Governance & Risk Compliance

GRC, or Governance, Risk and Compliance, refers to the strategy for managing an organization’s governance, enterprise risk and regulatory compliance. GRC has three main components:

  • Governance – The effective management of the company by its management officials to achieve the company’s objectives.
  • Risk – Mitigating the risks identified in the organization which can hinder its operations.
  • Compliance – Making sure that the organization’s operations comply with the regulations that apply to it.

RBI Gopalakrishna Committee Report

This report was submitted by the working group created by the RBI to address issues of information security, electronic banking, technology risk management and cyber fraud.

The report is divided into chapters, and each chapter includes an introduction, the associated roles and responsibilities, and the control recommendations that the RBI requires banks to implement.

The report covered 3 topics in-depth:

  • Governance
  • IT Operations
  • IT Outsourcing

Objectives of the working group:

  • Provide recommendations on information security that form a broad framework to mitigate present internal and external threats to banks.
  • Provide recommendations for effective and comprehensive Information Security Audit related processes to provide assurance on the level of IT risks.
  • Identify measures to improve Business Continuity and disaster recovery related processes in banks.
  • Assess the impact of legal risks arising out of cyber laws, and the need for any specific legislation relating to data protection and privacy.

IRDAI Guidelines for ISNP

ISNP stands for Insurance Self Network Platform. In order to create a digital platform for the insurance industry, the Insurance Regulatory and Development Authority of India (IRDAI) issued guidelines for insurance e-commerce on 9 March. Guidelines are issued by IRDAI for ISNP under reference number IRDA/GDL/ECM/055/03/2013.

The idea of these guidelines is to standardize e-commerce rules across the different entities selling insurance online. Anybody who now wants to sell insurance on a digital platform will need to set up an Insurance Self Network Platform (ISNP) and follow the rules for it. An Insurance Self Network Platform is an electronic platform set up by an applicant with the permission of the Authority.

Only insurers, brokers, agents, intermediaries or other entities recognised by IRDAI can sell policies on the online platform. Insurance intermediaries include distributors such as corporate agents, web aggregators and insurance marketing firms. As agents are tied to one insurer, they can use the digital platform of the insurer to sell policies online.

ISO 27001 Readiness

A systematic approach to information security is the key to its success in an organization. ISO 27001 is the only standard that gives you a best-practice management framework for implementing and maintaining security. ISO 27001 helps implementing organizations protect their information assets by eliminating vulnerabilities. It brings consistency to the entire organization’s approach to information security, making it highly manageable.

How We Can Help

Implementation: Implementation, consulting and advisory services to assist in the design and development of controls and policies, with assistance in successfully obtaining certification.

Transition/Readiness/GAP Analysis: Readiness audit / gap analysis for certification; transition assistance from ISO 27001:2005 to ISO 27001:2013; technical risk assessment.

Monitoring, Maintenance and Optimisation: Monitoring the organization’s ISMS; controls maintenance; optimization of the ISMS including metrics / KPIs; enabling process and technology controls such as change management, patching and backup; BCP/DR; GRC and process automation solutions.

PCI DSS

PCI DSS was developed by 5 major credit card companies: Visa, MasterCard, Discover Financial Services, JCB International and American Express. No matter how big or small a business is, if it takes credit or debit card payments, it needs to comply with the Payment Card Industry Data Security Standard (PCI DSS).

It was developed mainly to increase the security of cardholder data and to facilitate wide adoption of data security measures globally.

The major objectives of PCI DSS are:

  • Transactions should be conducted in a secure environment.
  • Cardholder’s information such as date of birth and father’s name must be protected wherever it is stored.
  • Systems should be protected against malicious attacks by frequently updating anti-malware software.
  • Restrictions should be imposed on access to system information.
  • Systems should be constantly monitored to ensure that all security measures are functioning properly.
  • A formal information security policy must be maintained and followed by all entities at all times.

Benefits of PCI DSS:

  1. Decreased risk of security breaches.
  2. Peace of mind for our clients.
  3. Boost in customer confidence and thus increase in customer satisfaction.
  4. Costly fines are avoided.
  5. Relatively quick and easy transactions.

HIPAA

The Health Insurance Portability and Accountability Act was signed by President Bill Clinton on Aug 21, 1996. HIPAA was put in place to protect vital patient information so that patients can rely on health organizations to ensure the safety of their information. HIPAA compliance applies to 3 types of covered entities:

  • Health care providers who transmit information electronically
  • Health care insurance companies
  • Health care clearing houses, which facilitate the processing of health information for billing purposes

HIPAA contains 5 sections:

  • HIPAA Health Insurance Reform
  • HIPAA Administrative Simplification
  • HIPAA Tax-Related Health Provisions
  • Application and Enforcement of Group Health Plan Requirements
  • Revenue Offsets

There are 8 key steps which an organization should consider, regardless of its size or complexity, when preparing to comply with the Security Rule:

  • Obtain and maintain senior management support
  • Develop and maintain security policies and procedures
  • Conduct and maintain an inventory of ePHI
  • Be aware of political and cultural issues raised by HIPAA
  • Conduct regular and detailed risk analysis
  • Determine what is appropriate and reasonable
  • Documentation
  • Prepare for ongoing compliance

What is considered protected health information under HIPAA?

  • Patient’s name, address, birth date and social security number
  • Individual’s health condition
  • Aid provided to the individual
  • Information regarding the payment of the care provided that identifies the patient

GDPR Compliance Readiness

The General Data Protection Regulation (GDPR), a new law effective May 25, 2018, requires significant changes in the way mobile apps and websites currently operate. The core of the law requires a ‘Forget Me’ option for end users, which implies relevant user interface changes as well as data encryption in transit and in archives. Apps using AI or machine learning also need changes in the way data can be processed or presented for end users who opt to ‘Restrict Processing My Data’.

Data Protection Model Under GDPR

(Figure: data protection model under GDPR)

Why Is It Important?

  • Transparency, fairness, and lawfulness in the handling and use of personal data
  • Minimizing the collection and storage of personal data
  • Ensuring the accuracy of personal data and enabling it to be erased or rectified
  • Limiting the storage of personal data
  • Ensuring security, integrity, and confidentiality of personal data
  • Expanded jurisdictional reach
  • Expanded “personal data” definition
  • “Technical and organizational [security] measures”
  • Severe penalties (4% of the company’s overall turnover or €20M, whichever is greater)

How We Can Help

  • Privacy Framework for Governance
  • Training for DPO (Data Protection Officer)
  • Data inventory – identify processes and unlawfully held data
  • Audit & Mapping of Data Flow
  • Compliance & Technical Gap Analysis
  • Information Commissioner Notification support
  • Implementing Personal Information Management System
  • Privacy GAP / Current State Assessment
  • Implementation of ISMS as per ISO 27001 Standard
  • Defining and Creating Incident Response Process
  • Continuous Monitoring, onsite Consultancy
  • Vulnerability Assessment & Penetration Testing
  • Yearly Readiness Audit