Development of technical solutions
Installation and implementation of the solution are the phases of operational and technical execution of everything conceived in the design phase and defined in the project plan. Installation refers to the physical setting up of the equipment and software at the location and in the form defined in the project plan. Implementation refers to making the equipment and software functional as foreseen by their characteristics and the project plan, i.e. making them do what they were meant to do. In this phase it is important to note that, due to the general increase in the maturity level of the IT industry, there are relatively few companies in which we would have the chance to build an IT system from scratch, which is why the term "integration" is becoming ever more common. The term integration has several meanings, and here it is used in both of its IT-relevant meanings:
- Integration as the procedure of bringing various technologies together so that they perform the required functions in a harmonized way, and
- Integration as the incorporation of new systems or elements into existing IT systems, bringing their functions together and expanding them.
All components in this phase are crucial for obtaining the desired result, so their implementation is strictly monitored. Monitoring is defined by the project methodology, which covers all the phases up to the handover of the finished, functional solution. ECS uses the PMI project methodology (adapted to IT to a certain extent) and partly MSF. In brief, the following steps must be taken into account:
- Implementation plan – defines the deadlines and operational elements of the implementation. The resources of both the service provider and the customer must be coordinated, and representatives of both must be members of the project team.
- Testing – the extent and scope of testing guarantee that, from the moment of handover, the solution does what it was designed to do, in the way it was designed to do it.
- Delivery – the document in which both sides, the provider and the customer, state that the job was performed according to the contracted parameters, in terms of both quantity and function.
- Documentation of the performed job – the documentation customers can use throughout the lifespan of the solution to control its functions, and also as the basis for future changes and upgrades.
- Operating manual – the documentation that assists in operating and monitoring the system.
GDPR - Consulting and analysis
The purpose of the GDPR Regulation is to protect the data of EU citizens regardless of where their data is processed and stored, whether within or outside the EU. The prescribed rules apply to any company that in any way collects or processes personal data. In practice this means that organizations need to improve their own information security mechanisms and incorporate them into their business-as-usual operations. In other words, some of the principles of information security that have until now been understood as recommendations or good practice will, from that date, become a legal obligation.
The General Data Protection Regulation (GDPR) enters into force on May 25, 2018. ECS experts with long-standing experience in information security, PCI DSS compliance projects, information security management system implementation projects (ISO/IEC 27001:2013) and GDPR compliance projects provide services to companies to bring their business into compliance with the new regulation and security standards.
Education
To achieve full customer satisfaction, it is frequently not sufficient to develop an IT system or its component well and on time, because the high complexity of contemporary IT systems can cause problems during use if users and administrators are not sufficiently trained to use, monitor and operate them. ECS therefore offers education services as a component of IT system development. Education commonly takes place at the end, after system development is complete, and it can make the difference between a project that is judged successful and one that is implemented successfully but shows deficiencies during use precisely because of inadequate knowledge and skills of users.
In addition to the operating manuals that come as an integral part of project delivery, it is often necessary to educate both system administrators and end users so that they can use complex IT systems efficiently. Accordingly, ECS can offer several forms of education to its clients:
- The most frequent form is individual education, suitable for focused topics that an individual needs in order to work efficiently, usually carried out at the user's location, in the user's environment and on the user's system.
- Group education in the form of workshops, also at the user's location, because this is the most efficient method for specific topics.
- Formalized education on topics that can be of interest to a larger number of attendees, at either ECS's location or the user's premises if adequate space and equipment are available.
As a rule, ECS does not provide education according to established, predefined programmes; instead it negotiates the topics and the form of delivery with the client, which is why ECS's educational programmes respond to actual users' needs and are adapted to them as closely as possible.
PCI DSS compliance
VISA, MasterCard, American Express, Diners, Discover Card and JCB have together created an industry data security standard in order to protect their users. The Payment Card Industry Data Security Standard (PCI DSS) binds all parties in the card payment business (merchants, banks and service providers) to protect cardholder data.
All banks and service providers must be certified by Qualified Security Assessors (QSA) and Approved Scanning Vendors (ASV) in order to retain the right to process card payments.
The global payment brands have delegated to banks and service providers the responsibility for ensuring their compliance with PCI DSS. The names of certified providers are listed on the official VISA and PCI Council web sites to show their clients that their systems are secure. Non-compliance with the standard entails financial penalties and the possibility of complete exclusion from the card payment business.
Basic PCI DSS requirements include:
- network security,
- cardholder data protection,
- vulnerability management,
- access control,
- network testing and monitoring,
- security policy maintenance.
