Q.3 A Merchant Processes Only Small Numbers of
PCI DSS was developed to enhance cardholder data security and to facilitate the broad adoption of consistent data security measures globally.
It provides a baseline of technical and operational requirements designed to protect account data.
It applies to any entity that stores, processes and/or transmits cardholder data (CHD) and/or sensitive authentication data (SAD).
Compliance requirements (small merchant):
• QSA onsite review - Not required
• Network security scan - Recommended (annually)
IT governance makes sure that IT objectives are aligned with the business objectives, producing measurable business value essential for the growth of the organization.
It brings accountability into the enterprise through the shared responsibility of both the directors and the shareholders.
Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; sets direction through prioritisation and decision making; and monitors performance and compliance against the agreed-on direction and objectives (EDM: evaluate, direct, monitor).
IT Governance:
Management acts as the execution body, functioning according to the directions and goals set by the governing body (the board).
Objective: to align information security management with business compliance and risk reduction objectives.
Focuses on the availability, confidentiality and integrity of organisational information, and only on those risks relevant to the business that are justified financially and commercially through a risk assessment.
ISO 27001 is a management standard, not a technical standard; it is a key pillar of corporate governance and best practice.
ISO 27001 is the standard for an ISMS (Information Security Management System) and helps identify, manage and reduce the range of risks to which information is regularly subjected.
It is the leading international standard for ISMS. It specifies the requirements for establishing, implementing, maintaining, monitoring, reviewing and continually improving the ISMS within the context of the organization.
It includes assessment and treatment of information security risks.
It does not focus on information technology alone, but also on other important business assets, resources and processes in the organization.
Benefits:
SoA (Statement of Applicability):
An SoA summarises the organisation's position on each of the 114 information security controls outlined in Annex A of ISO/IEC 27001:2013 (the 2022 revision restructured Annex A to 93 controls), recording for each control whether it is applied and why, or the justification for excluding it.
7 enablers (COBIT 5):
1. Processes—Describe an organised set of practices and activities to achieve certain
objectives and produce a set of outputs in support of achieving overall IT-related goals
2. Organisational structures—Are the key decision-making entities in an organisation
3. Culture, ethics and behaviour—Of individuals and of the organisation; very often
underestimated as a success factor in governance and management activities
4. Principles, policies and frameworks—Are the vehicles to translate the desired
behaviour into practical guidance for day-to-day management
5. Information—Is pervasive throughout any organisation, i.e., deals with all information
produced and used by the enterprise. Information is required for keeping the organisation
running and well governed, but at the operational level, information is very often the key
product of the enterprise itself.
6. Services, infrastructure and applications—Include the infrastructure, technology and
applications that provide the enterprise with information technology processing and
services
7. People, skills and competencies—Are linked to people and are required for successful
completion of all activities and for making correct decisions and taking corrective actions
• Management also monitors operations on behalf of the governing body.
• The governing body reports back to owners and stakeholders about performance.
• Frameworks
• Examples: buildings, enterprises, best-practice systems such as ITIL (read as I-T-I-L) and COBIT, or software applications.
• Standards
• Standards are agreed levels of quality. They are used as the norm and have to be met for the fulfilment of organizational goals and objectives.
• Acts and regulations
• A regulation is a government document that lays down the characteristics or related processes and methods, including the applicable administrative provisions.
COBIT 5 aligns with the latest relevant standards and frameworks used by enterprises:
Enterprise: COSO, COSO ERM, ISO/IEC 9000, ISO/IEC 31000
IT-related: ISO/IEC 38500, ITIL, ISO/IEC 27000 series, TOGAF, PMBOK/PRINCE2, CMMI
This allows the enterprise to use COBIT 5 as the overarching governance and management framework integrator.
HIPAA covered entities were required to comply with the Security Rule beginning on April 20, 2005. OCR became responsible for enforcing the Security Rule on July 27, 2009.
As a law enforcement agency, OCR does not generally release information to the public on current or potential investigations.
OCR enforces the Rules by:
1) investigating complaints filed with it;
2) conducting compliance reviews to determine whether covered entities are in compliance;
3) performing education and outreach to foster compliance with the Rules' requirements;
4) working in conjunction with the Department of Justice (DOJ) to refer possible criminal violations of HIPAA.
OCR is responsible for enforcing the HIPAA Privacy and Security Rules (45 C.F.R. Parts 160 and
164, Subparts A, C, and E). One of the ways that OCR carries out this responsibility is to investigate
complaints filed with it. OCR may also conduct compliance reviews to determine if covered entities
are in compliance, and OCR performs education and outreach to foster compliance with
requirements of the Privacy and Security Rules.
