Audit & Assessment

  • Home
  • Audit & Assessment

Audit & Assessment Service

NINT is a one-stop for all of your digital security administrations. Cyber Hawks provides front line results in the zones of Vulnerability Assessment and Penetration Testing administrations for Web Application Security, Mobile Application Security, Cloud Server & Cloud Applications Security, All types of Applications and IT systems. assessment and consultancy in consistence executions and reviews (ISO27001, GDPR, SOC2, PCIDSS, RED Team, SAR etc)
What is ISO 27001?

It is known as one of the International Standard that is required to be followed by the organisation while enhancing the security of information assets, financial information, employee data, other information of customers, vendors, and another third party. To keep them secured will be possible by following the ISO 27001 standards. ISO 27001 is the most efficient standard that protects risk management and multiple other services when they deal with Information Security Management System. However, this system includes a series of organised frameworks and approaches that ensured the confidential information of the organisation is kept secured using the robust ISMS.

Why ISO 27001 is Required?

An ISO 27001 ISMS (Information Security Management System) is a systematic and pro-active approach to manage risks to the security of your company’s confidential information. The ISMS helps in efficient management of sensitive corporate information and highlights vulnerabilities to ensure it is adequately protected against potential threats. It encompasses people, process and IT systems. An ISO 27001 certification is suitable for business of any size, in any given sector, which is looking to increase and enhance the company’s security of its data.

Benefits of ISO 27001

  • Increased reliability and security of systems and information

  • Improved customer and business partner confidence

  • Increased business resilience

  • Alignment with customer requirements

  • Improved management processes and integration with corporate risk strategies

 
What We Deliver

What We Deliver ? It’s an important practice that gives organisations visibility into real-world threats to your security. As part of a routine security check, penetration tests allow you to find the gaps in your security before a hacker does by exploiting vulnerabilities and providing steps for remediation.

  • Digital Report – Our experts will furnish an itemised security evaluation report with legitimate remediation steps to be taken. Distinguish Security Weaknesses inside your Digital Asset permitting you to proactively remediate any issues that emerge and improve your security act.

  • Vulnerability Data – Constantly updating Vulnerability Information to stay in touch with the emerging threat landscape. Receive overview and trend data of all of the current security issues you face in your organisation. All viewable on a Digital Report.

  • Skilled Consultants – We also assured you that your assessments are executed by qualified experts. Our group of security specialists holds industry capabilities, for example, CHECK Team Member and Team Leader, CEH, ECSA, OSCP, CISA, CISSP, and many more.

ISO27701 Compliance Audit

ISO27701 Standard set the base line standards for data protection practices and help organisations demonstrate that they have the appropriate control environment in the form of a Privacy Information Management System (PIMS) which integrates with the Information Security Management System (ISMS). It is applicable to all industries and to organisations of every size, and covers the processing of personal information for all data subjects

Benefits of ISO 27701 Compliance ?

  • •ISO 27701 Compliance provides conditions on how to manage and process data and safeguard privacy.

  •  

  • •ISO 27701 Compliance Provides the Privacy Information Management System implementation process.

  •  

  • •Protect the business reputation.

  •  

  • •Increase customer satisfaction. Acquire the necessary skills to support a business in implementing a Privacy Information Management System in compliance with the ISO/IEC 27701. Increase transparency of the business processes and procedures.

  •  

  • •Build clients’ trust. Support the continuous improvement process of the Privacy Information Management System within organisations.

  •  

  • •Provides transparency between stakeholders. Maintain the integrity of customers’ and other interested parties’ information.

SOC 2 Compliance Audit

information security is a cause for subject for all organisations, which include those that outsource key commercial enterprise operation to third-party providers (e.g., SaaS, cloud-computing providers). Rightfully so, considering the fact that mishandled data—especially by way of application and network security providers—can go away companies vulnerable to attacks, such as statistics theft, extortion and malware installation. SOC 2 is an auditing procedure that ensures your service carriers securely control your data to protect the pastimes of your organisation and the privacy of its clients. Specifically for security-minded corporations, getting compliant with SOC 2 is a least and fundamental need when taking into account a SaaS provider.

What is SOC 2?

Developed by the American Institute of CPAs (AICPA), SOC 2 defines standards for managing customer statistics based totally on five “trust carrier principles”—security, availability, processing integrity, confidentiality and privacy. Unlike PCI DSS, which has very inflexible requirements, SOC 2 reviews are unique to every organisation. In line with specific commercial enterprise practices, each designs its very own controls to comply with one or greater of the have confidence principles. These internal reports furnish you (along with regulators, business partners, suppliers, etc.) with important records about how your service provider manages data. There are two sorts of SOC reports:

  • •Type I describes a vendor’s systems and whether their format is suitable to meet applicable trust principles.

  •  

  • •Type II details the operational effectiveness of these systems.

  •  

SOC 2 Certification

SOC 2 certification is issued with the aid of external auditors. They assess the extent to which a supplier complies with one or extra of the 5 trust standards based totally on the structures and processes in place.

  • •Security The protection principle refers to safety of system sources towards unauthorised access. Access controls help prevent potential system abuse, theft or unauthorised elimination of data, misuse of software, and improper alteration or disclosure of information. IT protection equipment such as network and internet application firewalls (WAFs), two thing authentication and intrusion detection are useful in preventing protection breaches that can lead to unauthorised get entry to of structures and data.

