Compliances & Certifications
Compliance with standard practices has become the most crucial factor in running a successful business or, in other terms, in gaining the confidence of global clients.
Arete Software (P) Ltd can assist you in streamlining your processes to required global standards.
International Organization for Standardization 27001 Compliance : The ISO/IEC 27000-series (also known as the 'ISMS Family of Standards' or 'ISO27k' for short) comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The ISO 27001 standard was published in October 2005, essentially replacing the old BS7799-2 standard. It is the specification for an Information Security Management System (ISMS).
ISO 27001 enhanced the content of BS7799-2 and harmonized it with other standards.
The objective of the standard itself is to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System". Adopting the standard should be a strategic decision. Further, "The design and implementation of an organization's ISMS is influenced by their needs and objectives, security requirements, the process employed and the size and structure of the organization".
The series is deliberately broad in scope, covering more than just privacy, confidentiality and IT or technical security issues. It is applicable to organizations of all shapes and sizes. All organizations are encouraged to assess their information security risks, and then implement appropriate information security controls according to their needs, using the guidance and suggestions where relevant. Given the dynamic nature of information security, the ISMS concept incorporates continuous feedback and improvement activities, summarized by Deming's "plan-do-check-act" approach, that seek to address changes in the threats, vulnerabilities or impacts of information security incidents.
The ISO/IEC 27001 certification, like other ISO management system certifications, usually involves a three-stage audit process:
- Stage 1 is a "table top" review of the existence and completeness of key documentation such as the organization's security policy, Statement of Applicability (SoA) and Risk Treatment Plan (RTP).
- Stage 2 is a detailed, in-depth audit involving testing the existence and effectiveness of the information security controls stated in the SoA and RTP, as well as their supporting documentation.
- Stage 3 is a follow-up reassessment audit to confirm that a previously-certified organization remains in compliance with the standard. Certification maintenance involves periodic reviews and re-assessments to confirm that the ISMS continues to operate as specified and intended.
Payment Card Industry Data Security Standard : The PCI DSS, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International, to help facilitate the broad adoption of consistent data security measures on a global basis.
The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.
The PCI Security Standards Council will enhance the PCI DSS as needed to ensure that the standard includes any new or modified requirements necessary to mitigate emerging payment security risks, while continuing to foster wide-scale adoption.
Ongoing development of the standard will provide for feedback from the Advisory Board and other participating organizations. All key stakeholders are encouraged to provide input during the creation and review of proposed additions or modifications to the PCI DSS.
The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
World Wide Web Consortium :
The World Wide Web Consortium (W3C) develops interoperable technologies (specifications, guidelines, software, and tools) to lead the Web to its full potential. W3C is a forum for information, commerce, communication, and collective understanding.
W3C primarily pursues its mission through the creation of Web standards and guidelines. Since 1994, W3C has published more than 110 such standards, called W3C Recommendations. W3C also engages in education and outreach, develops software, and serves as an open forum for discussion about the Web. In order for the Web to reach its full potential, the most fundamental Web technologies must be compatible with one another and allow any hardware and software used to access the Web to work together. W3C refers to this goal as “Web interoperability.” By publishing open (non-proprietary) standards for Web languages and protocols, W3C seeks to avoid market fragmentation and thus Web fragmentation.
Health Insurance Portability and Accountability Act Compliance : HIPAA compliance requirements are designed to provide safe and protected electronic health records and a national healthcare network for transmitting patient information throughout the healthcare industry, providing countless benefits to healthcare professionals and especially to patients.
The HIPAA Security Rule was enacted in 2003, when the U.S. Department of Health and Human Services (HHS) Centers for Medicare and Medicaid Services (CMS) executed formal measures to help protect sensitive health information. The security requirements for electronic protected health information under the Health Insurance Portability and Accountability Act (HIPAA) are to be implemented by health plans, healthcare clearinghouses, and certain healthcare providers. HIPAA Title II defines the Privacy and Security Rules.
While the Privacy Rule pertains to all Protected Health Information (PHI), both paper and electronic, the Security Rule deals specifically with Electronic Protected Health Information (EPHI). It lays out three types of security safeguards required for compliance: administrative, physical, and technical. For each of these types, the Rule identifies various security standards, and for each standard, it names both required and addressable implementation specifications. Required specifications must be adopted and administered as dictated by the Rule. Addressable specifications are more flexible: individual covered entities can evaluate their own situation and determine the best way to implement them.
