Yunis Salayev
Technology Risk and Advisory provides advice on the risks surrounding the use and deployment of technology within organisations. Our specialist teams provide a number of services, which can broadly be classified under the following headings:
- Information Security – helping organisations identify risks and assess the controls they have in place to safeguard and secure information.
- PCI DSS – BDO is a QSA company offering a range of services to help clients with their compliance.
- Service Organisation Control Reports – independent verification of the design and operating effectiveness of controls.
- Data Analytics – using advanced data interrogation software to help with data management and getting true value from data.
- Data Privacy – assisting in understanding and assessing the appropriateness of data privacy policies and procedures.
- IT Internal Audit (including internal Sarbanes-Oxley Section 404 testing) – we provide IT internal audit services to clients who may not have the specialist resource internally.
- Project Risk Management – assessing the appropriateness and effectiveness of project management methodologies, both at a corporate level and on a project-by-project basis.
- Business Continuity – encompasses a range of services from assisting in the assessment of the suitability of plans to the development of plans from scratch.
We work with a number of clients who either need to demonstrate that they have strong systems controls in place, or have chosen to carry out control-related reviews. Risk and Advisory Services has recently engaged with a number of clients to provide service organisation control report services.
CLOUD SECURITY RISK ASSESSMENT
Many definitions exist of cloud computing. In simple terms, it is the outsourcing of your business data (possibly confidential and sensitive), applications and/or elements of your IT infrastructure to third parties, over the internet, or ‘the cloud’, to benefit from economies of scale.
With cloud computing, part of your IT infrastructure moves to a third-party service provider, and your trust boundary extends to cover that provider. A cloud computing risk assessment should be carried out before moving IT systems to a cloud provider, so that management adequately understands and addresses the risks before data and systems are outside its direct control.
Our cloud security risk assessment looks at a number of areas including:
- IT strategy
- Governance
- Certifications and independent attestation
- Data protection legislation
- Data location
- IT security
- User Access Management
- Privileged user access
- Availability and resilience
FINANCIAL SERVICES DATA SECURITY DIAGNOSTIC
Our Financial Services Data Security Diagnostic reviews your data security controls against the good-practice findings published by the leading financial services regulators.
Using our diagnostic tool, we will work with key stakeholders to review your data security controls and identify any gaps. Our clear and concise report provides an overall data security score, further broken down by key areas, that can be used for benchmarking purposes.
INFORMATION SECURITY
Having access to accurate information on demand is crucial and increasingly organisations are realising the significant benefit to be gained from integrating their business systems with suppliers, clients, employees and partners. However, the more complex and integrated systems become, the greater the IT security risks the business may face. IT security breaches, such as theft of sensitive data and disruption of service to customers, can have serious long-term effects, including:
- Loss of business resulting from damage to reputation
- Regulators levying heavy fines for breaches of data security
- Potential costs from legal claims
IT security management is the process by which security risks are identified and addressed, allowing companies to control and secure their information and systems.
Our services are designed to help ensure that your approach to IT security is appropriate. This involves understanding your risk appetite, the threats that you face and the controls you require. We provide a one-stop IT security service. Our range of services includes:
- IT Security Risk Assessments
- Penetration Tests and Vulnerability Assessments
- Cloud Security Risk Assessment
- ISO 27001
- Financial Services Data Security Diagnostic
- PCI DSS
ISO 27001 CONTROLS REVIEW
ISO/IEC 27001 is an internationally recognised standard for information security management, covering both the technical and the management aspects of IT security. We can benchmark your IT security controls against the standard. Whether you are seeking certification or simply looking to improve your IT security approach, we can help you develop an ISO 27001 Information Security Management System (ISMS) and prepare you for certification.
IT SECURITY RISK ASSESSMENT
IT security is an area often clouded by technical terminology and can be difficult to understand. Most organisations find it hard to assess and quantify IT security risks. As a result there is often a focus on technology without sufficient consideration of the wider business impact.
Our approach focuses on a risk workshop. This is a flexible exploration of your specific IT security risks, structured around areas of the ISO 27001 IT security standard. Using our BDO Risk Assessment Tool, we facilitate an IT risk workshop in which we debate and agree key IT security risks facing your business, identifying any gaps in your security controls.
Subjects covered in the workshop will depend on your specific needs, but typical areas include:
- IT security management
- Physical and environmental security
- Security incident management
- Human resources security
- IT asset management
- Business continuity
- Access control
- Compliance
- Information systems acquisition, development and maintenance
- Communications and operations management
PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)
BDO is accredited as a Payment Card Industry (PCI) Qualified Security Assessor (QSA) and an Approved Scanning Vendor (ASV). We offer a complete PCI service to help our clients meet their PCI DSS compliance requirements.
