Digital Security

ISO 27001 ISMS consulting advisory: ISO 27001 certification is a globally recognized and accepted Information Security Standard established by the international organization for standardization (ISO), in partnership with the international electrotechnical commission (IEC). ISO-27001 is part of a set of standards developed to handle information security: the ISO/IEC 27000 series. It is a robust framework that enables organizations to demonstrate their high-level security and risk management approach which are industry best practices. The focus of ISO 27001 is to protect the confidentiality, integrity, and availability of business information or data, which may include customer data, employee details, financial information, intellectual property, or information entrusted by third parties.

Pratomate’ approach for ISO 27001 ISMS consulting advisory:

• Initial Study: to understand the business environment
• Scope Definition: to understand your business operations, controls, and systems to define the scope (People, Process, Operations, Technology, and Geographical Locations)
• Gap Analysis: Study the requirements of ISO 27001 ISMS Standard and actual compliances against the same in the organization
• Awareness Training: to create awareness about key concepts of ISO 27001 ISMS Standard among the organization teams
• Asset Classification: Identify critical information assets and classify accordingly
• Risk Assessment and Risk Treatment: Conduct thorough study of risks to identify weak areas and loopholes that could impact the business-critical assets of the organization. Rank the risks identified and accordingly help strategize appropriate risk treatment measures
• Documentation Support: We help in preparing appropriate of policies and procedures as required by ISO 27001 ISMS Standard
• Documentation Rollout: Releasing ISMS documentation (Policies and Procedures). Help teams understand policies and procedures
• Training Internal Auditors: Identify the suitable team structure who can conduct internal assessment as required by ISO27001 ISMS Standard
• Pre-assessment and Certification support: Help organization to assess the results of internal assessment. Once effectiveness of policies, procedures and controls are confirmed, we extend support and handholding till organization gets certified

ISO 22301 BCMS Consulting Advisory: Business Continuity Management System involves developing a strategy to prevent and recover from an unforeseen event of incidents like fire, flood, or cyber-attack. The process involves drawing out detailed procedures and instructions for organizations to follow in an event of disasters. This will involve determining all the possible risks that could impact business operations. It is meant to help organizations continue with their operations even in the case of a major event or disaster. Business Continuity Plan is often interchangeably used with the Disaster Recovery Plan. However, it is important to note that they are different from a Disaster Recovery Plan which focuses on the recovery of a company’s IT system after a crisis.

Pratomate’ approach for ISO 22301 BCMS Consulting:

• Initial Study: to understand the business environment
• Scope Definition: to understand your business operations, controls, and systems to define the scope (People, Process, Operations, Technology, and Geographical Locations)
• Gap Analysis: Study the requirements of ISO 22301 BCMS Standard and actual compliances against the same in the organization
• Awareness Training: to create awareness about key concept of ISO 22301 BCMS Standard among the organization teams
• Asset Classification: Identify critical information assets and classify accordingly
• Business Impact Analysis (BIA): Conduct thorough Business Impact Analysis (BIA) to identify your critical services, cost of downtime, and interdependencies. It is in this phase that the RPO/RTO are identified. RPO refers to the maximum acceptable amount of data loss an application can undergo before causing measurable harm to the business. Recovery Time Objective = Downtime. RTO states how much downtime an application experiences before there is a measurable business loss
• Risks and Threat Analysis: Conduct thorough study of risks and threats to identify single point of failure and related critical dependencies
• Preparing BCM Strategy: Based on the findings of the risk and threat analysis, prepare a suitable BCM strategy which shall be implemented at various levels in your organization
• Deciding Response Strategy: Response Strategy preparation includes developing and implementing Business Continuity Management (BCM) response based on the Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO)
• Documentation Support: We help in preparing appropriate of policies and procedures as required by ISO 22301 BCMS Standard
• Documentation Rollout: Releasing ISO 22301 BCMS Documentation (Policies, Procedures, BCMP). Help teams understand policies and procedures
• Training Internal Auditors: Identify the suitable team structure who can conduct internal assessment as required by ISO 22301 BCMS Standard
• Pre-assessment and Certification support: Help organization to assess the results of internal assessment. Once effectiveness of policies, procedures and controls are confirmed, we extend support and handholding till organization gets certified

PCI DSS Audit & Certification: The Payment Card Industry Data Security Standard (PCI DSS) is a set of Information Security Standards formed in 2004 by major credit card companies including Visa, MasterCard, Discover Financial Services, JCB International, and American Express. Governed by the Payment Card Industry Security Standards Council (PCI SSC), the Standard aims to secure the process of credit card and debit card transactions against theft/fraud. Although, the set Standard is not a legal obligation, but is a requirement to safeguard cardholder data and Debit/Credit card transactions. So, all organizations that accept and process Debit/Credit card payments are expected to undertake an annual PCI DSS Audit. This would typically include an audit of security controls and processes, covering data security such as retention, encryption, physical security, authentication, and access management.

