Security Compliance Advisory (Service)
The Security Compliance Advisory service was developed to provide clients with an evaluation of the gaps present in their processes and platforms with respect to one or more regulations of concern, which become the specific object of the service. The evaluation is based on the definition of the current state of compliance with specific requirements (referred to below as controls), the characterization of the gaps with respect to the remediation (re-entry) plan already in place or proposed for the corporate area concerned, and finally the formalization of the Gap Analysis on the remediation plan structured in this way.
The Gap Analysis is usually built on the assessment results compared with a likely target situation that could be achieved once the countermeasures and controls able to mitigate the gaps found are implemented. Based on the legal requirements expressed by the regulation of concern, a contextualized assessment process is built for the service, structured as a series of controls (checks) collected in one or more checklists. The following schema shows the process implemented by Retis in order to obtain the final result:
(Figure 1: schema of the assessment process)
Once data collection is completed for every process/platform component, an integrated result can be produced by assigning a score to every control, following a methodology inspired by CMM (Capability Maturity Model), which is useful for transforming the qualitative reviews into a quantitative, overall assessment. Starting from the AS-IS state it is possible to define a feasible TO-BE scenario, also in coordination with any activity already running or planned within existing company strategies.
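As an added example (not code from Retis or from the service described above), the following Python script shows one way to quantify the AS-IS state, the TO-BE target and the resulting gap for a checklist of controls scored on a CMM-style maturity scale. The 0 to 5 level mapping, the control identifiers, weights and levels are all constructed for illustration; the page does not define a specific scale.

```python
"""Added example: CMM-style scoring of checklist controls to turn qualitative
control reviews into an overall AS-IS / TO-BE gap figure. All sample data is
constructed; the maturity scale is an assumed mapping, not one defined by the page."""

from dataclasses import dataclass, field
from typing import List

# Assumed maturity levels, loosely inspired by CMM.
MATURITY = {
    0: "not performed",
    1: "initial",
    2: "repeatable",
    3: "defined",
    4: "managed",
    5: "optimizing",
}


@dataclass
class Control:
    control_id: str
    description: str
    as_is: int           # assessed maturity level, 0..5
    to_be: int           # target maturity level, 0..5
    weight: float = 1.0  # relative importance inside the checklist

    def __post_init__(self):
        # Reject scores outside the scale and targets below the current state.
        for level in (self.as_is, self.to_be):
            if level not in MATURITY:
                raise ValueError(f"{self.control_id}: level {level} not in 0..5")
        if self.to_be < self.as_is:
            raise ValueError(f"{self.control_id}: TO-BE target below AS-IS level")

    @property
    def gap(self) -> int:
        return self.to_be - self.as_is


@dataclass
class Checklist:
    name: str
    controls: List[Control] = field(default_factory=list)

    def _weighted_mean(self, attr: str) -> float:
        total = sum(c.weight for c in self.controls)
        return sum(getattr(c, attr) * c.weight for c in self.controls) / total

    def as_is_score(self) -> float:
        return round(self._weighted_mean("as_is"), 2)

    def to_be_score(self) -> float:
        return round(self._weighted_mean("to_be"), 2)

    def compliance_pct(self) -> float:
        # Share of the weighted target maturity already reached.
        return round(100 * self._weighted_mean("as_is") / self._weighted_mean("to_be"), 1)

    def remediation_priorities(self) -> List[str]:
        # Controls with an open gap, largest weighted gap first.
        ordered = sorted(self.controls, key=lambda c: c.gap * c.weight, reverse=True)
        return [c.control_id for c in ordered if c.gap > 0]


# Constructed sample checklist (hypothetical controls, not from the page).
SAMPLE = Checklist("Access control (constructed sample)", [
    Control("AC-1", "User accounts are individual and nominal", as_is=3, to_be=4),
    Control("AC-2", "Privileged access is reviewed periodically", as_is=1, to_be=4, weight=2.0),
    Control("AC-3", "Password policy is enforced technically", as_is=4, to_be=4),
    Control("AC-4", "Access logs are retained and protected", as_is=2, to_be=4, weight=1.5),
])


def gap_report(checklist: Checklist) -> str:
    """Render the checklist score and the ordered remediation plan as text."""
    lines = [
        f"{checklist.name}: AS-IS {checklist.as_is_score()} / TO-BE {checklist.to_be_score()} "
        f"({checklist.compliance_pct()}% of target)"
    ]
    by_id = {c.control_id: c for c in checklist.controls}
    for cid in checklist.remediation_priorities():
        c = by_id[cid]
        lines.append(f"  {cid}: {MATURITY[c.as_is]} -> {MATURITY[c.to_be]} "
                     f"(gap {c.gap}, weight {c.weight})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(gap_report(SAMPLE))
```

Weighting lets a single weak control (AC-2 above) dominate the remediation order even when the unweighted average looks acceptable, which is the behaviour an assessor usually wants when a control maps to a mandatory requirement of the regulation of concern.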
A short, non-exhaustive list of the regulations of concern that the compliance evaluation can address follows:
- Privacy Code - Dlgs. 196/2003, the Code on personal data protection, Annex B “Disciplinare tecnico in materia di misure minime di sicurezza”
- Legislation December 15 2005 – “Nuove misure di sicurezza presso i gestori per le intercettazioni”
- Legislation January 17 2008 – “Sicurezza dei dati di traffico telefonico e telematico” (G.U. n. 30 del 5 febbraio 2008)
- Legislation November 27 2008 – “Misure e accorgimenti prescritti ai titolari dei trattamenti effettuati con strumenti elettronici relativamente alle attribuzioni delle funzioni di amministratore di sistema”.
- PCI-DSS – Payment Card Industry Data Security Standard, the reference standard for any merchant that handles payment card transactions