PCI DSS was written as an industry standard to increase security around payment card details, protect the consumer and reduce card fraud. The standard is written around six security goals, as follows:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
All organisations that store, process or transmit payment card details must comply with the standard. Complying with the PCI DSS can appear to be a daunting task, but it does not need to be. Our Qualified Security Assessors (QSAs) can help you understand your risks and achieve PCI DSS compliance in a manageable and cost-effective way.
BDO's trained QSAs can provide help in the following ways:
- Scope reduction
- Data discovery
- Gap analysis
- Assist with completion of the Self Assessment Questionnaire (SAQ)
- Completion of a Report on Compliance (ROC)
- Consulting, advice and guidance
QUARTERLY VULNERABILITY SCANS
BDO has been accredited as an Approved Scanning Vendor (ASV). This allows us to perform the quarterly external vulnerability scans of internet-facing systems that are required to reach and maintain PCI DSS compliance. Note that ASV scans are external only; the standard also requires internal vulnerability scans, which may be carried out by your own staff or another qualified party.
As well as performing the scans, we can offer expert help in remediating any significant findings and perform rescans to verify that issues have been resolved.
PENETRATION TESTS AND VULNERABILITY ASSESSMENTS
There is a constant and continually evolving threat of attack against your information and systems. New exploits are created on a daily basis to take advantage of both existing and newly discovered vulnerabilities.
Sophisticated attacks can target one or more of your:
- Network
- Web infrastructure
- Customers
- Employees
Attacks include theft of sensitive data and disruption of service to customers. Security breaches can have a range of serious implications for your business, including:
- Loss of business resulting from damage to your reputation
- Regulators levying heavy fines for breaches of data security
- Potential costs from legal claims
- Damage to your share price
Periodic testing provides confidence that your systems remain protected on an ongoing basis.
We provide both “external” and “internal” penetration tests and vulnerability assessments, to help you assess your exposure to attacks originating from outside and from within your private network. Our testing covers threats to both your network and your web infrastructure.
SERVICE ORGANISATION CONTROL REPORTS
Historically, engagements to report on controls at a service organisation were performed under AAF 01/06, SAS 70 or another local standard. From 15 June 2011 it is expected that many will either be performed under ISAE 3402 or SSAE 16, or will start to transition to these standards. Service organisation control reports are typically used as auditor-to-auditor communications with the auditors of the service organisation's customers. The readers of these reports use them to gain an understanding of the controls in place at the service organisation and, in certain instances, to determine whether those controls are effective.
There are two types of service organisation control reports that a service auditor may issue. In a Type 1 report, the auditor reports on whether controls at the service organisation were fairly presented and whether they were suitably designed and implemented to meet the control objectives. In a Type 2 report, which is more common, in addition to reporting on the fair presentation, design, and implementation of controls, the auditor also reports on whether the controls operated effectively throughout a specified period. This is typically one year, but can be for varying periods although generally not less than six months.
BDO can help make the process as smooth as possible. We have an experienced team that has worked with many clients to establish the criteria, identify the systems and controls in order to be able to complete these reports successfully.
We spend time to get to know you and how your organisation operates. This means we can then have sensible discussions with you about the options available and which is the best and most efficient way of achieving your goals.
During the initial phases of the project we can help ensure your control objectives are aligned with the standard and cover all of the necessary areas. By taking the time to get the basics in place at the start, this gives you comfort that everything has been considered at the early stages and leads to efficiencies later on in the project.
Your controls need to be independently reviewed and concluded upon by experienced auditors. To this end we can test your controls in order to provide the independent assurance that your clients demand.
As a service organisation you have a number of options. The main factor in deciding which option is best for you is the requirements of your customers. If your customers are US-based only and you have no plans to expand into international markets, then it will be best to report under SSAE 16.
If, however, you serve customers internationally and these are not US-based, then an ISAE 3402 report will best suit your needs. Where you have customers based both in the US and internationally, we can discuss the best options available with you, as you may wish to have a report under each set of standards to satisfy your wider customer base.
Our qualified Risk and Advisory team members have extensive experience of guiding clients through this process successfully. We help clients identify and efficiently mitigate their key operational risks by aligning both processes and the underlying information systems to meet business and regulatory requirements including ISAE 3402, SSAE 16, AAF 01/06, SAS 70, SOX 404, ITIL and COBIT. Our approach is based on in-depth knowledge of business and IT risk assurance and advisory.