merchants and cardholders.

c) What benefits it brings to business:

  • Reduces the Risk of a Data Breach
  • Helps to Avoid Fines
  • Protects Customers
  • Improves Brand Reputation
  • Imparts a Mindset of Security
  • Serves as a Globally Accepted Standard
  • Provides a Starting Point for Other Regulations
  • Peace of Mind
d) Applicable to

Those who are associated with payment cards including merchants of all sizes, financial institutions, point-of-sale vendors, hardware and software developers.

5) HIPAA - Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for the protection of sensitive patient data. Organizations that deal with protected health information (PHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA compliance. Anyone who provides treatment, payment, and operations in healthcare, and business associates (anyone who has access to patient information and provides support in treatment, payment, or operations), must meet HIPAA compliance. Other entities, such as subcontractors and any other related business associates, also have to be in compliance.

a) What is HIPAA - Health Insurance Portability and Accountability Act:

The HIPAA privacy rule addresses the use and disclosure of individuals’ health information called “Protected Health Information (PHI)”.  

The HIPAA Privacy Rule is intended to ensure that an individual’s health information is properly protected while allowing the flow of the health information needed to provide and promote quality health care. The HIPAA Privacy Rule permits important uses of information, while protecting the privacy of people who seek healthcare.

The HIPAA Privacy Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed. Covered entities regulated by the Rule are required to comply with all of its applicable HIPAA requirements.

b) Why HIPAA - Health Insurance Portability and Accountability Act:

  • Secure and confidential storage of patients’ data.
  • Better coordination of healthcare data due to standardisation of data formats.
  • Do away with health plan–specific reporting and filing requirements for hospitals and health care providers.
  • Reduce paper involvement in managing healthcare records.
  • Avoid sanctions due to improper handling of data records and data breaches.

c) What are the benefits of HIPAA

HIPAA protects patients against the following violations:

  1. Disclosure or use of protected health information (PHI) without authorization.
  2. Absence or lack of technical safeguards for protected health information.
  3. Inability of patients to access their protected health information.
  4. Lost or stolen devices containing PHI.
  5. Illegal or excessive access to patients’ files by employees.

d) HIPAA is applicable to:

HIPAA regulations apply to: medical centres, clinics, and hospitals; private practices; outpatient providers; hospices and adult care providers; pharmacies; laboratories; health plans and insurance providers.

6) GDPR - General Data Protection Regulation

Data breaches inevitably happen. Information gets lost, stolen or otherwise released into the hands of people who were never intended to see it – and those people often have malicious intent. 

Under the terms of GDPR, not only do organisations have to ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it are obliged to protect it from misuse and exploitation, as well as to respect the rights of data owners – or face penalties for not doing so. 

a) What is GDPR - General Data Protection Regulation

GDPR stands for General Data Protection Regulation. It’s the core of Europe’s digital privacy legislation. 

At its core, GDPR is a new set of rules designed to give EU citizens more control over their personal data. It aims to simplify the regulatory environment for business so both citizens and businesses in the European Union can fully benefit from the digital economy. 

b) What does GDPR mean for businesses?

GDPR establishes one law across the continent and a single set of rules which apply to companies doing business within EU member states. This means the reach of the legislation extends further than the borders of Europe itself, as international organisations based outside the region but with activity on ‘European soil’ will still need to comply. 

c) Why GDPR

  • Obligations for data controllers;
  • Rights for data subjects;
  • Impact on cross-border data flows;
  • Global influence.

d) What benefits it brings to business:

  • Improved consumer confidence
  • Better data security
  • Reduced maintenance costs
  • Better alignment with evolving technology
  • Better decision-making

e) Who does GDPR apply to? 

GDPR applies to any organisation operating within the EU, as well as any organisations outside of the EU which offer goods or services to customers or businesses in the EU. That ultimately means that almost every major corporation in the world needs a GDPR compliance strategy.

There are two different types of data-handlers the legislation applies to: ‘processors’ and ‘controllers’.

7) Federal Certification

Expert advisory and assessment services to comply with a broad range of federal compliance frameworks, including FedRAMP (NIST 800-53r4), CMMC (NIST SP 800-171), CCPA, FFIEC, NYDFS, CJIS, DoD RMF, and FISMA.

