Governance and Compliance
Management systems compliance
According to the modern practices, the information security governance is an essential part of the overall enterprise governance. It ensures risk control, supports realization of business goals and allows to optimize resource spent on data protection. Mature processes and widely recognized information security management system certifications in many cases is a requirement to get trust from customers. Our team is ready to develop and support enterprise information security management system according to the best practices. Our service can contribute to any implementation and certification project which delivers compliance with one of the company level information security certifications: ISO27001, PCI-DSS, SOX, NIST RMF, SOC2, Cyber essentials, etc.
IT systems compliance
Out team can certify the IT system in accordance to the OWASP Application Security Verification Standard (ASVS) which is a widely recognized certificate which proves the strength of IT system controls.
Project case: OWASP ASVS certification
The goal of the project was to verify if the customer’s web application is ASVS 4.0 compliant. The application was tested according to level 2 recommendations from the ASVS 4.0 standard. The project consisted of two phases: pentest and interview. During the interview, the SDLC practices and system architecture were analyzed. During the pentest, the application was verified according to the selected set of ASVS requirements. As a result, the customer has received a detailed report which included:
After fixing identified weaknesses the customer got the ASVS compliance certificate.
- the ASVS 4.0 L2 requirements and their verification results (OK, Found, N/A)
- detailed recommendations on how to fix vulnerabilities to become ASVS compliant
- appendix with evidences on how each requirement was verified.
Project case: Disaster recover planning
The goal of the project was to create a detailed business continuity and disaster recovery plans for AWS infrastructure compromise scenarios.
For BCP/DR creation, there were used the AWS best practices and the rich experience of the Pakurity team.
As a result, the customer received the ready for implementation BCP and DR. Each item of the plan included: preparation activities required to reduce impact and probability of the threat event, incident eradication activities, forensics activities, restoration and recovery actions. The following AWS services were in scope:
- AWS accounts itself
- Kubernets clusters
- Lambda functions