Compliance Crafted, Certifications Earned

Your Journey to Assurance and Excellence

Payment Card Industry Data Security Standard–(PCI DSS) is a global Data Security Standard developed to protect debit and credit card data. This standard applies to all types of industries that deal with card payment transactions. If the business stores, processes and transmits credit and debit card data then it is required to satisfy the PCI DSS requirements in order to prevent payment card fraud.

PCI DSS is the result of collaboration between major card brands (American Express, Discover, JCB, Mastercard and Visa), with transaction processes closely monitored by the Payment Card Industry Security Standards Council (PCI SSC).

We are a Qualified Security Assessor company licensed by the PCI Security Standard Council. We deliver a broader range of PCI services to our clients in order to assist them in fully complying with the PCI DSS.

PCI DSS Standard consists of the 6 goals and 12 requirements that are mandatory in order to comply with the standard. The requirements set forth by the PCI SSC are both operational and technical, and the core focus of these rules is always to protect cardholder data. In order to become PCI compliant, the business must meet the 12 PCI compliance requirements, which are split up into 300 sub-requirements. The following PCI compliance requirements include security systems, organizational processes, testing and policies that can help protect cardholder data.

Our highly qualified and well-experienced team helps organisations to fully comply with all the PCI DSS requirements and achieve its certification successfully.

Our PCI DSS Experts team assists organisations not only to prevent payment data breaches and payment card fraud but also provide their professional services with respect to the PCI DSS compliance level of the organizations. However, same requirements don’t apply universally. In fact, there are four PCI compliance levels, which are determined by the number of transactions the organization handles each year.

Benefits of Achieving PCI DSS Certification

The current digital society has high expectations of flawless customer experience, continuous availability of services and effective protection of sensitive data. Information assets and online services are now strategically important to all public and private organizations, as well as to broader society. These services are vital to the creation of a vibrant digital economy. They are also becoming systemically important to the economy and to broader national security. All of which underlines the need to safeguard sensitive data and transactions, and thereby ensure confidence in the overall Saudi Financial Sector.

The stakes are high when it comes to the confidentiality, integrity and availability of information assets, and applying new online services and new developments (e.g. Fintech, block chain); while improving resilience against cyber threats. Not only is the dependency on these services growing, but the threat landscape is rapidly changing. The Financial Sector recognizes the rate at which the cyber threats and risks are evolving, as well as the changing technology and business landscape.

SAMA established a Cyber Security Framework (the Framework) to enable Financial Institutions regulated by SAMA (the Member Organizations) to effectively identify and address risks related to cyber security. To maintain the protection of information assets and online services, the Member Organizations must adopt the Framework.

The objective of the Framework is as follows:

The Framework will be used to periodically assess the maturity level and evaluate the effectiveness of the cyber security controls at Member Organizations, and to compare these with other Member Organizations.

The Framework is based on the SAMA requirements and industry cyber security standards, such as NIST, ISF, ISO, BASEL and PCI.

The Framework supersedes all previous issued SAMA circulars with regard to cyber security. Please refer to ‘Appendix A – Overview previous issued SAMA circulars’ for more details.

Saudi Data Management and Personal Data Protection Standard is a data security and management standard that applies to all government entities as well as all private organizations that handles the data of the public organizations.

The National Data Management Office (NDMO) as a national regulator of data has developed this standard. The purpose of this standard is to implement and govern effective data management practices across government entities and all business partners dealing with Government data.

This standard consists of 15 domains 77 controls and 191 specifications. The specifications are bifurcated into three priorities, i.e. P1, P2 and P3. The implementation of the specifications will be carried out in accordance with the said standard. For instance,

The organisation will conduct the compliance assessment at the level of each specification and assigned the 100% to specifications that are fully implemented and 0% will be assigned that are either partially or not implemented.

Our professional experts possess expertise in order to deliver the effective and efficient services on a timely fashion. They will develop the project plan consisting on the following areas so as to deliver the desired services to client.