  • Successfully expand into federal markets
  • Gain access to new state and local government agency revenue streams
  • Global network to perform certification by local teams in the local language
  • Collaborative, tailored approach based on specific client use cases, business limitations, and technical environment
  • Federal compliance services for wherever you are in the compliance journey

a) What is FedRAMP and NIST 800-53

The United States Federal Risk and Authorization Management Program, known as FedRAMP, is one of the federal government’s most rigorous security compliance frameworks. It enables the federal government to accelerate the adoption of cloud computing by creating transparent standards and processes for security authorizations. FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies. Any cloud services that hold federal data must be FedRAMP Authorized. FedRAMP prescribes the security requirements and processes cloud service providers must follow for the government to use their service.

b) FedRAMP and NIST 800-53

NIST SP 800-53 is a standard published by the National Institute of Standards and Technology (NIST), which creates and promotes the standards used by federal agencies to implement the Federal Information Security Management Act (FISMA) and to manage other programs designed to protect information and promote information security. It is used as the information security standard for both FISMA and FedRAMP.

The standard includes the following:

  1. Standards for categorizing information and information systems by mission impact.
  2. Standards for minimum security requirements for information and information systems.
  3. Guidance for selecting appropriate security controls for information systems.
  4. Guidance for assessing security controls in information systems and determining security control effectiveness.
  5. Guidance for certifying and accrediting information systems.

c) GLBA / FFIEC Assessment

The Gramm-Leach-Bliley Act (GLBA) of 1999 first established a requirement to protect consumer financial information. Financial services regulations on information security, initiated by the GLBA, require financial institutions in the United States to create an information security program to protect the security, confidentiality, and integrity of such information. The Federal Financial Institutions Examination Council (FFIEC) supports this mission by providing extensive, evolving guidelines for compliance.

8) Web Application Security

a) Web Application Penetration Test

A Web Application Penetration Test, or “ethical hack”, evaluates an application’s ability to withstand attack. It helps you identify, remediate and secure internally or third-party developed applications against the vulnerabilities and logic flaws that lead to attack and exploitation.

  • Explore weaknesses as an attacker would and demonstrate the potential consequences
  • OWASP and SANS frameworks to meet HIPAA, PCI DSS, SOX and GLBA
  • Comprehensive report with detailed risk analysis and recommendations
  • Global presence with renowned research and 24/7 incident response

b) Web Services & Application Vulnerability Scanning

  • Web Services & Application Vulnerability Scanning provides a comprehensive evaluation of the security posture of an application or solution based on web services technologies such as SOAP or REST.
  • Supports modern technologies such as Mobile, JSON, REST, SOAP, HTML5 & AJAX
  • Intelligent scanning covering OWASP Top 10, SANS Top 25, OSSTMM and WASC
  • Meets the requirements of PCI, FISMA, OWASP, SOX, HIPAA, GLBA and more
  • Access to industry-recognized and certified experts
  • Deeper analysis with interactive reports

c) Source Code Security Assessment

  • On-demand managed and automated static / source code security assessment to help developers eliminate vulnerabilities and build secure software.
  • Detection of 890+ vulnerability categories listed by OWASP and SANS
  • Supports bytecode and source code in 21 different languages
  • Reporting with correlated results prioritized by severity
  • Comply with PCI DSS, PA-DSS, HIPAA and FISMA
  • Easy to manage, with no maintenance.

d) Mobile App Security Assessment

  • The Mobile Application Security Assessment service identifies vulnerabilities and malicious or potentially risky actions in mobile applications, and helps you prioritize, remediate and secure your mobile apps before deployment.
  • Includes both static and dynamic mobile security testing techniques
  • Easy to manage: no hardware, no software, and no maintenance
  • OWASP Mobile Top 10 framework to comply with PCI DSS and HIPAA
  • Support for iOS, Android, BlackBerry and Windows
  • Unique behavioral analysis and privacy checks