  •  

  • •Processing Integrity The processing integrity precept addresses whether or not a system achieves its cause (i.e., delivers the proper data at the right fee at the right time). Accordingly, data processing need to be complete, valid, accurate, timely and authorized. However, processing integrity does not always imply information integrity. If information contains errors prior to being input into the system, detecting them is now not typically the accountability of the processing entity. Monitoring of data processing, coupled with first-class assurance procedures, can assist make sure processing integrity.

  •  

  • •Privacy The privacy principle addresses the system’s collection, use, retention, disclosure and disposal of non-public records in conformity with an organisation’s privacy notice, as properly as with standards set forth in the AICPA’s generally accepted privacy principles (GAPP). Personal identifiable information (PII) (like, Gender, name, address, Social Security number). Some private information related to health, race, sexuality and religion is additionally regarded sensitive and commonly requires a more level of protection. Controls ought to be put in place to protect all PII from unauthorised access

  • .

  • •Availability The availability principle refers to the accessibility of the system, products or services as stipulated through a contract or service level agreement (SLA). As such, the minimum acceptable overall performance stage for system availability is set by using both parties. This precept does now not address system functionality and usability, however does contain security-related standards that can also affect availability. Monitoring network performance and availability, website failover and safety incident handling are essential in this context.

  •  

  • •Confidentiality Data is considered exclusive if its access and disclosure is confined to a specific set of persons or organisations. Examples may also encompass information meant solely for corporation personnel, as nicely as enterprise plans, mental property, inner charge lists and different types of touchy monetary information. Encryption is an necessary control for defending confidentiality all through transmission. Network and application firewalls, collectively with rigorous access controls, can be used to protect facts being processed or saved on computer systems.

 

The Importance of SOC 2 Compliance

While SOC 2 compliance isn’t a requirement for SaaS and cloud computing vendors, its function in securing your data cannot be overstated. Imperva undergoes regular audits to ensure the requirements of each of the five trust principles are met and that we remain SOC 2-compliant. Compliance extends to all services we provide, including web application security, DDoS protection, content delivery through our CDN, load balancing and Attack Analytics.

 

•What We Deliver

 

•What We Deliver ? It’s an important practice that gives organisations visibility into real-world threats to your security. As part of a routine security check, penetration tests allow you to find the gaps in your security before a hacker does by exploiting vulnerabilities and providing steps for remediation.

  • •Digital Report – Our experts will furnish an itemised security evaluation report with legitimate remediation steps to be taken. Distinguish Security Weaknesses inside your Digital Asset permitting you to proactively remediate any issues that emerge and improve your security act.

  •  

  • •Vulnerability Data – Constantly updating Vulnerability Information to stay in touch with the emerging threat landscape. Receive overview and trend data of all of the current security issues you face in your organisation. All viewable on a Digital Report.

  •  

  • •Skilled Consultants – We also assured you that your assessments are executed by qualified experts. Our group of security specialists holds industry capabilities, for example, CHECK Team Member and Team Leader, CEH, ECSA, OSCP, CISA, CISSP, and many more.

GDPR COMPLIANCE AUDIT

The General Data Protection Regulation (GDPR) is a data privacy regulation that primarily safeguards EU citizens data no matter where its stored in the world and by whom.This indicates that being a company (or organisation), one must make sure that they are well aware of all the changes coming up and what do the changes mean to you.

What is “Personal Data”
 

The concept of “personal data” has been defined in GDPR to refer to any information relating to an identified or identifiable natural person (i.e. “Data Subject”). An identifiable natural person is one who can be identified in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, and therefore all such information is considered as ‘personal data’ under the GDPR. For Indian companies dealing with such ‘personal data’ of EU residents, it then becomes imperative to implement the data protection requirements stipulated in GDPR within their systems. The GDPR is compulsory for organisations as it helps to put governance and measures to manage and process personal data. Non-compliance with the GDPR can result in fines of up to 4% of an organisation’s annual global turnover. Data subjects are also afforded the right to compensation.

 

Awareness

 This indicates that being a company (or organisation), one must make sure that they are well aware of all the changes coming up and what do the changes mean to you.

 

  • •Now there should be no area to be handled solely by just one person taking on the full responsibility. So, the complete support and engagement of Board and Senior Management Team is essential.

  •  

  •  

  • •Keep in consideration all resources and procedural implications of setting up an effective and robust governance team (data) for any organisation.

  •  

  • •GDPR needs to be added into organisation’s risk register as now corporate risk management incorporates both privacy as well as data security.

 

Consent

This feature is regarded as important so as to make sure that individuals have better control and have proper understanding of data processing methods to be employed. This provides a means of giving individual’s stronger rights on the basis of processing.

  • •The consent to be obtained must be very specific, unambiguous, given freely and well informed.

  •  

  • •There must exist an agreement indicating positive indication with data controllers having enough evidence to know that consent is already given.

  •  

  • •Consent can be taken by providing a checkbox on an internet website which is not ticked by default.

 

Date Subject

A data subject is a living, identifiable individual to whom particular personal data relates. If you process their data, the GDPR requires you to meet certain obligations towards Under the GDPR, individuals can exercise:

  • •The Right to be Informed : Individuals have the right to be informed about the collection and use of their personal data.

  •  

  • •The Right of Access : Under the GDPR, data subjects have the right of access to personal data

  •  

  • •The Right to Rectification: Data subjects can ask data controllers to erase or rectify inaccurate or incomplete data.

