- Powershell
- Linux
- Operating Systems
- Security
Control assessment for a small / medium company
I've been asked to source the below for a small / medium business. Any help with this would be great... Templates and or explanation on what is required.
Thanks!
- A written information security program to protect the confidentiality, integrity and availability of our information. Professional certification such as ISO27001, PCI-DSS AOC, SOC Type II
- Not sure what they are asking for here...... Do you have established controls for assessing and ongoing oversight of the adequacy of your own partners / suppliers IT Security postures?
- Corporate incident response policy and a formalized breach notification process
Thanks!
Hi there,
Basically, they're asking you to create written documentation showing how do you protect your data. CIA (Confidentiality, Integrity, availability).
These names are regulation/compliant for your company. (SO27001, PCI-DSS AOC, SOC Type II.) HIPAA is another one, feel free to google it up.
In short terms they want you to have documentation to show the company how are you protecting its data.
For example
1- What is the policy for a user when they leave the company.
2- Are you encrypting the data such as (outbound emails, VPN, what encryption methods are you using).
3- What are the password policy in active directory, are you locking the machine after an Idle time?
4- How often you run updates, does your company deals with social security or any confidential information, if so, are they being encrypted?
This can give you an Idea.
Cheers.
Basically, they're asking you to create written documentation showing how do you protect your data. CIA (Confidentiality, Integrity, availability).
These names are regulation/compliant for your company. (SO27001, PCI-DSS AOC, SOC Type II.) HIPAA is another one, feel free to google it up.
In short terms they want you to have documentation to show the company how are you protecting its data.
For example
1- What is the policy for a user when they leave the company.
2- Are you encrypting the data such as (outbound emails, VPN, what encryption methods are you using).
3- What are the password policy in active directory, are you locking the machine after an Idle time?
4- How often you run updates, does your company deals with social security or any confidential information, if so, are they being encrypted?
This can give you an Idea.
Cheers.
I have some template but I don't have it in my office. When I get home I'll be happy to send it to you.
In the meantime what you need is a risk assessment. Use this link, they have many samples:https://www.sampletemplates.com/business-templates/analysis/hipaa-security-risk-analysis-template.html
They're more HIPAA - but it's related to the one above it.
Cheers,
In the meantime what you need is a risk assessment. Use this link, they have many samples:https://www.sampletemplates.com/business-templates/analysis/hipaa-security-risk-analysis-template.html
They're more HIPAA - but it's related to the one above it.
Cheers,
Aside: Since you mentioned PCI Compliance. This is generally... wow, I almost said scam... maybe say PCI Compliance is a game.
Each company selling their scanner services has a completely different set of tests, so if your management chooses some PCI Compliance company, you'll just have to go through all their problem reports + clear them all... which consists of a few real action items... and many other games to clear false positives.
So regards PCI Compliance, this is scanner based rather than some fixed set of actions you can take.
Each company selling their scanner services has a completely different set of tests, so if your management chooses some PCI Compliance company, you'll just have to go through all their problem reports + clear them all... which consists of a few real action items... and many other games to clear false positives.
So regards PCI Compliance, this is scanner based rather than some fixed set of actions you can take.
@David,
Like Don King, said when he robbed Mike Tyson, "this is America babe" that's what the compliance is all about money. It is also being enforced by the government - idk if its a way to create jobs or scam people.
Like Don King, said when he robbed Mike Tyson, "this is America babe" that's what the compliance is all about money. It is also being enforced by the government - idk if its a way to create jobs or scam people.
@Goraps,
Dude, I forgot but I've found real templates on this website I bookmarked - please click on the link https://www.sans.org/security-resources/policies, you'll see everything in general at the security perspective among others.
Cheers,
Dude, I forgot but I've found real templates on this website I bookmarked - please click on the link https://www.sans.org/security-resources/policies, you'll see everything in general at the security perspective among others.
Cheers,
The International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001 (ISO 27001) series of standards is a set of best practices that provides guidance to organizations implementing and maintaining information security programs.
An important aspect of ensuring compliance with the information security program is the education and awareness of the organization regarding the importance of the program.
Also commitment from senior management provides the basis to achieve success in implementing an information security program.
https://www.experts-exchange.com/articles/31763/Incident-Handling-and-Response-Plan.html
https://www.experts-exchange.com/articles/33330/Threat-Modeling-Process-Basics-and-Purpose.html
https://www.experts-exchange.com/articles/33606/CISSP-Process-Guide.html
-
![]()
SolutionAccessing external WLAN captive portals when a company proxy is set -
![]()
ArticleWhat Is Cybersecurity Compliance Assessments & How to Use It? -
![]()
VideoHow to password-protect a PDF with free software - PDF-XChange Editor -
![]()
Cloud Class®Certification: IS20 Information Systems 20 Controls - Security Controls
Premium Content
You need an Expert Office subscription to comment.Start Free Trial