Would you like to increase trust with partners, customers and the public, detect vulnerabilities systematically, control IT risks and reduce the chance of security breaches?
ISO 27001-Information Security Management System
- Helps you mitigate risk and information security breaches;
- Demonstrates due diligence and due care;
- Provides a proactive approach to legal, regulatory and contractual compliance requirements;
- Provides assurance over the organization’s internal controls;
- Demonstrates management’s commitment to the security of business and customers’ information;
- Helps the organization gain a competitive advantage.
1. Introduction to ISO 27001:2013-Information Security Management System.
In today’s business environment, information is the lifeblood for any organization. Increasingly, organizations and their information systems are exposed to security threats from a wide range of sources including computer assisted fraud, espionage, sabotage, vandalism, fire, flood etc. Computer viruses, hacking and denial of service attacks have become more common and sophisticated.
2. What is ISO 27001-Information Security Management System?
An Information Security Management System (ISMS) is a systematic approach for managing sensitive company information and information entrusted to companies by third parties so that it remains secure. It encompasses people, processes and IT systems.
The standard is suitable for any organisation, large or small, in any sector. It is especially suitable where the protection of information is critical, such as in the banking, financial, health, public and IT sectors. It also applies to organisations which manage high volumes of data, or information on behalf of other organisations, such as data centres and IT outsourcing companies.
Would you like to prevent loss, abuse and unauthorized modification of information, ensure information is only accessible to authorized persons, and assist in compliance with legal requirements and data
ISO 27701-PRIVACY INFORMATION MANAGEMENT SYSTEM
ISO 27701:2019-Privacy Information Management System:
1. Introduction to ISO/IEC 27701:2019-Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management
ISO/IEC 27701:2019 is a data privacy extension to ISO 27001. This newly published information security standard provides guidance for organizations looking to put in place systems that support compliance with GDPR and other data privacy requirements. ISO 27701, also abbreviated as PIMS (Privacy Information Management System), outlines a framework for Personally Identifiable Information (PII) controllers and PII processors to manage data privacy. Privacy information management systems are sometimes referred to as personal information management systems.
It can be used by all types of organizations that are PII controllers and/or PII processors processing PII within an ISMS, irrespective of their size, complexity or the country in which they operate.
2. What is ISO/IEC 27701:2019?
ISO/IEC 27701 specifies the requirements and provides guidance for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS). It builds on the requirements in ISO/IEC 27001, the information security management system (ISMS) standard, and the code of practice for information security controls in ISO/IEC 27002.
ISO/IEC 27701 provides the management system framework to protect personally identifiable information (PII). It covers how organizations should manage personal information and assists in demonstrating compliance with applicable privacy regulations.
3. Why ISO/IEC 27701?
ISO/IEC 27701 reduces the risk to the privacy rights of individuals and to the organisation by enhancing an existing Information Security Management System.
The standard is an effective way of demonstrating to customers, external stakeholders and internal stakeholders that effective systems are in place to support compliance with GDPR and other related privacy legislation.
Organizations looking to get certified to ISO 27701 in order to comply with GDPR will either need to have an existing ISO 27001 system or implement ISO 27001 and ISO 27701 together as a single management system. ISO 27701 is a natural expansion to the requirements and guidance set out in ISO 27001.
This standard is essential for every organization that is responsible and accountable for PII, as it provides requirements on how to manage and process data and safeguard privacy. It enriches an already implemented ISMS so that it properly addresses privacy concerns, by helping organizations understand the practical approaches involved in implementing effective management of PII.
4. To whom ISO 27701 is applicable:
Software development, cloud and IT support companies; banks, insurance companies and brokerage houses; internet providers; government agencies; healthcare, pharmaceutical and food processing organizations.
Would you like to improve consumer confidence, strengthen data security, reduce maintenance costs, align better with evolving technology and make better decisions?
GDPR-General Data Protection Regulation
1. Introduction to GDPR-General Data Protection Regulation
Data breaches inevitably happen. Information gets lost, stolen or otherwise released into the hands of people who were never intended to see it – and those people often have malicious intent.
Under the terms of GDPR, not only do organisations have to ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it are obliged to protect it from misuse and exploitation, as well as to respect the rights of data owners – or face penalties for not doing so.