GRC360 consultants have provided their professional services with regard to the said standards in a professional manner. Our consultants have provided a set of extensive reports, policies and procedure documents etc. to clients at the end of the project.

ISO/IEC 27001 is a leading international Information Security Standard that is jointly published by the International Organization for Standardisation, and the International Electrotechnical Commission. Information security guidelines and requirements are defined in the Standard to protect an enterprise’s information assets from loss and/or unauthorized access and recognized means of demonstrating their commitment to information security management through certification.

ISO 27001 focuses mainly on safeguarding critical and sensitive information of the organization by developing and implementing ISMS and a risk-based approach while demonstrating satisfaction, trust and confidence with business partners, clients and stakeholders.

ISO 27001 affords a framework for Information Security Management System (ISMS) not only to achieve legal compliance but also to realize the Confidentiality, Integrity and Availability of Information. CIA are the three principles of the ISO27001Standards.

ISO certification plays a pivotal role to protect the vital assets of the organisation such as client information, employee data, brand image, credibility and trust and other confidential information.

Lyxes Solution has assisted a multitude of organizations in implementing ISO 27001 effectively and efficiently. Our Professional consultants perform the following activities amidst the ISO 27001 lifecycle in order to acquire the anticipated results.

The Action Plan:

The ISO 27001 Lifecycle will be implemented in the order as described in the Diagram below.

Benefits of ISO270001 Implementation:

SO/IEC 27017:2015 is an information security code of practice for cloud services. It’s an extension to ISO/IEC 27001:2013 and ISO/IEC 27002, and it provides additional security controls for cloud service providers and for cloud service customers. An organization implementing the standard would select the relevant controls for their circumstances.

Benefits of ISO 27017 Certification

External assurance to customers

Provides external assurance to customers that information processed in the cloud by their cloud service provider is secure.


It helps reduce the risk of a security breach and other risks, this will increase stakeholders trust.

Extends and enhances certification

It extends and enhances a clients ISO 27001 certification.

Framework for cloud services customers

Provides a comprehensive information security management framework for cloud services customers and in so doing it holds their providers to account.

Framework for cloud services customers

Provides a comprehensive information security management framework for cloud services customers and in so doing it holds their providers to account.

Why implement ISO 27017?

Making clients feel safe about their data being stored in the cloud is vital. Having ISO/IEC 27017 standard allows an internationally standardised framework that can help reduce the risk of data breaches and build customer trust by showing your commitment to information security. The standard also gives guidance to cloud service customers on what they should want from their cloud service hosts.

The standard covers a range of topics such as asset ownership, removal and return of assets when a customer contract has been terminated, protection and separation of a customer’s virtual environment and more. With a growing risk of cloud data breaches now more than ever is important to know you and your organisation are doing the most to try and reduce these risks as a cloud service provider and/or a cloud service customer.

As ISO 27017 is built from the foundations of ISO 27001 and ISO 27002 framework, the certification shows compliance internationally and helps your organization for both the cloud service providers and cloud service customers against risks within the cloud.

Financial services organizations have long been a target for malicious actors. In November 2020, the Australian Prudential Regulation Authority (APRA) announced that it would be strengthening its enforcement of Cross-Industry Prudential Standard (CPS) 234. Although CPS 234 has been around since 2018, the regulatory body has remained lenient in its enforcement. However, with more stringent enforcement on the horizon, understanding the APRA CPS 234 becomes more important for organizations that need to prove compliance.

What is APRA CPS 234?

APRA is the regulatory authority for Australia’s financial services industry. CPS 234 sets out a series of guidelines for financial services organizations so that they can maintain cybersecurity resiliency and continue to protect sensitive data.

CPS 234 has four key requirements:

Who does the APRA Prudential Standard apply to?

At a high level, CPS 234 applies to any APRA-regulated entity. The standard falls under sections of the following laws:

On a more detailed level, CPS 234 specifically references the following:

What are the primary requirements for complying with the APRA Prudential Standard CPS?

