Security compliance is a legal concern for organizations in many industries today. Regulatory standards like PCI DSS, HIPAA, and ISO 27001 prescribe recommendations for protecting data and improving information security management in the enterprise.
ISO 27001 is a structured set of guidelines and specifications that assists organizations in developing their own information security framework.
ISO 27001 suggests development and implementation of a structured Information Security Management System (ISMS), which governs the security implementation and monitoring in an enterprise. The standard is designed to serve as a single 'reference point for identifying the range of controls needed for most situations where information systems are used'.
Report Preparation & Submission
We adopt a five-step methodology to manage the ISO 27001 implementation:
Step I: Understanding Business Functions
The purpose of this phase is to provide the initial planning and preparation for the assignment.
Step II: Data Acquisition
The purpose of this phase is to collect all relevant data pertaining to the scoped area. This is probably the most crucial phase, since it involves meeting the stakeholders and understanding their concerns.
Step III: Risk Assessment
Tensecure's risk assessment methodology is a multi-fold activity comprising the assignment of values to the identified critical information assets, threat assessment, a Vulnerability Assessment & Penetration Testing exercise, and a Gap Analysis.
Step IV: Design & Build
The purpose of this stage is to develop detailed and functional IT security policies and procedures for the client in line with ISO 27001.
Step V: Action Plan
The main purpose of this stage is to provide the client with a Security Improvement Program, which supports continuous improvement and helps the client obtain ISO 27001 certification.
PCI DSS version 3.2.1 comprises six control objectives, each containing one or more requirements. In all, there are 12 specific requirements under these control objectives. The verification and reporting process may vary depending on the level of the merchant or service provider. An organization is also expected to identify its category or type in order to determine which requirements apply to it.
Tensecure helps organizations meet all the requirements with the help of its robust consulting methodology. We ensure that these requirements are met through the following six steps:
Step I: Build & Maintain A Secure Network
Installing, configuring, and providing guidance on maintaining firewalls, intrusion detection and prevention systems, anti-virus and anti-spyware solutions.
Step II: Protect Card Holder Data
Identifying the storage, transit channel, transit method, archival and retrieval of credit card data and securing the same. Identifying and implementing the appropriate controls at each data interface and data container.
Step III: Maintain A Vulnerability Management Program
Conduct regular vulnerability identification, assessment and reporting exercises with fix implementation.
Step IV: Implement Strong Access Control Measures
Identify all logical and physical access points and ensure the access controls are present as per the requirement of the standard.
Step V: Regularly Monitor & Test Networks
Track and monitor all access to network resources and cardholder data. Regularly test security systems and processes.
Step VI: Maintain An Information Security Policy
Draft and maintain a well-defined information security policy which addresses all the prerequisites of the standard.