
Q.3 A merchant processes only small numbers of………….

PCI DSS is the most appropriate standard in this case.


The Payment Card Industry Data Security Standard (PCI DSS) is an information security
standard for organizations that handle branded credit cards from the major card schemes.

PCI DSS was developed to enhance cardholder data security and facilitate broad adoption of
consistent data security measures globally.

It provides a baseline of technical and operational requirements designed to protect account data.

It applies to any entity that stores, processes and/or transmits cardholder data (CHD) and/or
sensitive authentication data (SAD).

The 6 Major Principles of PCI DSS


1. Build and maintain a secure network.
2. Protect cardholder data.
3. Maintain a vulnerability management program.
4. Implement strong access control measures.
5. Regularly monitor and test networks.
6. Maintain an information security policy.

Build and maintain a secure network:


1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data:


3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program:


5. Protect all systems against malware and regularly update anti-virus software or programs.

Implement Strong Access Control Measures:


6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need to know.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.

Regularly Monitor and Test Networks:


10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.

Maintain an Information Security Policy:


12. Maintain a policy that addresses information security for all personnel.

Compliance Requirements:

• QSA onsite review: not required
• SAQ (Self-Assessment Questionnaire): recommended (annually)
• Network security scan: recommended (annually)

Q.4 IT management vs IT Governance


IT Governance:
Exercised directly by the board members or directors, who act on behalf of the stakeholders /
shareholders who have invested their money in the organization.

Makes sure that IT objectives are aligned with the business objectives, producing measurable
business value essential for the growth of the organization.

Brings accountability into the enterprise through the shared responsibility of both the directors
and the shareholders.

Governance ensures that stakeholder needs, conditions and options are evaluated to
determine balanced, agreed-on enterprise objectives to be achieved; sets direction through
prioritisation and decision making; and monitors performance and compliance against the agreed-
on direction and objectives (EDM: Evaluate, Direct, Monitor).

IT Management:
Acts as the execution body, which functions as per the directions and goals set forward by the
board.

Involved in implementation activities such as budgeting, staffing, organizing and controlling IT
operations and assets. It is also involved in other aspects such as change management, software
design, network planning, technical support, etc.

Focuses on managing IT assets in accordance with business needs and priorities.

Management plans, builds, runs and monitors activities in alignment with the direction set by the
governance body to achieve the enterprise objectives (PBRM: Plan, Build, Run, Monitor).
====================================================================

Q5 Why ISO 27001 as the ISMS standard, and what is an SoA?

Objective: to align information security management with business compliance and risk
reduction objectives.

Focuses on the availability, confidentiality and integrity of organisational information, and only
on those risks relevant to the business, justified financially and commercially through a risk
assessment.

ISO 27001 is a management standard, not a technical standard; it is a key pillar of corporate
governance and best practice.

ISO 27001 is the standard for an ISMS (Information Security Management System) and helps
identify, manage and reduce the range of risks to which information is regularly subjected.

It is the leading international standard for an ISMS. It specifies the requirements for establishing,
implementing, maintaining, monitoring, reviewing and continually improving the ISMS within the
context of the organization, and includes the assessment and treatment of InfoSec risks.

It is the best framework for complying with information security legislation.

It is not a technical standard that describes the ISMS in technical detail.

It does not focus on information technology alone, but also on other important business assets,
resources and processes in the organization.

Benefits:

• Providing a framework for resolving security issues, focusing only on those relevant to your
specific organisation
• Enhancing the confidence and perception of your clients, stakeholders and partners
• Increasingly becoming a differentiator in contract tenders
• Breeding internal and external confidence in the management of risk within your organisation
• Increasing security awareness throughout the business via staff training and involvement
• Helping develop best practice
• Helping adherence to the Standard, proving that business continuity is managed professionally
and vigilantly in the event of a catastrophe

SoA:
An SoA (Statement of Applicability) summarises your organisation’s position on each of the 114
information security controls outlined in Annex A of ISO 27001.

Clause 6.1.3 of the Standard states an SoA must:

• Identify which controls an organisation has selected to tackle identified risks;
• Explain why these have been selected;
• State whether or not the organisation has implemented the controls; and
• Explain why any controls have been omitted.