CPS 234 consists of thirty-six paragraphs, twenty-four of which discuss how the governing body expects covered organizations to mature their security programs. Within those twenty-four paragraphs, nine basic requirements outline how APRA expects covered organizations can better secure data.

Roles and responsibilities

Under this standard, organizations need to assign cybersecurity responsibilities across all leadership and departments. This includes:

Specifically, CPS 234 requires robust governance by the covered entity’s Board of Directors.

The National Institute of Standards and Technology (NIST) has its own set of standards for penetration testing. In NIST Special Publication 800-115, “Guide to Penetration Testing”, NIST outlines the requirements for a successful penetration test.

One of the key requirements for a successful penetration test is that the tester must have a clear understanding of the organization’s network and systems. The tester must also have a thorough understanding of the organization’s security policies and procedures.

In order to gain this understanding, the penetration tester will need to perform some initial reconnaissance. This may include active or passive information gathering techniques. Once the information has been gathered, the tester will need to analyze it and identify potential vulnerabilities.

After the initial reconnaissance and analysis phases have been completed, the penetration tester can begin launching attacks. These attacks can be either automated or manual in nature. During the attack phase, it is important for the tester to remain undetected by the organization’s security systems.

Once the attack has been completed, the penetration tester will then need to analyze the results and prepare a report. This report should include a detailed description of the attacks that were performed, as well as any vulnerabilities that were identified. The report should also include recommendations for remediation.

The Information Security Manual (ISM) represents the considered advice of the Australian Cyber Security Centre (ACSC) within the Australian Signals Directorate (ASD). The purpose of the ISM is “to outline a cyber security framework that an organization can apply, using their risk management framework, to protect their systems and data from cyber threats.”

The ISM is intended for:

The Information Security Manual (ISM) represents the considered advice of the Australian Cyber Security Centre (ACSC) within the Australian Signals Directorate (ASD). The purpose of the ISM is “to outline a cyber security framework that an organization can apply, using their risk management framework, to protect their systems and data from cyber threats.”

Cybersecurity Principles

The first section of the ISM consists of a set of cybersecurity principles. The purpose of these principles is to “provide strategic guidance on how an organization can protect their systems and data from cyber threats”.

The ISM’s cybersecurity principles are grouped together into 4 categories: govern, protect, detect, and respond. Here’s a summary of what each principle covers:

Australian Information Security Manual (ISM) & Data Wiping

The second part of the ISM is a series of in-depth cybersecurity guidelines that are split up into a number of subsections and security controls. The Guidelines for Media chapter outlines security controls that cover the following 4 areas: Media usage, media sanitization, media destruction, and media disposal. The media usage and media sanitization sections, in particular, provide information on the importance of data wiping.

The ‘Media sanitization processes and procedures’ subsection of the Guidelines for Media states: “Using approved methods to sanitize media provides a level of assurance that, to the extent possible, no data will be left following sanitization. The methods described in these guidelines are designed not only to prevent common data recovery practices but also to protect from those that could emerge in the future.” In the same section, Security control ISM-0348 advises: “Media sanitization processes, and supporting media sanitization procedures, are developed and implemented.”

The Guidelines for Media chapter goes on to provide more specific advice for sanitizing volatile and non-volatile types of media. There are also recommendations for sanitizing media before first use, before it is reclassified to a lower sensitivity, and when media is transferred between 2 systems.

Australian Information Security Manual (ISM) & Encryption

Sticking with the ISM’s cybersecurity guidelines, the Guidelines for Cryptography is the chapter that offers organizations advice on using encryption. In the ‘Encrypting data at rest’ subsection, the ACSC recommends that organizations use full disk encryption as “it provides a greater level of protection than file-based encryption.” Another solution for protecting all the data on your hard drive is volume encryption, which we believe is a more secure alternative to full disk encryption.

A list of the encryption algorithms that are approved by the Australian Signals Directorate can be found in the ‘ASD-Approved Cryptographic Algorithms’ section of the Guidelines for Cryptography. The guidelines state: “The only approved symmetric encryption algorithm is Advanced Encryption Standard (AES)”. The AES is used for encrypting data at rest, and is the default encryption algorithm used by BestCrypt Volume Encryption and BestCrypt Container Encryption.

