
Control assessment for a small / medium company

Goraps asked:
I've been asked to source the below for a small / medium business. Any help with this would be great: templates and/or an explanation of what is required.

  • A written information security program to protect the confidentiality, integrity and availability of our information. Professional certification such as ISO 27001, PCI-DSS AOC, SOC Type II.

  • Not sure what they are asking for here... Do you have established controls for assessing and ongoing oversight of the adequacy of your own partners' / suppliers' IT security postures?

  • Corporate incident response policy and a formalized breach notification process

Thanks!

Hemil Aquino, Network Security Engineer
Distinguished Expert 2018

Commented:
Hi there,

Basically, they're asking you to create written documentation showing how you protect your data: CIA (confidentiality, integrity, availability).

These names are regulations/compliance standards for your company (ISO 27001, PCI-DSS AOC, SOC Type II). HIPAA is another one; feel free to Google it.

In short, they want you to have documentation to show the company how you are protecting its data.

For example

1- What is the policy for a user when they leave the company?
2- Are you encrypting the data (outbound emails, VPN, and what encryption methods are you using)?
3- What is the password policy in Active Directory? Are you locking the machine after an idle time?
4- How often do you run updates? Does your company deal with Social Security numbers or any confidential information? If so, is it being encrypted?

This can give you an idea.

Cheers.
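Added example, not code from the thread: a PowerShell script that gathers evidence for items 2 to 4 of the list above (domain password policy, idle screen lock, patch recency, disk encryption) on a domain-joined Windows host, so the answers in the written program can be backed by output rather than assertion. The threshold values in $expected are assumed for illustration, not numbers the thread prescribes; the AD check needs the RSAT ActiveDirectory module and the BitLocker check needs Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the original thread): collect evidence for a few of the
# controls listed above on a domain-joined Windows host. Thresholds below are
# assumed values for illustration; substitute your own policy's numbers.
# Requires the RSAT ActiveDirectory module for the password-policy check and the
# BitLocker module (Windows 8 / Server 2012 and later). Run from an elevated session.

$expected = @{   # assumed baseline, not prescribed by the thread
    MinPasswordLength  = 12
    MaxPasswordAgeDays = 90
    LockoutThreshold   = 10
    ScreenLockSeconds  = 900
    MaxPatchAgeDays    = 30
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Control, $Observed, $Expected, $Pass) {
    $findings.Add([pscustomobject]@{
        Control  = $Control
        Observed = $Observed
        Expected = $Expected
        Pass     = [bool]$Pass
    })
}

# Item 3: domain password policy (Get-ADDefaultDomainPasswordPolicy, ActiveDirectory module)
try {
    $p = Get-ADDefaultDomainPasswordPolicy -ErrorAction Stop
    Add-Finding 'AD min password length' $p.MinPasswordLength $expected.MinPasswordLength `
        ($p.MinPasswordLength -ge $expected.MinPasswordLength)
    Add-Finding 'AD max password age (days)' $p.MaxPasswordAge.Days "1-$($expected.MaxPasswordAgeDays)" `
        (($p.MaxPasswordAge.Days -gt 0) -and ($p.MaxPasswordAge.Days -le $expected.MaxPasswordAgeDays))
    Add-Finding 'AD lockout threshold' $p.LockoutThreshold "1-$($expected.LockoutThreshold)" `
        (($p.LockoutThreshold -gt 0) -and ($p.LockoutThreshold -le $expected.LockoutThreshold))
    Add-Finding 'AD complexity enabled' $p.ComplexityEnabled $true $p.ComplexityEnabled
} catch {
    Add-Finding 'AD password policy' "not readable: $($_.Exception.Message)" 'readable' $false
}

# Item 3: idle screen lock as pushed by Group Policy (user hive, Policies key).
# A missing value means no policy is applied, which counts as a failure.
$desk    = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$timeout = (Get-ItemProperty -Path $desk -Name ScreenSaveTimeOut   -ErrorAction SilentlyContinue).ScreenSaveTimeOut
$secure  = (Get-ItemProperty -Path $desk -Name ScreenSaverIsSecure -ErrorAction SilentlyContinue).ScreenSaverIsSecure
$lockOk  = ($null -ne ($timeout -as [int])) -and ([int]$timeout -gt 0) -and
           ([int]$timeout -le $expected.ScreenLockSeconds) -and ($secure -eq '1')
Add-Finding 'Idle lock timeout (s)' "$timeout (secure=$secure)" "<= $($expected.ScreenLockSeconds), secure=1" $lockOk

# Item 4: patch recency, measured as days since the most recent hotfix install
$latest  = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
$ageDays = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }
Add-Finding 'Days since last hotfix' $ageDays "<= $($expected.MaxPatchAgeDays)" `
    (($null -ne $ageDays) -and ($ageDays -le $expected.MaxPatchAgeDays))

# Item 2: data at rest, BitLocker on the system drive
try {
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    Add-Finding 'BitLocker on system drive' "$($bl.VolumeStatus)/$($bl.ProtectionStatus)" 'FullyEncrypted/On' `
        ($bl.ProtectionStatus -eq 'On')
} catch {
    Add-Finding 'BitLocker on system drive' 'not available' 'FullyEncrypted/On' $false
}

# Show the evidence table and write a CSV you can attach to the assessment
$findings | Format-Table -AutoSize
$findings | Export-Csv -Path (Join-Path $env:TEMP "control-evidence-$env:COMPUTERNAME.csv") -NoTypeInformation
```

The point of the Pass column is that a written program should state the expected value for each control and the check should compare against that value; the CSV per host is the kind of artifact an assessor asks for when the policy document says "machines lock after 15 minutes".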
Goraps, I.T. Manager

Author

Commented:
Are there any templates I can follow to get this going?
Hemil Aquino, Network Security Engineer
Distinguished Expert 2018

Commented:
I have some templates, but I don't have them in my office. When I get home I'll be happy to send them to you.
In the meantime, what you need is a risk assessment. Use this link; they have many samples: https://www.sampletemplates.com/business-templates/analysis/hipaa-security-risk-analysis-template.html

They're more HIPAA, but it's related to the one above.

Cheers,
Goraps, I.T. Manager

Author

Commented:
Awesome, thanks a lot!
David Favor, Fractional CTO
Distinguished Expert 2019

Commented:
Aside: since you mentioned PCI compliance. This is generally... wow, I almost said scam... maybe say PCI compliance is a game.

Each company selling scanner services has a completely different set of tests, so if your management chooses some PCI compliance company, you'll just have to go through all their problem reports and clear them all... which consists of a few real action items... and many other games to clear false positives.

So regarding PCI compliance, this is scanner-based rather than some fixed set of actions you can take.
Hemil Aquino, Network Security Engineer
Distinguished Expert 2018

Commented:
@David,

Like Don King said when he robbed Mike Tyson, "this is America, babe". That's what compliance is all about: money. It is also being enforced by the government; I don't know if it's a way to create jobs or to scam people.
Goraps, I.T. Manager

Author

Commented:
@hemil Were you able to get those templates from home?
Hemil Aquino, Network Security Engineer
Distinguished Expert 2018
Commented:
@Goraps,

Dude, I forgot, but I've found real templates on this website I bookmarked. Please click on the link https://www.sans.org/security-resources/policies; you'll see everything in general from the security perspective, among other things.

Cheers,
madunix, IT Director
Most Valuable Expert 2019

Commented:

The International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001 (ISO 27001) series of standards is a set of best practices that provides guidance to organizations implementing and maintaining information security programs.

An important aspect of ensuring compliance with the information security program is the education and awareness of the organization regarding the importance of the program.

Also, commitment from senior management provides the basis for success in implementing an information security program.


https://www.experts-exchange.com/articles/31763/Incident-Handling-and-Response-Plan.html

https://www.experts-exchange.com/articles/33330/Threat-Modeling-Process-Basics-and-Purpose.html

https://www.experts-exchange.com/articles/33606/CISSP-Process-Guide.html

Goraps, I.T. Manager

Author

Commented:
Is there a certification geared towards small / medium businesses that I can look at? If so, what would the name of that cert / those certs be?
Hemil Aquino, Network Security Engineer
Distinguished Expert 2018

Commented:
Hey dude, I can't find my old files, so I owe you that.

Now, based upon your last comment, there are lots of certifications you can look for:

1- ITIL Expert
2- CGEIT
3- CGRC
4- CRISC

You can buy some online training to help you expand your knowledge.