Governance, Risk Management & Compliance (GRC)

What is ISO 27001?

ISO 27001 is the international standard that specifies the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS), and it is the standard against which an organisation's ISMS can be certified. It relates to all information assets in an organisation regardless of the media on which they are stored or where they are located. The figures usually quoted for it (11 domain areas, 39 control objectives and 133 controls in Annex A) describe the 2005 edition; later editions restructured Annex A (114 controls in 14 domains in ISO 27001:2013, 93 controls in four themes in ISO 27001:2022), so the edition being assessed against should always be stated. The controls represent information security best practice, and the standard requires that they be selected on the basis of a risk assessment and the organisation's business requirements, with the selection and any exclusions justified in a Statement of Applicability. The ISMS governs how security is implemented and monitored in the enterprise. The standard is designed to serve as a single ‘reference point for identifying the range of controls needed for most situations where information systems are used’.

Benefits of ISO 27001 Implementation

  • Helps bring your organisation into compliance with legal, regulatory and statutory requirements.
  • Market differentiation due to the positive influence on company reputation.
  • Strengthens your organisation's standing as a trusted vendor.
  • Increases overall organisational efficiency and operational performance.
  • Minimises internal and external risks to business continuity.
  • ISO 27001 certification is recognised worldwide.
  • Reduces the likelihood and impact of security and privacy breaches.
  • Provides a process for information security and corporate governance.
  • Reduces operational risk as threats are assessed and vulnerabilities are mitigated.
  • Provides your organisation with continuous protection that allows for a flexible, effective and defensible approach to security and privacy.

Adactin Approach

Adactin adopts a six-step consulting methodology to manage the ISO 27001 implementation:

Step I: Understanding Business Functions
Step II: Data Acquisition
Step III: Risk Assessment
Step IV: Prioritise
Step V: Design & Build
Step VI: Action Plan

Payment Security

PCI DSS QSA

Adactin Group provides consulting and compliance assessment services to help organisations achieve and demonstrate compliance with the PCI DSS. These include conducting gap analysis, implementing the necessary controls and preparing the Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ).

PCI DSS is published by the PCI Security Standards Council (PCI SSC), which was founded by the major payment card brands, and is aimed at protecting cardholder data. The standard requires merchants and service providers that store, process or transmit cardholder data to validate compliance on an ongoing basis, including quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) and an annual assessment, after implementing the standard.

PCI DSS Requirements – PCI DSS version 3.2.1 comprises six control objectives, each containing one or more requirements; in all there are 12 specific requirements under these objectives. (Version 3.2.1 was retired on 31 March 2024 in favour of PCI DSS v4.0, which keeps the same 12-requirement structure, so new engagements should be scoped against v4.0.) The validation and reporting process varies with the merchant or service-provider level, which is set by annual transaction volume. An organisation is therefore expected first to identify its level and the SAQ type that applies to it, since these determine which requirements apply and how compliance must be validated (SAQ or ROC by a QSA).

Benefits of Implementing PCI DSS

Some of the benefits of implementing PCI DSS are as follows:

  • Provides guidance to organisations for protecting customer card data
  • Provides assurance to customers that their card data is stored, transmitted and used securely
  • Helps avoid card-brand fines in the event of a breach
  • Establishes the organisation's security posture and drives improvement
  • Helps prioritise investment in infrastructure

Adactin Approach

Adactin helps organisations meet all 12 requirements with the help of its consulting methodology. The requirements, grouped under the six PCI DSS control objectives, are as follows:

  • Build and Maintain a Secure Network and Systems
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy

PA DSS

In addition to consulting services for PCI DSS, we provide services for validating payment applications against PA DSS – the Payment Application Data Security Standard (previously known as PABP – Payment Application Best Practices). Note that the PCI SSC closed the PA-DSS programme in October 2022 and replaced it with the PCI Software Security Framework (Secure Software Standard and Secure SLC Standard); applications seeking a new listing are now assessed against that framework.

