Governance and Compliance Services
Organizations’ effective and secure interaction with business partners, vendors, and service organizations is critical to the efficient operation of business processes. This has led to the implementation of specific programs to manage information security and privacy.
A critical requirement for any such management program is verifying the effectiveness of established controls.
Our Controls Assurance Services primarily focus on the following areas:
- Conduct assessments against the organization’s security policy and standards, or against an independent control framework
- Determine whether cybersecurity/privacy controls are suitably designed to meet the security objective
- Assess the efficacy of the controls and alignment with the organization’s risk assessment
CyRAACS can assess and develop Information Security Compliance frameworks based on control requirements of:
- Standards (ISO 27001, PCI DSS, SOC 2, ISO 27017, ISO 27018, CSA STAR, ISO 27701 etc.)
- Frameworks (NIST 800-53, NIST CSF, HITRUST CSF, NIST 800-171 etc.)
- Regulatory Requirements (GDPR, CCPA, NYDFS Cyber Security Regulations, HIPAA)
PCI DSS is relevant to all merchants that store, process or transmit cardholder data, regardless of revenue and credit card transaction volumes. The most recent version is PCI DSS 3.2. Version 3.2 was introduced in April 2016 and officially replaced version 3.1 on February 1, 2018.
Our QSA services are tailored to an organisation’s specific size and compliance needs; we work closely with clients and provide guidance through the entire PCI DSS compliance process.
Risk and compliance objectives are no longer limited to traditional organizational boundaries; organizations are now responsible for the actions of their third parties. Third-party risk management is the process of analysing, controlling, and monitoring the risks presented to an organization by a third-party vendor.
Minimize the organization’s exposure to third-party risks by leveraging our Third-Party Risk Management (TPRM) practice. We can manage an organisation’s entire TPRM lifecycle, from risk analysis, due diligence, assessments, and periodic monitoring and improvement through to termination.
Policies are the vehicle deployed by the Board and Executive Management to set the risk appetite for the organization. These policies also need to incorporate legal and regulatory requirements, client contractual obligations, and standards/frameworks. A comprehensive set of Information Security policies forms the baseline for implementing the various security controls. Policies need to be updated periodically to align with the evolving threat landscape and increasing regulatory scrutiny.
We can manage the complete Policy Management lifecycle: Risk Assessment, Policy Management Structure, Policy Writing and Approval, Publishing and Dissemination, Training, and Review and Updates.