Compliance And Certifications

Payment Card Industry Data Security Standard–(PCI DSS) is a global Data Security Standard developed to protect debit and credit card data. This standard applies to all types of industries that deal with card payment transactions. If the business stores, processes and transmits credit and debit card data then it is required to satisfy the PCI DSS requirements in order to prevent payment card fraud.

PCI DSS is the result of collaboration between major card brands (American Express, Discover, JCB, Mastercard and Visa), with transaction processes closely monitored by the Payment Card Industry Security Standards Council (PCI SSC).

We are a Qualified Security Assessor company licensed by the PCI Security Standard Council. We deliver a broader range of PCI services to our clients in order to assist them in fully complying with the PCI DSS.

PCI DSS Standard consists of the 6 goals and 12 requirements that are mandatory in order to comply with the standard. The requirements set forth by the PCI SSC are both operational and technical, and the core focus of these rules is always to protect cardholder data. In order to become PCI compliant, the business must meet the 12 PCI compliance requirements, which are split up into 300 sub-requirements. The following PCI compliance requirements include security systems, organizational processes, testing and policies that can help protect cardholder data.

Our highly qualified and well-experienced team helps organisations to fully comply with all the PCI DSS requirements and achieve its certification successfully.

Our PCI DSS Experts team assists organisations not only to prevent payment data breaches and payment card fraud but also provide their professional services with respect to the PCI DSS compliance level of the organizations. However, same requirements don’t apply universally. In fact, there are four PCI compliance levels, which are determined by the number of transactions the organization handles each year.

Benefits of Achieving PCI DSS Certification

•   Increases customer confidence
•   Helps avoid additional costs
•   Lowers security breaches and risks
•   Aligns with other industry standards

ISO/IEC 27001 is a leading international Information Security Standard that is jointly published by the International Organization for Standardisation, and the International Electrotechnical Commission. Information security guidelines and requirements are defined in the Standard to protect an enterprise’s information assets from loss and/or unauthorized access and recognized means of demonstrating their commitment to information security management through certification.

ISO 27001 focuses mainly on safeguarding critical and sensitive information of the organization by developing and implementing ISMS and a risk-based approach while demonstrating satisfaction, trust and confidence with business partners, clients and stakeholders.

ISO 27001 affords a framework for Information Security Management System (ISMS) not only to achieve legal compliance but also to realize the Confidentiality, Integrity and Availability of Information. CIA are the three principles of the ISO27001Standards.

• Confidentiality:
  Confidentiality has to do with keeping an organization’s data private. It means that only authorized users should be able to access or modify data.
• Integrity:
  Integrity means that data should be maintained in a correct state, so that it can not be tampered with, and should be authentic, and reliable.
• Availability:
  it is significant that unauthorized users are kept out of an organization’s data, it should be available to authorized users whenever they require it. This means keeping systems, networks, and devices up and running.

ISO certification plays a pivotal role to protect the vital assets of the organisation such as client information, employee data, brand image, credibility and trust and other confidential information.

Lyxes Solution has assisted a multitude of organizations in implementing ISO 27001 effectively and efficiently. Our Professional consultants perform the following activities amidst the ISO 27001 lifecycle in order to acquire the anticipated results.

•   Performing Gap analysis against ISO 27001
•   Conducting Risk Assessment
•   Developing Policies and Procedures Documents
•   ISMS Framework development
•   Performing Remediation Planning
•   Policy Documentation and Support
•   Training the Staff against ISO 27001
•   Performing Internal Audit
•   Management Review
•   Assured Successful audit
•   Affording ISO 27001 Certification Facilitation

The Action Plan:

The ISO 27001 Lifecycle will be implemented in the order as described in the Diagram below.

Benefits of ISO270001 Implementation:

•   Build Trust and Credibility in the market to help you enhance your business.
•   Reduces the Likelihood of fines and/or prosecution.
•   Reduces the Likelihood of Staff-related information security breaches.
•   Helps you safeguard the information to continue business and minimize the disruption.
•   Ensures information is protected, available and accessible.
•   Improve the reputation of the organisation and stockholder confidence.
•   Applies to all types and sizes of organisations.
•   Saves Costs by minimizing incidents.

SO/IEC 27017:2015 is an information security code of practice for cloud services. It’s an extension to ISO/IEC 27001:2013 and ISO/IEC 27002, and it provides additional security controls for cloud service providers and for cloud service customers. An organization implementing the standard would select the relevant controls for their circumstances.

