Goraps (Canada)

Control assessment for a small / medium company

I've been asked to source the below for a small / medium business. Any help with this would be great... templates and/or an explanation of what is required.

  • A written information security program to protect the confidentiality, integrity and availability of our information.  Professional certification such as ISO27001, PCI-DSS AOC, SOC Type II

  • Not sure what they are asking for here...... Do you have established controls for assessing and ongoing oversight of the adequacy of your own partners / suppliers IT Security postures?

  • Corporate incident response policy and a formalized breach notification process

Thanks!
Hemil Aquino (United States)

Hi there,

Basically, they're asking you to create written documentation showing how you protect your data. CIA (Confidentiality, Integrity, Availability).

These names are regulations/compliance standards for your company (ISO27001, PCI-DSS AOC, SOC Type II). HIPAA is another one; feel free to google it.

In short, they want you to have documentation to show the company how you are protecting its data.

For example

1- What is the policy for a user when they leave the company?
2- Are you encrypting data such as outbound emails and VPN traffic, and what encryption methods are you using?
3- What is the password policy in Active Directory, and are you locking machines after an idle time?
4- How often do you run updates? Does your company deal with Social Security numbers or any other confidential information, and if so, is it encrypted?

This can give you an idea.

Cheers.
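As an added example (not part of the original thread or of any template mentioned in it), here is a PowerShell script that gathers evidence for item 3 above: it reads the Active Directory default domain password policy and the Group Policy screen-lock settings on a workstation and reports any control that falls short of a target value. The ActiveDirectory RSAT module, the registry path for the screen-saver policy, and every threshold in `$Expected` are assumptions for illustration; substitute the values from your own written policy.

```powershell
# Added example, not from the original post. Collects control evidence for
# "password policy in Active Directory" and "locking the machine after an idle
# time". The thresholds below are illustrative assumptions, not policy values
# taken from the thread; replace them with the figures in your written policy.
Import-Module ActiveDirectory   # assumes the RSAT ActiveDirectory module is installed

$Expected = @{
    MinPasswordLength    = 12    # characters
    MaxPasswordAgeDays   = 365   # a non-positive age in AD means "never expires"
    PasswordHistoryCount = 24    # previous passwords remembered
    LockoutThreshold     = 10    # failed attempts; 0 in AD means lockout is disabled
    IdleLockSeconds      = 900   # 15 minutes before the screen saver locks the session
}

function New-Finding($Control, $Actual, $Expected) {
    # One row of evidence for a control that does not meet the target.
    [pscustomobject]@{ Control = $Control; Actual = $Actual; Expected = $Expected }
}

function Test-DomainPasswordPolicy {
    # Compares the default domain password policy with $Expected and returns
    # one finding per failing control (an empty array means all checks passed).
    $policy   = Get-ADDefaultDomainPasswordPolicy
    $findings = @()

    if ($policy.MinPasswordLength -lt $Expected.MinPasswordLength) {
        $findings += New-Finding 'Minimum password length' $policy.MinPasswordLength "at least $($Expected.MinPasswordLength)"
    }
    if (-not $policy.ComplexityEnabled) {
        $findings += New-Finding 'Password complexity' 'disabled' 'enabled'
    }
    $ageDays = $policy.MaxPasswordAge.TotalDays
    if ($ageDays -le 0 -or $ageDays -gt $Expected.MaxPasswordAgeDays) {
        $actual = $(if ($ageDays -le 0) { 'never expires' } else { "$ageDays days" })
        $findings += New-Finding 'Maximum password age' $actual "at most $($Expected.MaxPasswordAgeDays) days"
    }
    if ($policy.PasswordHistoryCount -lt $Expected.PasswordHistoryCount) {
        $findings += New-Finding 'Password history' $policy.PasswordHistoryCount "at least $($Expected.PasswordHistoryCount)"
    }
    if ($policy.LockoutThreshold -eq 0 -or $policy.LockoutThreshold -gt $Expected.LockoutThreshold) {
        $actual = $(if ($policy.LockoutThreshold -eq 0) { 'lockout disabled' } else { $policy.LockoutThreshold })
        $findings += New-Finding 'Account lockout threshold' $actual "between 1 and $($Expected.LockoutThreshold)"
    }
    return $findings
}

function Test-IdleScreenLock {
    # Reads the screen-saver settings that Group Policy applies to the current
    # user. The values are REG_SZ strings; a missing key means no policy is enforced.
    $key      = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $gpo      = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $findings = @()

    if (-not $gpo -or $gpo.ScreenSaveActive -ne '1' -or $gpo.ScreenSaverIsSecure -ne '1') {
        $findings += New-Finding 'Screen saver lock enforced by policy' 'not enforced' 'enabled and password protected'
    }
    $timeout = [int]($gpo.ScreenSaveTimeOut -as [int])   # $null becomes 0 when no policy is set
    if ($timeout -le 0 -or $timeout -gt $Expected.IdleLockSeconds) {
        $actual = $(if ($timeout -le 0) { 'no timeout set' } else { "$timeout seconds" })
        $findings += New-Finding 'Idle time before lock' $actual "at most $($Expected.IdleLockSeconds) seconds"
    }
    return $findings
}

# Run both checks and print the evidence; an empty result means the controls pass.
$results = @(Test-DomainPasswordPolicy) + @(Test-IdleScreenLock)
if ($results.Count -eq 0) {
    'All checked controls meet the expected values.'
} else {
    $results | Format-Table -AutoSize
}
```

Run it from a domain-joined workstation as a user who can read the domain policy; the table it prints (or a saved CSV of `$results`) is the kind of artefact an assessor will ask to see next to the written password and screen-lock policy. Fine-grained password policies applied to specific groups are not covered here; `Get-ADFineGrainedPasswordPolicy` would need to be checked separately.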
Goraps (ASKER)

Are there any templates I can follow to get this going?
I have some templates, but I don't have them in my office. When I get home I'll be happy to send them to you.
In the meantime, what you need is a risk assessment. Use this link; they have many samples: https://www.sampletemplates.com/business-templates/analysis/hipaa-security-risk-analysis-template.html

They're more HIPAA, but it's related to the ones above.

Cheers,
Goraps (ASKER)

Awesome, thanks a lot!
David Favor
Aside: since you mentioned PCI compliance... this is generally... wow, I almost said scam... maybe say PCI compliance is a game.

Each company selling its scanner services has a completely different set of tests, so if your management chooses some PCI compliance company, you'll just have to go through all their problem reports and clear them all... which consists of a few real action items... and many other games to clear false positives.

So, regarding PCI compliance, this is scanner-based rather than some fixed set of actions you can take.
Hemil Aquino
@David,

Like Don King said when he robbed Mike Tyson, "this is America, babe." That's what compliance is all about: money. It is also being enforced by the government; I don't know if it's a way to create jobs or to scam people.
Goraps (ASKER)

@hemil Were you able to get those templates from home?
ASKER CERTIFIED SOLUTION
Hemil Aquino (United States)

This solution is only available to members.
madunix

The International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001 (ISO 27001) series of standards is a set of best practices that provides guidance to organizations implementing and maintaining information security programs.

An important aspect of ensuring compliance with the information security program is the education and awareness of the organization regarding the importance of the program.

Also, commitment from senior management provides the basis for success in implementing an information security program.


https://www.experts-exchange.com/articles/31763/Incident-Handling-and-Response-Plan.html

https://www.experts-exchange.com/articles/33330/Threat-Modeling-Process-Basics-and-Purpose.html

https://www.experts-exchange.com/articles/33606/CISSP-Process-Guide.html

Goraps (ASKER)

Is there a certification geared towards small / medium businesses that I can look at? If so... what would the name of that cert / those certs be?
Hemil Aquino
Hey dude, I can't find my old files, so I owe you that.

Now, based upon your last comment, there are lots of certifications you can look for:

1- ITIL Expert
2- CGEIT
3- CGRC
4- CRISC

You can buy some online training to help you expand your knowledge.