secure enterprise and mobile architecture
Phone: 832-510-7119


Compliance Assistance

Compliance Requirements Often Drive IT Security Planning

Most businesses are required to be compliant for one reason or another. Are you striving for ISO 27001 or ISO 27002 certification? Do you accept credit cards? Are there specific industry-related certifications needed to qualify for desired projects? Whatever the reason, compliance with the requirements can be a daunting and time-consuming task.

At Enet 1 Group, we’ve assisted many companies in mobilizing their organizations to achieve these various requirements. For decades we have made security our primary focus. We realize that without security standards in place, businesses are vulnerable to attacks that can result in costly downtime and potential loss of reputation. This risk is especially acute in today’s world, with a proliferation of mobile devices, increased use of cloud and third-party services, and the vulnerability of critical information systems such as SCADA networks.

Below is an overview of the more common directives encountered from entities that impose regulations on businesses:

ISO 27001 and ISO 27002 Compliance

The standards for these certifications contain 11 security-related areas:

  1. Security policy
  2. Organization of information security
  3. Asset management
  4. Human resources security
  5. Physical and environmental security
  6. Communications and operations security
  7. Access control
  8. Information systems acquisitions, development & maintenance
  9. Information security incident management
  10. Business continuity management
  11. Compliance with information security policies, standards, laws, and regulations


PCI DSS Compliance

Which businesses need to comply with these standards? Any business or service provider that stores, processes, or transmits cardholder data must comply before VISA, MasterCard, AMEX, or any other credit card company will work with them. These standards cover millions of businesses in the U.S.

The 12 Requirements for the PCI Data Security Standard (PCI DSS)

Following is a condensed version. To view all, go to the PCI Data Security Council site:

  1. Build and maintain a secure network. Includes installation and maintenance of a firewall and router configuration.
  2. Always replace default passwords before installation of software and use unique, high-security passwords.
  3. Protect cardholder data. Whenever possible, do not store cardholder data — and never store the sensitive authentication data read from the magnetic stripe or chip.
  4. Encrypt any data passed across open, public networks, including your shopping cart and Web-hosting providers.
  5. Maintain a vulnerability management program. Systematically and continuously find weaknesses in an entity’s payment card infrastructure system.
  6. Develop and maintain secure systems and applications. Install vendor-provided security patches and utilize the most recently released software patches to prevent exploitation.
  7. Restrict access to cardholder data by business need-to-know. Establish an access control system for system components and set it to “deny all” unless access is specifically allowed.
  8. Assign a unique ID to each person with computer access. This ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.
  9. Restrict physical access to cardholder data. Use appropriate facility entry controls and a means to easily distinguish between onsite personnel and visitors.
  10. Track and monitor all access to networks and cardholder data.
  11. Regularly test security systems and processes: firewalls, patches, and anti-virus.
  12. Maintain an information security policy that addresses information security for all personnel.

What are the penalties and fines associated with a PCI DSS security breach? The penalties and fines for failure to comply with the requirements, or to rectify a security issue, can be severe. These fines range from $10,000 to $500,000 per incident. If a security breach occurs in any area under your control, you will be responsible for the cost of the required forensic investigations and fraudulent purchases, plus the cost of re-issuing cards. It’s also possible your company will lose credit card acceptance privileges.

In addition to ISO 27001, ISO 27002, and PCI DSS, there are many other groups that impose security requirements depending on your company’s industry. A few are:

How We Can Help

The Enet 1 Group excels in Compliance & Privacy Planning, Assessments, Awareness Training, and Compliance Programs for the most complex security regulations facing businesses today. We will map Regulations to Frameworks, Policies, and Standards that address your organization’s specific business and technical IT security requirements. We will conduct compliance reviews, as well as assist with strategic planning and cost reduction associated with compliance efforts. Compliance & Privacy Services helps organizations address industry and legal requirements to avoid severe penalties.

If your organization is facing a compliance audit, realizes a need to update its current practices, or is initiating a certification plan for the first time, we have the experience and positive track record to help.

Give us a call or send us an email — let’s discuss how we can help.


Copyright EnterNet Security, LLC. All rights reserved. EnterNet Security, LLC is the parent company of Enet 1 Group.