2. What is GDPR-General Data Protection Regulation?
GDPR stands for General Data Protection Regulation. It’s the core of Europe’s digital privacy legislation.
At its core, GDPR is a new set of rules designed to give EU citizens more control over their personal data. It aims to simplify the regulatory environment for business so both citizens and businesses in the European Union can fully benefit from the digital economy.
3. What does GDPR mean for businesses?
GDPR establishes one law across the continent and a single set of rules which apply to companies doing business within EU member states. This means the reach of the legislation extends further than the borders of Europe itself, as international organisations based outside the region but with activity on ‘European soil’ will still need to comply.
- Obligations for data controllers;
- Rights for data subjects;
- Impact on cross-border data flows;
- Global influence.
4. Who does GDPR apply to?
GDPR applies to any organisation operating within the EU, as well as any organisations outside of the EU which offer goods or services to customers or businesses in the EU. That ultimately means that almost every major corporation in the world needs a GDPR compliance strategy.
There are two different types of data-handlers the legislation applies to: ‘processors’ and ‘controllers’.
Are you a cloud service provider who would like to protect PII in public clouds?
Would you like to develop a long-term strategy, increase transparency, reduce reputational risk, win customer trust, gain a competitive advantage, protect your brand reputation and protect against fines?
ISO 27017-CODE OF PRACTICE FOR INFORMATION SECURITY CONTROLS-CLOUD SERVICE PROVIDERS
1. Introduction to ISO 27017:2015-Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services
Around the world, organisations are increasingly aware of the business value that cloud computing brings and are taking steps towards transitioning to the cloud. A smooth transition requires a thorough understanding of the benefits as well as the challenges involved. One of the key challenges of cloud computing is how it addresses the security and privacy concerns of businesses planning to adopt it and of the cloud service providers (CSPs) implementing it.
The fact that valuable enterprise data will reside outside the corporate firewall raises serious concerns. Hacking and other cyber-attacks on cloud infrastructure can have a domino effect and affect multiple clients even if only one site is attacked.
As the global usage of cloud technology continues to grow, businesses must strategically consider the risk of storing protected information and explore viable security options in order to protect their information systems.
2. What is ISO 27017?
ISO/IEC 27017 is a standard developed for cloud service providers and users to secure cloud-based environments and minimise the potential risk of a security incident.
ISO/IEC 27017 is designed to assist in the recommendation and implementation of controls for cloud-based organisations. This is not only relevant to organisations which store information in the cloud, but also for providers which offer cloud-based services to other companies who may have sensitive information.
This standard is built upon the ISO 27002 standard, but allows for specific controls to be added for the needs of cloud organisations and their end-users.
The assessment is normally structured in tailor-made verification steps. The output of this verification process can be made available both internally within the company and publicly. The organisation may also choose to define a boundary for the assessment in relation to the core issues of the standard, focusing on those that are most crucial to the organisation itself and its business practices.
3. Why is ISO/IEC 27017 Important?
Cloud data security is vital, as clients will want to be sure that their data is safe while stored in the cloud. The ISO/IEC 27017 standard allows the organisation to commit to a long-term goal.
The organisation will have an internationally standardised framework on which to base its cloud security. Having internalised the requirements, the organisation will be able to reduce operational and reputational risks and work towards a sustainable future.
The standard extensively covers topics like asset ownership, recovery action if the CSP gets dissolved, disposal of assets with sensitive information, segregation and storage of data, alignment of security management for virtual and physical networks and others.
4. ISO 27017:2015 is applicable to
Cloud service providers and cloud service customers.
Would you like to give your business a competitive advantage, protect your brand, reduce risk by ensuring that risks are identified and controls are in place, protect against fines and help grow your business?
ISO 27018-CODE OF PRACTICE FOR PROTECTION OF PII IN PUBLIC CLOUDS ACTING AS PII PROCESSORS
1. Introduction to ISO/IEC 27018:2019-Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors.
This standard provides guidance aimed at ensuring that cloud service providers (such as Amazon and Google) offer suitable information security controls to protect the privacy of their customers’ clients by securing Personally Identifiable Information entrusted to them.
The standard will be followed by ISO/IEC 27017 covering the wider information security angles of cloud computing, other than privacy.
2. What is ISO 27018:2019?
It specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services.
3. Why ISO 27018:2019?
- Vast quantities of data are held in the public cloud, necessitating thorough protection requirements.
