Security compliance is a legal concern for organizations in many industries today. Regulatory and industry standards such as PCI DSS, HIPAA, and ISO 27001 prescribe requirements and recommendations for protecting data and improving information security management in the enterprise.
ISO 27001 is a structured set of guidelines and specifications that assists organizations in developing their own information security framework.
ISO 27001 suggests development and implementation of a structured Information Security Management System (ISMS), which governs the security implementation and monitoring in an enterprise. The standard is designed to serve as a single 'reference point for identifying the range of controls needed for most situations where information systems are used'.
We adopt a five-step methodology to manage the ISO 27001 implementation.
The purpose of this phase is to provide the initial planning and preparation for the assignment.
The purpose of this phase is to collect all relevant data pertaining to the scoped area. This is probably the most crucial phase, since it involves meeting the stakeholders and understanding their concerns.
Tensecure's risk assessment methodology is a multi-fold activity comprising assigning values to the identified critical information assets, threat assessment, a Vulnerability Assessment & Penetration Testing exercise, and gap analysis.
The purpose of this stage is to develop detailed and functional IT security policies and procedures for the client in line with ISO 27001.
The main purpose of this stage is to provide the client with a Security Improvement Program, which helps the client achieve continuous improvement as well as obtain ISO 27001 certification.
PCI DSS version 3.2.1 comprises six control objectives, each containing one or more requirements. In all there are 12 specific requirements under these control objectives. The verification and reporting process may vary depending on the level of the merchant or service provider. An organization is also expected to identify its category or type in order to determine which requirements apply to it.
Tensecure helps organizations meet all the requirements with the help of its robust consulting methodology. We ensure that these requirements are met through the following six steps:
Installing, configuring, and providing guidance on maintaining firewalls, intrusion detection and prevention systems, anti-virus and anti-spyware solutions.
Identifying the storage, transit channel, transit method, archival and retrieval of credit card data and securing the same. Identifying and implementing the appropriate controls at each data interface and data container.
Conducting regular vulnerability identification, assessment and reporting exercises, together with implementation of the fixes.
Identifying all logical and physical access points and ensuring that the access controls required by the standard are in place.
Tracking and monitoring all access to network resources and cardholder data, and regularly testing security systems and processes.
Drafting and maintaining a well-defined information security policy that addresses all the prerequisites of the standard.