Governance, Risk and Compliance

SecurBay / Governance, Risk and Compliance

RC-1: Internal Audit based on ISO 27001:2013

Ref. Code:	RC-1
Objective	To conduct Internal Audit to assess compliance against ISO 27001:2013 security standards
What we do	Understand the core and supporting business functions Understand and discuss the information security requirements of the organization in-line with the amended scope Review the network and security architecture Review the Data Center Design and perform the data center audit Review the physical and environmental security controls Perform the ISMS Internal Audit Discuss the Internal Audit Findings with the ISMS Coordinator and other personnel Assist in preparing the Audit Response Plan (Corrective and Preventive Action Reports)
Requirements	Provide Business Objectives Provide information on Critical business, IT and Quality Processes Provide the existing Quality Management System (QMS) documents Provide the existing security processes and related documentation
What you will get	Internal Audit Report Corrective and Preventive Action Reports Review report for the Security Architecture of the Network
Suggested frequency	As per the requirement.

RC-2: Development of Policies and Procedures

Ref. Code:	RC-2
Objective	To assist in preparation of policies, processes, procedures and standards for ISO 27001:2013
What we do	Assist in preparing the Information Risk Management Reports (including Risk identification, analysis, rating and working on mitigation options) Perform the Vulnerability Assessment and Penetration Testing (on selected devices, IPs, as per the mutual agreement) Drafting the necessary Information Security Policies, Processes, Procedures and Standards
Requirements	Accountability of the enforcement and compliance with the laid down policies and standards remains with the client.
What you get	Information Security Policies, Processes, Procedures and Standards
Suggested frequency	As per the requirement.

RC-3: IT Security Assurance Review

Ref. Code:	RC-3
Objective	To identify the exposures and configuration weaknesses that may make a host more susceptible to compromise on the security.
What we do	Review the maturity of information security within the organization in terms of management and technical requirements. Review the policies, procedures and standards, and advise on in its effectiveness, completeness and compliance to the accepted standards.
Requirements	Accountability of the enforcement and compliance with the laid out policies and standards remains with the client
What you get	Reports, advisory and recommendations
Suggested frequency	As per the requirement.

RC-4: ISO 27001:2013 Advisory and Consulting

Ref. Code:	RC-4
Objective	To help the organization to comply with the ISO 27001:2013 security standards
What we do	Plan Understand the core and supporting business functions Understand and discuss the information security requirements of the organization Finalize on the ISMS Scope Review the network and security architecture Review the physical and environmental security controls Review the existing documents like policies, procedures, forms etc. related to ISMS, certifications achieved by the organization like ISO9000, etc. Perform ‘As-Is’ analysis of the security schema (Current State Assessment) Execute Conduct the ISMS Implementation Training for key implementation personnel Assist in performing audits on Asset Inventory (based on Confidentiality, Integrity, Availability) Assist in preparing the Information Risk Management report (including Risk identification, analysis, rating and working on mitigation options) Perform Vulnerability Assessment and Penetration Testing (on selected devices, IPs, as per mutual agreement) Drafting necessary Information Security Policies Assist in drafting information security procedures, as required, including listing out the relevant formats Prepare the ISMS Implementation plan with ISMS Coordinator Assist in implementation of various policies and technical controls Conduct Information Security Trainings for different level of personnel in the organization (like Senior management and Business Managers, IT Teams, End-users and Auditors) Check Perform ISMS Internal Audit Discuss Internal Audit Findings with ISMS Coordinator and other personnel, as required Assist in preparing Audit Response Plan (Corrective and Preventive Action Reports) Act Assist in implementation of Audit Response Plan (Corrective and Preventive Action Reports)
Requirements	Management commitment for implementation of ISMS Hiring external certifying authority for obtaining certification
What you get	Provide the Gap Analysis Report that includes a broad roadmap for ISMS Review report for Security Architecture for Network Finalized Information Security Scope Document Information Asset Register with Risk Management Information Security Policies, Procedures, Guidelines, Templates etc. Vulnerability Assessment and Penetration Test Reports ISMS Training Material Internal Audit Report Reports that list out the Corrective and Preventive Actions
Suggested frequency	As per the requirement

RC-5: PCI-DSS Advisory & Consulting

Ref. Code:	RC-5
Objective	To help organizations to comply with PCI-DSS standards for Data Security
What we do	Business Scoping Gap Analysis Preparation of Reports Application Security Code Review Application Penetration Testing External Network-layer Penetration Tests Internal network Vulnerability Assessment
Requirements	Management would be responsible for the implementation of ISMS Hiring an external certifying authority to obtain certifications
What you get	Self-Assessment Questionnaire (Duly Filled up SAQ) As-Is or Gap Analysis Report including a broad roadmap for PCI-DSS data security standards Review report for the Security Architecture for Networks Vulnerability Assessment and Penetration Test Reports Corrective and Preventive Action Reports
Suggested frequency	As per the requirement.

Leave a reply

© 2018 SecurBay Services Pvt. Ltd.
SecurBay is a registered trademark of SecurBay Services Pvt. Ltd

Translate »