Purpose of the Compliance module
Using the Compliance module compliance with numerous predefined international information security standards and regulations as well as freely arranged requirement catalogues can be measured, regularly revised, and a planned management of discrepancies can be implemented. As a result of the tests and audits, detailed compliance and audit reports can be made, along with action plans for findings.
- Compliance audits mean the systematic revision and management of compliance with a requirement set. Requirement packages can be easily set up according to your needs, so, for instance, Clients can map the requirements of their own information security rules or their audit plan. A list of requirement can be:
- Legal requirement
- Contractual obligation
- Standard (e.g. ISO or NIST)
- Objectives of information security
- Audit plan
- Business objectives
- Regulations of the regulatory body
- Client needs
- Corporate regulation
- Parent company requirements
Of course, you can also choose from and work with a continuously expanding set of requirement packages (without aiming to give an exhaustive list):
- ISO/IEC 27001:2013
- MSZ ISO 27001:2014
- PCI DSS
- HIPAA security requirements
- NIST SP 800-53r4-2013 – FISMA
- NIST Critical Infrastructure Cybersecurity Framework
- SOX 404 security requirements
- ITIL v3
- ISO/IEC 20000
- SOX 404
- WLA-SCS -. World Lottery Association Security Control Standard
- Hungarian laws:
- Decree No. 41/2015 of the Minister of Interior (in relation to Act L of 2013 on Information security)
- 65/A of Act LX of 2013 on Insurance Institutions and the Insurance Business
- Government Decree No. 535/2013 on the Protection of IT Systems of Financial Institutions
- MNB 1/2015 on the Protection of IT Systems
The software functionality especially supports the analysis of compliance with the requirements of standard ISO27001:2013 and monitoring compliance.
Detailed reports can be generated from the results of the compliance audit (GAP analysis) in the software. Compliance with requirements can be regularly revised, periodical audit operations can be performed and audit results can be stored. Action plans can be prepared for instances of non-compliance and for the management of findings within the audit, the implementation of corrective measures can be monitored, and the effects of implemented measures can be traced back.
- Compliance and GAP analysis reports
- Finding reports
- Action plans for findings
- Interactive GAP and action plan charts
Hungarian Act L. of 2013. on Information security
The decree (Decree No. 41/2015 of the Minister of Interior) implementing the Hungarian Act on Information security requires affected Governmental and Critical infrastructure organizations to perform numerous analytical and administrative tasks. The functionality of the Compliance module supports the effective and time-saving fulfillment of tasks required under implementing decrees. Compulsory reporting tasks for supervisory Authorities are also well supported.
- The security classificationof information systems, physical facilities or organizational units calculated on the basis of risk management and business impact analysis data, as required separately by CIA.
- Analysis of compliance with class-dependent requirements, thus reveal the currently achieved CIA security classes. The analysis is made easier with an effective user interface, where resources (e.g. information systems) can be evaluated in combination, hence considerably speeding up the assessment.
- Preparation of a comprehensive Action plan. The measures of the action plan can be put into sequence according to various aspects, for instance the order of implementation needed to achieve expected security classes on a desired time scale.
- Interactive compliance and action plan management reports,
- Effective support of continuous compliance.The status of the action plan can be monitored, the measures implemented are routed back into analyses, thus enabling continuous maintenance of compliance with information security regulations and, if needed, up-to-date reports can be generate by pressing a single button.
- Detailed exports required under the Hungarian Act on Information Security and the related decree
- Following of Legislative and Authority requirement changes.
- Export packages for supervisory Authorities can be generated on demand, contains all data required under applicable legal regulations.
Information security law results
- Classification and GAP analysis reports
- Action plan
- Export package for supervisory Authorities
- Management reports