
Frequently Asked Questions

Answers You Need

COMPLIANCE

 

What is a Standard?


A standard is a document that has been established by consensus and approved by a recognised organisation. It provides, for common and repeated use, rules, guidelines, or characteristics for activities or their results, and aims to achieve effective implementation. Recognised organisations are national standardisation bodies. Each standard is optional, unless required by law or other provisions.

 

What Standards are supported by Velocity Check?


At Velocity Check we are fully supporting the compliance, certification, and operation of the following Standards:


  1. ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements

  2. ISO/IEC 27701:2019 Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines

  3. ISO 22301:2019 Security and resilience — Business continuity management systems — Requirements

  4. ISO/IEC 20000-1:2018 Information technology — Service management — Service management system requirements

  5. ISO 9001:2015 Quality management systems — Requirements

  6. PCI DSS v4.0, v3.2.1 Payment Card Industry (PCI) Data Security Standard - Requirements and Testing Procedures

  7. MPA CSP v4.10, v5.0 Content Security Best Practices


In addition, we have completed the design, implementation, and rollout of frameworks fully aligned with industry-specific standards, such as the risk management guidelines from the International Maritime Organization (IMO) MSC-FAL.1/Circ.3, and with regulations such as GDPR and NIS1 & 2.


ISO Standards

 

What is ISO/IEC 27001:2013?

 

ISO/IEC 27001:2013 provides general guidelines for information security management. It defines the design, implementation, maintenance, and improvement of an information security management system. It establishes risk management as a fundamental mechanism for protecting a company’s business mission. It is addressed predominantly to those responsible for implementing information security. It describes a common basis of protection measures to achieve the desired level of information security. It supports information security management and helps build trust between companies.

 

What is ISO/IEC 27701:2019?

 

ISO/IEC 27701:2019 specifies requirements and provides guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management. It also specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.

 

What is ISO 22301:2019?

 

ISO 22301:2019 specifies requirements to implement, maintain and improve a management system to protect against, reduce the likelihood of the occurrence of, prepare for, respond to, and recover from disruptions when they arise.

 

What is ISO/IEC 20000-1:2018?

 

ISO/IEC 20000-1:2018 specifies requirements for an organisation to establish, implement, maintain, and continually improve a service management system (SMS).

 

What is ISO 9001:2015?

 

ISO 9001:2015 specifies requirements for a quality management system (QMS) when an organisation needs to demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, and aims to enhance customer satisfaction through the effective application of the system, including processes for improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements.

 

Are the above ISO Standards applicable to any company type and size?

 

Yes. All the requirements of the International Standards are generic and are intended to be applicable to any organisation, including public and private companies, government entities and not-for-profit organisations, regardless of its type or size or the products and services it provides.

 

What are some of the benefits of complying with ISO standards?

 

  • Understanding of the risks of the company.

  • Risk reduction through the implementation of appropriate controls.

  • A sense of trust in the overall business environment, through the company's top management commitment to the formal management of information security, business continuity, privacy, quality and the delivery of IT services.

  • Obtaining an objective, independent and experienced opinion on the adequacy and compliance of the management system.

  • Objective proof of the company's commitment to apply industry best practices.

  • International recognition and validity of the ISO certificates.


Industry Specific Standards and Regulations

 

What is PCI-DSS?

 

PCI-DSS provides a baseline of technical and operational requirements designed to protect payment card data. While specifically designed to focus on environments with payment card account data, PCI DSS can also be used to protect against threats and secure other elements in the payment ecosystem.

 

What is MPA’s CSP?

 

Motion Picture Association Content Security Best Practices provide current and future third-party vendors engaged by MPA’s members with an understanding of general content security expectations and current industry security best practices.

 

What is IMO’s MSC-FAL.1/Circ.3?

 

International Maritime Organization guidelines on maritime cyber risk management provide high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities and include functional elements that support effective cyber risk management.

 

What is GDPR?

 

The General Data Protection Regulation (GDPR) aims to protect natural persons with regard to the processing of personal data and defines the rules regarding the free movement of personal data. GDPR is a Regulation in EU law on data protection and privacy in the EU and the European Economic Area. It consists of 99 main articles and 173 explanatory notes. In the UK, GDPR as a national law came into effect on 01 January 2021. It sets out the key principles, rights, and obligations for most processing of personal data in the UK.

 

What is NIS2?

 

The aim of the Network and Information Security (NIS) Directive 2 is to increase the level of cyber-resilience of a comprehensive set of businesses operating in the European Union across all relevant sectors. It does so by putting in place rules requiring all public and private entities across the internal market which fulfil important functions for the economy and society to take adequate cybersecurity measures. In the UK, the NIS Regulations came into force on 10 May 2018. Following a consultation in 2022, the UK government announced its intention to update the NIS Regulations to improve the UK’s cyber resilience, effectively aligning its position with NIS2.

 

How can Velocity Check help my company comply with the above ISO and industry specific Standards and Regulations?

 

We have a proven track record in implementing the required controls for organisations of all sizes, types, and natures. A common theme among all the above ISO and industry-specific Standards and Regulations is to follow a risk-based approach first. Our approach delivers a "security injection at the heart of a company". We analyse the means, opportunity and motives of threat actors and combine them with real-world, categorised security vulnerabilities to come up with a detailed threat scenario. We then add monetary and reputational business impact values to our risk formula to extract the level of risk. It doesn't sound innovative, but it is effective. The level of risk is "translated" to a practical scale of priority. The threat scenario drives the implementation of technical and organisational preventative, detective and corrective security controls, and the business impact "tells" us how to advise you in managing your company's information security, business continuity, privacy management and quality risk.


CERTIFICATION

 

What is the International Organization for Standardization (ISO)?

 

The mission of the organization is the development, communication, and marketing of industry-related standards. Since 1947 ISO has published 22919 industry-related standards. 164 countries are ISO members. Each standard is developed by authorities in their industry and is based on consensus; only the agreed final version is published as an international standard. Compliance with the standards of the International Organization for Standardization is voluntary for management systems, products, and services.

 

What is Certification and what is Accreditation?

 

  • Certification is the process by which a certification body gives a written guarantee that a product, management system or service complies with specified standard requirements.

  • Accreditation is the process by which an authorized body provides formal recognition that another body or person has the capacity to perform a particular task.

 

What is UKAS?

 

The United Kingdom Accreditation Service (UKAS) is the United Kingdom’s sole national accreditation body. UKAS is formally recognised by the UK government to assess and accredit, against internationally agreed standards, organisations that provide conformity assessment activities including certification, testing, inspection, and calibration services. UKAS operates as an independent, non-profit-distributing private company, fulfilling a public authority role.

 

What if an organisation is not accredited by UKAS, but by another Accreditation Body?

 

UKAS is a signatory, along with other recognised accreditation bodies from around the world, to multilateral agreements for the purposes of mutual recognition through the European co-operation for Accreditation (EA), the International Accreditation Forum (IAF) and the International Laboratory Accreditation Co-operation (ILAC). Those bodies that are signatory to these agreements are deemed to provide technically equivalent services having undergone stringent peer evaluations.

 

Is the Hellenic Accreditation System (ESYD) a member of MLA signatories?

 

Yes. The Hellenic Accreditation System is a member organisation of the MLA signatories IAF/ILAC and EA.

 

Is TUV Austria Hellas an Accredited Conformity Assessment Body?

 

Yes. TUV Austria Hellas is VELOCITY's preferred Conformity Assessment Body, accredited by the Hellenic Accreditation System (ESYD).

 

What is a Management System?

 

Management systems standards define the design, development, implementation, operation, monitoring, and continuous improvement of a ruleset, roles and responsibilities, work instructions and controls, among other elements, to support the mission of a company. The form of a management system is complex and depends on many factors such as the requirements of the standard, the size of the company as well as the full or partial implementation of the standard.

 

What are some of the benefits of certified Management Systems?

 

  • Quality customer relationship

  • Leadership involvement and commitment

  • More engaged personnel

  • Effective management of human resources

  • Ease of training

  • Competitive advantage

  • Practical proof of a company's commitment to apply rules

  • Continuous improvement

 

Can Velocity Check manage the certification process of PCI-DSS and MPA’s CSP?

 

Yes. Predominantly, we ensure the organisation complies with the requirements of the industry-specific Standards by designing and implementing the required controls, and then we fully manage the administration of the certification process on behalf of our client, from the selection of the preferred PCI DSS QSAC/TPN Assessor to supporting our client during the 3rd-party audit/assessment.

 

What is an audit?

 

The systematic, independent and documented process for obtaining and evaluating objective evidence to determine the extent to which the agreed audit criteria are fulfilled.


CYBERSECURITY

 

What is information security?

 

Information security brings many concepts together, but it is primarily a complex and difficult task. It can be achieved if there is the necessary commitment from top management, and it is typically implemented via an information security management system comprising:

 

  • Information security principles

  • Information security policies

  • Information security procedures

  • Security organization

  • Technical, administrative, and procedural detective, preventative and corrective Security controls

  • ….

 

It is constantly reviewed, through internal structured inspections and 3rd-party audits among many other activities, to ensure it is properly and effectively implemented.

 

What are some well-known security threats?

 

  1. Hackers/malicious insiders

  2. Social engineering/phishing

  3. Natural disasters

  4. Malware/Ransomware

  5. Unauthorised access

  6. Access brokers

  7. Fraud/theft

  8. Environmental control failures

  9. Hardware & application failures

  10. Poor user password management

  11. Missing user access rights reviews

  12. Unpatched systems & networks

  13. Default usernames and/or passwords

  14. Misconfigured systems, applications, and network elements

 

What are some common indicators of compromise?

 

  1. Unusual inbound and outbound network traffic

  2. Geographic irregularities, such as traffic from countries or locations where the organization does not have a presence

  3. Unknown applications within the system

  4. Unusual activity from administrator or privileged accounts, including requests for additional permissions

  5. An uptick in incorrect log-ins or access requests that may indicate brute force attacks

  6. Anomalous activity, such as an increase in database read volume

  7. Large numbers of requests for the same file

  8. Suspicious registry or system file changes

  9. Unusual Domain Name System (DNS) requests and registry configurations

  10. Unauthorized settings changes, including mobile device profiles

  11. Large amounts of compressed files or data bundles in incorrect or unexplained locations

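Several of the indicators above can be checked mechanically against authentication logs. The following is an added example (not the page's or Velocity Check's own tooling) that runs over constructed key=value log lines and flags three of them: a surge of failed log-ins from one source (item 5), traffic from a country where the organisation has no presence (item 2), and a privileged account requesting additional permissions (item 4). The log format, the `presence_countries` set and the failure threshold are assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample authentication log (not from any real system).
SAMPLE_LOG = """\
2024-03-01T09:00:01 user=alice src=10.0.0.5 country=GB event=login_ok
2024-03-01T09:00:02 user=alice src=203.0.113.9 country=XX event=login_failed
2024-03-01T09:00:03 user=alice src=203.0.113.9 country=XX event=login_failed
2024-03-01T09:00:04 user=bob src=203.0.113.9 country=XX event=login_failed
2024-03-01T09:00:05 user=carol src=203.0.113.9 country=XX event=login_failed
2024-03-01T09:00:06 user=dave src=203.0.113.9 country=XX event=login_failed
2024-03-01T09:00:07 user=admin src=10.0.0.7 country=GB event=permission_request
2024-03-01T09:00:08 user=erin src=10.0.0.8 country=GB event=login_ok
"""

# Assumed line layout: timestamp followed by fixed key=value fields.
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
                     r"country=(?P<country>\S+) event=(?P<event>\S+)$")

def parse_log(text):
    """Parse matching lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records

def detect_indicators(records, presence_countries, fail_threshold=5, privileged=("admin",)):
    """Return (indicator, detail) tuples for the three indicators checked here."""
    findings = []
    # Indicator 5: an uptick in failed log-ins from a single source address.
    fails = Counter(r["src"] for r in records if r["event"] == "login_failed")
    for src, n in fails.items():
        if n >= fail_threshold:
            findings.append(("failed_login_uptick", f"{src} had {n} failed log-ins"))
    # Indicator 2: traffic from a country where the organisation has no presence.
    for c in sorted({r["country"] for r in records} - set(presence_countries)):
        findings.append(("geographic_irregularity", f"traffic from {c}"))
    # Indicator 4: a privileged account asking for additional permissions.
    for r in records:
        if r["user"] in privileged and r["event"] == "permission_request":
            findings.append(("privileged_permission_request", f"{r['user']} from {r['src']}"))
    return findings

if __name__ == "__main__":
    for indicator, detail in detect_indicators(parse_log(SAMPLE_LOG), {"GB"}):
        print(indicator, "-", detail)
```

The thresholds and field names would be tuned to the real log source; the point is that each listed indicator maps to a concrete, testable rule.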
 

What are some common security tips, proven to improve my company’s security posture?

 

  1. Security cannot afford complexity, keep it simple

  2. Maintain an asset/data inventory

  3. Monoculture is good and bad

  4. Layered defence is good

  5. Apply least privilege principle

  6. Provide access on a need-to-know basis

  7. Implement choke-points and monitor

  8. Hackers only need to get it right once; we need to get it right every time

  9. Don’t forget to backup

 

Why choose us?

 

Clients should choose Velocity Check for its comprehensive services, industry expertise, customized solutions, technology-enabled services, and reputation for excellence in the field of compliance, certification, and cybersecurity.
