Governance, risk and compliance in corporate data protection

Spike Reply can support the companies which want to create a Security Governance System and that – in more general terms - need to define and implement appropriate solutions for an effective and efficient management of Business Security processes by providing specific consultancy activities in compliance with the main international standards (ISO 27001, BS 25999, ITIL,…) and industry best practices.

The management of organization and procedure related aspects connected to Information Security is today a priority for the business, both because of the evolution of the standard scenario which is more and more complex and pervasive (ex. Italian Law Decree 196/03, Law Decrees 231/01, Basilea2,…), and because of the fast evolution and spread of the used technologies which imply not only unquestionable advantages but also many potential risks for handled information and for the assets used to support company activities.

The line offered and intended to meet the customers’ needs is structured within the following areas:

• Compliance with standards – Support in the identification of the applicable standard and in the implementation of the relevant requirements in particular as far the information heritage protection is concerned (Italian Law Decree 196/2003 – Code for personal data protection) and computer crime prevention (for example, extension of Italian Law Decree 231/2001 Company administration responsibility for the aspects connected to the so-called "computer crimes").
• Design and implementation of a certifiable Information Security Management System (SGSI) – Support for design, implementation, check and maintenance of an information security management system in compliance with the ISO27001:2005 provisions. Support to the customer in the certification process of the implemented management system.
• Risk Analysis and Management – Support for the definition of a general approach to the management of the risks connected with information and company asset security. This top-down approach starts from company processes and the use of tangible and intangible assets in these processes and allows for the identification of the relevant risks and for the successive definition of the intervention plan to be carried out on the basis of the obtained results and the company general strategies. The risk evaluation is based on methods and strategies developed by Spike Reply with reference to industry best practices, the most common standards and the legislation in force or with the support of market methods (if required, selected after a specific activity aimed at identifying the most suitable for the customer’s situation).
• Security panel – Identification of business requirements and company strategies to be used to define the appropriate indicators required to keep under control –in an organic and complete way- the results obtained in the field of security management activities (both for organization and procedure related activities and for technical activities), to check the accuracy of the interventions and to direct any improvement intervention.
• Design and implementation of a certifiable Business Continuity Management System (BCMS) – Support for the design (Business Impact Analysis and definition of project operative plan), implementation (plan preparation, training, support for technology solution implementation), check (internal audit and plan tests) and maintenance of a Business Continuity Management System which can guarantee the availability of business-critical processes and services in compliance with general standards (BS25999:2006) and specific industry standards (ex. Provisions of Banca d’Italia for finance). Support to the customer in the certification process of the implemented management system.
• Risk Driven Security Assessment – Support for the identification of company process and information system security level, for the check of the accuracy-completeness level of the company security management system and for the definition of the ICT risk management strategies through the analysis of all the security-related aspects (technological, organizational, standard-related and procedural). The analysis is carried out through a proprietary method based on Spike Reply experience and compliant with the standards in force (ISO 27001, Cobit, ITIL, PCI, D.lgs. 196/03, Italian Law Decree 231/01, BS25999, PMI).