Audits, Risk Assurance and Compliance

Information Security Audits

An information technology (IT) audit is the examination and evaluation of an organisation’s IT infrastructure, and their policies. The audit determines whether the existing IT controls protect corporate assets adequately. It ensures that data integrity aligns with the overall business goals and provides opportunities to improve.

On the other hand, an information security (IS) audit examines the maturity of information security in an organisation. IS auditing can have a broad scope. There are several types of IS audits: technical, physical, or even administrative. They all have different objectives and can require, among others, the examination of facilities and infrastructure.

With ITSEC’s expertise and proven record, organisations will successfully overcome the challenges of IS audits.

Some of the key benefits:

•  Help organisations to assess the objectives of the information security audits and their scope.
•  Help to frame a strategy, including defining the procedures to deal with audits.
•  Assistance in the identification of cybersecurity risks, including monitoring and control of organisational information assets.
•  Setting up a benchmark for delivering continuous improvements of audits.

Information Security Risk Assurance

ITSEC’s Information Security Risk Assurance service and associated workshops help enterprises identify risks and allow them to make the most of their security investments.

We determine flaws or gaps in organisations’ existing security policies, procedures, and controls in order to assist them with information security risk management. These international standards-based services for security, privacy, and continuity provide a proven basis for minimising business risks and maximising return on investments.

Transforming security and digital protection requires a measured and skilled approach. We help to protect organisations’ digital information infrastructure by mitigating risks and analysing evolving security compliance landscapes. To put the right security and privacy controls in place is crucial.

We can help enterprises define their strategy, to mature or to remediate gaps in their security systems.

Our risk assurance services can assist with:

• Risk identification, management, and mitigation.
•  Risk assessment as to whether the level of organisations’ cybersecurity investment links to their business objectives.
•  Gap analysis as to the current state of organisations’ IS program for improvement.
•  Framing a business case for security managers in order to help them get their key stakeholders’ buy-in for enforcement of IS policies.
•  An assessment whether organisations have the right controls in place.
•  Prioritisation of changes to technology and systems, review of operations, and implementation of evolving regulatory requirements.

Information Security Compliance

ITSEC’s information security compliance portfolio is a collection of services designed to create and adopt a security strategy that addresses the organisation’s key security risks. Consequently, we provide that the enterprises’ security function become adaptable to business performance drivers without an increased risk in compliance mandates.

We offer advisory and consulting services to help organisations assess their current state and implement the required changes.

We help organisations to adhere to the following compliance and regulatory frameworks:

ISO 27001 Implementation

The ISO/IEC 27000 family of standards helps organisations to keep information assets secure.

Using this family of standards will provide security of assets, such as financial information, intellectual property, employee details, or information entrusted to companies by third parties.

ISO/IEC 27001 is the best-known standard in its family, providing requirements for an information security management system (ISMS).

ITSEC has expertise in helping organisations to build robust and effective ISMS.

Peraturan Otoritas Jasa Keuangan (POJK) Compliance

Peraturan Otoritas Jasa Keuangan (POJK), or simply OJK, is the governing body of the financial services sector in the Republic of Indonesia. All financial institutions in Indonesia and their overseas entities are required by law to adhere to POJK’s compliance requirements.

ITSEC has over a decade of presence in Indonesia and is a leading service provider of information security, including security compliance. We can help organisations set up a compliance programme in accordance with the POJK regulations.

Payment Card Industry Data Security Standard (PCI DSS) Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organisations of any size that accept credit card payments from the major card schemes.

The PCI Standard is managed by the Payment Card Industry Security Standards Council. In order to protect credit card data, it enforces security controls by mandating organisations to comply with their rules.

Some of the PCI DSS rules require organisations to provide PCISSC evidence that the standards have been met throughout the year.

ITSEC can help organisations to perform a gap analysis. We also provide consulting on, and implementation of the ever-evolving PCI DSS compliance requirements.

The key benefits of the service are:

•  Assessment of enterprises’ current state in relation to the PCI DSS requirements.
•  Gap analysis and consulting about how to continue to meet the compliance requirements.
•  Establishment of PCI DSS requirements and solution baselines for future references.
•  Secured networks, protected cardholder data, well-managed security program including IS policies.
•  Ability to remain on top of the ever-changing regulatory and compliance frameworks.

Threat and Vulnerability Risk Assessment (TVRA) Compliance

Threat and Vulnerability Risk Assessment (TVRA) is a method to identify cybersecurity threats to data centres. It explores operational weaknesses in data centres in order to determine the level and type of security that should be established to protect the facility.

In the financial services industry, the security requirements are amongst the most stringent. Various government bodies require the financial services providers to comply with local regulatory requirements. This can affect in many instances also foreign firms that are engaging in local business activities. This adds more complexities for businesses—locally and transnationally.

Financial institutions are often required to undergo TVRA assessment, such as auditing of data centres for security, evaluation of the safety controls, including hosted data centres, in order to demonstrate that their data centre assets meet the legal requirements.

The analysis of threats and vulnerabilities relating to data centres vary, depending on several factors: the criticality of a data centre, the geographic location, the tenant type, the potential impact from disasters, political environment, etc.

ITSEC can help organisations to comply with the requirements of protecting and safeguarding their technology assets with a risk-based approach TVRA. We apply the method to every asset individually depending on the elements that have to be assessed.

Our approach comprises different phases, such as the identification of perceived critical threats, a risk rating in terms of impact and probability, a detailed analysis of how such threats may impact asset directly or indirectly, and assistance in drafting a remediation plan within the constraints.

We deliver the following key services:

• Vulnerability assessment.
•  Cataloguing of organisational IT resources, including assets and capabilities.
•  Identification of sources of greatest threats by assigning a risk-based quantifiable value and importance to the resources in order to highlight which configurable items are prone to the highest levels of threat.
•  Identification of the vulnerabilities or potential threats to each endpoint.
•  Mitigation or eradication of the severest vulnerabilities for the most valuable resources.

General Data Protection Regulation (GDPR) Compliance

The General Data Protection Regulation (GDPR) is binding on organisations processing personally identifiable information (PII) of individuals inside the European Union (EU).

The regulation applies to all enterprises that are conducting business in the European Economic Area. The GDPR provides rules in connection with transferring personal data outside of the EU.

Business processes in which personal data is handled require data protection by design and by default. Personal data must be stored using encryption and the highest-possible privacy settings must be used by default. Data must not be available publicly without explicit consent.

ITSEC has the expertise to help organisations to comply with the requirements of GDPR.