OCR may only take action on certain complaints. If OCR accepts a complaint for investigation, OCR
will notify the person who filed the complaint and the covered entity named in it. Then the
complainant and the covered entity are asked to present information about the incident or problem
described in the complaint. OCR may request specific information from each to get an understanding
of the facts. Covered entities are required by law to cooperate with complaint investigations.
If a complaint describes an action that could be a violation of the criminal provision of HIPAA (42 U.S.C. 1320d-6), OCR may refer the complaint to the Department of Justice for investigation. OCR reviews the information, or evidence, that it gathers in each case. In some cases, it may determine that the covered entity did not violate the requirements of the Privacy or Security Rule. If the evidence indicates that the covered entity was not in compliance, OCR will attempt to resolve the case with the covered entity by obtaining:
1) Voluntary compliance;
2) Corrective action; and/or
3) Resolution agreement.
Most Privacy and Security Rule investigations are concluded to the satisfaction of OCR through
these types of resolutions. OCR notifies the person who filed the complaint and the covered entity in
writing of the resolution result. If the covered entity does not take action to resolve the matter in a
way that is satisfactory, OCR may decide to impose civil money penalties (CMPs) on the covered
entity. If CMPs are imposed, the covered entity may request a hearing in which an HHS
administrative law judge decides if the penalties are supported by the evidence in the case.
Complainants do not receive a portion of CMPs collected from covered entities; the penalties are
deposited in the U.S. Treasury.
Examples:
A hospital employee did not observe minimum necessary requirements when she left a telephone
message with the daughter of a patient that detailed both her medical condition and treatment plan.
An OCR investigation also indicated that the confidential communications requirements were not
followed, as the employee left the message at the patient’s home telephone number, despite the
patient’s instructions to contact her through her work number. To resolve the issues in this case, the
hospital developed and implemented several new procedures. One addressed the issue of
minimum necessary information in telephone message content. Employees were trained to provide
only the minimum necessary information in messages, and were given specific direction as to what
information could be left in a message. Employees also were trained to review registration
information for patient contact directives regarding leaving messages. The new procedures were
incorporated into the standard staff privacy training, both as part of a refresher series and mandatory
yearly compliance training.
2. Entity Rescinds Improper Charges for Medical Record Copies to Reflect Reasonable, Cost-Based Fees
Issue: Access
A patient alleged that a covered entity failed to provide him access to his medical records. After
OCR notified the entity of the allegation, the entity released the complainant’s medical records but
also billed him $100.00 for a “records review fee” as well as an administrative fee. The Privacy Rule
permits the imposition of a reasonable cost-based fee that includes only the cost of copying and
postage and preparing an explanation or summary if agreed to by the individual. To resolve this
matter, the covered entity refunded the $100.00 “records review fee.”
============================================================================
Q. Explain, with the help of a diagram, the PDCA cycle for ISO 27001. List the activities which form part of the following categories: Establish the ISMS; Implement and Operate the ISMS; Monitor and Review the ISMS; Maintain and Improve the ISMS.
There are many different stages when implementing a system like an ISO 27001 Information Security Management System (ISMS).
The Plan-Do-Check-Act (PDCA) cycle originates from quality assurance and is the process model behind the ISMS standard ISO 27001. ISO 27001:2005 required it explicitly; the 2013 and 2022 revisions no longer name PDCA, but clauses 4 to 10 still map onto the same plan, do, check and act activities. PDCA is not itself an audit technique: the internal audit is one of the Check activities inside the cycle.
Analysing ISO 27001 through the PDCA cycle gives a clearer view of how to implement governance and keep the ISMS aligned with business objectives.
STAGES OF ISO 27001: Clauses 4 to 10 of the standard set out the requirements that an organization works through as a PLAN, DO, CHECK and ACT cycle.
What does PDCA do? The cycle helps you recognise the internal and external issues affecting the organization (its context, clause 4), identify the gap between the current state and the requirements, and decide how to close it.
Phases in PDCA
PLAN (Establish the ISMS)
1. Phase 1—Identify business objectives.
2. Phase 2—Obtain management support.
3. Phase 3—Select the proper scope of implementation.
4. Phase 4—Define a method of risk assessment.
5. Phase 5—Prepare an inventory of information assets to protect, and rank assets according to risk and classification based on the risk assessment.