Every control should have its own entry, and where a control has been selected, the SoA should
link to the relevant documentation about its implementation.
=======================================================================

The five COBIT 5 principles:

1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-End
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance From Management

The 7 enablers:
1. Processes—Describe an organised set of practices and activities to achieve certain
objectives and produce a set of outputs in support of achieving overall IT-related goals
2. Organisational structures—Are the key decision-making entities in an organisation
3. Culture, ethics and behaviour—Of individuals and of the organisation; very often
underestimated as a success factor in governance and management activities
4. Principles, policies and frameworks—Are the vehicles to translate the desired
behaviour into practical guidance for day-to-day management
5. Information—Is pervasive throughout any organisation, i.e., deals with all information
produced and used by the enterprise. Information is required for keeping the organisation
running and well governed, but at the operational level, information is very often the key
product of the enterprise itself.
6. Services, infrastructure and applications—Include the infrastructure, technology and
applications that provide the enterprise with information technology processing and
services
7. People, skills and competencies—Are linked to people and are required for successful
completion of all activities and for making correct decisions and taking corrective actions

Principle 1. Meeting Stakeholder Needs:


Enterprises have many stakeholders, and ‘creating value’ means different—
and sometimes conflicting—things to each of them.
Governance is about negotiating and deciding amongst different
stakeholders’ value interests.
The governance system should consider all stakeholders when making
benefit, resource and risk assessment decisions.

Principle 2: Covering the Enterprise End-to-End


• It means that COBIT 5:
• integrates the governance of enterprise IT with enterprise governance;
• covers all functions and processes required to govern and manage enterprise information and
related technologies wherever that information is processed; and
• addresses all relevant internal and external IT services as well as external and internal
business processes.
Key roles, activities and relationships
• The key generic roles are held by the owners and stakeholders, the governing body, management
and the operations team. The key responsibilities of those involved in the governance process,
and the process flow, are as follows.
• The owners and stakeholders are accountable for the governance process. However, they
delegate the responsibility for the process to a governing body.
• The governing body sets the direction of the process for management.
• Management instructs and aligns the operations team with the direction set by the governing
body.
• The operations team executes the instructions and reports back to management.
• Management also monitors operations on behalf of the governing body.
• The governing body reports back to the owners and stakeholders about performance.

Principle 3 Applying a Single Integrated Framework


• The following are some important points about frameworks, models and standards.
• Frameworks
• Frameworks are a system of rules, ideas or beliefs used to plan and build, or even to provide a
support structure to build, something.

• Examples: buildings, enterprises and best-practice systems such as ITIL (read as I-T-I-L) or
COBIT, or software applications.

• Standards
• Standards are agreed levels of quality. They are used as the norm and have to be met for the
fulfilment of organizational goals and objectives.

• Acts
• A regulation is a government document that lays down the characteristics of, or related
processes and methods for, a subject, including the applicable administrative provisions.

COBIT 5 aligns with the latest relevant other standards and frameworks
used by enterprises:
Enterprise: COSO, COSO ERM, ISO/IEC 9000, ISO/IEC 31000
IT-related: ISO/IEC 38500, ITIL, ISO/IEC 27000 series, TOGAF,
PMBOK/PRINCE2, CMMI
This allows the enterprise to use COBIT 5 as the overarching governance and management
framework integrator.

Principle 4 : Enabling a Holistic Approach

Systemic governance and management through interconnected enablers. To achieve the main
objectives of the enterprise, it must always consider an interconnected set of enablers, i.e., each
enabler:
• Needs the input of other enablers to be fully effective, e.g., processes need information,
organisational structures need skills and behaviour
• Delivers output to the benefit of other enablers, e.g., processes deliver information, skills and
behaviour make processes efficient
This is a KEY principle emerging from the ISACA development work around the Business Model
for Information Security (BMIS).

Principle 5 Separating Governance From Management

The COBIT 5 framework makes a clear distinction between governance and management.
These two disciplines:
• Encompass different types of activities
• Require different organisational structures
• Serve different purposes
Governance: in most enterprises, governance is the responsibility of the board of directors under
the leadership of the chairperson.
Management: in most enterprises, management is the responsibility of the executive management
under the leadership of the CEO.

• Governance ensures that stakeholder needs, conditions and options are evaluated to determine
balanced, agreed-on enterprise objectives to be achieved; sets direction through prioritisation
and decision making; and monitors performance and compliance against the agreed-on direction
and objectives (EDM).
• Management plans, builds, runs and monitors activities in alignment with the direction set by
the governance body to achieve the enterprise objectives (PBRM).
========================================================================

Q. Elaborate the HIPAA enforcement process with the help of a process flow diagram and explain
it in short with suitable examples.