  •  

  • •The Right to Erasure: Under the GDPR, individuals have to right to ask you to delete their personal data under certain rules and circumstances

  •  

  • •The Right to Restrict Processing: Individuals can ask you to restrict processing their personal data under certain rules and circumstances

  •  

  • •The Right to Object to Processing: if you rely on lawful bases of public interest or legitimate interests for processing, individuals may have a right to object to such processing.

  •  

  • •The right to not be Evaluated Based on Automated Processing: Under the GDPR, individuals have the right not to be subject to a decision that is based solely on automated processing and which significantly affects them (eg profiling for jobs, insurance premiums etc).

 

What We Deliver

What We Deliver ? It’s an important practice that gives organisations visibility into real-world threats to your security. As part of a routine security check, penetration tests allow you to find the gaps in your security before a hacker does by exploiting vulnerabilities and providing steps for remediation.

  • •Digital Report – Our experts will furnish an itemised security evaluation report with legitimate remediation steps to be taken. Distinguish Security Weaknesses inside your Digital Asset permitting you to proactively remediate any issues that emerge and improve your security act.

  •  

  • •Vulnerability Data – Constantly updating Vulnerability Information to stay in touch with the emerging threat landscape. Receive overview and trend data of all of the current security issues you face in your organisation. All viewable on a Digital Report.

  •  

  • •Skilled Consultants – We also assured you that your assessments are executed by qualified experts. Our group of security specialists holds industry capabilities, for example, CHECK Team Member and Team Leader, CEH, ECSA, OSCP, CISA, CISSP, and many more.

PCI DSS Compliance Audit

Any employer that performs a function in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data. Xiarch can assist corporations working with cardholder facts comply with a number of elements of PCI DSS compliance and auditing, including: Protecting saved cardholder data. Encryption of information in transmission. Restricting access to cardholder data. Identifying and authenticating access to network components. Tracking and monitoring all get right of entry to data.

What is a PCI Audit on Compliance?

A PCI DSS Report on Compliance (ROC) is required with the aid of firms with massive transaction volumes and ought to be carried out through a QSA who will present a formal document to the Payment Card Industry Security Standards Council (PCI SSC) to attest that your corporation is in full compliance. A PCI DSS audit is a specified review of an organisation’s cardholder data environment (CDE) the usage of a widespread methodology and reporting layout that outcomes in an RoC. PCI DSS compliance as established through a RoC offers corporations a competitive gain with the aid of supporting them invulnerable infrastructure and expand their overall trading credibility. Maintaining PCI DSS compliance helps guard credit card data and helps patron confidence. Our Qualified Security Assessors are equipped to assist identify the exceptional and most value effective approach to assessing your payment strategies and systems, and affirm they meet the standards set by way of the PCI Security Standards Council (PCI SSC).

Our Engagement Process

The service generally includes a number of days on-site for our QSAs to meet with the managers who oversee the PCI DSS programme; key group of workers involved in network administration and cardholder systems; and the people accountable for organisation methods and policies.

  • •Scoping: An engagement initiates with a pre-assessment of your scope and compliance requirements.

  •  

  • •Pre-Assessment Information Gathering: During this step, our PCI DSS QSA will start a pre-assessment, which consists of an evaluation of the network design, safety coverage evaluation and on-site visit preparation.

  •  

  • •QSA PCI DSS Audit: We will perform a entire overview of your cardholder facts environment against the 12 PCI DSS requirements, and accumulate proof that your controls are in vicinity and working effectively Completed PCI DSS AoC: With completion of all the remediation items, we will then put up the executed RoC to our inner QA process, before getting ready the AoC prepared for formal submission, certifying your organisation as compliant.

 

Our Approach

 

Benefits of a PCI DSS Audit By conducting a PCI DSS threat assessment, you can assist your business enterprise to:

  • •Identify the presence of cardholder information that is no longer required for your commercial enterprise to operate optimally.

  •  

  • •Determine how to phase environments to isolate confidential networks (CDE) from non-sensitive networks.

  •  

  • •Provide your enterprise with the perception into altering environments and ongoing discovery of rising threats and vulnerabilities.

  •  

  • •Assist it to become aware of where mitigation controls required to tighten. Do you Need to Conduct a PCI Audit?

  •  

  • •You would possibly need a formal evaluation if any of the following apply:

  •  

  • •You are a Level 1 service provider processing massive volumes of transactions yearly (more than six million) with Mastercard or Visa. You are a service provider processing giant volumes of transactions yearly (more than one million) with Mastercard and you do not have a PCI DSS-trained internal assessor on staff.

  •  

  • •You are a service provider that has been breached in the past or otherwise deemed to characterize notable risk. You are a service provider to merchants that can have an effect on the security of their payment transactions and you have access to giant volumes of transactions annually.

 

We at Cyber Hawks,

provide end to end support and guidance on getting compliant with these laid guidelines, primarily in below mentioned seven areas: –

  • •Information Security: Well defined framework to focus exclusively on Information and cyber security and Risk management.

  •  

  • •Information Security Audit: Audit on the IS process adopted by the firm and ensure that they provide unbiased and objective view of the extent to which the risk are managed. This focuses on Role and responsibilities of IS audit stakeholders and planning and execution.