Pratomate approach for PCI DSS Consulting:

• Initial Study: Conduct initial study to understand card processes, the technical environment and accordingly decide PCI scope.
• Scope Definition: Identify the systems that fall under the PCI DSS scope and formulate the scope statement
• Gap Analysis: Identify gaps in organization’s security control systems and environment against PCI DSS standard’s requirements
• Data Leakage Assessment: Conduct thorough data leakage assessment of systems and application and identify remediation
• Awareness Training: Conduct awareness sessions for IT Team and personnel involved in the card data processing, on key requirements of PCI DSS
• Data and Asset Classification: Identify critical information assets, data assets and classify them
• Risk Assessment and Risk Treatment: Conduct thorough study of risks analysis to identify impact the risks to business-critical assets of the organization. Prepare detailed remediation strategies including the recommendation of compensating controls as applicable that can help your organization strengthen its security posture
• Documentation Support: We help in preparing appropriate of policies and procedures as required by PCI DSS Standard
• Documentation Rollout: Releasing PCI DSS Documentation (Policies, Procedures, BCMP). Help teams understand policies and procedures
• Training Internal Assessment Teams: Identify the suitable team structure who can conduct internal assessment
• Pre-assessment, Audit and Attestation support: Help organization to assess the results of internal assessment. Once effectiveness of policies, procedures and controls are confirmed, we extend support and handholding till organization gets successfully assessed

ISO 20000-1 ITSM Consulting Advisory: ISO 20000-1 ITSM Standard is implemented to continually improve Information Technology Service Management System (ITSM). Compliance to ISO 20000-1 ITSM framework shall help deliver effective IT services.

Pratomate’ approach for ISO 20000-1 ITSM Consulting:

• Initial Study: to understand the business environment
• Scope Definition: to understand your business operations, and systems to define the scope (People, Process, Operations, Technology, and Geographical Locations)
• Gap Analysis: Study the requirements of ISO 20000-1 ITMS Standard and actual compliances against the same in the organization
• Awareness Training: to create awareness about key concept of ISO 20000-1 ITMS Standard among the organization teams
• Documentation Support: We help in preparing appropriate of policies and procedures as required by ISO 20000-1 ITMS Standard
• Documentation Rollout: Releasing ISMS Documentation (Policies and Procedures). Help teams understand policies and procedures
• Training Internal Auditors: Identify the suitable team structure who can conduct internal assessment as required by ISO 20000-1 ITMS Standard
• Pre-assessment and Certification support: Help organization to assess the results of internal assessment. Once effectiveness of policies, procedures and controls are confirmed, we extend support and handholding till organization gets certified

ISO 27001 ISMS consulting advisory: ISO 27001 certification is a globally recognized and accepted Information Security Standard established by the International Organization for Standardization (ISO), in partnership with the International Electrotechnical Commission (IEC). ISO-27001 is part of a set of standards developed to handle information security: the ISO/IEC 27000 series. It is a robust framework that enables organizations to demonstrate their high-level security and risk management approach which are industry best practices. The focus of ISO 27001 is to protect the confidentiality, integrity, and availability of business information or data, which may include customer data, employee details, financial information, intellectual property, or information entrusted by third parties.

Typical steps for ISO 27001 ISMS consulting advisory:

• Initial study:To understand the business environment
• Scope definition:To understand your business operations, controls, and systems to define the scope (people, process, operations, technology, and geographical locations)
• Gap analysis:Study the requirements of ISO 27001 ISMS Standard and actual compliances against the same in the organization
• Awareness training:To create awareness about key concept of ISO 27001 ISMS standard among the organization teams
• Asset classification:Identify critical information assets and classify accordingly
• Risk assessment and risk treatment: Conduct thorough study of risks to identify weak areas and loopholes that could impact the business-critical assets of the organization. Rank the risks identified and accordingly help strategize appropriate risk treatment measures
• Documentation support: We help in preparing appropriate of policies and procedures as required by ISO 27001 ISMS standard
• Documentation rollout: Releasing ISMS documentation (policies and procedures). Help teams understand policies and procedures
• Training internal auditors: Identify the suitable team structure who can conduct internal assessment as required by ISO27001 ISMS standard
• Pre-assessment and certification support: Help organization to assess the results of internal assessment. Once effectiveness of policies, procedures and controls are confirmed, we extend support and handholding till organization gets certified

ISO 22301 BCMS consulting advisory: Business continuity management system involves developing a strategy to prevent and recover from an unforeseen event of incidents like fire, flood, or cyber-attack. The process involves drawing out detailed procedures and instructions for organizations to follow in an event of disasters. This will involve determining all the possible risks that could impact business operations. It is meant to help organizations continue with their operations even in the case of a major event or disaster. Business continuity plan is often interchangeably used with the disaster recovery plan. However, it is important to note that they are different from a disaster recovery plan which focuses on the recovery of a company’s IT system after a crisis.

