Compliance Services

Wherever sensitive corporate or personal information is divulged, stored or distributed, security regulations rightfully abound. Compliance with the complex regulatory requirements enacted by both the public and private sectors is no easy task. While the "why" of most regulations involves privacy, the "how" of assessing and implementing security measures can vary significantly from one industry to the next.

Experts in security compliance services

NESECO's security expertise stretches across a broad range of services that can be delivered through a variety of methods, such as security consultants, managed security services, cloud-based security services and physical security services. This broad range of security services offers NESECO clients flexibility in choosing the delivery methods that best fit their organization's financial and compliance needs.

Professional Security Services

Our Security Check offering defines and documents gaps found in administrative, technical and/or security controls across the entire enterprise by comparing them to a best-practices model (e.g. ISO 27001/27002) or an industry standard (e.g. PCI DSS). NESECO security consultants are specially trained and certified in the regulations that affect your business. Our security consultants will assess your existing security processes and make recommendations to help your organization prepare for, and pass, periodic security audits.

NESECO security consultants follow a five-step process to help you meet and exceed regulatory compliance requirements. These five steps include:

  • Assessment
  • Design
  • Deployment
  • Management
  • Education

This methodical approach to information security helps your organization meet the security best practices that keep you in compliance with the regulatory requirements of your industry.

PCI Compliance

Payment Card Industry Data Security Standard (PCI DSS) compliance is adherence to a set of specific security standards that were developed to protect card information during and after a financial transaction.

What is PCI DSS?

PCI DSS, the Payment Card Industry Data Security Standard, is a worldwide standard that was set up to help businesses process card payments securely and reduce card fraud. It does this through tight controls surrounding the storage, transmission and processing of the cardholder data that businesses handle. PCI DSS is intended to protect sensitive cardholder data.

There are 12 high level requirements, and they fall into the six categories below:

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored data (use encryption)
4. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses Information Security

How we can help

As an experienced company, NESECO strives to deliver the best service possible to our clients through our specialised, practical, well-supported and comprehensive set of PCI DSS compliance services. Our PCI DSS services are delivered by a PCI-experienced, focussed and highly skilled team of consultants who have worked with many of the acquiring banks, payment service providers, application providers, hosting providers and merchants since the inception of the PCI security standards. Our experience in the PCI arena has enabled us to develop a successful methodology for helping our clients manage their risk and achieve PCI DSS compliance.

We aim to build a lasting relationship with our clients, and our services and attitude reflect this approach.

Compliance services

Our main services include:

Pre-Compliance/Gap Analysis - an onsite review and gap-analysis providing a structured framework and guidance to establish a baseline level of compliance and to address areas of non-compliance. This essential service forms the basis of a successful compliance program.

Network Vulnerability Scans - identify and prioritise network vulnerabilities, ensuring up-to-date protection from the latest threats and meeting the annual PCI DSS compliance requirements.

Penetration Testing - penetration test services (both internal and external) provide a comprehensive and thorough analysis of a network's and application's security and thus offer protection against potential compromise. Any issues identified are explained thoroughly in plain language, and remediation advice is provided.

Onsite Assessments - PCI DSS Compliance for Level 1 and 2 merchants, Payment Service Providers and Hosting Providers requires an annual onsite assessment. A structured methodology ensures that this process is as straightforward as possible.

Consultancy - assistance with information security policies and procedures; secure network architecture design; gap analysis and remediation guidance.

Remediation Services - ensure that all deviations from the PCI DSS requirements are either remediated or mitigated through compensating controls.

ISO Compliance

ISO 27001 and ISO 27002 are the international standard and code of practice for information security management systems, and together they set out the requirements against which an organization can be certified. Organizations certified to these standards have demonstrated that their ISMS follows globally recognized best-practice procedures. NESECO provides network security services to help organizations become certified.

ISO 27001

ISO 27001, established by the International Organization for Standardization and recently updated after its first release in 2005, is a specification for an information security management system (ISMS). The standard lays out mandatory requirements that can be audited and certified. It contains a cycle of four phases that must be implemented continually. This cycle is known as "Plan-Do-Check-Act" (PDCA). PDCA is incorporated into an information security management system in the following ways:

  • Plan: The planning stage of ISO 27001 compliance involves establishing the processes and procedures that will minimize risks to your network security.
  • Do: In this stage, the established processes are implemented and integrated into the regular maintenance schedule of the network.
  • Check: ISO 27001 standards require measurable controls to be put into place and monitored regularly for compliance.
  • Act: Corrective and preventive actions are required, both in response to security events and as part of a continuous improvement cycle.

ISO 27002

ISO 27002 provides best-practice recommendations on information security management. Importantly, the ISO 27002 controls offer guidance for those who are responsible for initiating, implementing and maintaining information security management systems, in an effort to:

  • Prevent unauthorized users from gaining access to business systems and confidential company data.
  • Safeguard the accuracy and completeness of information and processing methods.
  • Ensure that authorized users have necessary access to information and associated assets.

To establish an appropriate code of practice for information security management, in alignment with the ISO 27002 standard, you must implement many security controls across your IT infrastructure. For compliance with Communications and Operations Management and Information Security Incident Management, you must monitor and analyze data throughout your network, systems, applications and databases. To do this affordably and reliably, you need the right automated security solutions, ones that offer end-to-end data correlation, in-depth analysis and detailed reporting relevant to ISO 27002 compliance mandates.

NESECO Solutions

The advanced monitoring and reporting tools available through our logging/SIEM appliances and security-as-a-service products make it easy to meet ISO requirements.

Diligent monitoring of security threats and other incidents produces an audit trail that demonstrates to your customers that their internal compliance needs are being met.

The stringent requirements for ISO 27001/27002 compliance call for a security compliance management strategy that employs both security information management and log management solutions. NESECO offers both, with the capabilities for collecting and analyzing log data, enhancing your security practices to protect your applications and databases from insider threats, and delivering real-time, actionable security and ISO 27001/27002 compliance information throughout your enterprise. NESECO SIEM and log management solutions can empower you to continuously manage risk while leveraging recognized security best practices, including those of ISO 27001/27002. In addition, we offer solutions for midsize organizations on limited budgets and for larger organizations with distributed environments.