Activities: understand the context of the organization. External issues are the threats that come from outside the organization, such as legal, economic and political requirements. Internal issues come from inside, such as organizational structure, values, culture, ICT infrastructure and available resources.
DO (Implement and Operate the ISMS)
Activities: this is the phase in which the organization implements and operates the ISMS policy, controls, processes and procedures. The organization carries out the risk assessment, evaluates the reasoning behind each result, and prepares a set of procedures indicating the risks and their treatment. It must ensure that policy and procedure documents are available, adequately protected, distributed and stored in a managed document system, and that documents of external origin needed for the ISMS are controlled within its scope.
CHECK (Monitor and Review the ISMS)
Activities: monitor and measure information security performance, carry out the ISMS internal audit and hold management reviews. A responsible officer (these notes name the Chief Information Officer) can be appointed to own monitoring and measurement, and must act on any finding that relates to a breach of information security.
ACT (Maintain and Improve the ISMS)
Activities: undertake corrective and preventive actions based on the results of the internal audit and management review. Continual improvement is an integral part of ISO 27001: the standard requires organizations to keep improving the ISMS to address further threats. Everyone with a responsibility in the ISMS needs to take part in implementing ISO 27001, and every improvement must be documented and the relevant documents updated.
=================================================================
SOX
Sarbanes-Oxley Act
• The Sarbanes-Oxley Act, more popularly known as the SOX Act, was passed in 2002 in the wake of a number of notable corporate accounting scandals, including Enron and WorldCom.
• It is also known as the 'Public Company Accounting Reform and Investor Protection Act' and the 'Corporate and Auditing Accountability and Responsibility Act'.
• This law set new or enhanced standards for all U.S. public company boards, management and public accounting firms.
• The main intent of the law is that top management must now individually certify the accuracy of financial information.
• Purpose: to protect the interests of investors and stakeholders by improving the accuracy and reliability of corporate and financial disclosures.
• Applicability: all publicly traded companies in the US, as well as foreign companies that are publicly traded and do business in the US.
• Requirement: top management (CEO and CFO) must individually certify the accuracy of financial information in annual and quarterly reports.
The act contains 11 titles, or sections, ranging from additional corporate board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to issue rules on the requirements needed to comply with the law.
• SOX Section 906: criminal penalties for CEO/CFO financial statement certification
============================================================================
• Section 302 focuses on disclosure controls and procedures and on the accountability of the signing officers (CEO and CFO): they personally attest that the financial information is accurate and reliable within the quarterly 10-Q and annual 10-K reports filed with the SEC.
• They state that, based on their knowledge, the report does not contain false or misleading statements or omit necessary material information.
• They affirm the accuracy of the reports with respect to the financial condition and results of operations of their company during the periods covered by the report.
• Supporting sub-certifications (survey questionnaires) are collected from people who have significant responsibility for financial results. These include:
• Operating officers
• Controllers
• Accounting managers
The number of individuals or survey questionnaires involved with this certification may vary from organization to organization. The survey serves 2 main purposes:
• Determine if there have been any significant changes to the internal controls over financial reporting that haven't already been reported.
• Section 404 requires management to assess and report on the effectiveness of the company's internal controls and procedures for financial reporting. All controls are evaluated and reported in 2 phases:
• Reviewed by management
• The company needs to report deficiencies to the Audit Committee and the Board of Directors
• Material weaknesses must be disclosed in the company's annual 10-K financial report
• SOX requirements mandate that public companies have an independent external auditor, who attests to management's assessment of internal controls.
• The act also requires the disclosure of all material off-balance sheet items (Section 401).
• Off-balance sheet items are items to which the company itself does not have a direct claim, so it does not record them on the balance sheet; they are owned or claimed by an external party.
• Sarbanes-Oxley makes it a crime to defraud shareholders of publicly traded companies through the filing of misleading financial reports.
1. Executives face fines of up to $1 million and 10 years' imprisonment for 'knowingly' certifying financial reports that do not comply with SOX's requirements.
2. Penalties are enhanced for executives who 'willfully' certify noncompliant financial reports: they face fines of up to $5 million and up to 20 years' imprisonment.
3. Sarbanes-Oxley also criminalizes the 'falsification' and 'destruction' of records to impede or influence an investigation.
IT departments are responsible for creating and maintaining an archive of corporate records. Three rules in Section 802 of SOX affect the management of electronic records:
• First rule: concerns the destruction, alteration or falsification of records and the resulting penalties.
• Second rule: defines the retention period for records storage.
• Third rule: outlines the types of business records that need to be stored, including all business records, communications and electronic communications.