Typical steps for ISO 22301 BCMS consulting advisory:

• Initial study: To understand the business environment
• Scope definition: To understand your business operations, controls, and systems to define the scope (people, process, operations, technology, and geographical locations)
• Gap Analysis: Study the requirements of ISO 22301 BCMS standard and actual compliances against the same in the organization
• Awareness training: To create awareness about key concept of ISO 22301 BCMS standard among the organization teams
• Asset classification: Identify critical information assets and classify accordingly
• Business Impact Analysis (BIA): Conduct thorough business impact analysis (BIA) to identify your critical services, cost of downtime, and interdependencies. It is in this phase that the RPO/RTO are identified. RPO refers to the maximum acceptable amount of data loss an application can undergo before causing measurable harm to the business. Recovery Time Objective = Downtime. RTO states how much downtime an application experiences before there is a measurable business loss
• Risks and threat analysis: Conduct thorough study of risks and threats to identify single point of failure and related critical dependencies
• Preparing BCM strategy: Based on the findings of the risk and threat analysis, prepare a suitable BCM strategy which shall be implemented at various levels in your organization
• Deciding response strategy: Response strategy preparation includes developing and implementing Business Continuity Management (BCM) response based on the Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO)
• Documentation support: We help in preparing appropriate of policies and procedures as required by ISO 22301 BCMS Standard
• Documentation rollout: Releasing ISO 22301 BCMS documentation (Policies, Procedures, BCMP). Help teams understand policies and procedures
• Training internal auditors: Identify the suitable team structure who can conduct internal assessment as required by ISO 22301 BCMS Standard
• Pre-assessment and certification support: Help organization to assess the results of internal assessment. Once effectiveness of policies, procedures and controls are confirmed, we extend support and handholding till organization gets certified

PCI DSS audit & certification: The Payment Card Industry Data Security Standard (PCI DSS) is a set of information security standards formed in 2004 by major credit card companies including Visa, MasterCard, Discover Financial Services, JCB International, and American Express. Governed by the Payment Card Industry Security Standards Council (PCI SSC), the standard aims to secure the process of credit card and debit card transactions against theft/fraud. Although, the set Standard is not a legal obligation, but is a requirement to safeguard cardholder data and debit/credit card transactions. So, all organizations that accept and process debit/credit card payments are expected to undertake an annual PCI DSS Audit. This would typically include an audit of security controls and processes, covering data security such as retention, encryption, physical security, authentication, and access management.

Typical steps for PCI DSS audit & certification:

• Initial study: Conduct initial study to understand card processes, the technical environment and accordingly decide PCI scope.
• Scope definition: Identify the systems that fall under the PCI DSS scope and formulate the scope statement
• Gap analysis: Identify gaps in organization’s security control systems and environment against PCI DSS standard’s requirements
• Data leakage assessment: Conduct thorough data leakage assessment of systems and application and identify remediation
• Awareness training: Conduct awareness sessions for IT Team and personnel involved in the card data processing, on key requirements of PCI DSS
• Data and asset classification: Identify critical information assets, data assets and classify them
• Risk assessment and risk treatment: Conduct thorough study of risks analysis to identify impact the risks to business-critical assets of the organization. Prepare a detailed remediation strategies including the recommendation of compensating controls as applicable that can help your organization strengthen its security posture
• Documentation support: We help in preparing appropriate of policies and procedures as required by PCI DSS Standard
• Documentation rollout: Releasing PCI DSS documentation (policies, procedures, BCMP). Help teams understand policies and procedures
• Training internal assessment teams: Identify the suitable team structure who can conduct internal assessment
• Pre-assessment, audit and attestation support: Help organization to assess the results of internal assessment. Once effectiveness of policies, procedures and controls are confirmed, we extend support and handholding till organization gets successfully assessed

ISO 20000-1 ITSM consulting advisory:ISO 20000-1 ITSM Standard implemented to continually improve Information Technology Service Management System (ITSM). Complying with the ISO 20000-1 ITSM framework shall help deliver effective IT services.

