European law dictates that companies, financial corporations and government agencies are required to secure their sensitive personal data. Although every sector has its own security regulations, they all work in a similar way: software and hardware must comply with strict and detailed rules and procedures. Organisations have to prove their continuous efforts to comply with these regulations, and failures to comply are heavily fined. Every organisation is responsible for its own security, meaning that risk assessments are essential. In this article Infosecurity Magazine asked SRC Secure Solutions about their field experiences with independent risk assessments.
SRC Secure Solutions, a Dutch company, offers proven independent risk assessments for a range of operating systems. The company believes in the automation of security compliance and supports independent risk assessments as the means to verify compliance.
They offer risk assessments for IBM systems (IBM System z (mainframe), IBM System i (AS/400) and IBM System p) as well as Unix and various Linux environments. Each system has its own characteristics and therefore needs a specialised risk assessment plan; these plans (technical risk assessments) are run independently of the management organisation. This is important because many applications run on legacy platforms, which are often outsourced to specialised companies. There is still a lot of development taking place on these legacy systems, and they often get integrated with other systems (web and mobile systems).
Every company and organisation has to comply with regulations concerning security, no matter what system or software is in use. An American listed company has to deal with SOX; a company that handles credit card details for payment on its systems has to comply with PCI; a Dutch financial organisation with Basel III and the regulations set by De Nederlandsche Bank and the AFM; an insurance company with Solvency II. There are many more such regulations.
These regulations for security compliance are becoming stricter, and many are governed by criminal law. An example is the ‘Wet Bescherming Privacygegevens’, dating from 2001, which will be replaced by the much more detailed European law for the protection of personal data (GDPR). Violations are punished, and there are additional regulations such as the ‘Wet Meldplicht Datalekken’, the Dutch law governing the disclosure of data leaks. These regulations dictate that organisations have to prove that they actively work with specialised security software, have additional procedures in place and educate their employees to adhere to strict security compliance. Management must prove that they are compliant, through reports compiled from the independent risk assessments, and any shortcomings must be remediated immediately.
BIR regulations for Dutch government organisations
Dutch government agencies must observe the ‘Baseline Informatiebeveiliging Rijksdienst’ (baseline information security for the government service), BIR, and the NEN/ISO 27001 and NEN/ISO 27002 standards. These regulations mandate the technical configurations of their systems and the procedures to be followed. All involved parties must invest time and knowledge to translate these laws and regulations into their systems, software and procedures. This holds true for their modern and legacy systems, outsourced systems and systems running in the ‘cloud’. Security compliance requirements do not discriminate between the systems used and hold the organisation responsible for all of its systems. An independent risk assessment is the most secure and watertight way to adhere to and implement the strict regulations.
SRC Secure Solutions has performed security risk assessments for banks, government organisations, wholesale, retail, manufacturing and many other organisations.