ISO 27001
An internationally recognized standard on information security. By complying with it, organizations adopt best practices for keeping information protected in a secure environment.
Advantages:
- Reduces the risk of information loss, theft, and corruption in its handling within organizations.
- Continuous review and periodic control of the risks to which customers are exposed, with risks identified according to the ISO standard.
- A methodology is established thanks to which information security can be managed in a clear and concise manner.
- Security measures are implemented so that customers, employees and suppliers can access information in a secure and controlled manner.
- It requires external audits to be carried out periodically, which identifies any incidents in the Information Security Management System (ISMS) and thus promotes continuous improvement in the organization. The company is a living organism that evolves: year after year, information systems, technologies, people and all types of assets are updated to adapt to the company's current and future needs.
- Having an ISMS provides a guarantee to customers, strategic partners and suppliers, since it presents the company as an organization concerned about the confidentiality, integrity and security of the information deposited and managed in it.
- Provides continuity of operation and service, as normal or as soon as possible, in the event of major problems such as ransomware attacks, phishing or exploits, so that the company can resume operations without loss of information, or with the minimum possible and acceptable losses.
- It can be integrated jointly with other Standard Management Systems such as ISO 9001, ISO 14001, and ISO 45001, among others.
- Ensures that the organization complies with current legislation on the processing of personal data and information and intellectual property.
- It optimizes the operation of information processes and, therefore, compliance implies a reduction in costs.
- It generates optimal processes and procedures, offering guarantees about what should be done, how it should be done, and who interacts in each situation.
- Being part of an organization committed to information security contributes to improving staff motivation.
- It is an investment for the future that implies a competitive advantage and a distinguishing factor against the competition, since having an ISMS gives greater reputation and image at national and international level, increasing the confidence of customers and suppliers.
NNS
The National Security Scheme establishes the security policy for the adequate protection of the information processed and the services provided, through a common approach to their protection. It consists of basic principles, minimum requirements, protection measures, and compliance and monitoring mechanisms for the public sector, as well as for private sector technology providers that collaborate with the Administration.
Its implementation is a requirement established by Law 11/2007 of June 22, 2007, on citizens’ electronic access to Public Services, and regulated by Royal Decree 3/2018 of January 8.
NNS Objectives
Spain’s National Security Scheme has six main objectives:
- To create the necessary conditions of trust for the use of electronic media by citizens in their relationship with the Public administration.
- To introduce common elements and methodologies in the field of IT security for public administrations.
- To provide a common language to facilitate interaction between the different Administrations, as well as the communication of information security requirements to industry.
- Promote continuous security management.
- Promote prevention, detection, and remediation to improve resilience to cyber threats and cyber-attacks.
- Serve as a model of best practices.
Which organizations, public or private, are required to comply with this Scheme?
The General State Administration, the Administrations of the Autonomous Communities, the Entities that make up the Local Administration, and the public law entities linked to or dependent on them (universities, hospitals, collegiate bodies…) are obliged to comply with the National Security Scheme.
Likewise, companies that contract or subcontract with the Public Administration for the provision of services within the scope of the regulations must also consider compliance with the NNS, i.e., everything related to the exercise or fulfillment of citizens' rights and duties through electronic means, or to access to information through them.
ISO 22301
ISO 22301 is the internationally recognized standard that determines the requirements for implementing, operating, monitoring, reviewing, maintaining, and improving a Business Continuity Management System (BCMS) to ensure business continuity and recovery of business processes in the event of a disruptive event, improving resilience and minimizing the consequences of such events.
Among the many benefits of complying with the standard, we can highlight that, in the event of an event that paralyzes an organization’s operations, having an ISO 22301-compliant BCMS will provide the organization with the following advantages:
- Avoid improvisations, and act according to pre-established plans and strategy.
- Minimize downtime of processes, services, and systems.
- Control financial, legal, operational, and image impacts.
- Plan resources and set realistic priorities and objectives.
- Build organizational resilience for an effective response.
- Prepare personnel and ensure maintenance of the plans.
ISO 20000
ISO 20000 is a quality standard that ensures that a company's IT (Information Technology) management and support systems follow best practices.
It was published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), so it is accepted in most countries of the world.
The objective of the ISO standard is to offer companies a certification that guarantees that the methodology and good practices are correctly established in their information management processes.
By implementing ISO 20000, companies will achieve an integration of their processes that includes a system of continuous improvement in the quality of their services, both to their customers and internally.
Benefits:
- Improves reputation. ISO 20000 certification is a differentiator within the IT sector because it guarantees quality in service and customer care.
- Increases productivity. By implementing ISO 20000, the company optimizes its processes and services, improving speed, reducing costs, and improving quality, which will make it much more productive.
- Guarantees compliance with the required level. Obtaining ISO 20000 requires compliance with a series of demanding requirements, so that certified companies guarantee the quality of their services.
