Governance, Risk and Compliance Services

Control Assurance Services

Information Security and data privacy risks are at the forefront of organizations’ business issues as they consider their risk posture and potential exposure. Increasing scrutiny from regulators and clients also means that organizations have to be proactive in managing these risks.

Organizations’ effective and secure interaction with business partners, vendors, and service organizations is critical to the efficient operation of business processes. This has led to the implementation of specific programs to manage information security and privacy.
A critical requirement for any such management program is verifying the effectiveness of established controls.
Our Controls Assurance Services primarily focus on the following areas:

Conduct assessments against an organization’s security policy and standards, or against an independent control framework
Determine whether cybersecurity/privacy controls are suitably designed to meet their security objectives
Assess the efficacy of the controls and their alignment with the organization’s risk assessment
CyRAACS can assess and develop Information Security Compliance frameworks based on control requirements of:
Standards (ISO 27001, PCI DSS, SOC 2, ISO 27017, ISO 27018, CSA STAR, ISO 27701 etc.)
Frameworks (NIST 800-53, NIST CSF, HITRUST CSF, NIST 800-171 etc.)
Regulatory Requirements (GDPR, CCPA, NYDFS Cyber Security Regulations, HIPAA)

Third Party Risk Management Services

Organizations across the world rely on third parties for products, services, outsourced operations etc. to ensure faster production outcomes, meet tight delivery timelines, and lower costs. With the rapid change in the frequency and scale of third-party use, there is a consequential increase in regulatory focus on how organizations manage their third parties and address the risk those third parties introduce.

Risk and compliance objectives are no longer limited to traditional organizational boundaries; organizations are now responsible for the actions of their third parties. Third party risk management is the process of analysing, controlling, and monitoring the risks presented to an organization by a third-party vendor.

Minimize your organization’s exposure to third-party risks by leveraging our Third-Party Risk Management (TPRM) practice. We can manage an organisation’s entire TPRM lifecycle, from risk analysis, due diligence, assessments, and periodic monitoring and improvement through to termination.

Policy Management Services

Policies are the vehicle deployed by the Board and Executive Management to set the risk appetite for the organization. These policies also need to incorporate legal and regulatory requirements, client contractual requirements, and the requirements of standards/frameworks. A comprehensive set of Information Security policies forms the baseline for implementing the various security controls. Policies need to be updated periodically to align with the evolving threat landscape and increasing regulatory scrutiny.

We can manage the complete Policy Management lifecycle: Risk Assessment, Policy Management Structure, Policy Writing and Approval, Publishing and Dissemination, Training, and Review and Updates.

Data Flow Analysis

Organizations across the world are dealing with an increasing amount of data every day, whether through e-mails, files, transactions etc. Additionally, each of these involves activities such as saving, copying, archiving, streaming, uploading, downloading, and transferring large numbers of files. This happens at the velocity of modern networks, on wired or mobile devices, in a rapidly evolving technical environment.

Today, organizations share large amounts of information among many locations, and this brings data security risks: the way data is handled today makes it an easy target for exposure. Organizations therefore urgently need to understand what their sensitive data is and where it resides, so that they can deploy appropriate controls to protect it.

Data Flow Analysis (DFA) is the first step towards identifying sensitive data and implementing appropriate security controls for data protection. Our DFA framework covers all stages of the data lifecycle, from data acquisition to retirement. This helps to capture an accurate picture of the data flow at each stage within the organisation.

The output from DFA can act as a key input to a Digital Rights Management (DRM) or Data Leakage Prevention (DLP) tool implementation, should an organisation wish to implement those tools.

PCI DSS Compliance Services

PCI DSS consists of more than 250 technical and operational requirements, which apply to both the IT environment and core business areas. Many of these requirements involve continuous review and periodic activities in order to achieve annual certification.

CyRAACS can manage these requirements as a Managed Service to ensure the organisation’s compliance with PCI DSS. We bring in a culture of continuous compliance so that remediations are implemented in a timely manner and audits are stress-free.
