Security Testing for Compliance

parallax background

The security testing exercises performed by StrongBox IT helps you adhere to major clauses across all regulating compliances and general information security processes. With experience across standard reporting formats for regulated compliances, our test reports become good enough evidence to support your commitment to Information Security.

Controls Mapping

Sub category Description ISO 27001:2013 SOX HIPAA CFR Part11
Access control
Business requirements of access control  To limit access to information and information processing facilities A.9.1 SOX-Network Security 164.312(a)(1) 11.10(d)
User access management To ensure authorized user access and to prevent unauthorized access to systems and services A.9.2 SOX-Network Security 164.308(a)(4)(i) 11.10(c), 11.10(d), 11.10(g), 11.300
User responsibilities To make users accountable for safeguarding their authentication information A.9.3 SOX-Network Security 164.308(a)(4)(i) 11.10(g)
System and application access control To prevent unauthorized access to systems and applications A.9.4 SOX-Network Security 164.312(a)(2)(iii) 11.10(c), 11.10(g), 11.10(k), 11.70
Cryptography
Cryptographic controls To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information A.10.1 SOX-Network Security 164.312(a)(2)(iv), 164.312(e)(2)(ii) 11.5, 11.100(a), 11.100(b), 11.200(a)
Operations security
Operational procedures and responsibilities To ensure correct and secure operations of information processing facilities A.12.1 SOX-Network Security 164.308(a)(4)(ii)
Protection from malware To ensure that information and information processing facilities are protected against malware A.12.2 SOX-Virus Contol 164.308(a)(5)(ii)(B)
Logging and monitoring To record events and generate evidence A.12.4 SOX-Network Security 164.312(b), 164.308(a)(5)(ii)(c ), 164.308(a)(1)(ii)(D) 11.10(b), 11.10(e ), 11.10(f), 11.300
Control of operational software To ensure the integrity of operational systems A.12.5 SOX-App Development 164.312(d) 11.10(f)
Technical vulnerability management To prevent exploitation of technical vulnerabilities A.12.6 SOX-Virus Contol 164.308(a)(1)(ii)(A)
Information systems audit considerations To minimise the impact of audit activities on operational systems A.12.7 164.312(b) 11.10(f)
Communications security
Network security management To ensure the protection of information in networks and its supporting information processing facilities A.13.1 SOX-Network Security 164.308(a)(5)(ii)(B)
Information transfer To maintain the security of information transferred within an organization and with any external entity A.13.2 SOX-Network Security 164.312(e)(1)
System acquisition, development and maintenance
Security requirements of information systems To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks A.14.1 SOX-App Development 164.312(c)(2)
Security in development and support processes To ensure that information security is designed and implemented within the development lifecycle of information systems A.14.2 SOX-App Development 164.308(a)(7)(ii)(e )
Test data To ensure the protection of data used for testing A.14.3 SOX-App Development
Supplier relationships
Information security in supplier relationships To ensure protection of the organization's assets that is accessible by suppliers A.15.1 164.308(b)(1)
Compliance
Compliance with legal and contractual requirements  To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements A.18.1 164.308(a)(8)
Information security reviews To ensure that information security is implemented and operated in accordance with the organizational policies and procedures A.18.2 164.308(a)(1)(ii)(D)