IT governance is the part of corporate governance that deals with information technology. Corporate governance concerns the structures and processes through which an organisation's stakeholders (the board of directors, senior and business management, employees and customers) direct and control it. The goal of those structures and processes is to ensure accountability and improve organisational performance by aligning the actions and choices of managers with the interests of stakeholders; IT governance extends that alignment to the actions and choices of IT managers.
Its objectives are to define the structures, processes and mechanisms that assign decision-making rights and responsibilities for key IT matters, to control and monitor the effectiveness of those decisions, and to mitigate IT-related risk so that the organisation achieves its objectives. It is established by the organisation's top management to:
- align IT with the organisation's strategy and objectives
- define decision-making rights and responsibilities for IT matters
- control and monitor the effectiveness of those decisions
- mitigate the risks associated with IT
- contribute to the design of, and the achievement of, organisational performance targets.
These structures, processes and mechanisms are designed from standards published by governments and industry bodies. Organisations are expected to comply with the standards mandated by government and with those set by the regulatory bodies of the sector of the economy in which they operate. Such standards, together with the guidance built around them, are commonly referred to as frameworks.
We help the management board decide on and improve the framework the organisation should operate under, and we implement frameworks that meet the organisation's business requirements. Our specialists implement and assess against standards and regulations such as ISO 27001, PCI DSS and the GDPR.
Our team of qualified cyber security experts will identify the standards and regulations that affect your organisation, deliver value-added advice and manage the complete information risk assessment process by:
- Identifying the assets that require protection
- Identifying relevant threats and weaknesses
- Identifying exploitable vulnerabilities
- Assessing the likelihood that each threat is realised by the threat agents identified
- Determining the business impact if a risk is realised
- Producing a security risk assessment
- Advising on a risk acceptance threshold (the level of residual risk the organisation is willing to accept)
- Advising on the regulatory standards the organisation must comply with
- Advising on suitable controls and their implementation
ISO 27001
ISO/IEC 27001 is the international specification for an information security management system (ISMS); the 2005 edition (ISO/IEC 27001:2005) was superseded by ISO/IEC 27001:2013. An ISMS is a framework of policies and procedures that incorporates the legal, physical and technical controls involved in an organisation's information risk management processes. The specification sets out requirements for documentation, management responsibility, internal audit, continual improvement and corrective action. Certification is granted against the management system as a whole, so the standard is only effective if every part of the organisation cooperates. We help integrate an effective security programme into the organisation's business processes so that management can demonstrate due diligence and due care, and we work to prevent breaches by identifying the vulnerabilities that could be exploited and quantifying the risk posed by each identified threat.
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is the worldwide standard, maintained by the PCI Security Standards Council, for any organisation that stores, processes or transmits payment card data for brands such as Visa and Mastercard, whether at the point of sale or through eCommerce. It was established to help businesses process card payments securely, to prevent card fraud and to build trust in electronic payment transactions. It does so by prescribing specific controls and procedures for the storage, transmission and processing of the cardholder data that businesses handle.
We help organisations implement the standard and test continuously to ensure effective compliance with its 12 requirements, which are grouped under six control objectives:
- Build and Maintain a Secure Network and Systems (Requirements 1 and 2: install and maintain a firewall configuration to protect cardholder data; do not use vendor-supplied defaults for system passwords and other security parameters)
- Protect Cardholder Data (Requirements 3 and 4: protect stored cardholder data; encrypt transmission of cardholder data across open, public networks)
- Maintain a Vulnerability Management Program (Requirements 5 and 6: protect all systems against malware and keep anti-virus software up to date; develop and maintain secure systems and applications)
- Implement Strong Access Control Measures (Requirements 7, 8 and 9: restrict access to cardholder data by business need to know; identify and authenticate access to system components; restrict physical access to cardholder data)
- Regularly Monitor and Test Networks (Requirements 10 and 11: track and monitor all access to network resources and cardholder data; regularly test security systems and processes)
- Maintain an Information Security Policy (Requirement 12: maintain a policy that addresses information security for all personnel)
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) is a regulation adopted by the European Parliament and the Council of the European Union, on a proposal from the European Commission, to strengthen and unify data protection for all individuals within the European Union (EU). It also governs the transfer of personal data outside the EU. Its main objectives are to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying data protection rules across the EU. It replaces the Data Protection Directive (Directive 95/46/EC) of 1995 and applies from 25 May 2018.
The GDPR provides for two tiers of administrative fines. The lower tier is up to €10 million or 2% of the undertaking's total worldwide annual turnover of the preceding financial year, whichever is higher; the higher tier is up to €20 million or 4% of that turnover, whichever is higher. Which tier applies depends on which obligation has been infringed; the actual amount depends on the nature, gravity and duration of the infringement and on how well the organisation can demonstrate compliance. The lower tier covers infringements of the controller's and processor's obligations relating to:
- Data protection 'by design and by default'
- Records of processing activities
- Cooperation with the supervisory authority
- Security of processing
- Notification of a personal data breach to the supervisory authority
- Communication of a personal data breach to the data subject
- Data Protection Impact Assessments
- Prior consultation with the supervisory authority
- Designation, position and tasks of the Data Protection Officer
The higher tier covers infringements of:
- The basic principles for processing, including the conditions for consent, the lawfulness of processing and the processing of special categories of personal data
- The rights of the data subject
- The transfer of personal data to a recipient in a third country or an international organisation
GDPR CONSULTANCY SERVICES
We help organisations interpret the GDPR by reviewing their business processes, data flows and the interaction between technology and business process. We also train staff on the GDPR and build a continuous awareness programme so that they understand their responsibilities.