HIPAA Enforcement:
The HHS Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules. Enforcement
of the Privacy Rule began April 14, 2003 for most HIPAA covered entities. Since 2003, OCR's
enforcement activities have obtained significant results that have improved the privacy practices of
covered entities. The corrective actions obtained by OCR from covered entities have resulted in
systemic change that has improved the privacy protection of health information for all individuals
they serve.

HIPAA covered entities were required to comply with the Security Rule beginning on April 20, 2005.
OCR became responsible for enforcing the Security Rule on July 27, 2009.

As a law enforcement agency, OCR does not generally release information to the public on current
or potential investigations.

OCR enforces the Privacy and Security Rules in several ways:

1) investigating complaints filed with it;
2) conducting compliance reviews to determine if covered entities are in compliance;
3) performing education and outreach to foster compliance with the Rules' requirements; and
4) working in conjunction with the Department of Justice (DOJ) to refer possible criminal
violations of HIPAA.

OCR is responsible for enforcing the HIPAA Privacy and Security Rules (45 C.F.R. Parts 160 and
164, Subparts A, C, and E). One of the ways that OCR carries out this responsibility is to investigate
complaints filed with it. OCR may also conduct compliance reviews to determine if covered entities
are in compliance, and OCR performs education and outreach to foster compliance with
requirements of the Privacy and Security Rules.

OCR may only take action on certain complaints. If OCR accepts a complaint for investigation, OCR
will notify the person who filed the complaint and the covered entity named in it. Then the
complainant and the covered entity are asked to present information about the incident or problem
described in the complaint. OCR may request specific information from each to get an understanding
of the facts. Covered entities are required by law to cooperate with complaint investigations.

If a complaint describes an action that could be a violation of the criminal provision of HIPAA (42
U.S.C. 1320d-6), OCR may refer the complaint to the Department of Justice for investigation. OCR
reviews the information, or evidence, that it gathers in each case. In some cases, it may determine
that the covered entity did not violate the requirements of the Privacy or Security Rule. If the
evidence indicates that the covered entity was not in compliance, OCR will attempt to resolve the
case with the covered entity by obtaining:

1) Voluntary compliance;

2) Corrective action; and/or

3) Resolution agreement.

Most Privacy and Security Rule investigations are concluded to the satisfaction of OCR through
these types of resolutions. OCR notifies the person who filed the complaint and the covered entity in
writing of the resolution result. If the covered entity does not take action to resolve the matter in a
way that is satisfactory, OCR may decide to impose civil money penalties (CMPs) on the covered
entity. If CMPs are imposed, the covered entity may request a hearing in which an HHS
administrative law judge decides if the penalties are supported by the evidence in the case.
Complainants do not receive a portion of CMPs collected from covered entities; the penalties are
deposited in the U.S. Treasury.

Examples:

1. Hospital Implements New Minimum Necessary Policies for Telephone Messages

Covered Entity: General Hospital

Issue: Minimum Necessary; Confidential Communications

A hospital employee did not observe minimum necessary requirements when she left a telephone
message with the daughter of a patient that detailed both her medical condition and treatment plan.
An OCR investigation also indicated that the confidential communications requirements were not
followed, as the employee left the message at the patient’s home telephone number, despite the
patient’s instructions to contact her through her work number. To resolve the issues in this case, the
hospital developed and implemented several new procedures. One addressed the issue of
minimum necessary information in telephone message content. Employees were trained to provide
only the minimum necessary information in messages, and were given specific direction as to what
information could be left in a message. Employees also were trained to review registration
information for patient contact directives regarding leaving messages. The new procedures were
incorporated into the standard staff privacy training, both as part of a refresher series and mandatory
yearly compliance training.

2. Entity Rescinds Improper Charges for Medical Record Copies to Reflect Reasonable, Cost-Based Fees

Covered Entity: Private Practice

Issue: Access

A patient alleged that a covered entity failed to provide him access to his medical records. After
OCR notified the entity of the allegation, the entity released the complainant’s medical records but
also billed him $100.00 for a “records review fee” as well as an administrative fee. The Privacy Rule
permits the imposition of a reasonable cost-based fee that includes only the cost of copying and
postage and preparing an explanation or summary if agreed to by the individual. To resolve this
matter, the covered entity refunded the $100.00 “records review fee.”