  •  

  • •Business Continuity Planning: Policy and procedures to ensure continuity, resumption and recovery of critical business processes. Assistance in performing Disaster recovery drills to ensure readiness in an event of disaster.

  •  

  • •Cyber Fraud: Fraud management, suspicious transaction management, reporting to regulatory body and implementation of various fraud detection techniques. IT Governance: RBI guidelines mandates to have

  •  

  • IT governance framework in place. Focus on creating organisational framework and process to make sure IT security sustains and objectives are met.

  •  

  • •Customer Grievance: Policy and procedure to ensure all the customer grievances are met and steps are taken to resolve the issues in stipulated period of time. Complete assistance on areas of Authentication, Authorisation, Logging and monitoring of transaction and activities, Implementation of Maker checker concept in key operational Areas, Customised and service-oriented architecture, secure operational environment, KYC and customer consent management.

 

What We Deliver

What We Deliver ? It’s an important practice that gives organisations visibility into real-world threats to your security. As part of a routine security check, penetration tests allow you to find the gaps in your security before a hacker does by exploiting vulnerabilities and providing steps for remediation.

  • •Digital Report – Our experts will furnish an itemised security evaluation report with legitimate remediation steps to be taken. Distinguish Security Weaknesses inside your Digital Asset permitting you to proactively remediate any issues that emerge and improve your security act.

  •  

  • •Vulnerability Data – Constantly updating Vulnerability Information to stay in touch with the emerging threat landscape. Receive overview and trend data of all of the current security issues you face in your organisation. All viewable on a Digital Report.

  •  

  • •Skilled Consultants – We also assured you that your assessments are executed by qualified experts. Our group of security specialists holds industry capabilities, for example, CHECK Team Member and Team Leader, CEH, ECSA, OSCP, CISA, CISSP, and many more.•

RBI Information Security Audit

The General Data Protection Regulation (GDPR) is a data privacy regulation that primarily safeguards EU citizens data no matter where its stored in the world and by whom.This indicates that being a company (or organisation), one must make sure that they are well aware of all the changes coming up and what do the changes mean to you.

What is “Personal Data”
 

The concept of “personal data” has been defined in GDPR to refer to any information relating to an identified or identifiable natural person (i.e. “Data Subject”). An identifiable natural person is one who can be identified in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, and therefore all such information is considered as ‘personal data’ under the GDPR. For Indian companies dealing with such ‘personal data’ of EU residents, it then becomes imperative to implement the data protection requirements stipulated in GDPR within their systems. The GDPR is compulsory for organisations as it helps to put governance and measures to manage and process personal data. Non-compliance with the GDPR can result in fines of up to 4% of an organisation’s annual global turnover. Data subjects are also afforded the right to compensation.

 

Awareness

 This indicates that being a company (or organisation), one must make sure that they are well aware of all the changes coming up and what do the changes mean to you.

 

  • •Now there should be no area to be handled solely by just one person taking on the full responsibility. So, the complete support and engagement of Board and Senior Management Team is essential.

  •  

  •  

  • •Keep in consideration all resources and procedural implications of setting up an effective and robust governance team (data) for any organisation.

  •  

  • •GDPR needs to be added into organisation’s risk register as now corporate risk management incorporates both privacy as well as data security.

 

Consent

This feature is regarded as important so as to make sure that individuals have better control and have proper understanding of data processing methods to be employed. This provides a means of giving individual’s stronger rights on the basis of processing.

  • •The consent to be obtained must be very specific, unambiguous, given freely and well informed.

  •  

  • •There must exist an agreement indicating positive indication with data controllers having enough evidence to know that consent is already given.

  •  

  • •Consent can be taken by providing a checkbox on an internet website which is not ticked by default.

 

Date Subject

A data subject is a living, identifiable individual to whom particular personal data relates. If you process their data, the GDPR requires you to meet certain obligations towards Under the GDPR, individuals can exercise:

  • •The Right to be Informed : Individuals have the right to be informed about the collection and use of their personal data.

  •  

  • •The Right of Access : Under the GDPR, data subjects have the right of access to personal data

  •  

  • •The Right to Rectification: Data subjects can ask data controllers to erase or rectify inaccurate or incomplete data.

  •  

  • •The Right to Erasure: Under the GDPR, individuals have to right to ask you to delete their personal data under certain rules and circumstances

  •  

  • •The Right to Restrict Processing: Individuals can ask you to restrict processing their personal data under certain rules and circumstances

  •  

  • •The Right to Object to Processing: if you rely on lawful bases of public interest or legitimate interests for processing, individuals may have a right to object to such processing.

  •  

  • •The right to not be Evaluated Based on Automated Processing: Under the GDPR, individuals have the right not to be subject to a decision that is based solely on automated processing and which significantly affects them (eg profiling for jobs, insurance premiums etc).

 

What We Deliver

What We Deliver ? It’s an important practice that gives organisations visibility into real-world threats to your security. As part of a routine security check, penetration tests allow you to find the gaps in your security before a hacker does by exploiting vulnerabilities and providing steps for remediation.

  • •Digital Report – Our experts will furnish an itemised security evaluation report with legitimate remediation steps to be taken. Distinguish Security Weaknesses inside your Digital Asset permitting you to proactively remediate any issues that emerge and improve your security act.

  •  

  • •Vulnerability Data – Constantly updating Vulnerability Information to stay in touch with the emerging threat landscape. Receive overview and trend data of all of the current security issues you face in your organisation. All viewable on a Digital Report.

