ISO 27001 - Information Security Management

The ISO/IEC 27000 family of standards helps organizations keep information assets secure.

Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.

ISO/IEC 27001 is the best-known standard in the family, providing requirements for an information security management system (ISMS). Indio provides assistance in the implementation of the ISO 27001 framework. With a team of experienced information security professionals who are also ISO 27001 certified Lead Implementers and Auditors, we have an in-depth understanding of the standard. Our implementation strategy is based on a phased approach:

Indio’s security professionals will conduct an analysis of gaps in your current system against the requirements of ISO 27001, including a physical security review. The observations will be compiled into a report defining your level of compliance and will be used to consolidate the risk treatment plan for the compilation of the Control Implementation Strategy.

This is the most crucial phase of the implementation, wherein an asset register containing all the information assets of the organization is built. This involves meetings and discussions with the key stakeholders of your organization. A comprehensive risk assessment is then conducted on the critical information assets, based on which appropriate controls to mitigate the identified risks are selected.

During this phase Indio will formulate a strategy for the implementation of the controls selected in the previous phase. All the documentation pertaining to the ISMS will also be developed during this phase, including the formulation of Information Security Policies and the various procedures supporting the policies. The policies and procedures address the risks identified during the risk assessment phase.

The implementation roadmap, which is the outcome of the previous phase, will guide your organization’s team in the implementation of the identified controls. During this phase Indio consultants will advise and guide the implementation team.

ISMS Readiness Review — This phase will review the readiness of the client to achieve ISO 27001 certification. Indio will guide and prepare the client’s audit team to conduct internal audits. The audit results will be evaluated, and any gaps found will be closed by your implementation team with guidance from Indio consultants.

Finally, you will face the certification body’s team of auditors. Indio consultants will hand-hold your team during the audit. We will assist you in the closure of any non-conformities or observations noted by the external auditors and help you in achieving ISO 27001 certification.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996 by President Bill Clinton. It is legislation that provides security and data privacy provisions in order to keep patients’ medical information safe. The act contains five titles.

Our HIPAA Consulting Services are designed to make this task really easy for you. Whether you are a provider or a Business Associate, our experienced team of HIPAA consultants and healthcare domain experts will make sure that you are 100% compliant with all the rules and regulations enforced by HIPAA.

Most of our HIPAA-HITECH regulatory compliance consulting services are focused around HIPAA Security (Physical, Administrative and Technical Safeguards), HIPAA Privacy, HIPAA Transactions and the Omnibus Rule. Our services include:

  • HIPAA regulatory compliance consulting
  • Privacy and Data Breach Notification, Remediation and Management
  • Meaningful Use Risk Assessment
  • Security Auditing and Testing
  • Privacy Auditing and Testing
  • Gap Analysis
  • Risk Analysis
  • HIPAA policy and procedures implementation
  • Organizational HIPAA Training

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security controls developed by an aggregated body of experts from the major card brands. The standard covers the fundamental aspects of information security and extends through the people, processes and technologies involved in payment card processing systems.

PCI DSS is a complex and granular standard that is mandatory for all entities which store, process or transmit payment card data, as well as organizations that may impact the security of a credit card processing environment.

If your organization wishes to meet the standards outlined in PCI DSS without the need for certification, we offer consultancy services to assist you in reaching the high PCI standards.

Our Qualified Security Assessors (QSA) will lead you through the PCI journey from initial review to full alignment with the standard in the most efficient and least intrusive manner possible. This will ensure your business can continue to operate while maintaining a secure payment processing environment.

Our PCI DSS consultancy services include:

  • PCI DSS scope determination and scope reduction services
  • PCI DSS gap analysis and prioritized action planning
  • PCI Self-Assessment Questionnaire (SAQ)
  • PCI DSS Report on Compliance (ROC) audit
  • P2PE implementation assessments
  • Penetration testing and vulnerability scanning services
  • Security Information and Event Management (SIEM) services

SOC 2 Consulting Services

System and Organization Controls (SOC 2) refers to internal control over Security, Availability, Processing Integrity, Confidentiality and Privacy.

System and Organization Controls (SOC) 2 (SOC 2 in short) aims to protect the interests of the user entity while it receives services from the service organization. This is assured by the attestation provided by a Certified Public Accountant (CPA) in issuing a Type 1 report or a Type 2 report. A Type 1 report is an attestation of control testing at a point in time, whereas a Type 2 report results from testing controls over a period of time.

We have a well-defined 6-phase methodology to help an organization achieve successful SOC 2 compliance.

SOC 2 has the following five principles; the principles and their objectives are listed below.

Security (Common Criteria)

The system is protected, both logically and physically, against unauthorized access.

Availability

The system is available for operation and use as committed or agreed to.

Processing Integrity

System processing is complete, accurate, timely, and authorized.

Confidentiality

Information that is designated ‘confidential’ is protected as committed or agreed.

Privacy

Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity’s privacy notice and with the privacy principles put forth by the American Institute of Certified Public Accountants, and the Canadian Institute of Chartered Public Accountants (CICA).

We have a structured approach to determine the applicable list of risks and controls that are required to achieve SOC 2 attestation. Our approach ensures that the service organization has adequate ‘internal controls’ over the applicable security criteria, giving any Certified Public Accountant (CPA) the assurance needed to issue SOC 2 reports.

PHASE I - Determination of Objectives

This phase involves determining the objectives of the user entity as well as those of the service organisation.

PHASE II - Gap Analysis

This phase involves performing a gap analysis of the above-listed objectives on one hand, and the applicable SOC 2 controls and risks on the other. We provide solutions for all identified gaps.

PHASE III - Control Design and Documentation

In this phase, risk and control responsibilities are distributed to internal stakeholders. This also includes the nomination of key roles, such as a risk officer, who will drive ongoing compliance.

PHASE IV - Tracking

PHASE V - Performance Tracking

This phase shows the client the changes made over a given period by providing a change-specific compliance score between 0 and 100%. This gives the organisation evidence of a measurable framework for demonstrating internal controls.

PHASE VI - Internal Audit

An internal audit followed by a formal review of the program gives the organisation an independent perspective and enables it to be ready for final attestation.

At this stage the client has implemented the governance system in full. Generally, one month after this point the organisation can achieve SOC 2 Type 1 attestation, and after six months the client can achieve Type 2 attestation. This assumes that all risks are under control, which will give adequate assurance to the user entity.