============================================================================

Q. Explain with the help of a diagram the PDCA cycle for ISO 27001. List down the various
activities which form part of the following categories: Establish the ISMS; Implement and Operate
the ISMS; Monitor and Review the ISMS; Maintain and Improve the ISMS.

There are many different stages in implementing a system like the ISO 27001 Information
Security Management System.

The Plan-Do-Check-Act (PDCA) process originates from quality assurance and is now a
requirement in the ISMS standard ISO 27001 (ISMS: Information Security Management System).
PDCA is also known as an internal audit check that can be conducted before working through the
requirement processes of ISO 27001.

Analysing ISO 27001 through a PDCA cycle gives you a better view of how to implement
governance and alignment with improved business objectives. The ISO 27001 framework has
spread rapidly worldwide, so you do not need to find an assessor locally; best practice allows you
to achieve your certification virtually and globally.

STAGES OF ISO 27001: As per clauses 4 to 10 of the ISO 27001 standard, before you implement
ISO 27001 in your organization's systems you need to run an internal audit, including the PDCA
(PLAN, DO, CHECK, ACT) cycle. What is PDCA? This cycle helps you recognize internal and
external issues, where the gaps between them are, and how you can fill those gaps.

Phases in PDCA
PLAN
1. Phase 1—Identify Business Objectives.
2. Phase 2—Obtain Management Support.
3. Phase 3—Select the Proper Scope of Implementation.
4. Phase 4—Define a Method of Risk Assessment.
5. Phase 5—Prepare an Inventory of Information Assets to Protect, and Rank Assets According
to Risk and Classification Based on Risk Assessment.

DO

6. Phase 6—Manage the Risks, and Create a Risk Treatment Plan.
7. Phase 7—Set Up Policies and Procedures to Control Risks.
8. Phase 8—Allocate Resources, and Train the Staff.

CHECK

9. Phase 9—Monitor the Implementation of the ISMS.
10. Phase 10—Prepare for the Certification Audit.

ACT

11. Phase 11—Conduct Periodic Reassessment Audits.

Activities:

PLAN: ESTABLISHING THE ISMS


This phase of ISO 27001 helps an organization establish the scope of the ISMS, its objectives
and its controls. Many companies around the world are falling into the clutches of cyberattacks.
In the ISO 27001 standard, clause 4.2 determines the context of the organization. While
implementing the planning phase, you must analyze the external and internal issues of the
company. Identifying these issues helps your organization implement the ISO 27001 ISMS
procedures and remove the obstacles.

External issues are the threats that arise outside the organization, such as legal, economic and
political requirements. Internal issues are those within the organization, such as organizational
structure, values, culture, ICT infrastructure, available resources, etc.

DO: IMPLEMENTING THE ISMS

This phase is where an organization implements and operates the ISMS policy, controls,
processes and procedures. In the DO phase, an organization carries out a risk assessment
and evaluates the reasoning behind each of its findings. It must prepare a set of procedures
describing the risks and their treatment. It must ensure that the procedure and policy
documents are available and adequately protected, distributed and stored in the managed
system. Documents of external origin must also be covered under the scope of the ISO 27001
ISMS. That is how the DO phase is accomplished.

CHECK: MONITORING AND REVIEW OF THE ISMS


This phase covers the monitoring, measurement, analysis and evaluation checks within the
organization. The responsible persons must measure the processes’ performance against the
policies, objectives and practical experience, following the documented procedure established in
the earlier phase. Responsible leaders must report any outcome arising from the implementation
of these policies. It is the best way to check which issues have been identified, treated and
eliminated, and which require revision and improvement.

ACT: UPDATES & IMPROVEMENTS TO THE ISMS

An organization must undertake corrective and preventive actions based on the results of the
ISMS internal audit and management review. A Chief Information Officer can be appointed who
is responsible for monitoring and measuring information security. The CIO must act on any
finding that relates to a breach of information security. Continual improvement is an integral part
of ISO 27001: the standard requires organizations to keep improving in order to eliminate further
threats. We have now covered the PDCA elements and their applicability to the ISO 27001 ISMS.
This also shows that everyone who is responsible needs to take part in implementing ISO 27001.
All improvements require corresponding updates and documentation.

=================================================================

SOX

Sarbanes-Oxley Act
• The Sarbanes-Oxley Act, more popularly known as the SOX Act, was passed in 2002 in the
wake of a number of notable corporate accounting scandals including Enron and WorldCom.

