SMART iT can assist you in meeting your compliance objectives for HIPAA, PCI or ISO 27001.
We can help you assess and identify areas of improvement in your security posture and work with you to fix your compliance shortfalls. In addition to monitoring and detection, your service includes vulnerability management, which is a major requirement to meet compliance standards.
We can help you with:
> Monitoring user behavior and managing security incidents
> Collecting, aggregating, and classifying compliance related data
> Regularly assessing vulnerabilities
> Analyzing data and providing necessary reports
> Reducing time and costs of audit preparation
INFORMATION SECURITY MANAGEMENT SYSTEMS
The ISO/IEC 27001 standard specifies the requirements for an Information Security Management System (ISMS): a framework of policies, processes and controls that helps your organization keep its information assets secure against the risks of loss, damage, unauthorized disclosure or any other threat.
Benefits of ISO/IEC 27001 certification to your organization:
> Addresses physical and environmental security as part of the management system, alongside organizational and technical controls.
> Provides you with a competitive advantage.
> Reduces costs due to incident and threat minimization.
> Demonstrates compliance with customer, regulatory and/or other requirements.
> Sets out areas of responsibility across the organization.
> Communicates a positive message to staff, customers, suppliers and stakeholders.
> Integrates information security with business operations.
> Aligns information security with the organization’s objectives.
> Adds value by opening up new marketing opportunities.
We help organizations demonstrate commitment and competence against internationally recognized standards, providing this assurance through education, evaluation and certification against rigorous, internationally recognized competence requirements. With more than 900 partners in over 150 countries worldwide, our mission is to provide our clients with comprehensive services that inspire trust, drive continual improvement, demonstrate recognition and benefit society as a whole.
About PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council.
PCI DSS provides a baseline of technical and operational requirements designed to protect account data (cardholder data and/or sensitive authentication data). The standard applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data and/or sensitive authentication data.
PCI DSS consists of 12 high-level requirements, broken down into more than 200 sub-requirements (controls), all focused on the security of payment card account data. Policies and procedures, technical measures, administrative effort and physical security must complement one another so that the organization stays continuously compliant with the PCI DSS requirements, not only at assessment time.
Failure to comply with PCI DSS may result in fines, loss of reputation and the inability to accept major payment cards. The 12 requirements, in short:
> PROTECT WITH FIREWALLS
> USE ADEQUATE CONFIGURATION STANDARDS
> SECURE CARDHOLDER DATA
> SECURE DATA OVER OPEN AND PUBLIC NETWORKS
> PROTECT SYSTEMS WITH ANTIVIRUS
> UPDATE YOUR SYSTEMS
> RESTRICT ACCESS
> USE UNIQUE ID CREDENTIALS
> ENSURE PHYSICAL SECURITY
> IMPLEMENT LOGGING AND LOG MONITORING
> CONDUCT VULNERABILITY SCANS AND PENETRATION TESTING
> START DOCUMENTATION AND RISK ASSESSMENTS
About the GDPR
The General Data Protection Regulation (GDPR) is a legal act of the European Parliament and the Council (Regulation (EU) 2016/679) that was adopted in April 2016 and applies from May 25, 2018. The GDPR primarily seeks to provide unified and clear rules on stronger data protection that are fit for the digital age, give individuals more control over the personal data that companies process about them, and make enforcement more consistent across member states.
The GDPR repeals the previous legal act (Directive 95/46/EC) enacted in 1995, which had been transposed and interpreted inconsistently by the various European Union member states. In addition to harmonizing data protection law across the E.U., the regulation also affects non-European companies that offer goods or services to, or monitor the behavior of, individuals in the European Union, and therefore process their personal data. This is the extraterritorial application of the law. In other words, organizations of all types and from all industries that are established outside the European Union but conduct business within it are subject to the GDPR from May 25, 2018.
The extended jurisdiction of the GDPR is arguably the biggest change to the 1995 Directive. The other important principles laid down in the GDPR are the following:
> Extended rights of data subjects: these include, among others, the right of access, the right to data portability and the right to erasure.
> 72-hour data breach notification: in the case of a personal data breach, an organization must notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay.
> Data protection by design and by default (privacy by design): organizations must ensure that, both when planning processing activities and when implementing any new product or service, the GDPR data protection principles and appropriate safeguards are addressed and built in from the start.
> Accountability: an organization must not only comply with the data protection principles of the GDPR but also be able to demonstrate that compliance.
Fines for non-compliance with the GDPR depend on the infringement and fall into two tiers. Infringements of the basic principles of processing (including the conditions for consent), of data subjects’ rights, or of the rules on international transfers carry fines of up to 4% of the company’s annual worldwide turnover or €20 million, whichever is higher. Infringements of other obligations, such as security of processing, breach notification, data protection impact assessments and the duties of processors, carry fines of up to 2% of annual worldwide turnover or €10 million, whichever is higher. A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed; suffering a breach is not in itself an infringement, but failing to implement appropriate security measures or to notify the breach is.