Specialized Services
Regulation/Standard Specific Compliance Support
PCI Assessment and Implementation Support
The Payment Card Industry has collectively developed a Data Security Standard (PCI-DSS) for all organizations that handle or store credit card information. PCI-DSS is a globally applicable set of requirements and is described by the PCI Security Standards Council as "a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures."
PCI-DSS comprises six principles and twelve core requirements with 64 key controls and 143 sub-controls or processes. Additional application security requirements have been added. The objective of these principles and controls is to ensure that organizations that handle or store credit card account data take the necessary steps to reasonably protect that data against unauthorized access, use, disclosure, modification or other account compromise.
Compliance enforcement and validation requirements for PCI-DSS are handled through the individual credit card companies. Validation requirements vary depending on the annual volume of card transactions and the specific PCI programs of the respective card companies. In the Visa Cardholder Information Security Program, for example, requirements for merchant validation range from quarterly self-assessments and network scans to annual on-site information security assessments and quarterly network scans. Separate requirements exist for service providers.
Understanding and implementing PCI-DSS compliance has been a daunting task for many organizations. Often, there has been confusion about how exactly to implement the requirements in a given organizational and business environment, and especially about how to use compensating controls to constructively meet the standard. The key to effective PCI-DSS implementation and compliance for any organization, however, lies in the following:
- Accurately understanding and documenting the scope of PCI-DSS related information assets (people, processes, technologies, data) as appropriate to the character of the business;
- Accurately identifying and documenting the levels of information security risk associated with those assets, and determining the required levels of management appropriate to control those risks;
- Using the PCI Standard and, as required, other recognized control reference frameworks to develop the control set to meet the identified risk management requirements;
- Ensuring the consistency and inclusion of PCI-DSS requirements with wider information security requirements and controls;
- Engaging in a systematic, process-driven and documented implementation of the defined information security risk management program; and
- Regularly monitoring program effectiveness and identifying and implementing improvements.
ISO 27001 provides an ideal framework for implementing PCI-DSS requirements as part of a comprehensive information security management system. Our team of consultants can assist your organization with assessing the level of compliance, identifying gaps, recommending compensating controls and guiding the implementation of PCI-DSS policies, processes, procedures and other controls for compliance. We will work with your organization through the implementation process, and provide support and consultation during the verification processes conducted by Qualified Security Assessors or Approved Scanning Vendors.
Ongoing Assessment and Management of GLB, HIPAA Compliance
JBW Group International offers compliance recommendations for legislation in the United States such as the Health Insurance Portability and Accountability Act (HIPAA), which deals with protected health information, and the Gramm-Leach-Bliley Act (GLBA), which addresses the handling of personally identifiable financial information. In fact, if your organization conforms to ISO 27001 then it is also in compliance with HIPAA and GLBA regulations, which borrow heavily from international requirements. ISO 27001 is also a defensible solution to Section 404 of Sarbanes-Oxley (SOX) requirements as well as several international laws.
- Implementation of preventative measures and incident response requirements under State Security Breach Notification Laws
- EU Transborder Data Flow Compliance, including implementation of the Safe Harbor Framework, and information security assurance for model contracts and binding corporate rules
- Compliance strategies and implementation for other international data protection law and regulation, including APEC, PIPEDA and Provincial Data Protection Law, specific EU member state law and regulation, and other jurisdictions.