Regulatory compliance and audits

We offer the following regulatory audit and certification services to help organizations stay secure and remain compliant.

Compliance is an important part of a cyber security program.

Heavily regulated industries are often a bigger target for cybercriminals because of their highly valuable data, e.g., patient data in healthcare, financial data in banking, identity data in government.

Cybersecurity laws and regulations exist to ensure that organizations' data is protected. They apply to every regulated industry overseen by state, central and sectoral bodies (for example CERT-In) and by statutes such as GDPR.

Meeting compliance requirements does not guarantee that an organization is secure, but it provides a solid foundation for security practices. Noncompliance can lead to fines and other penalties.


ISO/IEC 27001 Approach

  • ISO/IEC 27001 (Information security, cybersecurity and privacy protection) specifies the requirements for an information security management system (ISMS)
  • The internal audit team needs to be skilled in ISO/IEC 27001 and must be independent of the team that implemented the ISMS
  • An internal audit of the effectiveness of the ISMS and its controls is a prerequisite for the certification audit
  • The five stages of a successful ISO 27001 audit are:

1. Scoping and pre-audit survey: a risk-based assessment to determine the focus of the audit and to identify which areas are out of scope.

2. Planning and preparation: an audit work plan in which the timing and resourcing of the audit are agreed with management.

3. Fieldwork: audit tests performed to validate evidence as it is gathered, with audit work papers documenting the tests performed.

4. Analysis: the audit evidence is sorted, filed and reviewed against the risks and control objectives.

5. Reporting: audit findings and recommendations, with an action plan.

Recommendations to address CERT-In requirements

Activity: ICT system clocks synchronized with NTP

Activity description: ICT systems must synchronize with the Network Time Protocol (NTP) servers of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL).

Recommendation: Ensure every ICT system synchronizes with the NIC or NPL NTP servers, or with NTP servers traceable to them (a stratum-2 source fed by NIC/NPL is acceptable; an arbitrary public pool is not), and verify synchronization status, stratum and offset as a routine check.
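A way to turn the NTP recommendation into a repeatable check, as an added example (not tooling from the original page): parse the output of `chronyc tracking` and confirm the host is synchronised, its reference source sits under a NIC or NPL domain, and stratum and offset are within policy. The approved domains, the stratum limit and the offset limit are assumptions; confirm the server list against CERT-In's published FAQ and set the limits to your own policy. The sample outputs are constructed, not captured from real hosts.

```python
"""Check `chronyc tracking` output against the CERT-In NTP requirement.

Added example, not the page's own tooling. The approved domains, the stratum
limit and the offset limit are assumptions; confirm them against CERT-In's
published list of NIC/NPL servers and your own policy.
"""
import re

# Assumed: domains of the NIC and NPL time servers (verify against CERT-In).
APPROVED_NTP_DOMAINS = ("nic.in", "nplindia.org")
# Assumed policy limits: NIC/NPL are stratum 1, so a direct client sits at
# stratum 2; one intermediate server traceable to them gives stratum 3.
MAX_STRATUM = 3
MAX_OFFSET_SECONDS = 0.5

# Constructed samples in the `chronyc tracking` layout (not from real hosts).
SAMPLE_OK = """\
Reference ID    : C0A80001 (samay1.nic.in)
Stratum         : 2
Ref time (UTC)  : Thu Apr 28 10:00:00 2022
System time     : 0.000123456 seconds fast of NTP time
Last offset     : +0.000001234 seconds
RMS offset      : 0.000012345 seconds
Leap status     : Normal
"""

SAMPLE_WRONG_SOURCE = """\
Reference ID    : CB00710A (pool.ntp.org)
Stratum         : 3
Ref time (UTC)  : Thu Apr 28 10:00:00 2022
System time     : 0.002000000 seconds slow of NTP time
Leap status     : Normal
"""

SAMPLE_UNSYNCED = """\
Reference ID    : 00000000 ()
Stratum         : 0
Ref time (UTC)  : Thu Jan 01 00:00:00 1970
System time     : 0.000000000 seconds fast of NTP time
Leap status     : Not synchronised
"""


def parse_tracking(text):
    """Turn the 'Key : value' lines of `chronyc tracking` into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)  # split once: timestamps contain ':'
        fields[key.strip()] = value.strip()
    return fields


def is_approved_source(hostname):
    """True when hostname is exactly an approved domain or a host under it."""
    return any(hostname == d or hostname.endswith("." + d)
               for d in APPROVED_NTP_DOMAINS)


def check_tracking(text):
    """Return parsed state plus a list of findings; no findings == compliant."""
    f = parse_tracking(text)
    findings = []

    m = re.search(r"\(([^)]*)\)", f.get("Reference ID", ""))
    source = m.group(1) if m else ""
    if f.get("Leap status", "").lower() != "normal":
        findings.append("clock is not synchronised (leap status %r)"
                        % f.get("Leap status"))
    if not is_approved_source(source):
        findings.append("time source %r is not a NIC/NPL server" % source)

    stratum = int(f.get("Stratum", "0") or 0)
    if stratum == 0 or stratum > MAX_STRATUM:
        findings.append("stratum %d outside the allowed range 1..%d"
                        % (stratum, MAX_STRATUM))

    m = re.search(r"([\d.]+) seconds (fast|slow)", f.get("System time", ""))
    offset = float(m.group(1)) if m else None
    if offset is None or offset > MAX_OFFSET_SECONDS:
        findings.append("system time offset %s exceeds %.3f s"
                        % (offset, MAX_OFFSET_SECONDS))

    return {"source": source, "stratum": stratum, "offset": offset,
            "compliant": not findings, "findings": findings}


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("wrong-source", SAMPLE_WRONG_SOURCE),
                         ("unsynced", SAMPLE_UNSYNCED)):
        print(name, check_tracking(sample))
```

On a live host, feed `subprocess.run(["chronyc", "tracking"], capture_output=True, text=True).stdout` to `check_tracking` and schedule it alongside the other configuration checks; the domain test deliberately requires a dot boundary so that a lookalike such as `evilnic.in` is not accepted.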

Activity: Maintaining records and designating a point of contact

Activity description: Organizations must ensure that all interactions with CERT-In go through a single point of contact (POC).

Recommendation: The customer must designate a point of contact (typically the CSIRT lead or IT security incident manager) for all interactions with CERT-In; this designation is mandatory.

Activity: Incident reporting framework

Activity description: Report cyber security incidents to the Indian Computer Emergency Response Team (CERT-In) using the methods and formats published on CERT-In's website.

Recommendation: Security monitoring, through either a captive or an outsourced Security Operations Center (SOC), is essential to identify incidents in the first place. Customers must report cyber security incidents to CERT-In within six hours of noticing them or being notified of them.

Activity: SOP to capture logs and to follow the reporting and retention policy

Activity description: Enable logging on all ICT systems and retain the logs securely for a rolling period of 180 days. Essential logs include firewall, IPS, web/database/mail/proxy/FTP, application, ATM switch, IoT, SSH and VPN logs.

Recommendation: From an incident response and analysis perspective, both successful and unsuccessful events (for example logins, privilege changes and access attempts) must be recorded: failed attempts are often the earliest evidence of an attack, and the successful ones establish what the attacker did afterwards.
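Two checks that follow from the logging SOP above, as an added example (not tooling from the original page): extract every sshd authentication outcome, successful or failed, into a structured record, and confirm that a set of daily log files covers the whole rolling 180-day window. The sshd lines, the log-file dates and the reference date 2022-10-25 are constructed for the example.

```python
"""Checks for the CERT-In logging SOP. Added example, not the page's own
tooling. The sshd lines and log-file dates are constructed; 2022-10-25 is an
assumed reference date; RETENTION_DAYS is the 180-day period in the direction.
"""
import re
from datetime import date, timedelta

RETENTION_DAYS = 180

# Constructed sshd lines in syslog layout (not captured from a real host).
SAMPLE_SSHD_LINES = [
    "Apr 28 10:00:01 web01 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: ED25519 SHA256:abc",
    "Apr 28 10:00:07 web01 sshd[1209]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2",
    "Apr 28 10:00:09 web01 sshd[1211]: Failed password for bob from 203.0.113.7 port 40002 ssh2",
    "Apr 28 10:00:15 web01 sshd[1215]: Accepted password for bob from 203.0.113.7 port 40003 ssh2",
    "Apr 28 10:01:00 web01 sshd[1220]: Received disconnect from 10.0.0.5 port 51234:11: disconnected by user",
]

# Matches both outcomes; a rule that only kept 'Failed' lines would lose the
# successful login that followed the password guesses from 203.0.113.7.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) (?P<method>\w+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_sshd_events(lines):
    """Extract every authentication outcome, successful or not, as a record."""
    events = []
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue  # session/disconnect lines: retained, but not auth outcomes
        events.append({
            "outcome": "success" if m["outcome"] == "Accepted" else "failure",
            "method": m["method"],
            "user": m["user"],
            "invalid_user": m["invalid"] is not None,
            "src": m["src"],
            "port": int(m["port"]),
        })
    return events


def summarize_by_source(events):
    """Per source IP: success and failure counts. Failures followed by a
    success from the same IP is where a password-guessing investigation starts."""
    summary = {}
    for e in events:
        counts = summary.setdefault(e["src"], {"success": 0, "failure": 0})
        counts[e["outcome"]] += 1
    return summary


def retention_gaps(log_dates, today):
    """Days inside the rolling RETENTION_DAYS window that no log file covers."""
    covered = set(log_dates)
    window_start = today - timedelta(days=RETENTION_DAYS - 1)
    return [window_start + timedelta(days=i) for i in range(RETENTION_DAYS)
            if window_start + timedelta(days=i) not in covered]


# Constructed: one daily file for the last 200 days, except the one from 10 days ago.
TODAY = date(2022, 10, 25)  # assumed reference date
SAMPLE_LOG_DATES = [TODAY - timedelta(days=i) for i in range(200) if i != 10]


if __name__ == "__main__":
    events = parse_sshd_events(SAMPLE_SSHD_LINES)
    print(summarize_by_source(events))
    print("gaps in retention window:", retention_gaps(SAMPLE_LOG_DATES, TODAY))
```

For a real log store, derive `log_dates` from the rotated file names or from the timestamps inside each file; a single missing day inside the window is a retention finding even when the total volume of retained data looks sufficient.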
