PREPARATION FOR COMPLIANCE
Our practice provides IT compliance readiness services to align business systems and operations with information security standards such as ISO 27001, SOC 2, PCI DSS, SOX and others. Standards compliance readiness is aimed at helping businesses develop and implement effective IT policies, procedures and business process controls for quality business conduct and a secure information processing environment.
Our compliance readiness service includes a business-wide asset enumeration and evaluation in terms of confidentiality, integrity and availability, followed by a threat and impact analysis. The risk is then evaluated based on the vulnerabilities and business impact for each company asset and presented in a quantitative manner that management can acknowledge and control.
The risk assessment of any business consists of the following steps:
- Asset Evaluation - Each physical and digital asset of the company is assigned a value for its confidentiality, integrity and availability. A range of 1-3 is used for each of the three areas of security (1 = Low, 2 = Medium, 3 = High). Summing the three ratings gives each asset a value between 3 and 9 depending on its importance to the business.
- Vulnerability Assessment - A vulnerability rating is defined for each asset using network and vulnerability scanners that allow us to determine the vulnerabilities in the network protocols, systems and applications in use. This assessment is done from both an external and an internal perspective to cover the various attack scenarios.
- Impact & Probability - Following simulation scenarios for the various threats on each of the assets, an impact rating is assigned showing the severity of the effects on the business. The probability rating can be based on the statistical business history and future market trends and predictions.
- Risk - Through a quantitative risk-based approach we can now calculate the risk value for each of the business assets. This is done by defining risk as:
Once the risks have been calculated, the company has to define an acceptable risk value and see where controls or mitigation procedures are needed to reduce the risk to acceptable levels across the board. This risk assessment process is a long, in-depth analysis that takes around 2 months for an average-sized organization. The deliverables include a complete asset register, a vulnerability assessment report and a business-wide risk assessment matrix.
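The following script is an added illustration of the four assessment steps and the acceptable-risk comparison described above; it is not the practice's own tooling. The CIA scoring (1-3 per area, summed to 3-9) follows the text. The risk formula used (asset value multiplied by the vulnerability, impact and probability ratings) is an assumption for the sake of the example, since the page does not state its own definition, and the assets are constructed sample data.

```python
"""Quantitative risk register: CIA-based asset value, assumed risk product,
and a check against an acceptable-risk threshold (added example)."""
from dataclasses import dataclass

LOW, MEDIUM, HIGH = 1, 2, 3


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int   # 1-3 rating (Asset Evaluation step)
    integrity: int         # 1-3 rating
    availability: int      # 1-3 rating
    vulnerability: int     # 1-3 rating from the scanning step
    impact: int            # 1-3 severity from the threat simulation step
    probability: float     # 0.0-1.0 likelihood over the assessment period

    def __post_init__(self):
        # Reject ratings outside the 1-3 scale the methodology uses.
        for field in ("confidentiality", "integrity", "availability",
                      "vulnerability", "impact"):
            if getattr(self, field) not in (LOW, MEDIUM, HIGH):
                raise ValueError(f"{field} must be 1, 2 or 3")
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError("probability must be between 0 and 1")


def asset_value(a: Asset) -> int:
    """Sum of the three CIA ratings: 3 (all Low) to 9 (all High)."""
    return a.confidentiality + a.integrity + a.availability


def risk_value(a: Asset) -> float:
    """ASSUMED formula: asset value x vulnerability x impact x probability.
    The page does not give its own risk definition; this product form is a
    placeholder chosen for the example."""
    return asset_value(a) * a.vulnerability * a.impact * a.probability


def risk_matrix(assets, acceptable_risk: float):
    """Build the risk assessment matrix, highest risk first.
    'needs_control' flags assets whose risk exceeds the acceptable level and
    therefore need controls or mitigation procedures."""
    rows = []
    for a in assets:
        r = risk_value(a)
        rows.append({
            "asset": a.name,
            "value": asset_value(a),
            "risk": round(r, 2),
            "needs_control": r > acceptable_risk,
        })
    return sorted(rows, key=lambda row: row["risk"], reverse=True)


# Constructed sample asset register (not real client data).
SAMPLE_ASSETS = [
    Asset("customer-db", HIGH, HIGH, HIGH, MEDIUM, HIGH, 0.5),
    Asset("marketing-site", LOW, MEDIUM, MEDIUM, HIGH, LOW, 0.8),
    Asset("office-printer", LOW, LOW, LOW, MEDIUM, LOW, 0.3),
]

if __name__ == "__main__":
    # Acceptable risk level is a management decision; 10.0 is an assumed value.
    for row in risk_matrix(SAMPLE_ASSETS, acceptable_risk=10.0):
        print(row)
```

The threshold passed to `risk_matrix` is the management-defined acceptable risk value; everything flagged `needs_control` is where the control design and gap analysis described in the following steps should start.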
After completing the risk assessment it is important to implement quality policies and procedures for a controlled business environment. The policies and procedures are the design of security controls in an organization and are much more important than they seem at first glance. The simplest way to create quality policies and procedures is to take an ISO 27001 Information Security Policy template and perform a gap analysis of which controls are currently operational in the business and which have to be designed and implemented.
The policy has to cover the 11 areas defined in the ISO 27001 standard and address the supporting business controls and procedures for secure business processing:
- Security Policy
- Organization of information security
- Asset Management
- Human resources security
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- Information systems acquisition, development and maintenance
- Information security incident management
- Business Continuity Management
Compliance with the policies has to be monitored at all times and the controls should be regularly amended to cover any newly spotted risks.
It is important to realize that security is a process and not a product, so the Plan - Do - Check - Act (PDCA) model always has to be incorporated in the business environment, with regular security auditing, vulnerability assessments, updating and patching of the IT systems, and updating of the supporting policies and procedures.