• It is also known as the 'Public Company Accounting Reform and Investor Protection Act' and
the 'Corporate and Auditing Accountability and Responsibility Act'.

• This law set new or enhanced standards for all U.S. public company boards, management and
public accounting firms.

• The main intent of this law is that top management must now individually certify the accuracy
of financial information.

• Purpose – to protect the interests of investors and stakeholders by improving the accuracy and
reliability of corporate and financial disclosures.

• Applicability – all publicly traded companies in the US, as well as foreign companies that are
publicly traded and do business in the US.

• Requirement – top management (CEO and CFO) must individually certify the accuracy of
financial information in annual and quarterly reports.

The act contains 11 titles, or sections, ranging from additional corporate board responsibilities to
criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement
rulings on requirements to comply with the law.

• Title I: Public Company Accounting Oversight Board

• Title II: Auditor Independence

• Title III: Corporate Responsibility

• Title IV: Enhanced Financial Disclosures

• Title V: Analyst Conflicts Of Interest

• Title VI: Commission Resources And Authority

• Title VII: Studies & Reports

• Title VIII: Corporate and Criminal Fraud Accountability

• Title IX: White Collar Crime Penalty Enhancement

• Title X: Corporate Tax Returns

• Title XI: Corporate Fraud Accountability

KEY PROVISIONS IN SOX


• SOX Section 302: Internal control certifications

• SOX Section 401: Disclosures in periodic reports (Off-balance sheet items)

• SOX Section 404: Assessment of internal control

• SOX Section 906: Criminal Penalties for CEO/CFO financial statement certification

============================================================================

SOX - Section 302

• Section 302 focuses on disclosure controls and procedures and on the accountability of the
signing officers (CEO and CFO), who personally attest that the financial information in the
quarterly 10-Q and annual 10-K reports filed with the SEC is accurate and reliable.

• Signing off signifies that they are:

• Confirming that they reviewed the report

• Stating that, based on their knowledge, the report does not contain false or misleading
statements or omit necessary material information

• Affirming the accuracy of the report with respect to the financial condition and results of
operations of their company during the periods covered by the report

To prepare for quarterly certification, companies typically send a questionnaire to people who
have significant responsibility for financial results. These include:

• Operating officers

• Controllers

• Accounting managers

• Head of internal audit

The number of individuals or survey questionnaires involved with this certification may vary from
organization to organization. The survey serves 2 main purposes:

• Determine if there have been any significant changes to the internal controls of financial reporting
that haven’t already been reported.

• Inquire if the recipient is aware of any fraudulent activities.

SOX - Section 404

Section 404 requires companies to annually assess and report on the effectiveness of their
internal controls and procedures for financial reporting. All controls are evaluated and reported in
2 phases:

• Design of internal controls

• Operating effectiveness of the controls

The results of the testing must be:

• Reviewed by management

• All control testing failures are to be categorized as a deficiency, significant deficiency or
material weakness

• The company needs to report deficiencies to the Audit Committee and the Board of Directors

• Material weaknesses must be disclosed in the company’s annual 10-K financial report

• SOX requirements mandate that public companies have an independent external auditor inspect
internal controls

SOX Section 401

• Disclosures in periodic reports (off-balance-sheet items)

• This section requires the disclosure of all material off-balance-sheet items.

• Off-balance-sheet items are items to which the company itself does not have a direct claim, so
it does not record them on the balance sheet; the items are owned or claimed by an external
party.

• It adds further disclosure requirements based on the full-disclosure principle.

SOX Section 906 - Penalties

• Sarbanes-Oxley makes it a crime to defraud shareholders of publicly traded companies through
the filing of misleading financial reports.

1. Executives face fines of up to $1 million and 10 years' imprisonment for ‘knowingly’ certifying
financial reports that do not comply with SOX's requirements.

2. Penalties are enhanced for executives who ‘willfully’ certify non-compliant financial reports:
they face fines of up to $5 million and up to 20 years' imprisonment.

3. Sarbanes-Oxley also criminalizes the ‘falsification’ and ‘destruction’ of records to impede or
influence an investigation.

SOX Section 802

IT departments are responsible for creating and maintaining an archive of corporate records. Three
rules in Section 802 of SOX affect the management of electronic records.

• First rule: concerns the destruction, alteration or falsification of records and the resulting
penalties.

• Second rule: defines the retention period for records storage.

• Third rule: outlines the types of business records that need to be stored, including all business
records, communications and electronic communications.
