Tier3 Security provides training and consultation for accreditation to the Payment Card Industry Data Security Standard (PCI DSS compliance) and ISO 27001 in Pakistan. Our experts can take your team through the whole process of ISMS auditing and help you meet the benchmarks the standards body requires.
ISO 27001 Accreditation In Pakistan
The ISO 27001 standard was published in October 2005, essentially replacing the old BS7799-2 standard. It is the specification for an ISMS, an Information Security Management System. BS7799 itself was a long-standing standard, first published in the nineties as a code of practice. As this matured, a second part emerged to cover management systems, and it is this second part against which certification was granted. Today in excess of a thousand certificates are in place across the world.
On publication, ISO 27001 enhanced the content of BS7799-2 and harmonised it with other management-system standards. A scheme was introduced by various certification bodies for conversion from BS7799 certification to ISO 27001 certification.
The objective of the standard itself is to
“provide requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS)”.
Adopting an ISMS should be a strategic decision for the organisation, not a box-ticking exercise. Further, “The design and implementation of an organization’s information security management system is influenced by the organization’s needs and objectives, security requirements, the organizational processes used and the size and structure of the organization”.
The 2005 version of the standard heavily employed the PDCA (Plan-Do-Check-Act) model to structure the processes, and reflected the principles set out in the OECD guidelines (see oecd.org). The 2013 version no longer mandates PDCA and instead places more emphasis on measuring and evaluating how well an organisation’s ISMS is performing. A section on outsourcing was also added with this release, and additional attention was paid to the organisational context of information security.
Some of the most common questions pertaining to the 27000 series of standards relate to the certification process for ISO27001. This page is intended to help address some of these.
In a nutshell, the logical flow of the process is as follows:
The process starts when the organization makes the decision to embark upon the exercise. Clearly, at this point, it is also important to ensure management commitment and then assign responsibilities for the project itself.
An organizational top level policy can then be developed and published. This can, and will normally, be supported by subordinate policies. The next stage is particularly critical: scoping. This will define which part(s) of the organization will be covered by the ISMS. Typically, it will define the location, assets and technology to be included.
At this stage a risk assessment will be undertaken to determine the organisation’s risk exposure and profile, and to identify the best route to address it. The document produced will be the basis for the next stage, the treatment of those risks. Part of this process is the selection of appropriate controls with respect to those listed in the standard’s Annex A (and ISO 27002), with the justification for each decision recorded in a Statement of Applicability (SoA); the SoA must also list the controls that were excluded and why, since an auditor will test exclusions as closely as inclusions. The selected controls should then be implemented and evidence of their operation retained.
The certification process itself can then be embarked upon via an accredited certification body, typically as a stage 1 (documentation) audit followed by a stage 2 (implementation) audit, with surveillance audits thereafter.
Tier3 Security can provide both training and consultation for accreditation to ISO 27001 in Pakistan. Our experts can take you through the audit process with ease.
Benefits of certification to ISO 27001…
- Reassures your customers that you are securely managing their data to a high standard
- Reduces the likelihood of a potential security breach and the costs associated with data loss
- Enhances your reputation as a trustworthy business partner and demonstrates a commitment to best practice information security management
PCI Compliance in Pakistan
The Payment Card Industry Data Security Standard (PCI DSS) applies to any organisation, of any size, that stores, processes or transmits cardholder data, and to the service providers that do so on its behalf. If your company intends to accept card payments, hosting with a PCI compliant provider covers the infrastructure controls, but it does not transfer your obligation: the merchant remains responsible for everything in its own scope and for confirming in writing exactly which requirements the provider covers.
Goal: Building and maintaining a secure network.
Install and maintain a firewall configuration to protect cardholder data. Companies must create their own firewall configuration policy and develop a configuration test procedure designed to protect cardholder data. Your hosting provider should have firewalls in place to protect and create a secure, private network.
Do not use vendor-supplied defaults for system passwords and other security parameters. This means changing every default password before a system is connected to the network, removing or disabling default accounts that are not needed, and hardening configurations against an accepted standard, rather than leaving in place whatever the software or hardware vendor shipped.
Goal: Protect Cardholder Data.
Protect stored data. This requirement only applies to companies that store cardholder data; the simplest way to satisfy it is not to store it at all, which also removes the target that identity thieves most often go after. Where the primary account number (PAN) must be stored, it has to be rendered unreadable (truncation, one-way hashing, tokenisation, or strong encryption with properly managed keys), only the minimum the business actually needs may be kept, and a documented retention and disposal policy must be enforced.
A PCI compliant hosting provider should provide multiple layers of defense and a secure data protection model that combines physical and virtual security methods. Virtual security includes authorization, authentication, passwords, etc. Physical includes restricted access and server, storage and networking cabinet locks, according to Computerworld.com.
Encrypt transmission of cardholder data across open, public networks. Encrypted data is unreadable and unusable to an intruder who does not hold the proper cryptographic keys, according to the PCI Security Standards Council. Encryption is the process by which plaintext, like the words seen here, is transformed into ciphertext; the cryptographic key is the secret input to that process. The algorithm itself (the cipher) is normally public and should be assumed to be known to an attacker, so the protection rests entirely on keeping the key secret, which is why the standard scrutinises key management rather than the secrecy of the algorithm. In practice this means strong TLS with certificate validation for web traffic, and equivalent protection for any other channel that crosses a network you do not control.
As an added security measure, sensitive authentication data, including card validation codes and PINs, must never be stored after authorisation, even if it is encrypted.
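The two requirements above (do not keep what you do not need; never keep sensitive authentication data) are easiest to verify by actually scanning what is on disk. The following is an added example, not code from this page or from Tier3: it finds Luhn-valid 13 to 19 digit runs in a set of constructed records (public test card numbers, not real cardholder data), flags fields that would indicate a stored card validation code or PIN, and reports each hit with the PAN masked to first six and last four digits so the finding itself does not become another copy of cardholder data. The record layout and the field names `cvv`, `cvc` and `pin` are assumptions made for the example.

```python
import re
from typing import Dict, List

# Candidate PAN: 13 to 19 consecutive digits not adjoining another digit.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

# Field names that, if present in stored data, indicate sensitive
# authentication data was kept after authorisation. The names are
# assumptions chosen to match the constructed sample below.
SAD_FIELD = re.compile(r"\b(?:cvv2?|cvc|pin)=\S+", re.IGNORECASE)

# Constructed sample records. The PANs are publicly documented test numbers,
# not real cardholder data.
SAMPLE_RECORDS = [
    "order=1001 customer=alice pan=4111111111111111 cvv=123",  # clear PAN + CVV
    "order=1002 customer=bob pan=5500000000000004",            # clear PAN
    "order=1003 customer=carol pan=411111******1111",          # already masked
    "order=1004 customer=dave ref=1234567890123456",           # 16 digits, Luhn-invalid
    "order=1005 customer=erin phone=03001234567",              # too short to be a PAN
]


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test, which every payment card number passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return digit runs that look like a PAN and pass the Luhn check."""
    return [m.group(0) for m in PAN_CANDIDATE.finditer(text)
            if luhn_valid(m.group(0))]


def mask_pan(pan: str) -> str:
    """Show first six and last four digits, the most PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_records(records: List[str]) -> List[Dict[str, object]]:
    """Report records holding a clear-text PAN or sensitive authentication data."""
    findings = []
    for idx, rec in enumerate(records):
        pans = find_pans(rec)
        sad = SAD_FIELD.search(rec) is not None
        if pans or sad:
            findings.append({
                "record": idx,
                "pans": [mask_pan(p) for p in pans],   # never report the full PAN
                "sensitive_auth_data": sad,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS):
        print(finding)
```

The Luhn filter removes most random digit runs (the `ref` field above is rejected, the already-masked value is never a candidate), but other Luhn-valid identifiers do exist, so a hit is a lead to inspect, not proof on its own. Run this kind of scan over logs and backups as well as the main database; those are where PANs most often turn up unexpectedly.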
Goal: Maintain a Vulnerability Management Program.
Use and regularly update anti-virus software. Anti-virus software must be kept current, run actively, and generate audit logs, so that it protects against recently developed malware and its operation can be evidenced to an assessor. If your data is hosted on outsourced servers, the managed service provider may operate these controls, but the split of responsibility has to be written down: the standard requires a written agreement in which the provider acknowledges its responsibility for the cardholder data it handles, and the merchant stays accountable for its own compliance.
Develop and maintain secure systems and applications. This means having a process to learn of newly identified vulnerabilities (vendor advisories and alert services), ranking them by risk, and installing critical security patches within a month of release; for in-house code it also means secure development practices and code review before release. Your PCI compliant hosting provider should be monitoring and patching the systems it manages, and you should be doing the same for the application layer you own.
Goal: Implement Strong Access Control Measures
Restrict access to cardholder data by business need-to-know. Limiting the number of personnel that have access to cardholder data will lessen the chances of a security breach.
Assign a unique ID to each person with computer access. Shared or generic accounts defeat accountability, because a log entry can then not be tied to one individual. User accounts should follow the standard’s authentication requirements: passwords stored and transmitted only under strong cryptography (hashed, never reversibly encrypted, where a one-way form will do), proper authorisation and authentication, password changes at least every 90 days (the standard’s minimum; a shorter interval is a stricter internal choice), lockout after repeated failed log-in attempts, and idle-session timeouts.
Restrict physical access to cardholder data. If your data is hosted in an off-site data center, your data center provider should have limited personnel with access to the sensitive information. PCI compliant data centers should have full monitoring, including surveillance cameras and entry authentication to ensure a secure and PCI compliant hosting environment.
Goal: Regularly Monitor and Test Networks
Track and monitor all access to network resources and cardholder data. Logs that tie every action to an individual user, are protected from tampering, and are retained (the standard asks for at least one year, with the most recent three months immediately available) let you or your hosting provider reconstruct what happened in the event of a breach or other incident. They must also be reviewed routinely, not only after something has gone wrong.
Regularly test security systems and processes. This means, at minimum, quarterly internal and external vulnerability scans (external scans by an Approved Scanning Vendor), an annual penetration test with retesting after significant changes, and change-detection monitoring on critical system files. A hosting provider can run these on the infrastructure it controls, but it cannot assure you that your customers’ cardholder data is safe at all times; the merchant remains responsible for the application and processes in its own scope.
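Need-to-know restriction (above) and log review only work together: the log is what shows whether the restriction held. The following is an added example, not code from this page or from Tier3, showing the two checks a reviewer would run first over an access log: every read of a cardholder-data resource by a role outside the documented need-to-know list, and every user whose failed log-ins reached the lockout threshold (the standard sets six attempts as the maximum). The log lines are constructed, and the `key=value` format, the role names and the resource name `cardholder_db` are assumptions for the example.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed audit-log excerpt in a hypothetical key=value format; not from
# any real system. User, role and resource names are assumptions.
SAMPLE_LOG = [
    "2024-03-01T09:58:10Z user=bob role=support event=login result=failure",
    "2024-03-01T09:58:14Z user=bob role=support event=login result=failure",
    "2024-03-01T09:58:19Z user=bob role=support event=login result=failure",
    "2024-03-01T09:58:25Z user=bob role=support event=login result=failure",
    "2024-03-01T09:58:31Z user=bob role=support event=login result=failure",
    "2024-03-01T09:58:40Z user=bob role=support event=login result=failure",
    "2024-03-01T10:00:01Z user=alice role=billing event=read resource=cardholder_db result=success",
    "2024-03-01T10:02:45Z user=mallory role=marketing event=read resource=cardholder_db result=success",
    "2024-03-01T10:03:12Z user=carol role=dba event=export resource=cardholder_db result=success",
    "2024-03-01T10:05:00Z user=alice role=billing event=read resource=crm result=success",
]

# Roles with a documented business need to know for cardholder data (assumption).
NEED_TO_KNOW_ROLES = {"billing", "dba"}
CARDHOLDER_RESOURCES = {"cardholder_db"}
LOCKOUT_THRESHOLD = 6   # PCI DSS: lock the ID after no more than six failed attempts


def parse_line(line: str) -> Dict[str, str]:
    """Split 'timestamp k=v k=v ...' into a dict; the timestamp goes under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def review_log(lines: List[str]) -> Dict[str, object]:
    """Flag cardholder-data access outside need-to-know and brute-force log-ins."""
    unauthorised: List[Tuple[str, str, str, str]] = []
    failures: Counter = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev.get("event") == "login" and ev.get("result") == "failure":
            failures[ev["user"]] += 1
        if (ev.get("resource") in CARDHOLDER_RESOURCES
                and ev.get("role") not in NEED_TO_KNOW_ROLES):
            unauthorised.append((ev["ts"], ev["user"], ev["role"], ev["event"]))
    lockout_candidates = sorted(u for u, n in failures.items() if n >= LOCKOUT_THRESHOLD)
    return {
        "unauthorised_access": unauthorised,
        "lockout_candidates": lockout_candidates,
    }


if __name__ == "__main__":
    report = review_log(SAMPLE_LOG)
    for hit in report["unauthorised_access"]:
        print("need-to-know violation:", hit)
    for user in report["lockout_candidates"]:
        print("lockout threshold reached:", user)
```

In a real deployment the need-to-know list comes from the access-control matrix the policy requires you to maintain, and the lockout check should be run against the authentication system's own lockout state as well as the log, because a log showing six failures followed by a success is exactly the case the control is meant to prevent.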
Goal: Maintain an Information Security Policy
Maintain a policy that addresses information security. This policy should cover acceptable use of technology, an annual risk assessment, operational security procedures, security responsibilities for staff and service providers, an incident response plan, and other general administrative tasks, and it must itself be reviewed and updated at least annually.
Tier3 is a leading cyber security service provider in Pakistan. Our team can help your business achieve PCI DSS compliance against the PCI Security Standards Council’s requirements, or ISO 27001 accreditation. Please contact us for more information.