Compliance and GDPR
Compliance is an essential function of any organisation and a critical component of any security programme. Compliance lives by the rule "trust, but verify": we must obtain evidence of compliance with stated policies, standards, laws, regulations, etc. in order to issue the proper attestations as required.
Compliance is only ever established at a point in time, and it is directly impacted by evolving rules and regulations, which can make it challenging for businesses to 'comply'. The continuous expansion and extension of our production environments also adds to the compliance challenges we face today. EAL provides the Compliance and GDPR service for the following regulations and frameworks:
- ISO/IEC 27001:2013;
- NIST cybersecurity framework;
- PCI DSS compliance;
- EU GDPR.
Why Would You Need This Service?
Compliance for PCI DSS has been mandatory since 2006 and EU GDPR since May 2018.
In any PCI DSS non-compliance or breach scenario, organisations may be impacted by any of the following:
- Customers can lose confidence resulting in loss of revenue;
- High cost of breaches from legal advice, fees, the issuing of new credit cards, etc.;
- Being subjected to a PCI DSS audit for almost every PCI DSS requirement applicable to your merchant level; the ability to process card payments may be terminated.
How We Deliver This Service
A compliance assessment can be carried out as part of a broader enterprise or security compliance engagement, which involves the development of baseline and target security architectures. Compliance assessments can be undertaken on their own at the start of an engagement to explore compliance posture and level of risk.
For example, the information security department may have a specific issue with compliance or with a data breach that requires an external security specialist to undertake a compliance risk assessment. Or, the enterprise architecture function may require specific compliance architecture services to address risk or a longer-term compliance strategy and roadmap.
Phases of service delivery:
- Initiation: captures the business context along with general and specific drivers for the Compliance and GDPR assessment; also fixes the scope for the exercise;
- Preliminary Analysis: establishes the frameworks to be used and data-points to be collected; also identifies sources of information and named points-of-contact;
- Assessment/Discovery: construction of a catalogue of applications, data, technologies, processes and organisation structure, populated with multiple data points against each element;
- Analysis: interpretation and presentation of the assessment findings, typically expressed in terms of the fitness of each component, its sustainability and its contribution to the overall risk profile.
Typical compliance risk assessment deliverables are:
- An agreed compliance framework (NIST Cybersecurity Framework, ISO/IEC 27001:2013, PCI DSS, EU GDPR);
- Compliance security control pattern(s) chosen to provide a baseline against which the assessment is made;
- A compliance risk assessment of the baseline controls and their effectiveness in terms of impact to the regulations;
- A compliance risk assessment report including gap analysis and full assessment of risks, impacts and likelihood and recommendations for control improvement and risk mitigation;
- A roadmap of control improvements prioritised by risk, impact and likelihood;
- An understanding of the strengths and weaknesses of your organisation's compliance posture prioritised by business impact;
- A holistic view of compliance posture and the understanding of compliance risks that need to be mitigated;
- The information required to start to close the gaps between current and target compliance posture.
Contact Us to Get Started
We will come back to you to discuss your situation as soon as possible.