Secure payment applications, when implemented in a PCI DSS compliant environment, minimise the potential for breaches that compromise sensitive authentication data: full magnetic stripe (track) data, card verification codes and values (CAV2, CID, CVC2, CVV2), and PINs and PIN blocks.

PA DSS Requirements – Adactin helps organisations meet all the requirements of PA DSS, given its background in application security audits and PCI DSS implementations. The requirements of the standard range from not retaining sensitive authentication data after authorisation, encrypting sensitive traffic over public networks and encrypting non-console administrative access, to securely deleting sensitive data once it is no longer needed, logging payment application activity and providing secure remote software updates, as set out in the ‘PA-DSS Requirements and Security Assessment Procedures’ document on the council's web site.

Services and Benefits from Adactin:

We offer the following services independently and collectively as part of the PA DSS implementation exercise.

  • Identifying ‘your’ PA DSS requirements
  • Gap Analysis
  • Designing a road map for closing identified gaps
  • Source Code Review
  • Application Security Assessment
  • Coordination with the PA-QSA (the assessor qualified by the PCI SSC to validate payment applications)

Risk Assessment

Adactin provides Information Security Risk Management consulting services for managing and mitigating the risks to the organisation.

Assessing information security risks is one element of a broader set of risk management activities. Other elements include establishing a central management focal point, implementing appropriate policies and related controls, promoting awareness, and monitoring and evaluating policy and control effectiveness.

A Risk Assessment exercise typically consists of the following activities:

  • Review Information Security Policy and Network Security Architecture and advise on and agree scope of the Information Security Management System
  • Agree control objectives (Statement of Applicability)
  • Review controls (interview, observation, inspection)
  • Information Security Management status report and findings
  • Final report with recommendations for improvement and options for implementation of ISO 27001.
  • Implement the recommendations to bridge the identified gaps

Adactin Approach

As reliance on computer systems and electronic data has grown, information security risk has joined the array of risks that governments and businesses must manage. Regardless of the type of risk being considered, a risk assessment generally includes the following elements:

  • Identifying threats that could harm and, thus, adversely affect critical operations and assets
  • Estimating the likelihood that such threats will materialise based on historical information and judgment of knowledgeable individuals
  • Identifying and ranking the value, sensitivity and criticality of the operations and assets that could be affected should a threat materialise, in order to determine which operations and assets are the most important
  • Estimating for the most critical and sensitive assets and operations, the potential losses or damage that could occur if a threat materialises, including recovery costs
  • Identifying cost-effective actions to mitigate or reduce the risk. These actions can include implementing new organisational policies and procedures as well as technical or physical controls
  • Documenting the results and developing an action plan

HIPAA

What is HIPAA Compliance?
Protecting the confidentiality, integrity and availability of patient information became a legal requirement for healthcare organisations with the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA is a US federal law, passed in 1996, designed to protect the privacy of individually identifiable health information in both physical and electronic form. It provides continuity and portability of health benefits to individuals between jobs (Portability) and provides measures to combat fraud and abuse in health insurance and health care delivery (Accountability). Its Privacy Rule governs the use and disclosure of protected health information (PHI), and its Security Rule sets administrative, physical and technical safeguards for PHI held electronically (ePHI).

HIPAA applies to three types of Covered Entity (CE):

  • Health care providers that transmit health information electronically (e.g., physicians, hospitals)
  • Health plans, including health insurance companies; and
  • Health care clearinghouses (facilitators that process health information for billing purposes)

Business associates that create, receive, maintain or transmit PHI on behalf of a CE are also directly liable for compliance with the Security Rule under the HITECH Act (2009).

How can we help?

Regardless of size or complexity, if an organisation is a CE, there are 8 key steps it should consider when preparing to comply with the Security Rule.

  • Obtain and maintain senior management support
  • Develop and implement security policies and procedures
  • Conduct and maintain an inventory of ePHI
  • Be aware of political and cultural issues raised by HIPAA
  • Conduct regular and detailed risk analysis
  • Determine what is appropriate and reasonable
  • Documentation
  • Prepare for ongoing compliance