The PCP application, developed by PR-AUDIT Ltd, supports the classification of an organisation and of its electronic information systems in compliance with the Act, and allows the assessments required for that classification to be completed quickly, effectively and substantively. The security measures an organisation must apply depend fundamentally on the data it handles and on the security classification of its infrastructure; it is therefore of utmost importance that security classes are defined accurately, on the basis of the real risk classification of the specific information or infrastructure concerned.
Functions of the PCP framework (the framework implements the functions required by the KIB 28 recommendation, which is the basis of the implementing decree):
• Recording data classes in accordance with the KIB 28 recommendation, using the CIA model (confidentiality, integrity, availability)
• Process assessment and dependency inspection
• Conducting business impact analysis
• Completion of data asset inventory and data classification, assigning data classes to IT systems
• Classification of electronic information systems (on the basis of confidentiality, integrity and availability)
• Testing compliance with the technological requirements of each security level: determining the actual security level of each electronic information system and its deficiencies against the required level
• Completion of action plans to achieve compliance with the required security levels
• Definition of the organisation's required security class: SECURITY CLASS(organisation) = max over i = 1..n of SECURITY CLASS(electronic information system i)
• Assessment of the factual security level of the organisation
• Completion of action plans for achieving compliance with required security level
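The classification chain listed above (data classes, then system classes by the high water mark principle, then the organisation's class as the maximum over its systems, then a gap list against the measured level) can be written down as a short roll-up. The following is an added example, not code from PR-AUDIT's PCP application; the 1..5 scale per dimension, the sample data inventory and the measured levels are constructed for illustration, and the reduction of the per-dimension organisation class to a single organisation security level by taking its maximum is an assumption of this example.

```python
"""Added example (not PR-AUDIT's PCP code): high water mark roll-up
from data classes to system classes to the organisation's class,
plus a deficiency list against measured levels."""
from typing import Dict, List, Tuple

# A class is a (confidentiality, integrity, availability) triple.
# Assumption of this example: each dimension is classified on a 1..5 scale.
CIA = Tuple[int, int, int]
DIM = ("C", "I", "A")
MIN_LEVEL, MAX_LEVEL = 1, 5


def validate(cls: CIA) -> CIA:
    """Reject malformed or out-of-range classes early; a typo in the
    inventory must not silently lower a system's class."""
    if len(cls) != 3 or any(not MIN_LEVEL <= v <= MAX_LEVEL for v in cls):
        raise ValueError(f"class out of range: {cls!r}")
    return cls


def high_water_mark(classes: List[CIA]) -> CIA:
    """High water mark principle: per-dimension maximum over the given classes."""
    if not classes:
        raise ValueError("nothing to classify")
    return tuple(max(c[k] for c in classes) for k in range(3))


def classify_systems(inventory: Dict[str, List[str]],
                     data_classes: Dict[str, CIA]) -> Dict[str, CIA]:
    """System class = high water mark of the data classes of the assets it handles."""
    return {
        system: high_water_mark([validate(data_classes[asset]) for asset in assets])
        for system, assets in inventory.items()
    }


def organisation_class(system_classes: Dict[str, CIA]) -> CIA:
    """SECURITY CLASS(organisation) = max over all systems, per dimension."""
    return high_water_mark(list(system_classes.values()))


def organisation_level(org_class: CIA) -> int:
    """Assumption: the single organisation security level is the highest
    of its three per-dimension classes."""
    return max(org_class)


def deficiencies(required: Dict[str, CIA],
                 measured: Dict[str, CIA]) -> Dict[str, Dict[str, int]]:
    """For each system, the dimensions where the measured level is below the
    required class, with the size of the gap. A system with no measured
    level is treated as being at the lowest level, so it shows every gap."""
    result: Dict[str, Dict[str, int]] = {}
    lowest: CIA = (MIN_LEVEL, MIN_LEVEL, MIN_LEVEL)
    for system, req in required.items():
        act = validate(measured.get(system, lowest))
        gaps = {DIM[k]: req[k] - act[k] for k in range(3) if act[k] < req[k]}
        if gaps:
            result[system] = gaps
    return result


# Constructed sample inventory (not real PR-AUDIT or customer data).
DATA_CLASSES: Dict[str, CIA] = {
    "payroll": (4, 3, 2),
    "customer contracts": (3, 4, 3),
    "public website content": (1, 3, 4),
    "audit logs": (3, 5, 3),
}
INVENTORY: Dict[str, List[str]] = {
    "HR system": ["payroll"],
    "CRM": ["customer contracts", "public website content"],
    "SIEM": ["audit logs", "payroll"],
}
# Constructed result of the technological compliance check per system.
MEASURED_LEVELS: Dict[str, CIA] = {
    "HR system": (4, 3, 2),
    "CRM": (2, 4, 4),
    "SIEM": (4, 4, 3),
}


def run_classification() -> Tuple[Dict[str, CIA], CIA, int, Dict[str, Dict[str, int]]]:
    """Full chain on the sample data: system classes, organisation class,
    organisation level and the deficiency list."""
    systems = classify_systems(INVENTORY, DATA_CLASSES)
    org = organisation_class(systems)
    return systems, org, organisation_level(org), deficiencies(systems, MEASURED_LEVELS)


if __name__ == "__main__":
    systems, org, level, gaps = run_classification()
    for name, cls in systems.items():
        print(f"{name:10s} C/I/A = {cls}")
    print(f"organisation class {org}, security level {level}")
    print("deficiencies:", gaps)
```

The point the roll-up makes visible is that a single high-classification data asset pulls every system that handles it up to its level (the payroll data lifts the SIEM's confidentiality class to 4), and that an asset left out of the inventory cannot raise anything, which is why the completeness of the data asset inventory decides the correctness of the whole classification.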
Advantages of the use of the framework:
• Use of the framework significantly facilitates the substantive conduct of the legally required audits. A difficulty of classification is that it must be derived by comparing large quantities of input data (for example, a system's class must be derived from the classes of the data it handles, applying the high water mark principle). Querying such correlations is greatly facilitated by the relational database used to organise the data.
• Assessing compliance with the technological requirements of each security level is done using complex matrices, which, without software support, requires a large amount of resources
• Completion of review and maintenance in a resource-conservative manner
• Supplying data to supervisory authorities in systematic, organised and methodologically supported ways.
• PR-AUDIT Ltd provides full support in conducting the assessments and classifications, as well as in implementing the system, training staff and acting in an advisory role throughout all of these processes.