- Data breaches can result in loss of individual rights and freedoms, identity theft, monetary penalties and serious reputational damage for the responsible data controller.
- It supports compliance obligations to protect personal data and ensure it is treated in accordance with the law.
- It suits any organisation, large or small, in any sector, and is especially suitable where personal data such as payroll, HR or client payment details is stored in a cloud environment.
- If your organisation is already implementing an ISO 27001 ISMS, then you are covered for 70% of the regulations within ISO 27001. However, if you are operating using cloud-based technologies, then ISO 27018 has been seen as an effective bolt-on standard, as companies wish to demonstrate GDPR compliance specifically for data that is stored in the cloud.
Would you like to reduce the risk of a data breach, avoid fines, protect customers, improve brand reputation, instil a security mindset, establish a starting point for other regulations and gain peace of mind?
PCI DSS-PAYMENT CARD INDUSTRY DATA SECURITY STANDARD FOR COMPLIANCE
1. Introduction to PCI DSS-Payment Card Industry Data Security Standard Compliance
Maintaining payment security is required for all entities that store, process or transmit cardholder data. Guidance for maintaining payment security is provided in PCI security standards. These set the technical and operational requirements for organizations accepting or processing payment transactions, and for software developers and manufacturers of applications and devices used in those transactions.
2. What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information. The PCI DSS was created jointly in 2004 by four major credit-card companies: Visa, MasterCard, Discover and American Express.
- It reduces the risk of debit and credit card data loss.
- It suggests how such loss can be prevented and detected, and how to react if a potential data breach occurs.
- It provides protection for both merchants and cardholders.
PCI DSS applies to all those associated with payment cards, including merchants of all sizes, financial institutions, point-of-sale vendors, and hardware and software developers.
Would you like to protect patients against the following violations?
- Disclosure or use of protected health information (PHI) without authorization;
- Absence or lack of technical safeguards for protected health information;
- Inability of patients to access their protected health information;
- Lost or stolen devices containing PHI data;
- Illegal or excessive access to patients’ files by employees.
HIPAA-Health Insurance Portability and Accountability Act
1. Introduction to HIPAA-Health Insurance Portability and Accountability Act:
The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data. Organizations which deal with protected health information (PHI) must have physical, network and process security measures in place, and follow them, to ensure HIPAA compliance. Anyone who provides treatment, payment or operations in healthcare, and their business associates (anyone who has access to patient information and provides support in treatment, payment or operations), must meet HIPAA compliance. Other entities, such as subcontractors and any other related business associates, also have to be in compliance.
2. What is HIPAA-Health Insurance Portability and Accountability Act?
The HIPAA Privacy Rule addresses the use and disclosure of individuals’ health information, called “Protected Health Information (PHI)”.
The HIPAA Privacy Rule is intended to assure that an individual’s health information is properly protected while allowing the flow of health information needed to provide and promote quality health care. The Privacy Rule permits important uses of information while protecting the privacy of people who seek healthcare.
The HIPAA Privacy Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed. Covered entities regulated by the Rule are required to comply with all of its applicable HIPAA requirements.
3. Why HIPAA-Health Insurance Portability and Accountability Act?
- Secure and confidential storage of patients’ data.
- Better coordination of healthcare data due to standardisation of data formats.
- Do away with health plan–specific reporting and filing requirements for hospitals and health care providers.
- Reduce paper involvement in managing healthcare records.
- Avoid sanctions due to improper handling of data records and data breaches.
4. HIPAA is applicable to:
HIPAA regulations cover medical centres, clinics and hospitals; private practices; outpatient providers; hospices and adult care providers; pharmacies; laboratories; and health plans and insurance providers.
Would you be interested in fewer incidents, improved incident management, faster response times, fewer interruptions to IT services, an integrated process for delivering IT services, improved customer satisfaction, client retention, and consistent service and delivery?
ISO 20000-IT SERVICE MANAGEMENT SYSTEM
1. Introduction to ISO 20000-1:2018-IT Service Management System
Service businesses exist to supply their customers with intangible benefits such as providing amenities, facilities, or advice. Perhaps to an even greater extent than physical goods, success in the service sector means understanding and meeting your customers’ expectations. But, in a fast-paced, digital world, these expectations constantly change.
