Compliance Security Continuity

Transcription

1 Compliance Security Continuity

2 About Us Information Security Put the necessary processes, policies and procedures in place, identify your company s most valuable assets and implement and test controls to ensure they are protected HELPING YOU SECURE YOUR FUTURE, TODAY With experience in multiple business sectors including financial services, telecoms and service industries, CS Risk Management have the in depth understanding of business and IT systems necessary to translate standards such as the Data Protection Act, PCI Data Security Standards, ISO27001 security management and ISO22301 business continuity into practical, effective measures to meet your compliance requirements. At CS Risk Management it is essential that we are well informed on all the latest developments in the IT industry and that we have the knowledge to deliver exceptional service. Continuous professional development is essential to our consultants, which is why we have obtained many industry recognised qualifications such as CISSP, CISM, CBCI, CISA and CLAS. We are proud of our customer relationships and are honoured and delighted that they choose to return to us as trusted advisors. Payment Card Security Providing expert advice in the development of security measures to address payment card security issues and PCI:DSS compliance gaps Business Continuity Assess the impact of disruption to your business, implement plans to manage the disruption, exercise the plans and perform employee awareness training Data Protection Compliance Assess your policies, procedures, working practices and IT systems to ensure data is managed in compliance with the Data Protection Act

3 Information Security ISO27001 Information Security Management Put the necessary policies, processes and procedures in place in preparation for ISO27001 compliance assessments DO YOU KNOW WHO HAS ACCESS TO YOUR COMPANY S SENSITIVE INFORMATION? If you possess information that is crucial to the survival of your business, necessary actions should be taken to protect it. However protecting information in a technically complex and fast evolving world is enormously challenging and can often be a frustrating and time consuming process. ISO:27001 is the only auditable international standard which defines the requirements for an Information Security Management System (ISMS). The standard is designed to ensure the selection of adequate and proportionate security controls. This helps you to protect your information assets and give confidence to any interested parties, especially your customers. The standard adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving your ISMS. Benefits of implementing ISO27001 include: Improved information security and reduced risk Compliance with (or certification for) an international standard can be used to demonstrate due diligence The standard is often used as a measure of status within a peer community. Compliance can provide a benchmark for both the current position and future progress Adherence to the standard is often used as a beneficial differentiator in the commercial market place Asset Identification Identify your business s most important information assets Security Risk & Impact Assessment Determine how exposed your business is to the risk of information asset theft, loss or corruption Impact Assessment Evaluate what impact the loss, theft or corruption of information assets could have on your business Security Design Put sustainable, cost-effective measures in place to keep your information assets safe

4 Payment Card Security Payment Card Security Assessment Identify payment card security vulnerabilities and assess your level of compliance with PCI:DSS Compliance Planning Develop your strategy and plan for achieving PCI:DSS compliance ACHIEVING COMPLIANCE WITH PAYMENT CARD SECURITY STANDARDS Credit and debit card fraud cost UK consumers and banks 356 million* in To help combat card fraud, the Payment Card Industry: Data Security Standard (PCI:DSS) was developed to enhance cardholder data security and facilitate the global adoption of consistent data security measures. The standard sets out requirements for: Building and maintaining secure data networks Protecting card-holder data during storage or transmission Maintaining a vulnerability management programme Implementing strong access control measures where card data is stored, processed or transmitted Continuously monitoring and testing networks for new vulnerabilities Maintaining an appropriate information security policy If you are a merchant taking card payments from customers, you are required to comply with the PCI:DSS standard. Non-compliant companies who maintain a relationship with one or more of the card brands like VISA, MasterCard or American Express, either directly or through an acquirer, risk losing their ability to process credit card payments, being audited or fined. Compliance is verified via an annual assessment by a Qualified Security Assessor (QSA) or through completion of self-assessment questionnaire (SAQ). Solution Design Provide expert advice in the development of security measures to address payment card security issues and PCI:DSS compliance gaps Project Management Provide project management expertise to help you achieve PCI:DSS compliance Training Develop targeted PCI:DSS compliance training for management and staff to help you remain PCI:DSS compliant Compliance Audits Find a Qualified Security Assessor and manage the end-to -end compliance audit process on your behalf * Financial Fraud Action UK

5 Business Continuity ISO22301 Business Continuity Management Put all necessary policies, processes and procedures in place in preparation for BS25999 compliance assessments PLAN FOR IT, MANAGE IT SURVIVE IT Fire, flood, snow, system failures, power cuts, vandalism, theft. Two out of five businesses that experience a major disaster go out of business within five years of the event, industry analysts reveal. Would your business cope if your offices are inaccessible, or if a disaster strikes infrastructure that is critical to your operations? Could your business continue to operate and generate the revenue that is so crucial to your survival? Business Continuity Planning (BCP) is an essential part of running any modern organisation that takes its business and clients seriously. With many potential business disasters that can befall an organisation, it is sensible to take actions to prepare for and try to prevent the devastating impact of such catastrophes. Putting business continuity plans into practice now can prepare your business for most potential disasters, ensure that you will be able to maintain continuity of your business practices and reduce, or even possibly remove, the effect a disaster could have on your organisation. BCP also has pre-disaster business benefits. It will help you understand your business better, and may help identify areas of your business that can be simplified or streamlined. Business Impact Assessments Identify business-critical activities, the level of disruption these activities can withstand, continuity and recovery requirements for these activities Business Continuity Response Planning Develop a coherent business continuity response, including an incident management plan, business continuity plans and activity recovery plans Business Continuity Exercising Support for your business continuity exercises Business Continuity Awareness and Training Develop targeted business continuity awareness sessions for management and staff ISO22301 Business Continuity certification also gives you an advantage when competing for business within large companies and the public sector.

6 Data Protection Compliance Principles, Policies & Processes Determine whether the required business principles, policies and processes are in place in relation to data protection PROTECTING PERSONAL DATA IS NOT ONLY LAW, IT IS GOOD BUSINESS SENSE The Data Protection Act (DPA) is the main piece of legislation that governs the protection of personal data in the UK. Businesses are legally obliged to protect personal information about customers and employees in line with the principles of the Data Protection Act. The Act works in two ways. Firstly, it states that anyone who processes personal information must comply with eight principles, which ensure that information is: Fairly and lawfully processed Processed for limited purposes Adequate, relevant and not excessive Accurate and up to date Not kept for longer than is necessary Processed in line with an individual s rights Secure Not transferred to other countries without adequate protection The second area covered by the Act provides individuals with important rights, including the right to find out what personal information is held on computer and paper records. Penalties for failing to comply with DPA could include unannounced assessments by the Information Commissioner s Office, enforcement notices, fines of up to 500,000, stop now orders for the company and prosecution for those who commit criminal offences under the Act. Business Process Reviews Assess your business practices and processes to identify and resolve data protection compliance issues in your business operations IT Systems Reviews Assess your IT systems and IT operations to identify and resolve technical data protection compliance issues, e.g. issues relating to data security, data retention and data integrity Compliance Solution Design Provide solution design, implementation and project management expertise for meeting your DPA compliance needs Training Develop targeted data protection compliance training for management and staff to help you remain DPA compliant

7 Contact Us +44 (0) Unit 4 Brooklands Farm, Bottle Lane Binfield, Berkshire RG42 5QX

8