Typical steps for ISO 20000-11 ITSM consulting advisory:

• Initial study: To understand the business environment
• Scope definition: To understand your business operations, and systems to define the scope (People, Process, Operations, Technology, and Geographical Locations)
• Gap analysis: Study the requirements of ISO 20000-1 ITMS Standard and actual compliances against the same in the organization
• Awareness training: To create awareness about key concept of ISO 20000-1 ITMS Standard among the organization teams
• Documentation support: We help in preparing appropriate of policies and procedures as required by ISO 20000-1 ITMS Standard
• Documentation rollout: Releasing ISMS Documentation (Policies and Procedures). Help teams understand policies and procedures
• Training internal auditors: Identify the suitable team structure who can conduct internal assessment as required by ISO 20000-1 ITMS Standard
• Pre-assessment and certification support: Help organization to assess the results of internal assessment. Once effectiveness of policies, procedures and controls are confirmed, we extend support and handholding till organization gets certified

Information security audit:Information security management system, that includes information security policies, procedures and controls are alone not just sufficient to assure compliance and protection of critical and sensitive information. The effectiveness of the policies can only be known by performing an assessment on how they are implemented and complied. This is why periodical information security audit is important. Information security audit is a comprehensive assessment of policies implemented, examining the technical, physical and administrative controls in an organization. The information security audit is conducted to ensure the set policies and procedures are appropriately implemented and adopted by the staff across the organization. It is an on-going process to maintain the effectiveness of security controls and policies. Information security audit is the most efficient and cost effective means of evaluating the information security posture of an organization.

Our expert team use risk based approach to helps organizations to conduct comprehensive assessment of policies implemented, examining the technical, physical and administrative controls.

GDPR Compliance consulting services:The General Data Protection Regulation (GDPR) is a regulatory standard set to protect the data privacy rights of individuals of the European Union. It is a legal framework set for businesses collecting and processing the personal information of EU citizens. Under the GDPR compliance, organizations need to ensure the personal data is legally collected as per GDPR requirements and further protect it from misuse and exploitation. It calls for businesses that collect, process, and transmit personal data to respect the rights of data owners or face penalties for non-compliance. Organizations will have to face significant penalties of up to 4% of annual turnover or 20 million Euros, whichever is greater for being non-compliance

Typical steps for GDPR consulting advisory

• Initial Study: Conduct initial study to understand the organization processes, the technical environment and accordingly decide GDPR scope.
• Scope Definition: Identify the systems that fall under the GDPR and formulate the scope statement
• Gap Analysis: Identify gaps in organization’s security control systems and environment against the requirements for GDPR
• Awareness Training: Conduct an awareness training program to help your employees understand the GDPR compliance regulation and its requirements.
• Data and asset classification: Identify critical information assets, data assets and classify them
• Risk assessment and risk treatment: Conduct thorough study of risks analysis to identify impact the risks to business-critical assets of the organization. Prepare a detailed remediation strategies including the recommendation of compensating controls as applicable that can help your organization strengthen its security posture
• Documentation support: We help in preparing appropriate of policies and procedures as required by GDPR requirements such as DPIA process, privacy policy, fair use policy, etc.
• Documentation rollout: Releasing GDPR documentation (policies, procedures). Help teams understand policies and procedures
• Training internal assessment teams: Identify the suitable team structure who can conduct internal assessment
• Pre-assessment, GDPR compliance audit and attestation support: Help organization to assess the results of internal assessment. Once effectiveness of policies, procedures and controls are confirmed, we extend support and handholding till organization gets successfully assessed for GDPR compliance

Services for implementation and audit of Reserve Bank of India (RBI) guidelines for information security for banks and urban cooperative banks: Reserve Bank of India (RBI) has released guidelines for compliance for information security for banks and urban cooperative banks. We provide the consulting service for implementation and assessment services for RBI guidelines.

Typical steps for RBI guidelines implementation consulting advisory

• Initial Study: Conduct initial study to understand the organization processes, the technical environment against RBI Guidelines.
• Scope Definition: Identify the systems that fall under the RBI Guidelines and formulate the scope statement
• Gap Analysis: Identify gaps in organization’s security control systems and environment against the requirements for RBI Guidelines
• Awareness Training: Conduct an awareness training program to help your employees understand the RBI Guidelines and compliance requirements.
• Documentation Support: We help in preparing appropriate of policies and procedures as required by RBI Guidelines.
• Documentation Rollout: Releasing Documentation (Policies, Procedures and Controls). Help teams understand policies and procedures
• Training Internal Assessment Teams: Identify the suitable team structure who can conduct internal assessment
• Pre-assessment, GDPR compliance audit and attestation support: Help organization to assess the results of internal assessment. Once effectiveness of policies, procedures and controls are confirmed, we extend support and handholding till organization gets successfully assessed for compliance against RBI Guidelines