•   The shared roles and responsibilities between the cloud service providers and customers
•   Removal and return of cloud service customers assets when a contract has been terminated
•   Segregation in virtual computing environments
•   Secure hardening of virtual machines
•   Documenting critical operational procedures
•   Allowing cloud service customers to be able to monitor relevant activities within the cloud
•   The alignment of security management for both virtual and physical networks

Benefits of ISO 27017 Certification

External assurance to customers

Provides external assurance to customers that information processed in the cloud by their cloud service provider is secure.

Reduce
risk

It helps reduce the risk of a security breach and other risks, this will increase stakeholders trust.

Extends and enhances certification

It extends and enhances a clients ISO 27001 certification.

Framework for cloud services customers

Provides a comprehensive information security management framework for cloud services customers and in so doing it holds their providers to account.

Framework for cloud services customers

Provides a comprehensive information security management framework for cloud services customers and in so doing it holds their providers to account.

Why implement ISO 27017?

Making clients feel safe about their data being stored in the cloud is vital. Having ISO/IEC 27017 standard allows an internationally standardised framework that can help reduce the risk of data breaches and build customer trust by showing your commitment to information security. The standard also gives guidance to cloud service customers on what they should want from their cloud service hosts.

The standard covers a range of topics such as asset ownership, removal and return of assets when a customer contract has been terminated, protection and separation of a customer’s virtual environment and more. With a growing risk of cloud data breaches now more than ever is important to know you and your organisation are doing the most to try and reduce these risks as a cloud service provider and/or a cloud service customer.

As ISO 27017 is built from the foundations of ISO 27001 and ISO 27002 framework, the certification shows compliance internationally and helps your organization for both the cloud service providers and cloud service customers against risks within the cloud.

Financial services organizations have long been a target for malicious actors. In November 2020, the Australian Prudential Regulation Authority (APRA) announced that it would be strengthening its enforcement of Cross-Industry Prudential Standard (CPS) 234. Although CPS 234 has been around since 2018, the regulatory body has remained lenient in its enforcement. However, with more stringent enforcement on the horizon, understanding the APRA CPS 234 becomes more important for organizations that need to prove compliance.

What is APRA CPS 234?

APRA is the regulatory authority for Australia’s financial services industry. CPS 234 sets out a series of guidelines for financial services organizations so that they can maintain cybersecurity resiliency and continue to protect sensitive data.

CPS 234 has four key requirements:

•   Define information security-related roles and responsibilities
•   Maintain a risk-based security posture that enables business continuity in response to cybersecurity incidents
•   Performing Remediation Planning
•   Implement security controls aligned with data asset criticality and sensitivity
•   Notify APRA of information security incidents

Who does the APRA Prudential Standard apply to?

At a high level, CPS 234 applies to any APRA-regulated entity. The standard falls under sections of the following laws:

•   The Banking Act of 1959 (Banking Act)
•   The Insurance Act of 1973 (Insurance Act)
•   The Life Insurance Act of 1995 (Life Insurance Act)
•   The Private Health Insurance (Prudential Supervision) Act of 2015 (PHIPS Act)
•   The Superannuation Industry (Supervision) Act of 1993 (SIS Act)

On a more detailed level, CPS 234 specifically references the following:

• Banks:
  •   Authorized deposit-taking institutions (ADIs).
  •   Non-operating holding companies authorized under the Banking Act (authorized banking NOHCs).
• General and Life Insurers:
  •   General insurers.
  •   Non-operating holding companies authorized under the Insurance Act (authorized insurance NOHCs).
  •   Parent entities of Level 2 insurance groups.
  •   Life companies, including friendly societies, eligible foreign life insurance companies (EFLICs).
  •   Non-operating holding companies registered under the Life Insurance Act (registered life NOHCs).
  •   Private health insurers registered under the PHIPS Act.
  •   RSE licensees under the SIS Act.

What are the primary requirements for complying with the APRA Prudential Standard CPS?

CPS 234 consists of thirty-six paragraphs, twenty-four of which discuss how the governing body expects covered organizations to mature their security programs. Within those twenty-four paragraphs, nine basic requirements outline how APRA expects covered organizations can better secure data.

Roles and responsibilities

Under this standard, organizations need to assign cybersecurity responsibilities across all leadership and departments. This includes:

•   Assurance by Board of Directors that organization maintains appropriate risk-based information security program.
•   Clearly defining information security-related roles and responsibilities across Board of Directors, senior management, governing bodies, and other decision-making stakeholders.

Specifically, CPS 234 requires robust governance by the covered entity’s Board of Directors.

