Quality Management System
Management system certification helps an organization continually improve through lessons learnt from the past, thereby managing the present effectively and efficiently and planning to meet the challenges of the future.
ISO 9001: 2015
ISO 9001:2015 standard sets out the criteria for a quality management system that can be used by any organization, large or small, regardless of its field of activity.
This standard is based on a number of quality management principles, including a strong customer focus, the motivation and implication of top management, the process approach, risk- and opportunity-based thinking, and continual improvement.
Implementing the standard is a means of demonstrating the organization's ability to consistently provide reliable, quality products and services, and of building customer confidence.
The ISO 9000 family of quality management systems (QMS) standards is designed to help organizations ensure that they meet the needs of customers and other stakeholders while meeting statutory and regulatory requirements related to a product or service. ISO 9000 deals with the fundamentals of quality management systems, including the seven quality management principles upon which the family of standards is based. ISO 9001 deals with the requirements that organizations wishing to meet the standard must fulfill.
Third-party certification bodies provide independent confirmation that organizations meet the requirements of ISO 9001. Over one million organizations worldwide are independently certified, making ISO 9001 one of the most widely used management tools in the world today. However, the ISO certification process has been criticized as being wasteful and not being useful for all organizations.
ISO 9001:2015 brings a number of benefits:
• Focus on demonstration of leadership within the organization.
• Promotes risk-based thinking within the organization.
• Integration of the QMS into business processes, since accountability for the QMS lies with top management.
• Focus on the intended outcome, i.e. the desired output of a process and its associated risks and opportunities, results in more reliable products and services and in more effective and efficient provision processes.
• Enhanced efficiency: with ISO 9001 certification, you can be assured of better performance within the company.
• Employees within the organization work towards achieving the organization's vision, mission and common goals.
• Enhanced performance and productivity of each department and of the organization as a whole.
• High morale among employees.
• Building of an excellent brand image.
• Application for certification from the client.
• Submission of an offer by IRQS.
• Acceptance of the offer by the client and confirmation of the agreement by both the client organization and IRQS.
• Conduct of the initial certification audit (Stage 1 + Stage 2) or the re-certification audit.
• Issuance of the “Certificate of approval” on successful completion of the initial or re-certification audit process.
• The “Certificate of approval” is valid for three years from the date of decision, subject to the conduct of annual surveillance audits as agreed upon.
• The re-certification audit process is to be completed before the “Certificate of approval” expires.
The most important asset of any company around the world is its data. Stakeholders expect and demand the confidentiality and availability of that data; it would be an absolute disaster if any sensitive information were hacked or stolen. Information security is even more vital in the Internet of Things era. ISO/IEC 27001:2013 is an information security standard dealing with information security for an organization.
An Information Security Management System (ISMS) is a systematic and structured approach to securely handling a company’s sensitive information. ISO/IEC 27001:2013 provides requirements for establishing, implementing, maintaining and continually improving an information security management system.
Understanding the most important assets of your company is a must. You must be able to evaluate the assets you need to protect and those that need to be considered critical. Many companies have taken the risk of not protecting their valuable information and have paid for it; companies have been brought to their knees because they did not take the right measures to secure their information. Having your data and information protected is vital for your company, and this is where ISO 27001 certification comes in.
So what is an information security management system and how does it help your organization? It is a quality standard that explains the different requirements for implementing an information security management system, to make sure there are security parameters in place to protect the most vital data of any organization.
When you have such a standard implemented, you can rest assured that your data will be protected from any possible security threat. Different processes and procedures implemented in your organization help your employees understand how data must be protected. These changes to the system, and the certification itself, give a lot of confidence to employees, clients and prospective customers.
At IRQS, we understand that such standards must be adopted not only by large MNCs but also by startup companies. After all, it is a quality standard that will only help the company improve. We encourage more companies to look at such quality standards to improve efficiency within the company. With an information security management system, there is no doubt that the company will progress up the industry ranks. Such a certification is a must for many companies in India that handle the vital data of their foreign clients.
ISO 27001 certification looks intently at the totality of an organization’s information assets and then steps through a process that gauges the risks related to these assets. Participants in the process look at the likelihood of an attack or failure, the impact such an attack or failure would have on the organization, and the effectiveness of the controls intended to protect the assets. The result is increased reliability and security of the systems.
• Increase in business as customers and suppliers recognize a credible, trusted partner
• Independently demonstrates that applicable laws and regulations are observed
• Business differentiator providing competitive advantage over similar organizations
• Compliance with legislation
• Improved management control
• ISO/IEC 27001:2013 is the only auditable international standard that defines the requirements of information security
• ISO/IEC 27001:2013 certification helps businesses expand in global markets. It demonstrates credibility when tendering for contracts.
• Protects and enhances the organization’s reputation by avoiding costly penalties and financial losses due to data or information breaches
• An ISMS improves company culture by building understanding of infosec risks and integrating security controls into organizational processes, thus lowering the overall risk to the organization.
Information security (IS) is designed to protect the confidentiality, integrity and availability of computer system data from those with malicious intentions. Confidentiality, integrity and availability are sometimes referred to as the CIA Triad of information security. This triad has evolved into what is commonly termed the Parkerian hexad, which includes confidentiality, possession (or control), integrity, authenticity, availability and utility.
Information security handles risk management. Anything can act as a risk or threat to the CIA triad or the Parkerian hexad. Sensitive information must be kept intact: it cannot be changed, altered or transferred without permission. For example, a message could be modified during transmission by someone intercepting it before it reaches the intended recipient. Good cryptographic tools can help mitigate this security threat.
Digital signatures can improve information security by enhancing authenticity processes and prompting individuals to prove their identity before they can gain access to computer data.
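As an added illustration of the integrity and authenticity points above (this is not code from the original page), a keyed message authentication code shows how a message altered in transit, or one produced by a party without the key, is rejected on receipt. HMAC-SHA256 from the Python standard library stands in for the signature step, and the shared key and the message are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Shared secret known only to sender and recipient. A fixed constructed value is
# used here for reproducibility; in practice it would come from key management.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


def make_tag(key: bytes, message: bytes) -> bytes:
    """Compute an HMAC-SHA256 tag that binds the message to the shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def protect(key: bytes, message: bytes) -> dict:
    """Sender side: attach an integrity/authenticity tag to the message."""
    return {"message": message, "tag": make_tag(key, message)}


def verify(key: bytes, envelope: dict) -> bool:
    """Recipient side: recompute the tag and compare it in constant time."""
    expected = make_tag(key, envelope["message"])
    return hmac.compare_digest(expected, envelope["tag"])


def modify_in_transit(envelope: dict, old: bytes, new: bytes) -> dict:
    """Simulate the in-transit modification the text describes: the message
    body is altered while the original tag travels unchanged."""
    return {"message": envelope["message"].replace(old, new), "tag": envelope["tag"]}


def forge_without_key(message: bytes) -> dict:
    """Simulate a party that does not hold the shared key: any key they use is
    effectively a random guess, represented here by a fresh random key."""
    return protect(secrets.token_bytes(32), message)


def demo() -> dict:
    """Run the three cases and return the verification outcome of each."""
    original = b"Pay 100 to account 42"          # constructed sample message
    sent = protect(SHARED_KEY, original)
    tampered = modify_in_transit(sent, b"100", b"900")
    forged = forge_without_key(b"Pay 900 to account 42")
    return {
        "intact": verify(SHARED_KEY, sent),        # True: body matches its tag
        "tampered": verify(SHARED_KEY, tampered),  # False: body no longer matches tag
        "forged": verify(SHARED_KEY, forged),      # False: tag was made without the key
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Note that the tag only detects modification; it does not hide the message content, which is the separate job of encryption.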
Threats to Information Security
Threats to information security are many, including software attacks, theft of intellectual property, identity theft, theft of equipment or information, sabotage, and information extortion.
A threat is anything that can take advantage of a vulnerability to breach security and negatively alter, erase or harm an object or objects of interest.
Software attacks mean attacks by viruses, worms, Trojan horses, etc. Many users believe that malware, viruses, worms and bots are all the same thing. They are not: their only similarity is that they are all malicious software, and they behave differently.
Malware is a combination of two terms: malicious and software. Malware thus means malicious software, which can be intrusive program code or anything else designed to perform malicious operations on a system. Malware can be classified in two ways:
1. Infection Methods
2. Malware Actions
Malware classified by infection method includes the following:
1. Virus – Viruses have the ability to replicate themselves by hooking themselves onto programs or files on the host computer, such as songs and videos, and then they travel all over the Internet. The Creeper virus was first detected on ARPANET. Examples include file viruses, macro viruses, boot sector viruses, stealth viruses, etc.
2. Worms – Worms are also self-replicating, but they do not hook themselves onto programs on the host computer. The biggest difference between viruses and worms is that worms are network-aware. They can easily travel from one computer to another if a network is available, and on the target machine they will not do much harm; they will, for example, consume hard disk space, thus slowing down the computer.
3. Trojan – The concept of a Trojan is completely different from viruses and worms. The name derives from the ‘Trojan Horse’ tale in Greek mythology, which tells how the Greeks were able to enter the fortified city of Troy by hiding their soldiers in a big wooden horse given to the Trojans as a gift. The Trojans were very fond of horses and trusted the gift blindly. In the night, the soldiers emerged and attacked the city from the inside.
Their purpose is to conceal themselves inside software that seems legitimate; when that software is executed, they carry out their task of stealing information or whatever other purpose they were designed for.
They often provide a backdoor through which malicious programs or malevolent users can enter your system and steal your valuable data without your knowledge or permission. Examples include FTP Trojans, proxy Trojans, remote access Trojans, etc.
4. Bots – Bots can be seen as an advanced form of worm. They are automated processes designed to interact over the Internet without the need for human interaction. They can be good or bad. A malicious bot infects a host and then creates a connection to a central server, which provides commands to all infected hosts attached to that network, called a botnet.
Malware classified by its actions:
1. Adware – Adware is not exactly malicious, but it does breach users’ privacy. It displays ads on the computer’s desktop or inside individual programs. It comes bundled with free-to-use software and is thus the main source of revenue for such developers. It monitors your interests and displays relevant ads. An attacker can embed malicious code inside the software, and adware can monitor your system activities and even compromise your machine.
2. Spyware – Spyware is a program that monitors your activities on the computer and reveals the collected information to an interested party. Spyware is generally dropped by Trojans, viruses or worms. Once dropped, it installs itself and sits silently to avoid detection.
One of the most common examples of spyware is the keylogger. The basic job of a keylogger is to record the user’s keystrokes with timestamps, thus capturing interesting information such as usernames, passwords and credit card details.
3. Ransomware – Ransomware is a type of malware that either encrypts your files or locks your computer, making it partially or wholly inaccessible. A screen is then displayed asking for money, i.e. a ransom, in exchange.
4. Scareware – Scareware masquerades as a tool to help fix your system, but when the software is executed it infects your system or destroys it completely. The software displays a message to frighten you and force you to take some action, such as paying them to fix your system.
5. Rootkits – Rootkits are designed to gain root access, i.e. administrative privileges, on the user’s system. Once root access is gained, the exploiter can do anything, from stealing private files to stealing private data.
6. Zombies – Zombies work similarly to spyware. The infection mechanism is the same, but they do not spy and steal information; rather, they wait for commands from hackers.
• Theft of intellectual property means violation of intellectual property rights such as copyrights and patents.
• Identity theft means impersonating someone else to obtain that person’s personal information or to access vital information they hold, for example accessing a person’s computer or social media account by logging in with their credentials.
• Theft of equipment and information is increasing these days due to the mobile nature of devices and their increasing information capacity.
• Sabotage means destroying a company’s website to cause a loss of confidence on the part of its customers.
• Information extortion means theft of a company’s property or information in order to receive payment in exchange. For example, ransomware may lock the victim’s files, making them inaccessible and thus forcing the victim to make a payment; only after payment are the victim’s files unlocked.
These are the old-generation attacks, which continue today and advance every year. Apart from these there are many other threats. Below is a brief description of the new-generation threats.
• Technology with weak security – With the advancement of technology, a new gadget is released onto the market with every passing day. But very few are fully secured and follow information security principles. Since the market is very competitive, security is compromised to make the device more up to date. This leads to theft of data and information from the devices.
• Social media attacks – Here, cyber criminals identify and infect a cluster of websites that people from a particular organisation visit, in order to steal information.
• Mobile malware – There is a saying that where there is connectivity to the Internet there will be danger to security. The same goes for mobile phones, where gaming applications are designed to lure customers into downloading the game, and they unintentionally install malware or a virus on the device.
• Outdated security software – With new threats emerging every day, updating security software is a prerequisite for a fully secured environment.
• Corporate data on personal devices – These days every organization follows a BYOD rule. BYOD means Bring Your Own Device, such as laptops and tablets, to the workplace. Clearly BYOD poses a serious threat to the security of data, but for productivity reasons organizations argue for adopting it.
• Social engineering – Social engineering is the art of manipulating people so that they give up confidential information such as bank account details and passwords. These criminals can trick you into giving up your private and confidential information, or they will gain your trust to get access to your computer and install malicious software that gives them control of it. For example, an email or message from your friend may not actually have been sent by your friend. A criminal can access your friend’s device and then, using the contact list, send infected emails and messages to all contacts. Since the message or email is from a known person, the recipient will definitely check the link or attachment in the message, thus unintentionally infecting the computer.
ISO 28000:2007 specifies the requirements for a security management system, including those aspects critical to security assurance of the supply chain. Security management is linked to many other aspects of business management. Aspects include all activities controlled or influenced by organizations that impact on supply chain security.
These other aspects should be considered directly, where and when they have an impact on security management, including transporting these goods along the supply chain.
ISO 28000:2007 is applicable to organizations of all sizes, from small to multinational, in manufacturing, service, storage or transportation at any stage of the production or supply chain, that wish to:
a) establish, implement, maintain and improve a security management system;
b) assure conformance with stated security management policy;
c) demonstrate such conformance to others;
d) seek certification/registration of its security management system by an Accredited third party Certification Body; or
e) make a self-determination and self-declaration of conformance with ISO 28000:2007.
There are legislative and regulatory codes that address some of the requirements in ISO 28000:2007.
It is not the intention of ISO 28000:2007 to require duplicative demonstration of conformance.
Organizations that choose third party certification can further demonstrate that they are contributing significantly to supply chain security.
ISO 28000:2007 was developed to codify operations of security within the broader supply chain management system. The PDCA management systems structure was adopted in developing ISO 28000:2007 to bring the elements of this standard in congruence with related standards such as ISO 9001:2000 and ISO 14001:2004.
Benefits of ISO 28000 Supply Chain Security Management System
An ISO 28000 certificate brings you many benefits:
• Global recognition
• Competitive advantage in the market
• Enhanced reliability
• Enhanced customer satisfaction
• Opportunity to gain new businesses
• The ability to control and manage threats within an organization
• Integrated enterprise resilience
• Systematised management practices
• Enhanced credibility and brand recognition
• Aligned terminology and conceptual usage
• Improved supply chain performance
• Benchmarking against internationally recognisable criteria
• Greater compliance processes
ISO 27001 (formally known as ISO/IEC 27001:2013) is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation’s information risk management processes.
According to its documentation, ISO 27001 was developed to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.”
ISO 27001 uses a top-down, risk-based approach and is technology-neutral.
The specification defines a six-part planning process:
1. Define a security policy.
2. Define the scope of the ISMS.
3. Conduct a risk assessment.
4. Manage identified risks.
5. Select control objectives and controls to be implemented.
6. Prepare a statement of applicability.
The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. The standard requires cooperation among all sections of an organisation.
The 27001 standard does not mandate specific information security controls, but it provides a checklist of controls that should be considered in the accompanying code of practice, ISO/IEC 27002:2005. This second standard describes a comprehensive set of information security control objectives and a set of generally accepted good practice security controls.
Many organizations turn to ISO 27001 certification. The ISO 27001 standard offers a well-known framework to implement industry best practices in areas such as security incident management and physical security. But is ISO 27001 certification worth the trouble? Does it make a difference?
After all, certification takes up resources and can be very complex. ISO 27001 can force you to take 114 specific measures across your entire organization, from HR to legal to networking and governance and management. It is already challenging to manage an organization – how can you be expected to implement all of this, too?
To understand if certification makes sense for your organization, let’s investigate three types of security goals you might have and whether ISO 27001 will help you reach them. Then, I’ll discuss some common misunderstandings about it.
How the standard works
Most organizations have a number of information security controls. However, without an information security management system (ISMS), controls tend to be somewhat disorganized and disjointed, having been implemented often as point solutions to specific situations or simply as a matter of convention. Security controls in operation typically address certain aspects of IT or data security specifically; leaving non-IT information assets (such as paperwork and proprietary knowledge) less protected on the whole. Moreover, business continuity planning and physical security may be managed quite independently of IT or information security while Human Resources practices may make little reference to the need to define and assign information security roles and responsibilities throughout the organization.
ISO/IEC 27001 requires that management:
• Systematically examine the organization’s information security risks, taking account of the threats, vulnerabilities, and impacts;
• Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
• Adopt an overarching management process to ensure that the information security controls continue to meet the organization’s information security needs on an ongoing basis.
Note that ISO/IEC 27001 is designed to cover much more than just IT.
What controls will be tested as part of certification to ISO/IEC 27001 is dependent on the certification auditor. This can include any controls that the organisation has deemed to be within the scope of the ISMS and this testing can be to any depth or extent as assessed by the auditor as needed to test that the control has been implemented and is operating effectively.
Management determines the scope of the ISMS for certification purposes and may limit it to, say, a single business unit or location. The ISO/IEC 27001 certificate does not necessarily mean the remainder of the organization, outside the scoped area, has an adequate approach to information security management.
The PDCA Cycle
The 2002 version of BS 7799-2 introduced the Plan-Do-Check-Act (PDCA) cycle, aligning it with quality standards such as ISO 9000. ISO/IEC 27001:2005 applied this to all the processes in the ISMS.
1. Plan (establishing the ISMS)
Establish the policy, the ISMS objectives, processes and procedures related to risk management and the improvement of information security to provide results in line with the global policies and objectives of the organization.
2. Do (implementing and operating the ISMS)
Implement and operate the ISMS policy, controls, processes and procedures.
3. Check (monitoring and review of the ISMS)
Assess and, if applicable, measure the performance of the processes against the policy, objectives and practical experience, and report the results to management for review.
4. Act (update and improvement of the ISMS)
Undertake corrective and preventive actions, on the basis of the results of the ISMS internal audit and management review, or other relevant information to continually improve the said system.
What Is Network Security?
Network security is any activity designed to protect the usability and integrity of your network and data from hackers. It targets a variety of threats and stops them from entering or spreading on your network.
Why is network security necessary?
Our world has been transformed by digitization, resulting in changes to almost all our daily activities. It is essential for all organizations to protect their networks if they aim to deliver the services demanded by employees and customers. This in turn protects the reputation of your organization. With hackers increasing in number and becoming smarter day by day, the need to use network security tools becomes more and more important.
How do I benefit from network security?
Network security helps protect the personal data of clients held on the network.
Network security facilitates the protection of information that is shared between computers on the network.
Hacking attempts or virus and spyware attacks from the Internet will not be able to harm physical computers; possible external attacks are prevented.
Private networks can be protected from external attacks by closing them off from the Internet. Network security makes them safe from virus attacks, etc.
What does network security include?
Intrusion prevention systems
Mobile device security
What Is Web Application Security?
Web application security is the process of protecting websites and online services against different security threats that exploit vulnerabilities in an application’s code. Common targets for web application attacks are content management systems (e.g., WordPress), database administration tools (e.g., phpMyAdmin) and SaaS applications.
Why is web application security necessary?
Web application security is necessary to identify all security issues and vulnerabilities within the web application itself before a malicious hacker identifies and exploits them. That is why it is very important that web application vulnerability detection is carried out throughout all stages of the SDLC.
How do I benefit from Web Application security?
Safety and Security of Confidential Information
Web application security helps protect the personal data of clients held on the network.
Vulnerability Assessments are a process of identifying, quantifying, and prioritizing vulnerabilities in a system. A vulnerability refers to the inability of the system to withstand the effects of a hostile environment.
Penetration tests are a method of evaluating computer and network security by simulating attacks on a computer system or network from external and internal threats. They are usually defined by a given test objective.
NEED FOR VAPT
As the IT scenario changes, it opens up new Internet security challenges faced by many organizations. Conducting business transactions over the Internet (online) has always been a risk. It is a world of unforeseen traps, with vulnerabilities and threats manifesting themselves in the least expected place, at the least expected hour.
These challenges need to be addressed by framing appropriate security policies, applying the controls, and regularly reviewing and monitoring the controls to ensure the organization’s information is protected. VAPT audits need to be carried out periodically to ensure compliance with the set policy and controls, and the adequacy of these controls to address all types of threats.
BENEFITS OF VAPT
Comprehensive Testing for Applications and Networks
Identifies the weakest link in the chain
Eliminates false positives and prioritizes real threats
Detects attack paths missed by manual testing; facilitates regular and frequent scans
Secures against business logic flaws
Increased ROI on IT security
Importance of vulnerability assessments
A vulnerability assessment provides an organization with information on the security weaknesses in its environment and provides direction on how to assess the risks associated with those weaknesses and evolving threats. This process offers the organization a better understanding of its assets, security flaws and overall risk, reducing the likelihood that a cyber criminal will breach its systems and catch the business off guard.
Types of vulnerability assessments
Vulnerability assessments depend on discovering different types of system or network vulnerabilities, which means the assessment process includes using a variety of tools, scanners and methodologies to identify vulnerabilities, threats and risks.
Some of the different types of vulnerability assessment scans include the following:
• Network-based scans are used to identify possible network security attacks. This type of scan can also detect vulnerable systems on wired or wireless networks.
• Host-based scans are used to locate and identify vulnerabilities in servers, workstations or other network hosts. This type of scan usually examines ports and services that may also be visible to network-based scans, but it offers greater visibility into the configuration settings and patch history of scanned systems.
• Wireless network scans of an organization’s Wi-Fi networks usually focus on points of attack in the wireless network infrastructure. In addition to identifying rogue access points, a wireless network scan can also validate that a company’s network is securely configured.
• Application scans can be used to test websites in order to detect known software vulnerabilities and erroneous configurations in network or web applications.
• Database scans can be used to identify the weak points in a database so as to prevent malicious attacks, such as SQL injection attacks.
PCI DSS (Payment Card Industry Data Security Standard)
The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information. The PCI DSS was created jointly in 2004 by four major credit-card companies: Visa, MasterCard, Discover and American Express.
First, a secure network must be maintained in which transactions can be conducted. This requirement involves the use of firewalls that are robust enough to be effective without causing undue inconvenience to cardholders or vendors. Specialized firewalls are available for wireless LANs, which are highly vulnerable to eavesdropping and attacks by malicious hackers. In addition, authentication data such as personal identification numbers (PINs) and passwords must not involve defaults supplied by the vendors. Customers should be able to conveniently and frequently change such data.
Second, cardholder information must be protected wherever it is stored. Repositories with vital data such as dates of birth, mothers’ maiden names, Social Security numbers, phone numbers and mailing addresses should be secure against hacking. When cardholder data is transmitted through public networks, that data must be encrypted in an effective way. Digital encryption is important in all forms of credit-card transactions, but particularly in e-commerce conducted on the Internet.
Third, systems should be protected against the activities of malicious hackers by using frequently updated anti-virus software, anti-spyware programs, and other anti-malware solutions. All applications should be free of bugs and vulnerabilities that might open the door to exploits in which cardholder data could be stolen or altered. Patches offered by software and operating system (OS) vendors should be regularly installed to ensure the highest possible level of vulnerability management.
Fourth, access to system information and operations should be restricted and controlled. Cardholders should not have to provide information to businesses unless those businesses must know that information to protect themselves and effectively carry out a transaction. Every person who uses a computer in the system must be assigned a unique and confidential identification name or number. Cardholder data should be protected physically as well as electronically. Examples include the use of document shredders, avoidance of unnecessary paper document duplication, and locks and chains on dumpsters to discourage criminals who would otherwise rummage through the trash.
Fifth, networks must be constantly monitored and regularly tested to ensure that all security measures and processes are in place, are functioning properly, and are kept up-to-date. For example, anti-virus and anti-spyware programs should be provided with the latest definitions and signatures. These programs should scan all exchanged data, all applications, all random-access memory (RAM) and all storage media frequently if not continuously.
Sixth, a formal information security policy must be defined, maintained, and followed at all times and by all participating entities. Enforcement measures such as audits and penalties for non-compliance may be necessary.
Goal: Building and maintaining a secure network
1. Install and maintain a firewall configuration to protect cardholder data. Companies must create their own firewall configuration policy and develop a configuration test procedure designed to protect cardholder data. Your hosting provider should have firewalls in place to protect and create a secure, private network.
2. Do not use vendor-supplied defaults for system passwords and other security parameters. This means creating, maintaining and updating your system passwords with unique and secure passwords created by your company, not ones that a software vendor might already have in place when purchased.
Goal: Protect Cardholder Data
1. Protect stored data. This requirement only applies to companies that store cardholder data. Companies that do not store cardholder data at all already avoid a category of data security breach that identity thieves frequently target.
A PCI compliant hosting provider should provide multiple layers of defense and a secure data protection model that combines physical and virtual security methods. Virtual security includes authorization, authentication, passwords, etc. Physical includes restricted access and server, storage and networking cabinet locks, according to Computerworld.com.
2. Encrypt transmission of cardholder data across open, public networks. Encrypted data is unreadable and unusable to a system intruder without the proper cryptographic keys, according to the PCI Security Standards Council. Encryption is the process in which plaintext, like the words seen here, is transformed into ciphertext under a cryptographic key. Ciphertext is unreadable to anyone who lacks the key and the cipher, that is, the specific algorithm that can decode the text.
As an added security measure, sensitive authentication data, including card validation codes or PINs, must never be stored after authorization – even if this data is encrypted.
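The two storage rules above (mask or protect the PAN, never persist sensitive authentication data after authorization) are easy to state and easy to violate by accident, typically through a debug log or an over-broad database insert. The following is an added example, not code from the page or from any certification body: a sanitizer that produces the only form of an authorization record allowed to reach storage, and a scanner that finds unmasked PANs in free text such as log lines. The field names, the sample record and the sample log lines are all constructed for illustration; the card number is a well-known test number, not a live account.

```python
import re

# Constructed sample authorization record (assumed field names; not real card data).
# The PAN is a standard test number that passes the Luhn check; CVV/PIN are made up.
SAMPLE_AUTH_RECORD = {
    "pan": "4111111111111111",
    "expiry": "12/29",
    "cvv": "123",
    "pin": "4321",
    "track2": "4111111111111111=29121011234567890",
    "amount": "19.99",
    "auth_code": "A1B2C3",
}

# Constructed log lines: one leaks a full PAN, one carries a masked PAN,
# one contains a 13-digit order number that is not a card number.
SAMPLE_LOG = """\
2024-03-02T10:15:01Z auth ok txn=784512 pan=4111111111111111 amt=19.99
2024-03-02T10:15:02Z auth ok txn=784513 pan=411111******1111 amt=5.00
2024-03-02T10:15:03Z order=1234567890123 shipped
"""

# Fields that hold sensitive authentication data (SAD). These must never be
# persisted after authorization, not even in encrypted form.
SAD_FIELDS = ("cvv", "cvc", "cvv2", "pin", "pin_block", "track1", "track2")

# Contiguous runs of 13 to 19 digits not embedded in a longer digit run.
# Separator-formatted numbers (spaces/dashes) are deliberately not handled here.
PAN_PATTERN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN so that only the first six and last four digits remain."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(record: dict) -> dict:
    """Return the only form of an authorization record that may be persisted:
    SAD fields dropped entirely, the PAN masked, all other fields kept."""
    stored = {}
    for key, value in record.items():
        if key.lower() in SAD_FIELDS:
            continue            # drop SAD outright rather than encrypting it
        if key.lower() == "pan":
            stored[key] = mask_pan(value)
        else:
            stored[key] = value
    return stored


def find_unmasked_pans(text: str) -> list:
    """Scan free text (log lines, a table dump) for digit runs that look like
    PANs and pass Luhn. Masked PANs contain '*' and so never match."""
    return [m.group(0) for m in PAN_PATTERN.finditer(text) if luhn_ok(m.group(0))]


def storage_violations(record: dict) -> list:
    """List the fields of a stored (or about-to-be-stored) record that break the
    rules: any SAD field present, or a PAN that is still unmasked."""
    problems = []
    for key, value in record.items():
        if key.lower() in SAD_FIELDS:
            problems.append(f"{key}: sensitive authentication data must not be stored")
        elif key.lower() == "pan" and find_unmasked_pans(str(value)):
            problems.append(f"{key}: unmasked PAN")
    return problems


if __name__ == "__main__":
    print("violations before:", storage_violations(SAMPLE_AUTH_RECORD))
    print("stored form:      ", sanitize_for_storage(SAMPLE_AUTH_RECORD))
    print("violations after: ", storage_violations(sanitize_for_storage(SAMPLE_AUTH_RECORD)))
    print("PANs in log:      ", find_unmasked_pans(SAMPLE_LOG))
```

The Luhn filter is what keeps the log scanner useful: the 13-digit order number in the third sample line is the right length but fails the checksum, so it is not reported, while the leaked test PAN on the first line is. Run the scanner over application logs and database exports as part of the regular testing the standard calls for; a hit means either a PAN is being written where it should not be, or a masked value was not applied.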
Goal: Maintain a Vulnerability Management Program.
1. Use and regularly update anti-virus software. An anti-virus software service needs to be frequently updated to protect against the most recently developed malware. If your data is being hosted on outsourced servers, a managed server provider is responsible for maintaining a safe environment, including generating audit logs.
2. Develop and maintain secure systems and applications. This includes discovering newly identified security vulnerabilities via alert systems. Your PCI compliant hosting provider should be monitoring and updating their systems to accommodate any security vulnerabilities.
Goal: Implement Strong Access Control Measures
1. Restrict access to cardholder data by business need-to-know. Limiting the number of personnel that have access to cardholder data will lessen the chances of a security breach.
2. Assign a unique ID to each person with computer access. User accounts with access should follow best practices, including password encryption, authorization, authentication, password updates every 30 days, log-in time limits, etc.
3. Restrict physical access to cardholder data. If your data is hosted in an off-site data center, your data center provider should have limited personnel with access to the sensitive information. PCI compliant data centers should have full monitoring, including surveillance cameras and entry authentication to ensure a secure and PCI compliant hosting environment.
Goal: Regularly Monitor and Test Networks
1. Track and monitor all access to network resources and cardholder data. Logging systems that track user activity and stored archives can help your hosting provider pinpoint the cause in the event of a security breach or other issue.
2. Regularly test security systems and processes. With regular monitoring and testing processes in place, your data hosting provider should be able to assure you that your customers’ cardholder data is safe at all times.
Goal: Maintain an Information Security Policy
1. Maintain a policy that addresses information security. This policy should include all acceptable uses of technology, reviews and annual processes for risk analysis, operational security procedures, and other general administrative tasks.
The fastest-growing and largest growth industry of recent times is the food industry. With increased awareness among consumers, their expectations are also increasing. At the same time, it is the moral duty of the organizations involved in the industry to provide for consumer safety and well-being. According to the Food Safety and Standards Authority of India (FSSAI), the prime body that provides certification for food safety, food safety means adequate control of the presence of food-borne hazards in food at the time of its consumption. However, food safety is not a single-stage control. Rather, it involves the combined efforts of all parties that participate in the food chain and in processing. For this reason, producers of cleaning agents, pesticides, fertilizers, veterinary drugs, packaging materials and feed, as well as caterers, food service outlets and transporters, are also involved. A food safety management system is a tool to ensure food safety at your premises.
A Food Safety Management System (FSMS) is a set of standards established to direct and control food safety aspects. It helps food business operators gain the trust of consumers and serve them efficiently. A food business organization that holds FSMS certification demonstrates that it has put an appropriate Food Safety Management System in place. Several international schemes, such as Hazard Analysis and Critical Control Point (HACCP), ISO 22000 and Food Safety System Certification (FSSC 22000), provide the basis for FSMS certification.
The Food Safety and Standards Authority of India (FSSAI) is the prime food authority in India. Established by the Ministry of Health and Family Welfare, it is responsible for food safety in India. Established under the Food Safety and Standards Act (FSSA), 2006, it sets science-based standards for regulating food products during their production, storage, distribution, sale and import. Voluntary certification is provided in accordance with the Food Safety and Standards Act, 2006. This ensures the adoption of good manufacturing practices that are hygienic and clean, hazard analysis, and critical control points. The practices are well defined in the regulation. It is therefore mandatory to submit an FSMS plan when filing for an FSSAI license or its renewal.
Need for Food Safety Management System (FSMS)
A Food Safety Management System (FSMS) cannot be separated from food safety, because food safety is the prime reason for an FSMS programme. It helps ensure that the food provided by food business operators is safe for human consumption. Several regulations have been framed by the Food Safety and Standards Authority of India (FSSAI), including the FSMS programme that all food business operators must follow.
The International Standard ISO 22003 defines an FSMS as a set of interrelated elements that establish policy and objectives. Policies are used to direct and control the business organization so that the objective of food safety is achieved. For this purpose, many food safety certifications have been established to strengthen the system of providing food safety.
In India, an FSMS is a set of interrelated systems, comprising the procedures and controls laid down by FSSAI. Good manufacturing practices, good hygienic practices, and hazard analysis and critical control points are some of those specified under the FSSAI regulations. In combination they ensure that food is safe for human consumption and that it is practical for food businesses to adopt these regulatory procedures.
Food Safety Management System Certification
ISO, FSSC, and HACCP are the prime bodies providing management system certification schemes. Others are also available, but they differ somewhat in approach. Here are a few distinguishing features of food safety management system certifications:
1. Audit approach: Audits usually have a strong focus on management effectiveness and commitment, and support continual improvement wherever it is possible. An FSSC audit is long and is conducted in great depth, in two stages. The stage 1 audit involves a review of the food safety management system and also includes a deep review of the HACCP plan.
2. Focus on food safety: Most organizations that want to integrate quality into their food management systems follow the requirements prescribed under ISO 9001. ISO 22000 provides technical specifications for PRPs (prerequisite programmes) covering food safety. Almost all management system standards follow the same format, so integrating these systems is easy. This means it is possible to integrate other aspects as well, such as the environment through ISO 14001 and corporate responsibility through SA 8000.
3. Transparency: All information on the food management systems and their certification can be found on their respective websites. This includes details of scheme requirements, decisions taken by the board, and the names of accreditation bodies and certification bodies.
4. Supply chain approach: The scope of FSSC 22000 is limited to the manufacturing of food products, food ingredients and food packaging materials, feed manufacturing, animal production, retail, catering, transport, and storage. In comparison, ISO and other supply chain trade organizations are developing their own technical specifications. Further, ISO has also decided to bring in technical specifications for PRPs in each part of the food supply chain.
5. Integrity program: To achieve integrity of audits, all licensed certification bodies must meet the FSSC requirements, which is important for confidence in certification. FSSC 22000 has an integrity program that reviews the performance of all contracted certification bodies.
Key elements of ISO 22000:2005 Certification are:
1. Interactive communication, which is essential to ensure that all possible hazards are duly identified and adequately controlled at each step in the food chain.
2. The management system must be compatible with ISO 9001.
3. Adoption of ISO 22000:2005 should be a planned decision of any organization. The system monitors the critical control points and ascertains the corrective actions to be taken.