  •  

  • •Skilled Consultants – We also assured you that your assessments are executed by qualified experts. Our group of security specialists holds industry capabilities, for example, CHECK Team Member and Team Leader, CEH, ECSA, OSCP, CISA, CISSP, and many more.

RBI Co-Operative Bank IS Audit

Get an in-depth analysis of the RBI Cyber Security Framework for Cooperative Banks and learn more about how Cyber Hawks can help you meet the RBI Cyber Security Guidelines. RBI Cyber Security Framework here includes security of networks, databases, servers, applications and end-user systems among others.

Overview
Why RBI Co-Operative Bank IS Audit Required? Besides, the RBI IT Framework should be security compliant. The framework here includes networks, databases, servers, applications and end-user systems among others. Periodic reviews of the security of the bank’s infrastructure and assets are a must to find out vulnerabilities and security loopholes. Appropriate actions need to be taken by the Co-Operative Bank’s to fill the security loopholes and get rid of vulnerabilities. Banks are obviously a high-profile target. The data they gather about their customers – both individuals and businesses – is extremely valuable to hackers looking to carry out an easy phishing attack, for example. Because their data is so valuable, they have to be aware of the risks and ready to protect it.
 

The Three Most Common Insider Threats are as Follows::

  • •Modifying or stealing confidential or sensitive information for personal gain.

  •  

  • •Theft of trade secrets or customer identification to be used for business advantage

  •  

  • •Sabotage of an organisation’s data, systems or network.

 

Basic IT Security Assessments Checks

 

  • •Inventory Management of Business IT Assets – Maintaining an updated business and IT Asset Inventory register is a must for every Co-Operative Bank . It should have information about the details of every IT asset, its criticality and systems which contain customer information, and classify it according to the sensitivity.

  •  

  • •Preventing Access of Unauthorised Software Every Co-Operative Bank should maintain an updated and if possible a centralized inventory of the authorized soft-ware. They should also have a mechanism in place to monitor and block the installation of unauthorized software. Even the web browser settings should be up-to-date, and internet usage should be restricted.

  •  

  • •Network Management & Security Perform a regular configuration check on all the network devices and change their passwords periodically with some complexity. Wireless networks, access points, wireless client access systems should also be secured.

  •  

  • •Anti- Virus & Patch Management There should be systems in place to monitor the status of the patches of servers, OS and software which the 

  • Co-Operative Bank officials are using. Even the anti-virus management is a must and should be centralized. 

  •  

  • •Secure Mail & Messaging Systems It is important to secure email and messaging systems. Co-Operative Bank’s vendors’& partners email and the messaging system should also be secured. Even the email server specific controls should be implemented and well documented.

  •  

  • •Removable Data The use of removable devices should be prohibited in the banking domain unless authorized specifically. Even when authorized it should be scanned for malware, viruses and ensure erasure of data post use.hat We Deliver

 

What We Deliver ?

It’s an important practice that gives organisations visibility into real-world threats to your security. As part of a routine security check, penetration tests allow you to find the gaps in your security before a hacker does by exploiting vulnerabilities and providing steps for remediation.

  • •Digital Report – Our experts will furnish an itemised security evaluation report with legitimate remediation steps to be taken. Distinguish Security Weaknesses inside your Digital Asset permitting you to proactively remediate any issues that emerge and improve your security act.

  •  

  • •Vulnerability Data – Constantly updating Vulnerability Information to stay in touch with the emerging threat landscape. Receive overview and trend data of all of the current security issues you face in your organisation. All viewable on a Digital Report.

  •  

  • •Skilled Consultants – We also assured you that your assessments are executed by qualified experts. Our group of security specialists holds industry capabilities, for example, CHECK Team Member and Team Leader, CEH, ECSA, OSCP, CISA, CISSP, and many more.

RBI Data Localisation Audit

RBI System Audit Report for Data Localisation (SAR) & Storage of Payment System Data is a compliance mandate driven by RBI to ensure appropriate security measures and data localisation controls for storage of payment related data.

What is RBI System Audit Report (SAR) Data Localisation Audit?

The Reserve Bank of India (RBI) issued a notification to mandate the storage of all end-to-end transaction data within India on April 8, 2018. RBI, the central banking institution, controlling monetary policies in India, requires unrestricted supervisory access to all the payment data and hence this mandate. Data Localisation can be referred to as a government policy for storing the user data collected within its jurisdiction on the servers located within the country. In today’s Data Storage Technology trend, data is generally preserved in a different location for quickly available data back up for data centers. Reserve Bank of India authorises all global and local transaction operators in India to preserve all end-to-end payment data “within the country” has been whispering in the present payment environment across the world. The authorization is relevant for every organisation handling payment data – initiating from finch firms that perform peer-to-peer payment transactions to gateway operators which are accessed globally for universal funds transactions.

 

Circular for Payment Operators Include the Major Items as Below:

  • All system providers shall ensure that the entire data relating to payment systems operated by them are stored in a system only in India. This data should include the full end-to-end transaction details/information collected/ carried/processed as part of the message/payment instruction.

  • System providers shall ensure compliance of above within a period of six months and report compliance of the same to the Reserve Bank latest by October 15, 2018. System providers shall submit the System Audit Report (SAR) on completion of the requirement.

  • The audit should be conducted by CERT-IN Empanelled Auditors certifying completion of activity. The SAR duly approved by the Board of the system providers should be submitted to the Reserve Bank.

