Information Security Management Systems
Information Security Management System (ISMS) Consulting services help an organization to design, implement and operate a coherent set of policies, standards, and procedures (PSP) to manage risks to its information assets. While ISO-27001 is the most well-known promoter of the ISMS concept, the idea of an ISMS can be found in other leading IT control frameworks including COBIT (most notably in Risk IT) and FISMA/NIST (most notably in SP 800-39). PPS’s ISMS Practice Area addresses the three key life-cycle phases of an ISMS:
- Strategize: What framework(s) should we consider? What attestation do we need to provide to which stakeholders? What standards should we align ourselves with? What will the process look like if rolling this out world-wide? What internal/external resources will we need to design it, implement it, certify it, operate it, and validate it?
- Implement: What Risk Assessment Methodology will we adopt? How do we develop the Risk Treatment Plan? How best to Gap Assess current vs. desired state? How do we leverage Security Metrics to know that we are achieving KPI’s?
- Operate: How do we evolve the scope of the ISMS to address other key systems or different locations? How do we independently/objectively validate the operation of the ISMS? How do we provide assurance/attestation to stakeholders like the Board and customers? How do we manage and learn from incidents before risk is realized?
ISO 27001: An Information Security Management Systems (ISMS) standard that is promulgated by the International Organization for Standardization (ISO). It is a formal specification for an ISMS in that it mandates a particular set of controls that need to be in place. Therefore, organizations that claim to have adopted 27001 can be formally audited and certified compliant with the standard. It is this ability to certify the operation of an ISMS that makes 27001 unique and makes it ideal to be used as a form of independent attestation to the design and operation of an Information Security program.
ISO 27002: (formerly ISO 17799) A “collection” of security controls (often referred to as best practices) that are often used as a “security standard”. By definition, an audit (or assessment) is comparison to a standard. While 27002 is not a standard per se – it is often used that way. Assuming that the design and/or operation of your Information Security Management Systems is “consistent with” (e.g., there are no notable gaps) it can be said that your environment is “compliant” with the standard.
FedRAMP: The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government program that establishes a standardized approach for validating that a Cloud Service Provider is “secure.” Organizations that conform to the FedRAMP requirements are deemed to be “Authorized to Operate” (ATO), which essentially means that they are a “pre-approved” vendor for federal agencies wishing to purchase their cloud services. No additional security validation is required for additional agencies to purchase these services.
Shared Assessments: Provides an assessment of an organization’s implementation of its controls using a standardized questionnaire which is based on the ISO 27002 standard, with additional input from Shared Assessments Program members. The approach is more rigidly defined (e.g., answers are Yes, No, or N/A, making the completed SIG easy to read by machine. The original idea was that service providers could complete the SIG just once, and then provide the completed SIG to multiple clients.
HIPAA: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has significantly changed business practices and policies for all Covered Entities (CE). As with many other Regulatory issues, HIPAA is largely a call to a strong control environment, with a focus on the necessary security safeguards to ensure the security of patients. Contrary to prevailing opinion, the achievement of HIPAA Security compliance is not reliant on complex technology solutions and strategies, but rather on simpler people and process-oriented control environment issues
HITRUST: Focused on providing a prescriptive set of controls that are cross mapped and referenced to standards and regulations relevant to healthcare to simplify the process of becoming largely compliant with relevant laws and regulations and mitigating most risks that a typical hospital has to an acceptable level. An over-simplified view is that HITRUST is a set of predefined controls for an assumed set of risks and compliance requirements – with an IT-GRC like mapping. It’s a pre-customized CSF in a box. HITRUST has the advantage over ISO 27001 by being a bit “simpler” as the risks and risk treatments are largely defined.
Business Continuity Management
Business Continuity Management: At its simplest – Business Continuity Management ensures that critical business processes and resources remain available (or can be rapidly restored) in order to ensure the continued achievement of critical organizational objectives.
A logical subset of Business Continuity is Information Continuity (aka; Disaster Recovery) which is focused on ensuring that critical Information Technology resources are available. Our Business/Information Technology Continuity Practices are based on the leading standards including; ISO-27031, ISO-22301, & NIST 800-34.
Payment Card Industry (PCI)
Payment Card Industry: The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle cardholder information for the major debit and credit cards. It was intended to increase controls around cardholder data to reduce credit card fraud. Validation of compliance is done annually — by an external Qualified Security Assessor (QSA) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.
NIST Framework: Identifies 75 existing standards that are likely to be applicable to the development of the Smart Grid. NIST’s mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.