9) Infrastructure Security

a) Network / PCI ASV Vulnerability Scanning

  • Cloud-based, PCI DSS approved network vulnerability scanning solutions to identify vulnerabilities in systems, network devices, applications and databases.
  • PCI ASV accredited for accurate internal and external vulnerability scanning
  • Demonstrate compliance with PCI DSS, FISMA, HIPAA and GLBA
  • Easy to manage: no hardware, no software, and no maintenance
  • Non-intrusive scanning of physical and cloud infrastructure
  • Prioritized remediation plan with dedicated support

b) Network Penetration Testing

  • The Network Penetration Testing service evaluates the security posture of the network infrastructure by mimicking real attacks against both external and internal network infrastructure.
  • Gain deeper visibility than a vulnerability scanner or tool-based assessment
  • Customize each engagement to meet individual client needs
  • Execute real-world attack techniques to identify risk posture
  • Reproducible step-by-step exploitation procedures
  • Demonstrate PCI, HIPAA and GLBA compliance

c) Firewall Security Assessment

  • Firewall Security Assessment helps you gain visibility into firewall configurations and access lists so you can secure and optimize them, comply with regulations and keep them protected from external threats.
  • Supports a wide range of firewalls and network devices
  • Secure upload and confidential handling of your exported configuration file
  • Demonstrate PCI DSS, SOX, ISO, NSA, NERC and FISMA compliance
  • Prioritized remediation plan with dedicated expert guidance
  • No remote access or credentials required

d) Cloud Security Assessment

Cloud Security Assessment helps protect the confidentiality, integrity and availability of systems and data in your organization’s growing cloud environment and maintain compliance.

  • Infrastructure as a Service (IaaS) and Software as a Service (SaaS) support
  • Meet all regulatory, legal and compliance requirements when deploying in the cloud
  • Test whether an attacker could gain access to your cloud instance or the data behind it
  • Non-intrusive remote engagements to simulate cyber attacks and identify gaps
  • Reduce administrative overhead and automate repeatable testing processes

10) SOC - Service Organization Control

a) What is SOC 2

Developed by the American Institute of CPAs (AICPA), SOC 2 defines criteria for managing customer data based on five “trust service principles”: security, availability, processing integrity, confidentiality and privacy.

Although SOC 2 has very rigid requirements, SOC 2 reports are unique to each organization. In line with its specific business practices, each organization designs its own controls to comply with one or more of the trust principles.

These internal reports provide you (along with regulators, business partners, suppliers, etc.) with important information about how your service provider manages data.

b) There are two types of SOC reports:

Type I describes a vendor’s systems and whether their design is suitable to meet relevant trust principles.

Type II details the operational effectiveness of those

c) SOC 2 certification

SOC 2 certification is issued by outside auditors. They assess the extent to which a vendor complies with one or more of the five trust principles based on the systems and processes in place.

d) Trust principles are broken down as follows:

  1. Security:

The security principle refers to protection of system resources against unauthorized access. Access Controls help prevent potential system abuse, theft or unauthorized removal of data, misuse of software, and improper alteration or disclosure of information.

IT security tools such as network and web application firewalls (WAFs), two factor authentication and intrusion detection are useful in preventing security breaches that can lead to unauthorized access of systems and data.

  2. Availability:

The availability principle refers to the accessibility of the system, products or services as stipulated by a contract or service level agreement (SLA). As such, it sets out the minimum acceptable performance level for the system.

This principle does not address system functionality and usability, but does involve security-related criteria that may affect availability. Monitoring network performance and availability, site failover and security incident handling are critical in this context.

  3. Processing integrity:

The processing integrity principle addresses whether or not a system achieves its purpose (i.e., delivers the right data at the right price at the right time). Accordingly, data processing must be complete, valid, accurate, timely and authorized.

However, processing integrity does not necessarily imply data integrity. If data contains errors prior to being input into the system, detecting them is not usually the responsibility of the processing entity. Monitoring of data processing, coupled with quality assurance procedures, can help ensure processing integrity.

  4. Confidentiality:

Data is considered confidential if its access and disclosure is restricted to a specified set of persons or organizations. Examples may include data intended only for company personnel, as well as business plans, intellectual property, internal price lists and other types of sensitive financial information.

Encryption is an important control for protecting confidentiality during transmission. Network and application firewalls, together with rigorous access controls, can be used to safeguard information being processed or stored on computer systems.

  5. Privacy:

The privacy principle addresses the system’s collection, use, retention, disclosure and disposal of personal information in conformity with an organization’s privacy notice, as well as with criteria set forth in the AICPA’s generally accepted privacy principles (GAPP).

Personally identifiable information (PII) refers to details that can distinguish an individual (e.g., name, address, Social Security number). Some personal data related to health, race, sexuality and religion is also considered sensitive and generally requires an extra level of protection. Controls must be put in place to protect all PII from unauthorized access.