Once you decide "YES we want to be more secure"
The way forward is to get serious about Governance, Risk and Compliance (GRC)
Governance means making Risk Assessments of Data that you have. Also means setting the Agenda: Security to be improved continually and requires 3 topics to be fulfilled.
- Leadership (company and IT)
- Risk Assessments
- Compliance and controls
Risk assessments mean develop paperwork or a paper trail of all of your IT assets. Compliance starts with an inventory of all of your assets, both hardware and software. And now it is paramount that you make a comprehensive list... Why?
Because you need to know what you have so that you can set up a patch list. Patch means to upgrade software and hardware (including IoTs - Internet Of Things).
So interesting to note, but PCI compliance requires inventory management (a list of your devices).
For PCI compliance it is required to keep the PCI machines free from viruses and attacks. But what if the attackers come in from elsewhere? This is the weakness of PCI compliance. But do not forget compliance equals "controls", which are various preventive systems such as NGFW (Next Gen firewall), Anti-Virus, and Log management, as well as any other customized development within your network to ensure security as high as possible within your budget, and Risk as low as possible.
As I have mentioned in my blogpost: Risk Management has failed us. You can review the blogpost for more information, risk management must be carefully managed so as to not allow hackers a way into your environment
But this is _why_ we are here. We have a CISA Certification which allows us the audit framework to review your environment systematically to give you information so that you can run your business and not deal with unforeseen events.
CISA Certified Information Systems Auditor uses the ITAF(Information Technology Assurance Framework) to review IT environments.
Contact us to discuss your Governance - Risk - Compliance needs.