Regulatory compliance and audits

We offer the following regulatory audits and certifications to help you stay secure and compliant.

Compliance is an important part of a cyber security program.

Heavily regulated industries are often a bigger target for cybercriminals because of their highly valuable data, e.g., patient data in healthcare, financial data in banking, identity data in government.

Cybersecurity laws and regulations exist to ensure that organizations' data is kept safe. They apply to all regulated industries that are overseen by state, central and regulatory bodies and frameworks such as CERT-In and the GDPR.

While meeting compliance requirements doesn't guarantee that an organization is secure, it provides a solid foundation for security practices. Non-compliance leads to fines and other penalties.


1. Scoping and pre-audit survey: a risk-based assessment to determine the focus of the audit and to identify which areas are out of scope.

2. Planning and preparation: an audit workplan in which the timing and resourcing of the audit is agreed with management.

3. Fieldwork: audit tests performed to validate evidence as it is gathered, together with audit work papers documenting the tests performed.

4. Analysis: the audit evidence should be sorted, filed and reviewed in relation to the risks and control objectives.

5. Reporting: audit findings and recommendations with an action plan.

Statement of Standards for Attestation Engagements (SSAE) 18

CERT-In Compliance

Assessment of people, process and technology

Includes physical infrastructure supporting patient care

Management of medical data, encompassing aspects of privacy and security

Initial assessment, then partnering with you to maintain ongoing compliance

Project Initiation and Governance Structure

Project ISMS Initiation with Internal Key Stakeholders

Management Framework

Building Security Criteria

Risk Management - Gap Fit & Risk Assessment

ISO 27001 Implementation

Progress - Measure, Monitor, and Review

ISO 27001 Certification

Scoping & Plan Your GDPR Compliance Project

Conduct a Data Inventory and Data Flow Audit

Undertake a Comprehensive Risk Assessment

Conduct a Detailed Gap Analysis

Develop Operational Policies, Procedures, and Processes for PII & SPII Information

Secure Personal Data Through Procedural and Technical Measures

Improve Privacy-Related Internal Procedures

Appoint a Data Protection Officer

Ensure Teams Are Trained and Competent

Monitor and Audit Compliance

Implement and Achieve GDPR Compliance

Continual Improvement, Monitoring, and Tracking

Crafting a comprehensive set of information security policies that align with the requirements of PCI DSS

The policy will encompass:

DATA SECURITY

NETWORK SECURITY

PHYSICAL SECURITY

PERSONNEL SECURITY

Security Compliance

California Consumer Privacy Act (CCPA) 2020

We work with clients to implement the following:

Data inventory and mapping of in-scope personal data and instances of “selling” data

New individual rights to data access and erasure, or to opt out of data selling

Updating service-level agreements with third-party data processors

Remediation of information security gaps and system vulnerabilities

Statement of Standards for Attestation Engagements (SSAE)

SOC 1 & SOC 2 Reports

Type 1 & Type 2 reports

We work with clients on the following:

Assessment readiness

Remediation services of control gaps

Attestation of the accuracy of the controls

We work with clients to implement following controls:

Synchronization of all ICT system clocks to NTP

Cyber incidents shall be reported to CERT-In within 6 hours

Assign a Point of Contact (POC) for communicating with CERT-In

All ICT system logs shall be securely stored for a rolling period of 180 days

Transaction logs and records, including IP address, timestamp and time zone, transaction ID and the accounts involved, shall be securely stored

Logs shall be maintained within Indian jurisdiction

VPN service providers and cloud service providers shall maintain customer/subscriber details for 5 years

Virtual asset service providers and virtual asset exchange providers shall maintain KYC data and financial transaction data for 5 years

Recommendations to address CERT-In requirements

Activity: Internal ICT system clocks synchronized with NTP
Activity description: ICT systems must connect to the Network Time Protocol (NTP) server of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL).
Recommendation: Ensure the enterprise either uses an atomic-clock time server or synchronizes with NIC or NPL.

Activity: Ensuring records are maintained and having a point of contact
Activity description: Organizations ensure that all CERT-In interactions go through a single point of contact (POC).
Recommendation: The customer must designate the point of contact for interacting with CERT-In; a CSIRT/IT security incident manager is mandatory.

Activity: Incident reporting framework
Activity description: Ensure cyber security incidents are reported to the Indian Computer Emergency Response Team (CERT-In) as per the methods and formats published on CERT-In's website.
Recommendation: Security monitoring, through either a captive or an outsourced Security Operations Center (SOC), is essential to identify security incidents. Customers are to report cyber security incidents to CERT-In within six hours.

Activity: SOP to capture logs and follow the reporting and retention policy
Activity description: Enable logs of all ICT systems and maintain them securely for a rolling period of 180 days. Essential logs: firewall, IPS, web/DB/mail/proxy/FTP, application, ATM switch, IoT, SSH and VPN logs.
Recommendation: From the incident response and analysis perspective, both successful and unsuccessful events shall be recorded.
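As an added example (not part of this page or the firm's offering), a small Python check for two of the CERT-In controls above: the effective retention implied by a logrotate stanza measured against the 180-day requirement, and whether a transaction record carries the listed fields with a time-zone-aware timestamp. The sample stanza, the sample records and the field names are assumptions.

```python
from datetime import datetime

# CERT-In direction restated on this page: ICT logs kept for a rolling 180 days.
REQUIRED_RETENTION_DAYS = 180
# Fields the page lists for transaction records (key names are assumptions).
REQUIRED_FIELDS = ("ip", "timestamp", "transaction_id", "accounts")
# Approximate days per logrotate rotation interval.
INTERVAL_DAYS = {"daily": 1, "weekly": 7, "monthly": 30, "yearly": 365}

# Constructed sample logrotate stanza: weekly rotation, 12 archives kept (84 days).
WEAK_STANZA = """/var/log/app/transactions.log {
    weekly
    rotate 12
}"""
# Corrected stanza: weekly rotation, 26 archives kept (182 days).
FIXED_STANZA = WEAK_STANZA.replace("rotate 12", "rotate 26")


def logrotate_retention_days(stanza: str) -> int:
    """Effective retention of one logrotate stanza: interval length x rotate count."""
    interval, rotate = None, 0
    for line in stanza.splitlines():
        tokens = line.strip().split()
        if not tokens:
            continue
        if tokens[0] in INTERVAL_DAYS:
            interval = INTERVAL_DAYS[tokens[0]]
        elif tokens[0] == "rotate" and len(tokens) > 1:
            rotate = int(tokens[1])
    if interval is None:
        raise ValueError("stanza has no rotation interval")
    return interval * rotate


def retention_gap_days(stanza: str) -> int:
    """Days short of the 180-day requirement; 0 when the stanza complies."""
    return max(0, REQUIRED_RETENTION_DAYS - logrotate_retention_days(stanza))


def record_gaps(record: dict) -> list:
    """Required fields missing from a transaction record, plus a timestamp check:
    the timestamp must be ISO 8601 and carry a UTC offset (the time zone)."""
    gaps = [f for f in REQUIRED_FIELDS if f not in record]
    if "timestamp" in record:
        try:
            if datetime.fromisoformat(record["timestamp"]).utcoffset() is None:
                gaps.append("timestamp:no-time-zone")
        except ValueError:
            gaps.append("timestamp:unparseable")
    return gaps


# Constructed records: the first lacks a transaction ID and a time zone offset.
BAD_RECORD = {"ip": "203.0.113.7", "timestamp": "2024-05-01T10:15:00", "accounts": ["A1", "A2"]}
GOOD_RECORD = {**BAD_RECORD, "timestamp": "2024-05-01T10:15:00+05:30", "transaction_id": "T-1001"}
```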