The scope of the service encompasses:
- project management,
- consulting on achieving compliance with PCI DSS requirements,
- services of Trustwave, the world's leading QSA (Qualified Security Assessor) and ASV (Approved Scanning Vendor),
- compliance level assessment (gap analysis),
- establishing organizational controls (policies, rulebooks etc.) for achieving compliance with the standard,
- assistance with filling out the Self-Assessment Questionnaire (SAQ) for merchants.
Business continuity management
Business continuity management is a need of every modern organization and a key process for ensuring the continuity of business processes. Depending on the specifics of a business segment, a business may tolerate only very short (seconds or minutes) or relatively long (days) interruptions of business continuity, but every interruption of a business process causes direct financial and operational consequences, and the damage grows with time.
Today's organizations depend to a great extent on systems based on information and communication technology, which are subject to failures and outages. However, business also depends on elements such as information, people and business premises.
In order to prevent or control the consequences of a continuity break in some part of the business, it is necessary to establish a Business Continuity Management System (BCMS). Business Continuity Plans (BCP) are developed within business continuity management, together with the framework for refreshing, maintaining and adjusting them.
| Activity | Deliverable |
|---|---|
| Defining business continuity policy | Business continuity policy |
| Risk assessment | Risk assessment questionnaires |
| Business Impact Analysis (BIA) | Business Impact Analysis questionnaires |
| | Business Impact Analysis report |
| | Catalogue of critical resources |
| Devising business continuity management strategy | Business continuity strategy |
| Devising and documenting business continuity plans | Master plan |
| | Damage assessment plan |
| | Critical data protection plan |
| | Critical business functions/processes recovery plans |
| Testing plans | Business continuity plan testing scenarios |
| Maintaining plans | Procedures for updating plans |
| | Updated business continuity plans |
| Education and awareness | Educational materials |
Information security management system (ISO/IEC 27001)
Information security is often wrongly understood to mean a set of technical measures taken to protect information systems (firewalls, antivirus solutions etc.). However, statistics show that most security incidents occur not because of technical limitations of the information system but because of the lack of a quality, efficient management system that encompasses not only technical but also organizational and physical controls.
The most reliable set of recommendations and good-practice examples in the field of information security management system implementation can be found in the ISO/IEC 27000 series of standards. The most relevant standards in the series are:
- ISO/IEC 27001:2005 – specifies the requirements for establishing a documented Information Security Management System (ISMS), and
- ISO/IEC 27002:2005 – establishes guidelines and general principles for initiating, implementing, maintaining and improving information security management in an organization.
The generic nature of the ISO/IEC 27000 series of standards guarantees its applicability to organizations of all shapes and sizes. It is precisely because of that generality that the ISO/IEC 27000 series is applied worldwide in a large number of organizations that have recognized information security as a necessary precondition for achieving their business goals.
| Activity | Deliverable |
|---|---|
| Laying ISMS foundations | ISMS scope |
| Risk assessment methodology definition | Risk assessment methodology |
| Information resources identification and assessment; gap analysis (recording of the existing security controls); identification of vulnerabilities and threats | Risk assessment report |
| Risk reduction proposal compilation | Risk reduction proposal |
| Drawing up the Statement of Applicability (SoA) | Statement of Applicability |
| Implementation plan formulation (risk management plan) | Risk management plan |
| Establishing key processes and procedures | Processes, policies, procedures and rulebooks according to the customer's needs |
| Compiling the documentation obligatory under ISO 27001 | Document control procedure |
| | Internal audit procedure |
| | Preventive and corrective measures management procedure |
Risk management
Companies today face growing insecurity and complexity, which complicates their management of technical and business risks. Managing operational risks significantly influences the quality and success of project management, which is an important factor in a successful market position and requires clear, measurable and iterative risk management processes.
Basel II defines operational risk as "the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events". In simpler terms, security risk is the possibility that an undesired event occurs that can harm the confidentiality, integrity or availability of information or information resources.
The risk management process answers the following questions:
- How to harmonize business and security requirements,
- Which direction to take when implementing controls to raise the level of information security,
- How to reduce risks to acceptable levels so that investments remain justified in the business and financial sense.
Risk assessment is the basis for linking the information security management system and the business continuity management system with the company's business strategy.
| Activity | Deliverable |
|---|---|
| Establishing the scope of risk management | Risk management scope |
| Establishing risk assessment methodology | Risk assessment methodology |
| Resource identification and assessment | Resources catalogue |
| Identification of threats and vulnerabilities | Risk assessment report |
| Compiling recommendations for risk reduction | Risk reduction proposal |
| Establishing processes/procedures for periodic risk assessment | Risk management process/procedure |