Information Security Сonsulting Services
Information security (IS) audit allows to solve the following tasks:
- enhancement of the corporate information resource security level;
- harmonization of information security management processes with requirements of state and industry standards;
- monitoring of security level for the information system being implemented.
In the scope of IS audit and consulting the CJSC RNT specialists provide the following services:
1. Survey and creation forma descriptions for:
- business processes;
- banking processes;
- information flows;
- network infrastructure;
- automated systems;
- information security tools.
2. Information security audit (GAP analysis, conformity assessment) and harmonization with the following requirements:
- Russian Central Bank Standards for Information Security of Bank System Organizations;
- FZ-161 and National Payment System;
- FZ-152 and personal data protection;
- ISO 27001;
- ISO 22301;
- COBIT
- comprehensive audit for several areas at once.
3. Security analysis and intrusion testing (also according to the PCI DSS Standard)
4. Evaluation of IS and information classification violation impact on business
5. Evaluation of IS risks and development of threat model:
- IS threat list determination;
- identification of asset vulnerabilities and formalization of possible attack vectors;
- calculation of residual risk values;
- development of the plan to process risks;
- description of ways to identify threats and to monitor IS risks.
6. Determination and formalization of policies and strategies (concepts):
- analysis of the requirements for internal and external related parties;
- formalization of business goals;
- decomposition of business goals into information security goals;
- determination and formalization of impact factors necessary to get the information security goals, including:
- principles and approaches;
- processes;
- organization structure, personnel and competence;
- information and infrastructure;
- corporate culture;
- development of (correction of a previously developed) document “IS Concept” based on carried out analysis.
7. Preparation of technical specifications to develop and implement technical security tools and organizational security measures.
8. Development of technical design and operational documents for technical security tools:
- Design Notes;
- Hardware specification;
- Program and methods of testing;
- User guide;
- Logbook.
9. Implementation of information security management system (ISCS) and preparation to its certification in accordance with the international standard ISO 27001.
10. Implementation of information security management system (ISMS) in accordance with the industry Russian Central Bank Standards for Information Security of Bank System Organizations.
11. Implementation of some IS processes (training of customer employees, demonstration, monitoring and management for implementation) and related documents for governance and management in accordance with the following requirements:
- COBIT5;
- ISO27001;
- Russian Central Bank Standards for Information Security of Bank System Organizations.
12. Implementation of some processes and related documents (regulations, instructions) in terms of information security assurance (depending on applied technical security tools):
- inventory and information asset configuration management;
- IS vulnerability management;
- IS event and incident management (information security incident management system implementation to provide in accordance with ISO 27035 requirements, preparation to implement SEM/SIEM systems, event correlation rule development, etc.);
- access control;
- awareness level enhancement;
- computer fraud counteraction;
- backup and restore.
13. Work delivery for business continuity management:
- Audit of business continuity management system for compliance with ISO22301:2012;
- Implementation of business continuity management system in accordance with ISO22301:2012 and preparation to its certification;
- Development of plans to ensure continuity and restore activities in accordance with requirements of the Russian Central Bank;
- Automation of business continuity management processes.