The National Institute of Standards and Technology (NIST) has its own set of standards for penetration testing. In NIST Special Publication 800-115, “Guide to Penetration Testing”, NIST outlines the requirements for a successful penetration test.

One of the key requirements for a successful penetration test is that the tester must have a clear understanding of the organization’s network and systems. The tester must also have a thorough understanding of the organization’s security policies and procedures.

In order to gain this understanding, the penetration tester will need to perform some initial reconnaissance. This may include active or passive information gathering techniques. Once the information has been gathered, the tester will need to analyze it and identify potential vulnerabilities.

After the initial reconnaissance and analysis phases have been completed, the penetration tester can begin launching attacks. These attacks can be either automated or manual in nature. During the attack phase, it is important for the tester to remain undetected by the organization’s security systems.

Once the attack has been completed, the penetration tester will then need to analyze the results and prepare a report. This report should include a detailed description of the attacks that were performed, as well as any vulnerabilities that were identified. The report should also include recommendations for remediation.

The Information Security Manual (ISM) represents the considered advice of the Australian Cyber Security Centre (ACSC) within the Australian Signals Directorate (ASD). The purpose of the ISM is “to outline a cyber security framework that an organization can apply, using their risk management framework, to protect their systems and data from cyber threats.”

The ISM is intended for:

•   Chief Information Security Officers (CISOs)
•   Chief Information Officers
•   Cybersecurity professionals
•   Information technology managers

The Information Security Manual (ISM) represents the considered advice of the Australian Cyber Security Centre (ACSC) within the Australian Signals Directorate (ASD). The purpose of the ISM is “to outline a cyber security framework that an organization can apply, using their risk management framework, to protect their systems and data from cyber threats.”

Cybersecurity Principles

The first section of the ISM consists of a set of cybersecurity principles. The purpose of these principles is to “provide strategic guidance on how an organization can protect their systems and data from cyber threats”.

The ISM’s cybersecurity principles are grouped together into 4 categories: govern, protect, detect, and respond. Here’s a summary of what each principle covers:

• Govern:
  Identifying and managing security risks.
• Protect:
  Implementing security controls to reduce security risks
• Detect:
  Detecting and understanding cybersecurity events to identify cybersecurity incidents
• Respond:
  Responding to and recovering from cybersecurity incidents

Australian Information Security Manual (ISM) & Data Wiping

The second part of the ISM is a series of in-depth cybersecurity guidelines that are split up into a number of subsections and security controls. The Guidelines for Media chapter outlines security controls that cover the following 4 areas: Media usage, media sanitization, media destruction, and media disposal. The media usage and media sanitization sections, in particular, provide information on the importance of data wiping.

The ‘Media sanitization processes and procedures’ subsection of the Guidelines for Media states: “Using approved methods to sanitize media provides a level of assurance that, to the extent possible, no data will be left following sanitization. The methods described in these guidelines are designed not only to prevent common data recovery practices but also to protect from those that could emerge in the future.” In the same section, Security control ISM-0348 advises: “Media sanitization processes, and supporting media sanitization procedures, are developed and implemented.”

The Guidelines for Media chapter goes on to provide more specific advice for sanitizing volatile and non-volatile types of media. There are also recommendations for sanitizing media before first use, before it is reclassified to a lower sensitivity, and when media is transferred between 2 systems.

Australian Information Security Manual (ISM) & Encryption

Sticking with the ISM’s cybersecurity guidelines, the Guidelines for Cryptography is the chapter that offers organizations advice on using encryption. In the ‘Encrypting data at rest’ subsection, the ACSC recommends that organizations use full disk encryption as “it provides a greater level of protection than file-based encryption.” Another solution for protecting all the data on your hard drive is volume encryption, which we believe is a more secure alternative to full disk encryption.

A list of the encryption algorithms that are approved by the Australian Signals Directorate can be found in the ‘ASD-Approved Cryptographic Algorithms’ section of the Guidelines for Cryptography. The guidelines state: “The only approved symmetric encryption algorithm is Advanced Encryption Standard (AES)”. The AES is used for encrypting data at rest, and is the default encryption algorithm used by BestCrypt Volume Encryption and BestCrypt Container Encryption.

Use the Right Data Protection Software

The type of data that needs to be wiped and encrypted will help you decide what kind of software your organization should use. If you have sensitive data on a computer that’s no longer needed, then you should use software that’s able to wipe your entire hard drive. However, if you want to be prepared in the event that one of your devices gets lost or stolen, you should secure the contents of the relevant hard drive by investing in whole disk encryption.