  •  

Key Criteria for System Audit Report for Data Localisation (SAR) – Based on the RBI & NPCI Guidelines, the following key criteria need to be covered as part of this audit.

  • •Payments Data Elements – The auditor should check all data elements and their classification as payments or non-payments data. It should include customer data, transaction data, payment sensitive data, and payment credentials data. Each element needs to be categorised into jurisdictions and whether or not the data has been brought back to India.

  •  

  • •Transaction/Data Flow (For all Transaction types including cross border transactions) – The report must include a detailed diagram of the transaction and data flow. The diagram should detail the steps of how a transaction flows through the different components of the application.

  •  

  • •Application Architecture – A detailed diagram of the application architecture is required in the report to show the components and modules of the application.

  •  

  • •Network Diagram – A detailed diagram of the network architecture must show the relevant equipment for primary and disaster recovery sites including CBS, if applicable.

  •  

  • •Transaction processing – The auditor should check if aspects of a transaction processing are done in India and outside India. The auditor also needs to check whether the purging process and policy is defined and in accordance with the RBI guidelines.

  •  

  • •Activities subsequent to Payment Processing – The auditor needs to identify activities that follow the payment processing such as settlements and check if these processes are carried out in India or outside India.

  •  

  • •Cross Border Transactions Database Storage and Maintenance – The auditor must verify if there is a presence of cross-border transactions, whether occurring or supported in the application.

  •  

  • •Data Backup & Restoration – The auditor must verify if the backup and restoration of the defined payment data is compliant with the guidelines.

  •  

  • •Data Security – Security controls must be verified to ensure transaction data is safeguarded. This includes standard data security controls like masking, encryption, data leakage prevention, and database access monitoring.

  •  

  • •Access Management – If data is accessed from outside of India such as for dispute resolutions, chargebacks, customer support activities, data analytics, permission levels, and access levels granted should be in accordance with the defined processes and policies.

 

What We Deliver

What We Deliver ? It’s an important practice that gives organisations visibility into real-world threats to your security. As part of a routine security check, penetration tests allow you to find the gaps in your security before a hacker does by exploiting vulnerabilities and providing steps for remediation.

  • •Digital Report – Our experts will furnish an itemised gap evaluation report with legitimate remediation steps to be taken. Distinguish Weaknesses inside your Storage of Payment Data permitting you to proactively remediate any issues that emerge and improve your compliance act.

  •  

  • •Vulnerability Data – We also assured you that your assessments are executed by Qualified Experts. Our group of security specialists holds industry capabilities, for example, CHECK Team Member and Team Leader, CEH, ECSA, OSCP, CISA, CISSP, and many more.

  •  

  • •Skilled Consultants – We will help you with the Compliance & Certification process that deals with the understanding of various documentation having the implementation verification. Cyber Hawks is worked with the wholesome approach that deals with compliance process•

UIDAI AUA/KUA Audit

Getting enrolled with UIDAI will enable organizations to provide E-KYC and Aadhaar based authentication. Becoming an Authentication User Agency (AUA) is required for any agency/institution registered in India, which is looking to use Aadhaar authentication services of UIDAI. It is also a requisite step in registering as KYC User Agency (KUA) for using the Aadhaar eKYC service, the instantaneous pre-ratified Aadhaar based KYC solution.

UIDAI Guidelines

As per UIDAI Guidelines, the client application is to be audited by the information systems auditor(s) certified by CERT-IN and compliance audit report to be submitted to UIDAI. CERT-IN (Computer Emergency Responses Team – India) is the Central Nodal Agency responsible for any Computer Security Incidents in the Indian subcontinent. The empanelled auditors will assess the information security risks and determine the effectiveness of information security controls over information resources and assets that support operations in the auditee organizations on their request. As a part of any audit, the auditors may interview key personnel, conduct vulnerability assessments & penetration testing, catalogue existing security policies and controls, and examine IT assets.

Why is UIDAI Compliance Audit Required?

AUAs / KUAs shall ensure that their operations are audited to ensure UIDAI compliance by an information systems auditor certified by a recognized body atleast annually The audit report shall be shared with UIDAI upon request. UIDAI has recently updated the AUA audit guidelines. There have been various changes including obtaining consent, transparency and purpose limitation, amongst others. AUAs/KUAs shall ensure that their operations are audited by an information systems auditor certified by a recognised body on an annual basis and on a need basis to ensure compliance with UIDAI standards and specifications. The audit report shall be shared with UIDAI upon request.

Aadhaar AUA/KUA Audit Service Includes

  • •Study the compliance framework & business processes at client’s location

  • •Conduct AUA KUA audits for the in-scope applications

  • •Evaluate entire ecosystem including any sub-contracting agencies or any sub-AUAs 

  • •Incorporating all latest UIDAI’s policy updates Discuss the findings with management & submit the final report

Benefits OF AUA/KUA Audit?

  • •Meet regulatory compliance

  • •Data security of the information stored is increased as Security of applications and devices, networks , systems, are increased

  • •Strengthen your digital technology and processes

  • •Improve your cyber security preparedness and defence

 

What We Deliver

What We Deliver ? It’s an important practice that gives organisations visibility into real-world threats to your security. As part of a routine security check, penetration tests allow you to find the gaps in your security before a hacker does by exploiting vulnerabilities and providing steps for remediation.