Sarbanes-Oxley Act : The Sarbanes-Oxley Act of 2002, also known as the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called Sarbanes-Oxley, Sarbox or SOX, is a United States federal law enacted on July 30, 2002, designed to protect investors by improving the accuracy and reliability of corporate disclosures made in accordance with securities laws. SOX standards must be followed, or strict penalties for noncompliance can result. The federal government continues to refine SOX mandates, and in 2007 the U.S. Securities and Exchange Commission (SEC) approved a new auditing standard for internal controls. The most contentious aspect of SOX is Section 404, which requires management and the external auditor to report on the adequacy of the company's internal control over financial reporting (ICFR). The assessment must also be reviewed and judged by an outside auditing firm. The impact of Section 404 is substantial in that a large amount of resources is needed for compliance. A comprehensive review of all internal controls related to financial reporting is a daunting task. The issue is that modern financial reporting systems are heavily dependent on technology and its associated controls. Any review of internal controls would not be complete without addressing controls around information security. An insecure system would not be considered a source of reliable financial information because of the possibility of unauthorized transactions or manipulation of numbers.
This is the most costly aspect of the legislation for companies to implement, as documenting and testing important financial manual and automated controls requires enormous effort.
This new standard requires going beyond monitoring security events from the network level. Now you should monitor and secure compliance-related data and applications throughout your enterprise by monitoring at both the application level and network activity level. Monitoring user activity is particularly important for maintaining separation of duties, and most important of all, for adopting a true policy-driven security program.
Control Objectives for Information and related Technology :
COBIT provides good practices across a domain and process framework and presents activities in a manageable and logical structure. COBIT's good practices represent the consensus of experts. They are focused strongly on control and less on execution. These practices will help optimize IT-enabled investment, ensure service delivery and provide a measure against which to judge when things do go wrong.
The COBIT control framework contributes to these needs by:
- Making a link to the business requirements.
- Organizing IT activities into a generally accepted process model.
- Identifying the major IT resources to be leveraged.
The business orientation of COBIT consists of linking business goals to IT goals, providing metrics and maturity models to measure their achievement, and identifying the associated responsibilities of business and IT process owners.
Gramm-Leach-Bliley Act Compliance : The Financial Modernization Act of 1999, also known as the "Gramm-Leach-Bliley Act" or GLB Act, includes provisions to protect consumers’ personal financial information held by financial institutions. It requires financial institutions to develop, implement, and maintain a comprehensive written information security program that protects the privacy and integrity of customer records.
There are three principal parts to the privacy requirements: the Financial Privacy Rule, Safeguards Rule and pretexting provisions.
The Safeguards Rule requires financial institutions to develop a written information security plan that describes how the company is prepared to protect, and plans to continue protecting, clients' nonpublic personal information. (The Safeguards Rule also applies to information of those who are no longer consumers of the financial institution.) This plan must include:
- Designating at least one employee to manage the safeguards,
- Conducting a thorough risk analysis of each department handling the nonpublic information,
- Developing, monitoring, and testing a program to secure the information, and
- Changing the safeguards as needed with changes in how information is collected, stored, and used.
This rule is intended to do what most businesses should already be doing: protecting their clients. The Safeguards Rule forces financial institutions to take a closer look at how they manage private data and to do a risk analysis on their current processes. No process is perfect, so this has meant that every financial institution has had to make some effort to comply with the GLBA.
Banking regulators now require financial institutions to evolve beyond point-security products. You must now employ an integrated security strategy that establishes perimeter security as well as security inside the network and among all databases, applications, and end-point devices such as laptops, PCs, wired and wireless devices, PDAs, and more. All devices on your network must:
- Collaborate to ensure proactive security is working effectively
- Adapt in real-time to your institution’s changing risk profile and new security threat events as they occur
Your financial institution can't achieve this proactive security culture without the help of automated security compliance management solutions that are integrated throughout your users, databases, applications, and network to enable real-time monitoring of all activity. You must have a logging, monitoring, and incident response capability that allows you to prevent, detect, and respond rapidly in real time to internal and external threats.
Security Compliance Management for GLBA
With the continuous updates to the GLBA information security mandates, your financial institution must adopt a risk management and security compliance strategy with the right technology solutions that will help you:
- Establish best practice controls
- Continuously manage your risk
- Know when material events occur
- Lower your compliance cost
- Enable security compliance
- Build accountability and trust
- Protect customer data
- Provide an ongoing and detailed audit and forensic trail
Whether you’re beginning to explore the importance of collecting and analyzing log data, enhancing your security practices to protect your applications and databases from insider threats, or need real-time actionable security and GLBA compliance information throughout your enterprise, net-Forensics can help you meet all your security compliance management challenges.