To help your organization comply with the ISM’s recommendations for media sanitization and encryption, GRC360 offers 2 types of software:

• BCWipe Total WipeOut to erase entire hard drives + BCWipe to wipe selected files and folders
• BestCrypt Volume Encryption for superior whole disk encryption + BestCrypt Container Encryption for selected files and folders

In an effort to significantly improve the cyber resilience of Australian businesses, the Australian federal government is mandating compliance across all eight cybersecurity controls of the Essential Eight framework. This is an ambitious move that may be burdensome to the many entities still struggling to comply with just the top four controls of the Essential Eight. This post clearly outlines the expectations of all eight security controls and explains how Australian businesses can achieve compliance for each of them.

What is the Essential Eight?

The Essential Eight is an Australian cybersecurity framework by the Australian Signals Directorate (ASD). This framework, published in 2017, is an upgrade from the original set of 4 security controls by the ASD. The Essential Eight introduced 4 additional strategies to establish the eight control that aim to protect Australian businesses from cyberattacks today.

The eight strategies are divided across three primary objectives – prevent attacks, limit attack impact, and data availability

General Data Protection Regulation- (GDPR) refers to the regulation for the privacy of personally identifiable information of European citizens and residents. it is the toughest privacy and security law in the world. it was drafted and passed by the European Union (EU. The regulation came into effect on May 25, 2018. The GDPR levies stern fines and penalties against those who violate its privacy and security standards.

GDPR 7 Principles and Requirements - There are two key areas which need to be considered in order to satisfy the requirements and for becoming fully compliant with GDPR.

First of all, the seven key principles around which the specific requirements of the GDPR are based. Then there are the individual rights which ensure that data subjects are aware of how an organization handles both data privacy and data protection. Our consultant team possess extensive knowledge and vast experience in the GDPR domain and ensures that all the principles and requirements of GDPR are satisfied to be fully compliant with it.

• Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
• Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
• Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.
• Accuracy — You must keep personal data accurate and up to date.
• Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
• Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
• Accountability — The data controller is responsible for being able

With the GDPR, Europe is signalling its stern stance on data privacy and security at a time when numerous people are entrusting their personal and confidential data with cloud services and security breaches are a daily occurrence. The regulation is large, and far-reaching in specifics, making GDPR compliance a daunting prospect, particularly for small and medium-sized enterprises (SMEs).

The maximum penalty for non-compliance is 4% of annual revenue or €20 million, whichever is higher. Lower fines of up to 2% are possible for administrative breaches, such as not carrying out impact assessments or notifying the authorities or individuals in the event of a data breach.

Don’t wait until it’s too late – Contact GRC360 today to learn more about our GDPR services and how we can help you secure your business. Our consultant has extensive experience in helping clients to achieve EU GDPR Compliance.

Key Business Benefits of GDPR Compliance:

•   Improved consumer confidence
•   Reduced maintenance cost
•   Better alignment with Evolving technology
•   Greater decision making
•   Better Data Security
•   Protect and enhance enterprise brand reputations

Control Objectives for Information Technologies- (COBIT) is a best-practice IT Governance Framework developed by the ISACA in order to specifically manage IT Governance and IT management. COBIT defines the components and design factors to build and sustain a best-fit governance system. It provides a set of controls not only to implement in IT but also to organize them around the framework of information technology-related processes. It helps organizations to create optimal value from IT. Organizations regardless of their sizes and types of business can benefit from it.

It helps in organizing the objectives of IT governance and bringing in the best practices in IT processes and domains while linking business requirements.

COBIT separates the process design activity by segregating it as follows:

Governance objectives are grouped in the Evaluate, Direct, and Monitor (EDM) In this domain, the governing body evaluates strategic options, directs senior management on the chosen strategic options and monitors the achievement of the strategy.

Management Objectives are grouped into four domains:

• Align, Plan and Organize (APO) addresses the overall organization, strategy and supporting activities
• Build, Acquire and Implement (BAI) treats the definition, acquisition, and implementation of solutions and their integration in business processes
• Deliver, Service and Support (DSS) addresses the operational delivery and support of services, including security
• Monitor, Evaluate and Assess (MEA) addresses performance monitoring and conformance with internal performance targets, internal control objectives and external requirements

COBIT 2019 is comprised of the COBIT Core Model that contains two main domain Governance and Management. These two domains consist of 40 Objectives. Additionally, The 6 Principles and 6 process capability levels. The process capability levels are used to assess the level of the existing practices against the COBIT 40 process.