Goraps (Canada) asked on

Control assessment for a small / medium company

I've been asked to source the items below for a small / medium business. Any help with this would be great: templates and/or an explanation of what is required.

  • A written information security program to protect the confidentiality, integrity and availability of our information. Professional certification such as ISO27001, PCI-DSS AOC, SOC Type II

  • Not sure what they are asking for here... Do you have established controls for assessing and ongoing oversight of the adequacy of your own partners' / suppliers' IT security postures?

  • Corporate incident response policy and a formalized breach notification process

Thanks!
Tags: iso27001, pci compliance, Security


8/22/2022 - Mon
Hemil Aquino

Hi there,

Basically, they're asking you to create written documentation showing how you protect your data: CIA (Confidentiality, Integrity, Availability).

These names are regulations/compliance standards for your company (ISO27001, PCI-DSS AOC, SOC Type II). HIPAA is another one; feel free to google it.

In short, they want you to have documentation to show the company how you are protecting its data.

For example:

1- What is the policy for a user when they leave the company?
2- Are you encrypting the data (outbound emails, VPN, what encryption methods are you using)?
3- What is the password policy in Active Directory? Are you locking the machine after an idle time?
4- How often do you run updates? Does your company deal with social security numbers or any confidential information? If so, is it being encrypted?

This can give you an idea.

Cheers.
Goraps

ASKER
Are there any templates I can follow to get this going?
Hemil Aquino

I have some templates but I don't have them in my office. When I get home I'll be happy to send them to you.
In the meantime, what you need is a risk assessment. Use this link; they have many samples: https://www.sampletemplates.com/business-templates/analysis/hipaa-security-risk-analysis-template.html

They're more HIPAA, but it's related to the ones above.

Cheers,
Goraps

ASKER
Awesome, thanks a lot!
David Favor

Aside: since you mentioned PCI Compliance. This is generally... wow, I almost said scam... maybe say PCI Compliance is a game.

Each company selling their scanner services has a completely different set of tests, so if your management chooses some PCI Compliance company, you'll just have to go through all their problem reports + clear them all... which consists of a few real action items... and many other games to clear false positives.

So regarding PCI Compliance, this is scanner-based rather than some fixed set of actions you can take.
Hemil Aquino

@David,

Like Don King said when he robbed Mike Tyson, "this is America, babe." That's what compliance is all about: money. It is also being enforced by the government - I don't know if it's a way to create jobs or scam people.
Goraps

ASKER
@hemil Were you able to get those templates from home?
ASKER CERTIFIED SOLUTION
Hemil Aquino

madunix

The International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001 (ISO 27001) series of standards is a set of best practices that provides guidance to organizations implementing and maintaining information security programs.

An important aspect of ensuring compliance with the information security program is the education and awareness of the organization regarding the importance of the program.

Also, commitment from senior management provides the basis for success in implementing an information security program.


https://www.experts-exchange.com/articles/31763/Incident-Handling-and-Response-Plan.html

https://www.experts-exchange.com/articles/33330/Threat-Modeling-Process-Basics-and-Purpose.html

https://www.experts-exchange.com/articles/33606/CISSP-Process-Guide.html
Goraps

ASKER
Is there a certification geared towards small / medium businesses that I can look at? If so, what would the name of that cert / certs be?
Hemil Aquino

Hey dude, I can't find my old files, so I owe you that.

Now, based upon your last comment, there are lots of certifications you can look for:

1- ITIL Expert
2- CGEIT
3- CGRC
4- CRISC

You can buy some online training to help you expand your knowledge.