Audit & Compliance
Why do companies need Configuration Audit?
- Configuration Audits provide a mechanism for determining the degree to which the current state of the system is consistent with the latest baseline and documentation.
- Provide greater visibility into the status of a project by evaluating the status of the items.
- Determine the traceability from requirements and CRs to the implementation by investigating the baselines and changes to the baselines.
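The first bullet above describes the core mechanic of a configuration audit: measuring how far a system's current state has drifted from its approved baseline. The following is an added illustration, not code from the original page or from Elyan Labs; the baseline and the "current" host snapshot are constructed sample data for a hypothetical bastion host, and the key names are assumptions chosen for readability.

```python
"""Baseline configuration audit (added example, not part of the original page).

Compares a system's observed settings with its approved baseline and reports
the degree of consistency, plus every drifted, missing or unmanaged item.
All data below is constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed baseline: the latest approved configuration items for a
# hypothetical Linux bastion host (hypothetical key names).
BASELINE = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "sshd.Protocol": "2",
    "auditd.enabled": "yes",
    "firewall.default_policy": "drop",
    "ntp.server": "time.example.internal",
}

# Constructed snapshot of the same host as observed during the audit.
CURRENT = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "yes",   # drifted from the baseline
    "sshd.Protocol": "2",
    "firewall.default_policy": "drop",
    "ntp.server": "time.example.internal",
    "sshd.X11Forwarding": "yes",            # set on host, not covered by baseline
}


@dataclass
class AuditResult:
    compliant: list = field(default_factory=list)   # baseline items that match
    drifted: dict = field(default_factory=dict)     # key -> (expected, actual)
    missing: list = field(default_factory=list)     # in baseline, absent on host
    unmanaged: list = field(default_factory=list)   # on host, not in baseline

    @property
    def consistency(self) -> float:
        """Fraction of baseline items whose current value matches (1.0 if empty)."""
        total = len(self.compliant) + len(self.drifted) + len(self.missing)
        return len(self.compliant) / total if total else 1.0


def audit(baseline: dict, current: dict) -> AuditResult:
    """Classify every baseline item against the observed state."""
    result = AuditResult()
    for key, expected in baseline.items():
        if key not in current:
            result.missing.append(key)
        elif current[key] != expected:
            result.drifted[key] = (expected, current[key])
        else:
            result.compliant.append(key)
    # Items present on the host but absent from the baseline are a
    # documentation gap: either the baseline is stale or the change is unauthorised.
    result.unmanaged = sorted(set(current) - set(baseline))
    return result


def report(result: AuditResult) -> str:
    """Render the audit findings as plain text, one finding per line."""
    lines = [f"Baseline consistency: {result.consistency:.0%}"]
    for key, (expected, actual) in sorted(result.drifted.items()):
        lines.append(f"DRIFT     {key}: expected {expected!r}, found {actual!r}")
    for key in result.missing:
        lines.append(f"MISSING   {key}: required by baseline, not set on host")
    for key in result.unmanaged:
        lines.append(f"UNMANAGED {key}: set on host but not covered by baseline")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit(BASELINE, CURRENT)))
```

The consistency figure answers the "degree to which" question from the bullet; the UNMANAGED findings feed the traceability question, since every setting on a system should trace back to a baseline item or an approved change request.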
Information in this age has become the most important asset of any business. It acts like a currency, driving business and commerce across the world; consequently, taking a proactive approach to data protection can reduce the risk.
Each organisation has specific information security compliance duties that cannot be neglected. Protecting information means managing risk, but these duties are too often overlooked or brushed off because there is no standard approach to security and compliance obligations. Virtually all companies are exposed to cyber security risks in some way. Once you have a website and social media, use cloud services, or hold electronic data on your customers, you become a potential target, regardless of size, wealth or reputation. A security policy, guidelines and best practices have to be in place to verify that security measures keep the organisation's activities aligned with its strategic business security goals and standards.
- ISO 9001:2015(QMS)
- ISO 22301(Business Continuity Management)
- ISO 27001(ISMS)
- Risk Management Frameworks: NIST SP 800-30 and ISO 31000
- SOC type 1 and 2
- GDPR Certified
- PCI DSS
- COBIT 5
ISO 9001:2015 is the latest, updated version of the ISO 9001 standard. The digits '9001' stand for 'quality management system (QMS)' and '2015' is the year of revision. Hence ISO 9001:2015 is the certification of an organisation's quality management system. QMS (ISO 9001) certification encompasses every aspect of your business, from planning and purchasing through to after-sales service. Achieving an ISO 9001 certificate therefore means that you have well-defined and well-implemented SOPs for all your business processes. ISO 9001 certification is a symbol of trust for your customers.
Benefits of ISO 9001 Certification
ISO 9001:2015 certification brings immense benefits to your organisation. A few important benefits are:
1. QMS improves your working system
2. Your organisation is no longer dependent on individual people
3. Properly implemented ISO 9001 standard reduces business losses
4. ISO 9001 certification is very helpful in winning overseas business
5. ISO certification is required in different government & private tenders
6. ISO 9001 certificate improves corporate & social image of your organisation
ISO 22301 (Business Continuity Management)
ISO 22301:2019, Security and resilience – Business continuity management systems – Requirements, is a management system standard published by the International Organization for Standardization. It specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of, prepare for, respond to, and recover from disruptive incidents when they arise. It is intended to be applicable to all organizations, or parts thereof, regardless of the type, size and nature of the organization.
ISO 22301 has adopted the new format for writing management system standards and it includes the following ten main clauses:
3. Terms and definitions
ISO 27001 (ISMS, Information Security Management System)
ISO 27001:2013 is a universally recognised ISMS standard developed by 'ISO' (International Organization for Standardization). This standard provides guidelines on how to establish an effective information security management system (ISMS) in an organisation.
ISO 27001 standard can be used by any organisation to protect its data & avoid possibilities of potential 'cyber attacks'.
Benefits of ISO 27001:2013
ISO 27001:2013 is the only auditable global ISMS standard with worldwide acceptance. By implementing an ISMS you can assure your clients that their crucial information is secured in your organisation.
ISO 27001 helps you in meeting requirements of GDPR (General Data Protection Regulation) & hence you become able to meet contractual & legal responsibilities.
Risk Management Frameworks: NIST SP 800-30 and ISO 31000
The Risk Management Framework is a United States federal government policy and set of standards, developed by the National Institute of Standards and Technology, to help secure information systems (computers and networks).
The Risk Management Framework (RMF), illustrated at right, provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle.
The RMF steps include:
- Categorize: categorize the information system and the information it processes, stores, and transmits based on an impact analysis. The vested parties are identified.
- Select: select an initial set of baseline security controls for the information system based on the security categorization, tailoring and supplementing the baseline as needed based on an organizational assessment of risk and local conditions. Any overlays that apply to the system are added in this step.
- Implement: the security controls identified in Step 2 (Select) are applied in this step.
- Assess: a third-party entity assesses the controls and verifies that they are properly applied to the system.
- Authorize: the information system is granted or denied an Authority to Operate (ATO); in some cases the decision may be postponed while certain items are fixed. The ATO is based on the report from the Assess step.
- Monitor: the security controls in the information system are monitored in the pre-planned fashion documented earlier in the process. An ATO is good for 3 years, so every 3 years the process needs to be repeated.
SOC type 1 and 2
Service organization control (SOC) reports can be either a Type 1 or a Type 2 report.
A Type 1 report is management’s description of a service organization’s system and a service auditor’s report on that description and on the suitability of the design of controls.
A Type 2 report goes a step further, where the service auditor also reports on the operating effectiveness of those controls. The differences between the reports are:
- A Type 1 report describes the procedures and controls that have been installed, while a Type 2 report provides evidence about how those controls have operated over a period of time.
- A Type 1 report attests to the suitability of the controls being used, while a Type 2 report contains an opinion regarding the operating effectiveness of those controls over the audit period.
- A Type 1 report describes procedures and controls as of a specific point in time, while a Type 2 report covers how the controls have been operating during the audit period.
The General Data Protection Regulation (GDPR) is a new set of rules created by the European Parliament in April 2016. Under this regulation, any company or individual that processes data by which an individual can be identified will also be held responsible for the protection of that data. This includes third parties such as cloud providers. Every company who wants to do business in an EU country needs to comply. In this blog, the 6 basic principles of the GDPR are explained.
The GDPR's Basic Principles
The principles of the GDPR are focused on the privacy rights of every person when it comes to collecting and processing their data:
- The Principles of Lawfulness, Fairness, and Transparency: These dictate that personal data must be processed in a way that is lawful, fair and transparent to the data subject.
- The Principle of Purpose Limitation: The data processors can only use the data for the objectives they’ve explicitly described and justified.
- The Principle of Data Minimization: The information that is required has to be relevant for its purpose and limited to what is necessary.
- The Principle of Trueness and Accuracy: If some of the data is inaccurate, it should be removed or rectified.
- The Principle of Storage Limitation: Data is kept in a form which permits identification of persons for no longer than is necessary for the purposes for which the personal data is processed.
- The Principle of Integrity and Confidentiality: This principle stands for taking all required measures to ensure that all personal data is protected.
The Payment Card Industry Data Security Standard (PCI DSS), formed in 2006, is a structure created by the PCI Security Standards Council. This open global forum raises awareness of, manages, educates on and develops the PCI Security Standards. Because payment card technology develops rapidly, the PCI SSC is responsible for the standard's regular updates. The main aim of PCI DSS is to set operational and technical requirements for those who hold cardholder data, so that breaches of payment data security and fraudulent payment card activity decrease.
A PCI DSS compliance assessment performs a gap analysis and the required testing in order to inform the client of the controls that need remediation to achieve PCI compliance. The assessment includes a review of the cardholder production network and supporting technical documentation. The assessment process may include interviews with company personnel to determine which PCI requirements are in place and where remediation is required.
PCI DSS Compliance Process
- Comprehensive review of cardholder data locations (the cardholder data environment, CDE) and applications
- Review of cardholder data systems
- Evaluate System Security
- Evaluate Environment Security
- Evaluate Non-Technical Environment
- Remediation support
Benefits of PCI DSS Compliance
- Reduces the cost of a data breach
- Improves customer relationships
- Protects your clients
- Provides a security standard
The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for sensitive patient data protection. Companies that deal with protected health information (PHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA compliance. Covered entities (anyone providing treatment, payment, and operations in healthcare) and business associates (organizations that have access to patient information and provide support in treatment, payment, or operations) must meet HIPAA compliance. Other entities, such as subcontractors and any other related business associates, must also be compliant.
Elyan Labs consults on HIPAA compliance, which is mandatory when organizations deal with PHI in any way. HIPAA exists to protect the security and the privacy of patients and their information. The act covers both protection from breaches and the necessary steps that must be taken if a violation does occur.
Elyan Labs ensures clients' successful compliance with policies and procedures. Our team of Subject Matter Experts has the knowledge and skills to provide consultancy and implementation services for implementing the standard.
What is COBIT 5?
COBIT 5 is the only business framework for the governance and management of enterprise IT. It is the product of a global task force and development team from ISACA, a non-profit, independent association of more than 140,000 governance, security, risk and assurance professionals in 187 countries.
COBIT 5 incorporates the latest thinking in enterprise governance and management techniques, and provides globally accepted principles, practices, analytical tools and models to help increase the trust in, and value from, information systems.
COBIT 5 builds and expands on COBIT 4.1 by integrating other major frameworks, standards and resources, including ISACA's Val IT and Risk IT, Information Technology Infrastructure Library (ITIL®) and related standards from the International Organization for Standardization (ISO).
Why use COBIT 5?
New user demands, industry-specific regulations and risk scenarios emerge every day. Maximizing the value of intellectual property, managing risk and security and assuring compliance through effective IT governance and management has never been more important.
No other framework focused on enterprise IT offers the breadth or benefits of COBIT. It helps enterprises of all sizes:
- Maintain high-quality information to support business decisions
- Achieve strategic goals through the effective and innovative use of IT
- Achieve operational excellence through reliable, efficient application of technology
- Maintain IT-related risk at an acceptable level
- Optimize the cost of IT services and technology
- Support compliance with relevant laws, regulations, contractual agreements and policies
Who uses COBIT 5?
COBIT 5 is generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.
COBIT 5 is used globally by those who have the primary responsibility for business processes and technology, depend on technology for relevant and reliable information, and provide quality, reliability and control of information and related technology.
Key COBIT 5 users include enterprise executives and consultants in the following areas:
- Audit and Assurance
- IT Operations
- Security and Risk Management
The HITRUST CSF (created to stand for "Common Security Framework", since rebranded as simply the HITRUST CSF) is a prescriptive set of controls that meet the requirements of multiple regulations and standards. The framework provides a way to comply with standards such as ISO/IEC 27000-series and HIPAA. Since the HITRUST CSF incorporates various security, privacy, and other regulatory requirements from existing frameworks and standards, some organizations utilize this framework to demonstrate their security and compliance in a consistent and streamlined manner.
Developed in collaboration with healthcare and information security professionals, the HITRUST CSF rationalizes healthcare-relevant regulations and standards into a single overarching security framework. Because the HITRUST CSF is both risk- and compliance-based, organizations can tailor the security control baselines based on a variety of factors, including organization type, size, systems, and regulatory requirements.
By continuing to improve and update the CSF, HITRUST has made the HITRUST CSF the most widely adopted security framework in the U.S. healthcare industry. The commitment and expertise demonstrated by HITRUST ensure that healthcare organizations leveraging the framework are prepared when new regulations and security risks are introduced.