The security testing exercises performed by StrongBox IT help you satisfy the major clauses of the regulatory and compliance frameworks that apply to you, as well as your general information security processes.
Because we have experience with the standard reporting formats these regulations expect, our test reports serve as evidence of your commitment to information security. The table below maps each area we test to the corresponding clauses of ISO 27001:2013, SOX, HIPAA and 21 CFR Part 11.
Sub category | Description | ISO 27001:2013 | SOX | HIPAA | 21 CFR Part 11 |
---|---|---|---|---|---|
Access control | |||||
Business requirements of access control | To limit access to information and information processing facilities | A.9.1 | SOX-Network Security | 164.312(a)(1) | 11.10(d) |
User access management | To ensure authorized user access and to prevent unauthorized access to systems and services | A.9.2 | SOX-Network Security | 164.308(a)(4)(i) | 11.10(c), 11.10(d), 11.10(g), 11.300 |
User responsibilities | To make users accountable for safeguarding their authentication information | A.9.3 | SOX-Network Security | 164.308(a)(4)(i) | 11.10(g) |
System and application access control | To prevent unauthorized access to systems and applications | A.9.4 | SOX-Network Security | 164.312(a)(2)(iii) | 11.10(c), 11.10(g), 11.10(k), 11.70 |
Cryptography | |||||
Cryptographic controls | To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information | A.10.1 | SOX-Network Security | 164.312(a)(2)(iv), 164.312(e)(2)(ii) | 11.5, 11.100(a), 11.100(b), 11.200(a) |
Operations security | |||||
Operational procedures and responsibilities | To ensure correct and secure operations of information processing facilities | A.12.1 | SOX-Network Security | 164.308(a)(4)(ii) | |
Protection from malware | To ensure that information and information processing facilities are protected against malware | A.12.2 | SOX-Virus Control | 164.308(a)(5)(ii)(B) | |
Logging and monitoring | To record events and generate evidence | A.12.4 | SOX-Network Security | 164.312(b), 164.308(a)(5)(ii)(C), 164.308(a)(1)(ii)(D) | 11.10(b), 11.10(e), 11.10(f), 11.300 |
Control of operational software | To ensure the integrity of operational systems | A.12.5 | SOX-App Development | 164.312(d) | 11.10(f) |
Technical vulnerability management | To prevent exploitation of technical vulnerabilities | A.12.6 | SOX-Virus Control | 164.308(a)(1)(ii)(A) | |
Information systems audit considerations | To minimise the impact of audit activities on operational systems | A.12.7 | | 164.312(b) | 11.10(f) |
Communications security | |||||
Network security management | To ensure the protection of information in networks and its supporting information processing facilities | A.13.1 | SOX-Network Security | 164.308(a)(5)(ii)(B) | |
Information transfer | To maintain the security of information transferred within an organization and with any external entity | A.13.2 | SOX-Network Security | 164.312(e)(1) | |
System acquisition, development and maintenance | |||||
Security requirements of information systems | To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks | A.14.1 | SOX-App Development | 164.312(c)(2) | |
Security in development and support processes | To ensure that information security is designed and implemented within the development lifecycle of information systems | A.14.2 | SOX-App Development | 164.308(a)(7)(ii)(E) | |
Test data | To ensure the protection of data used for testing | A.14.3 | SOX-App Development | | |
Supplier relationships | |||||
Information security in supplier relationships | To ensure protection of the organization's assets that are accessible by suppliers | A.15.1 | | 164.308(b)(1) | |
Compliance | |||||
Compliance with legal and contractual requirements | To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements | A.18.1 | | 164.308(a)(8) | |
Information security reviews | To ensure that information security is implemented and operated in accordance with the organizational policies and procedures | A.18.2 | | 164.308(a)(1)(ii)(D) | |