Use the Right Data Protection Software

The type of data that needs to be wiped and encrypted will help you decide what kind of software your organization should use. If you have sensitive data on a computer that’s no longer needed, then you should use software that’s able to wipe your entire hard drive. However, if you want to be prepared in the event that one of your devices gets lost or stolen, you should secure the contents of the relevant hard drive by investing in whole disk encryption.

To help your organization comply with the ISM’s recommendations for media sanitization and encryption, GRC360 offers 2 types of software:

In an effort to significantly improve the cyber resilience of Australian businesses, the Australian federal government is mandating compliance across all eight cybersecurity controls of the Essential Eight framework. This is an ambitious move that may be burdensome to the many entities still struggling to comply with just the top four controls of the Essential Eight. This post clearly outlines the expectations of all eight security controls and explains how Australian businesses can achieve compliance for each of them.

What is the Essential Eight?

The Essential Eight is an Australian cybersecurity framework by the Australian Signals Directorate (ASD). This framework, published in 2017, is an upgrade from the original set of 4 security controls by the ASD. The Essential Eight introduced 4 additional strategies to establish the eight control that aim to protect Australian businesses from cyberattacks today.

The eight strategies are divided across three primary objectives – prevent attacks, limit attack impact, and data availability

General Data Protection Regulation- (GDPR) refers to the regulation for the privacy of personally identifiable information of European citizens and residents. it is the toughest privacy and security law in the world. it was drafted and passed by the European Union (EU. The regulation came into effect on May 25, 2018. The GDPR levies stern fines and penalties against those who violate its privacy and security standards.

GDPR 7 Principles and Requirements - There are two key areas which need to be considered in order to satisfy the requirements and for becoming fully compliant with GDPR.

First of all, the seven key principles around which the specific requirements of the GDPR are based. Then there are the individual rights which ensure that data subjects are aware of how an organization handles both data privacy and data protection. Our consultant team possess extensive knowledge and vast experience in the GDPR domain and ensures that all the principles and requirements of GDPR are satisfied to be fully compliant with it.

With the GDPR, Europe is signalling its stern stance on data privacy and security at a time when numerous people are entrusting their personal and confidential data with cloud services and security breaches are a daily occurrence. The regulation is large, and far-reaching in specifics, making GDPR compliance a daunting prospect, particularly for small and medium-sized enterprises (SMEs).

The maximum penalty for non-compliance is 4% of annual revenue or €20 million, whichever is higher. Lower fines of up to 2% are possible for administrative breaches, such as not carrying out impact assessments or notifying the authorities or individuals in the event of a data breach.

Don’t wait until it’s too late – Contact GRC360 today to learn more about our GDPR services and how we can help you secure your business. Our consultant has extensive experience in helping clients to achieve EU GDPR Compliance.

Key Business Benefits of GDPR Compliance:

Control Objectives for Information Technologies- (COBIT) is a best-practice IT Governance Framework developed by the ISACA in order to specifically manage IT Governance and IT management. COBIT defines the components and design factors to build and sustain a best-fit governance system. It provides a set of controls not only to implement in IT but also to organize them around the framework of information technology-related processes. It helps organizations to create optimal value from IT. Organizations regardless of their sizes and types of business can benefit from it.

It helps in organizing the objectives of IT governance and bringing in the best practices in IT processes and domains while linking business requirements.

COBIT separates the process design activity by segregating it as follows:

Governance objectives are grouped in the Evaluate, Direct, and Monitor (EDM) In this domain, the governing body evaluates strategic options, directs senior management on the chosen strategic options and monitors the achievement of the strategy.

Management Objectives are grouped into four domains:

COBIT 2019 is comprised of the COBIT Core Model that contains two main domain Governance and Management. These two domains consist of 40 Objectives. Additionally, The 6 Principles and 6 process capability levels. The process capability levels are used to assess the level of the existing practices against the COBIT 40 process.