Risk Management, Compliance & Governance
To deliver expert end-to-end service across all RM&G services, Locked Stack has developed a unique service capability built on the NIST maturity framework. Combining highly skilled consulting expertise in a range of Risk Management and Compliance frameworks with NIST, the industry-accepted standard for measuring information and technology maturity, Locked Stack takes pride in its bespoke five-pillar approach to service and solution delivery excellence.
ASSESS
Identify Current Security Posture
Identify Critical Assets
Define Scope
Understand Risks and Threats
Assess Business Impact
DEFINE
Cyber Security Strategy
Identify Risk Appetite
Define Roles & Responsibilities
Formalise Security Policy
Agree and Deliver ISMS
DESIGN & BUILD
Architecture Design
Security Procedures
Disseminate Documentation
Validate Systems & Processes
Formalise Procedures
MANAGE & TEST
Manage the Risk
Test the Controls
Remediate Vulnerabilities
Provide Assurance
Validate BAU Controls
MEASURE & IMPROVE
Meet Compliance Objectives
Utilise Metrics to Improve Security Posture
Ensure Security is Paramount
“One of the main cyber-risks is to think they don’t exist. The other is to try to treat all potential risks.” – Stephane Nappo
NIST CONSULTING
SCOPE ANALYSIS
Accurate identification of the in-scope people, processes, technologies, locations and third parties.
The report defines the Cardholder Data Environment (CDE) reporting requirements, merchant level and provides CHD flow diagrams and options for de-scoping.
GAP ANALYSIS
Analysis of the gaps against the current version of PCI DSS for a defined CDE.
The report identifies the gaps and provides prioritised recommendations and a roadmap to compliance.
REMEDIATION
A higher-level review of a larger organisation's PCI DSS scope and gaps against the current version.
The report provides insight into how an organisation can become compliant including quick wins, organisational and process changes through strategic initiatives.
REPORT ON COMPLIANCE
A formal written Report on Compliance with a QSA signed Attestation of Compliance after completion of a formal assessment.
The output from this engagement aims to provide both merchants and service providers of all levels (1-4) with formal validation of their compliance on an annual basis.
“Privacy is not something that we’re merely entitled to, it’s an absolute prerequisite.” – Marlon Brando
GDPR CONSULTING
GDPR HEALTH CHECK
A comprehensive review of an organisation's compliance using our developed security framework.
The report identifies the gaps, big issues and challenges and provides prioritised recommendations and a roadmap to deploying appropriate security controls in accordance with Principle 6 of the GDPR (confidentiality and integrity).
DATA PRIVACY IMPACT ASSESSMENT
The Data Protection Impact Assessment (DPIA) helps an organisation identify and reduce the privacy risks of a project.
It is a mandated article within the GDPR and all organisations must undertake a DPIA for new high risk projects.
GDPR POLICIES
Developing the set of policies and procedures required for a GDPR-compliant privacy framework.
GDPR BUSINESS PROCESS MAPPING
We will perform stakeholder interviews to gather the relevant information needed to complete a process map. Information usually required is:
– Applications used to process
– Data storage locations and media, e.g. file share, database, etc.
– Retention Period
– Types of data involved in the process
– Names of records or forms with stored data
– Third party names with whom data is shared
– Knowledge of internal and external data transfers
The output is in PDF format and will include an embedded data flow diagram, inventory of assets as well as data types identified during the interviews.
“An investment in knowledge pays the best interest.” – Benjamin Franklin
ISO27001 CONSULTING