- Decreases costs. The service is optimized because simpler processes are used and, as a result, there is a gain in speed and a reduction in the resources and time required.
- Dynamism and speed. New processes make it easier to adapt to changes and respond more quickly to demands. Services are streamlined, increasing the skill and speed with which processes are performed.
- Competitive advantages. All the advantages mentioned above make the company more competitive and provide it with differentiating characteristics.
COMMON CRITERIA
Common Criteria is an internationally recognized standard for evaluating the security features and the level of assurance of an IT product. The standard defines seven Evaluation Assurance Levels (EAL1 to EAL7) of increasing rigour. The higher the evaluation level, the more demanding the requirements of the standard, and the higher the attack potential assumed for attackers who intend to breach the evaluated product, the Target of Evaluation (TOE).
The purpose of this certification is to give a security product the reliability that its future users need to keep their networks protected. It adds a differential value that proves decisive in qualifying the efficiency and effectiveness of a cybersecurity solution, all within the framework of worldwide security standards.
It is internationally valid thanks to the Common Criteria Recognition Arrangement (CCRA), and at the European level thanks to the SOG-IS agreement.
SOC
What is a SOC?
A Security Operations Center (SOC) is the team responsible for ensuring information security.
The SOC is a platform that allows the monitoring and management of information system security through collection tools, event correlation and remote intervention.
The purpose of a SOC is to provide cross-cutting (horizontal) services in the field of cybersecurity.
Its objectives are:
- Increase the capacity for monitoring and threat detection in the daily activities of a company's information and communications systems.
- Analyze attacks or possible threats.
- Recover information that a company may have lost or had damaged as a result of such attacks.
- Improve the capacity to respond to any attack.
The main benefit of having a security operations center is improved detection of security incidents through continuous monitoring and analysis of data activity.
LEET
LEET Security certification is a specific rating of the security level of ICT services.
Unlike other mechanisms that only corroborate the existence of, and compliance with, management procedures, the LEET seal gives a score to the security measures the provider integrates into the construction and operation of the service. The rating covers three dimensions, Confidentiality, Integrity and Availability, and shows the level obtained by the rated service in each of them according to the security and continuity measures implemented, expressed as three letters from A+ (the highest level) to D (the most basic level).
Advantages:
- Promotes transparency: all users can know the rating level of the service and have a complaint mechanism in case the necessary conditions are not met.
- Limits the usual conflict of interest in trusted third parties: LEET Security’s system, based on tutored self-assessment, reduces the possibility of conflict of interest and fixes responsibility on the side of the service provider.
- Simplifies the understanding of the security level: no expert is required to evaluate whether the service to be contracted is adequate for one's own risk profile.
- Reduces implementation costs: the tutored self-assessment model allows suppliers to join without facing large adaptation costs.
- Streamlines the audit process: by using a rating system that incorporates the controls of the most widespread regulations and standards, ICT service providers can simplify the audit process by avoiding repetitive testing of the same controls (the "audit once, use many times" principle).
Pinakes
Pinakes is a platform for rating, managing and monitoring the services of providers in the financial sector. It allows the entities participating in the platform to know the cybersecurity level of the services they have contracted from suppliers and, from the supplier's side, to show the sector the cybersecurity strengths of their services with a view to possible future contracts. In turn, where a contractual relationship exists, the entities comply with the requirements emanating from the EBA guidelines regarding their obligation to evaluate the controls and security measures of their suppliers.
Pinakes Qualification
The Pinakes certification is a label that makes visible the level of cybersecurity a provider has in the rated service. The rating gives a "score" to the security measures integrated by the supplier in the construction and operation of the evaluated service.
This rating consists of three sections (Confidentiality, Integrity, and Availability of information), which in turn have five levels ranging from the highest “A+”, where the most demanding measures and controls are implemented for the handling of very sensitive information, to the lowest “D”, where minimum security measures are complied with.
SAMA (Saudi Arabian Monetary Authority)
SAMA established a Cyber Security Framework (“the Framework”) to enable Financial Institutions regulated by SAMA (“the Member Organizations”) to effectively identify and address risks related to cyber security. To maintain the protection of information assets and online services, the Member Organizations must adopt the Framework.
The Framework defines principles and objectives for initiating, implementing, maintaining, monitoring and improving cyber security controls in Member Organizations.
The Framework provides cyber security controls which are applicable to the information assets of the Member Organization, including:
- Electronic information.
- Physical information (hardcopy).
- Applications, software, electronic services and databases.
- Computers and electronic machines (e.g., ATM).
- Information storage devices (e.g., hard disk, USB stick).
- Premises, equipment and communication networks (technical infrastructure).
The Framework provides direction for cyber security requirements for Member Organizations and their subsidiaries, staff, third parties, and customers.
For business continuity-related requirements please refer to the SAMA Business Continuity Minimum Requirements.
The Framework has an interrelationship with other corporate policies for related areas, such as physical security and fraud management. This framework does not address the non-cyber security requirements for those areas.