  • •Digital Report – Our experts will furnish an itemised security evaluation report with legitimate remediation steps to be taken. Distinguish Security Weaknesses inside your Digital Asset permitting you to proactively remediate any issues that emerge and improve your security act.

  •  

  • •Vulnerability Data – Constantly updating Vulnerability Information to stay in touch with the emerging threat landscape. Receive overview and trend data of all of the current security issues you face in your organisation. All viewable on a Digital Report.

  •  

  • •Skilled Consultants – We also assured you that your assessments are executed by qualified experts. Our group of security specialists holds industry capabilities, for example, CHECK Team Member and Team Leader, CEH, ECSA, OSCP, CISA, CISSP, and many more.

SEBI Cyber Security Framework Audit

The Securities and Exchange Board of India abbreviated as SEBI, is the regulator for the securities market in India. It is owned by the Government of India.SEBI in its circular dated May 30, 2012 gave exit – guidelines for Securities.It had asked exchanges to either mandatory comply to them. SEBI has been vested with the following powers to discharge its functions efficiently Approval of by−laws of Securities exchanges. Amendment of by-laws through the Securities exchange Inspection of the books of accounts from recognised Securities exchanges. Inspection of the books of accounts of financial intermediaries. Listing of shares by certain companies in one or more Securities exchanges. Brokers and sub-brokers are registered

Benefits of Audit

  • •It builds confidence that the systems are suitable and operating securely as designed.

  •  

  • •An independent third party opinion is obtained

  •  

  • •Steer the organisation’s operations to offer better services

  •  

  • •Provide assurance to user organisations who outsource any IT systems performing critical operations that their service organisations have procedures and controls in place to provide constant and reliable services.

  •  

  • •Security of the organisation can be improved by getting the valuable suggestions and feedback from the expert team of Cyber Hawks.

 

What We Deliver

What We Deliver ? It’s an important practice that gives organisations visibility into real-world threats to your security. As part of a routine security check, penetration tests allow you to find the gaps in your security before a hacker does by exploiting vulnerabilities and providing steps for remediation.

  • •Digital Report – Our experts will furnish an itemised security evaluation report with legitimate remediation steps to be taken. Distinguish Security Weaknesses inside your Digital Asset permitting you to proactively remediate any issues that emerge and improve your security act.

  •  

  • •Vulnerability Data Constantly updating Vulnerability Information to stay in touch with the emerging threat landscape. Receive overview and trend data of all of the current security issues you face in your organisation. All viewable on a Digital Report.

  •  

  • •Skilled Consultants We also assured you that your assessments are executed by qualified experts. Our group of security specialists holds industry capabilities, for example, CHECK Team Member and Team Leader, CEH, ECSA, OSCP, CISA, CISSP, and many more.

Payment Gateway Audit

A payment gateway is an online payment solution which empowers merchants to accept payment online including credit card, debit card, direct debit, bank transfer and real-time bank transfers. Payment gateway protects sensitive customer data like credit card number & CVV, netbanking credentials etc. by encrypting the traffic to ensure that the information is passed securely between customer & merchant.

Security Concern Over Payment Gateway

Security Concerns over Payment Gateway The functionality of payment gateway is segregated across multiple levels of operations. Hence threats to its security can also be segregated based each level:

  • •Network Level: Any security risk present in underlying network infrastructure may lead to the compromise of payment gateway. Therefore ensure that the devices & servers are configured properly and network perimeter is also defended against unauthorised access.

  •  

  • •Transaction Level: The security concerns at transaction level include accepting an invalid transaction, for example – ‘0’ amount transaction, negative amount transaction and transaction with invalid details etc. Hence before accepting any transaction for processing, its validity should be checked properly.

  •  

  • •Application Level: This level is about the coding standard of payment gateway and subject to application security risks like – SQL injection, XSS, Direct URL Access, CSRF etc. Refer list of OWASP top 10 vulnerabilities for more details.

  •  

How Payment Gateway Works

Here are the steps of how payment gateway works in online shopping environment:

  • •A buyer purchases an item and enters a credit card number, buyer’s name & CVV number in the checkout page.

  •  

  • •Details about the purchase are sent from the checkout page to the payment gateway for processing.

  •  

  • •The payment gateway forwards transaction information to the merchant’s bank.

  •  

  • •The whole channel between the merchant’s website to payment gateway and payment gateway to merchant’s bank is encrypted.

  •  

  • •The merchant’s bank forwards transaction information to the bank that issued the buyer’s credit card to authorize the transaction.

  •  

  • •The bank that issued the buyer’s credit card either approves or denies the transaction and sends that information back to the merchant’s bank.

  •  

  • •If the transaction is approved, the bank will deposit funds on a merchant’s account at a scheduled time.

  •  

  • •The payment gateway sends transaction details and responses back to the merchant website.

  •  

  • •The merchant website lets the buyer know if the transaction was approved or denied.

  •  
 

What We Deliver

What We Deliver ? It’s an important practice that gives organisations visibility into real-world threats to your security. As part of a routine security check, penetration tests allow you to find the gaps in your security before a hacker does by exploiting vulnerabilities and providing steps for remediation.

  • •Digital Report – Our experts will furnish an itemised security evaluation report with legitimate remediation steps to be taken. Distinguish Security Weaknesses inside your Digital Asset permitting you to proactively remediate any issues that emerge and improve your security act.

