Governance, Risk Management & Compliance (GRC)
What is ISO 27001?
ISO 27001 is a structured set of guidelines and specifications that assists organisations in developing their own information security framework. The standard covers all information assets in an organisation, regardless of the media on which they are stored or where they are located.
ISO 27001 has 11 domain areas, 39 control objectives and 133 controls in all. The security controls represent information security best practice, and the standard expects them to be applied according to the organisation's business requirements.
ISO 27001 calls for the development and implementation of a structured Information Security Management System (ISMS), which governs how security is implemented and monitored across the enterprise. The standard is designed to serve as a single ‘reference point for identifying the range of controls needed for most situations where information systems are used’.
Benefits of ISO 27001 Implementation
Some of the benefits of implementing the ISO 27001 standard are as follows:
- Brings your organisation into compliance with legal, regulatory and statutory requirements.
- Market differentiation through the positive influence on company reputation.
- Increases your organisation's standing as a vendor.
- Increases overall organisational efficiency and operational performance.
- Minimises internal and external risks to business continuity.
- ISO 27001 certification is recognised worldwide.
- Significantly limits security and privacy breaches.
- Provides a process for information security and corporate governance.
- Reduces operational risk as threats are assessed and vulnerabilities are mitigated.
- Provides your organisation with continuous protection that allows for a flexible, effective and defensible approach to security and privacy.
Adactin adopts a six-step consulting methodology to manage the ISO 27001 implementation:
Step I: Understanding Business Functions
Step II: Data Acquisition
Step III: Risk Assessment
Step IV: Prioritise
Step V: Design & Build
Step VI: Action Plan
PCI DSS QSA
Adactin Group provides consulting and compliance certification services for complying with and auditing against the PCI DSS standard. These include conducting gap analysis, implementing the necessary controls and preparing the Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ).
PCI DSS is jointly released by the credit card companies and aimed at protecting cardholder data. The standard requires members, merchants and service providers using credit card facilities to carry out regular PCI scans and PCI security audits after implementing the standard.
PCI DSS Requirements – PCI DSS version 3.2.1 comprises six control objectives, each containing one or more requirements; in all there are 12 specific requirements under these control objectives. The verification and reporting process varies with the level of the merchant or service provider. An organisation is also expected to identify its category or type in order to determine which requirements apply to it.
Adactin helps organisations meet all the requirements with the help of its robust consulting methodology. The six control objectives are as follows:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
Benefits of Implementing PCI DSS
Some of the benefits of achieving PCI DSS compliance are as follows:
- Provides guidance to organisations on protecting customer data
- Provides assurance to customers that their personal data is stored, transmitted and used securely
- Helps avoid fines in the event of an incident
- Establishes the current security posture and identifies improvements
- Helps prioritise investment in infrastructure
PA DSS
In addition to consulting services for PCI DSS, we provide services for bringing applications into compliance with PA DSS – the Payment Application Data Security Standard (previously known as PABP – Payment Application Best Practices).
Secure payment applications, when deployed in a PCI DSS compliant environment, minimise the potential for security breaches leading to the compromise of full magnetic stripe data, card validation codes and values (CAV2, CID, CVC2, CVV2), PINs and PIN blocks.
PA DSS Requirements – Adactin helps organisations meet all the requirements of PA DSS, drawing on its background in application security audits and PCI DSS implementations. The requirements of the standard range from encrypting sensitive traffic over public networks and non-console administrative access, to purging sensitive data once it has been used, logging payment application activity, ensuring secure remote software updates, and more, as set out in the ‘Requirements and Security Assessment Procedures’ document on the council’s web site.
Services and Benefits from Adactin:
We offer the following services independently and collectively as part of the PA DSS implementation exercise.
- Identifying ‘your’ PA DSS requirements
- Gap Analysis
- Designing a road map for closing the identified gaps
- Source Code Review
- Application Security Assessment
- Coordination with PA DSS QSA
What is HIPAA Compliance?
Protecting the confidentiality, integrity and availability of patient information became a legal requirement for healthcare organisations through the Health Insurance Portability and Accountability Act (HIPAA).
HIPAA is a US federal law designed to protect the privacy of individually identifiable patient information, both physical and electronic. It provides continuity and portability of health benefits to individuals between jobs, and also provides measures to combat fraud and abuse in health insurance and health care delivery (accountability).
HIPAA compliance applies to three types of Covered Entities (CE). They are:
- Health care providers who transmit information electronically (e.g., physicians, hospitals)
- Health care insurance companies; and
- Health care clearinghouses (facilitators that process health information for billing purposes)
How can we help?
Regardless of size or complexity, if an organisation is a CE there are 8 key steps it should consider when preparing to comply with the Security Rule.
- Obtain and Maintain Senior Management Support
- Develop and Implement Security Policies & Procedures
- Conduct and Maintain Inventory of ePHI
- Be Aware of Political and Cultural Issues Raised by HIPAA
- Conduct Regular and Detailed Risk Analysis
- Determine what is Appropriate and Reasonable
- Prepare for Ongoing Compliance