In today’s dynamic service environment, ISO/IEC 20000-1:2018 can be combined with popular management methods (such as Agile, Lean or DevOps), service management frameworks and methodologies (ITIL®, COBIT®, CMMI-SVC®) and additional standards (ISO 9001, ISO/IEC 27001, ISO 31000) within the IT service management system.
2. What is ISO 20000-1:2018?
It is an international standard for quality management focused specifically on IT services. It ensures that the organization’s service delivery is carried out in a way that drives customer satisfaction through improved service.
This standard specifies requirements for the service provider to plan, establish, implement, operate, monitor, review, maintain and improve an IT SMS. The requirements include the design, transition, delivery and improvement of services to fulfil agreed service requirements.
3. Why ISO 20000-1:2018?
- To improve the quality of company services;
- To demonstrate the organization’s ability to meet customer requirements;
- To gain a competitive advantage;
- To demonstrate reliability.
4. To whom it is applicable:
- Any organization seeking services from service providers and requiring assurance that its service requirements are fulfilled;
- Any organization that requires a consistent approach by all its service providers, including those in the supply chain;
- Service providers who intend to demonstrate their capability for the design, transition, delivery and improvement of services that fulfil requirements.
Does your organization endure high volumes of client and stakeholder requests for assurance?
Does your company need assurance from the vendors that handle your sensitive data?
If you are a service organization and commonly face audit requests from customers, this could be the perfect certification to save you time and money while also providing security assurance to all your stakeholders.
SOC-Service Organization Control:
Developed by the American Institute of CPAs (AICPA), SOC 2 defines criteria for managing customer data based on five “trust service principles”: security, availability, processing integrity, confidentiality and privacy.
Although SOC 2 has very rigorous requirements, SOC 2 reports are unique to each organization. In line with its specific business practices, each organization designs its own controls to comply with one or more of the trust principles.
These internal reports provide you (along with regulators, business partners, suppliers, etc.) with important information about how your service provider manages data.
There are two types of SOC reports:
- Type I describes a vendor’s systems and whether their design is suitable to meet relevant trust principles.
- Type II details the operational effectiveness of those
2) SOC 2 certification
SOC 2 certification is issued by outside auditors. They assess the extent to which a vendor complies with one or more of the five trust principles based on the systems and processes in place.
The trust principles are broken down as follows:
a. Security:
The security principle refers to the protection of system resources against unauthorized access. Access controls help prevent potential system abuse, theft or unauthorized removal of data, misuse of software, and improper alteration or disclosure of information.
IT security tools such as network and web application firewalls (WAFs), two-factor authentication and intrusion detection are useful in preventing security breaches that can lead to unauthorized access to systems and data.
b. Availability:
The availability principle refers to the accessibility of the system, products or services as stipulated by a contract or service level agreement (SLA). As such, it sets the minimum acceptable performance level for the system.
This principle does not address system functionality and usability, but does involve security-related criteria that may affect availability. Monitoring network performance and availability, site failover and security incident handling are critical in this context.
c. Processing integrity:
The processing integrity principle addresses whether or not a system achieves its purpose (i.e., delivers the right data at the right price at the right time). Accordingly, data processing must be complete, valid, accurate, timely and authorized.
However, processing integrity does not necessarily imply data integrity. If data contains errors prior to being input into the system, detecting them is not usually the responsibility of the processing entity. Monitoring of data processing, coupled with quality assurance procedures, can help ensure processing integrity.
d. Confidentiality:
Data is considered confidential if its access and disclosure are restricted to a specified set of persons or organizations. Examples may include data intended only for company personnel, as well as business plans, intellectual property, internal price lists and other types of sensitive financial information.
Encryption is an important control for protecting confidentiality during transmission. Network and application firewalls, together with rigorous access controls, can be used to safeguard information being processed or stored on computer systems.
e. Privacy:
The privacy principle addresses the system’s collection, use, retention, disclosure and disposal of personal information in conformity with an organization’s privacy notice, as well as with the criteria set forth in the AICPA’s generally accepted privacy principles (GAPP).
Personally identifiable information (PII) refers to details that can distinguish an individual (e.g., name, address, Social Security number). Some personal data relating to health, race, sexuality and religion is also considered sensitive and generally requires an extra level of protection. Controls must be put in place to protect all PII from unauthorized access.