  •  

  • •Vulnerability Data – Constantly updating Vulnerability Information to stay in touch with the emerging threat landscape. Receive overview and trend data of all of the current security issues you face in your organisation. All viewable on a Digital Report.

  •  

  • •Skilled Consultants – We also assured you that your assessments are executed by qualified experts. Our group of security specialists holds industry capabilities, for example, CHECK Team Member and Team Leader, CEH, ECSA, OSCP, CISA, CISSP, and many more.

Information Security Risk Assessment Service

Risk assessments are used to identify, estimate and prioritise risks to organisational operations and assets resulting from the operation and use of information systems. Risk assessment is primarily a business concept and it is all about money. You have to first think about how your organisation makes money, how employees and assets affect the profitability of the business, and what risks could result in large monetary losses for the company. After that, you should think about how you could enhance your IT infrastructure to reduce the risks that could lead to the largest financial losses to organisation. Basic risk assessment involves only three factors: the importance of the assets at risk, how critical the threat is, and how vulnerable the system is that threat. Using those factors, you can assess the risk—the likelihood of money loss by your Organization. Although risk assessment is about logical constructs, not numbers, it is useful to represent it as a formula:

How Can I Benefit from a Risk Assessment?
 

A risk assessment helps mitigate your potential losses due to error, fraud, inefficiency, failure to comply with statutory requirements and actions that may have a negative effect on your organization. If your organization has ever asked these questions, a risk assessment may be right for you:

  • •How do we identify and get out in front of emerging risk?

  •  

  • •Have we adequately considered down-side risk to our business objectives?

  •  

  • •What could go wrong?

  •  

  • •Where is the greatest risk that something will go wrong?

  •  

  • •If something goes wrong, what is the impact?

  •  

  • •How often could it happen? How can the risk be mitigated?

  •  

Risk = Asset X Threat X Vulnerability

Nevertheless, remember that anything times zero is zero — if, for example, if the threat factor is high and the vulnerability level is high but the asset importance is zero (in other words, it is worth no money to you), your risk of losing money will be zero. There are multiple ways to collect the information you need to assess risk. For instance, you can:

  • •Interview management, data owners and other employees

  •  

  • •Analyze your systems and infrastructure

  •  

  • •Review documentation

 

To Begin Risk Assessment, Take The Following Steps:

Find All Valuable Assets across the organization that could be harmed by threats in a way that results in a monetary loss. Here are just a few examples:

  • •Servers

  • •Website

  • •Client contact information

  • •Partner documents

  • •Trade secrets

  • •Customer credit card data

  •  

Identify Potential Consequences Determine what financial losses the organisation would suffer if a given asset were damaged. Here are some of the consequences you should care about:

  • •Data loss

  • •System or application downtime

  • •Legal consequences

  •  

Identify Threats And Their Level A threat is anything that might exploit a vulnerability to breach your security and cause harm to your assets. Here are some common threats:

  • •Natural disasters

  • •System failure

  • •Accidental human interference

  • •Malicious human action interference, interception or impersonation)

  •  

Identify Vulnerabilities And Assess The Likelihood of their exploitation. A vulnerability is a weakness that allows some threat to breach your security and cause harm to an asset. Think about what protects your systems from a given threat — if the threat actually occurs, what are the chances that it will actually damage your assets? Vulnerabilities can be physical (such as old equipment), problems with software design or configuration (such as excessive access permissions or unpatched workstations), or human factors (such as untrained or careless staff members).

Assess risk Risk is the potential that a given threat will exploit the vulnerabilities of the environment and cause harm to one or more assets, leading to monetary loss. Assess the risk according to the logical formula stated above and assign it a value of high, moderate or low. Then develop a solution for every high and moderate risk, along with an estimate of its cost.

Create A Risk Management Plan using the data collected.

Create a Strategy for IT infrastructure enhancements to mitigate the most important vulnerabilities and get management sign-off. Define Mitigation Processes You can improve your IT security infrastructure but you cannot eliminate all risks. When a disaster happens, you fix what happened, investigate why it happened, and try to prevent it from happening again, or at least make the consequences less harmful. For example, here is a sample mitigation process for a server failure: Event (server failure) → Response(use your disaster recovery plan or the vendor’s documentation to get the server up and running) → Analysis (determine why this server failed) → Mitigation (if the server failed due to overheating because of low-quality equipment, ask your management to buy better equipment; if they refuse, put additional monitoring in place so you can shut down the server in a controlled way)

 

What We Deliver

What We Deliver ? It’s an important practice that gives organisations visibility into real-world threats to your security. As part of a routine security check, penetration tests allow you to find the gaps in your security before a hacker does by exploiting vulnerabilities and providing steps for remediation.

  • •Digital Report – Our experts will furnish an itemised security evaluation report with legitimate remediation steps to be taken. Distinguish Security Weaknesses inside your Digital Asset permitting you to proactively remediate any issues that emerge and improve your security act.

  •  

  • •Vulnerability Data – Constantly updating Vulnerability Information to stay in touch with the emerging threat landscape. Receive overview and trend data of all of the current security issues you face in your organisation. All viewable on a Digital Report.

  •  

  • •Skilled Consultants – We also assured you that your assessments are executed by qualified experts. Our group of security specialists holds industry capabilities, for example, CHECK Team Member and Team Leader, CEH, ECSA, OSCP, CISA, CISSP, and many more.