Certification Assistance



Does your business process credit card information electronically? Have you been requested by your Bank or card machine company to complete a PCI assessment? Galactech can help.

The payment card industry first created the original Data Security Standard back in 2004, and it has evolved since then up to version 3.2.1, released in May. The compliance requirement came about due to the growth in electronic credit card fraud, which was often caused by lax standards at the payment point. The PCI standard aims to improve this by demanding a fair level of security and auditing on the local network; however, the questions can seem difficult for small businesses to answer and implement.

PCI-DSS is primarily common sense to most businesses; however, if a network has been set up by a non-professional, or if it has grown organically from a small system, it is possible that several items will need attention, such as:

We can assist with getting your business through PCI-DSS certification by offering affordable advice and recommendations. We work with your existing systems where we can and optimise them so you can get the most from your setup.

Because every organisation's setup and systems are different, we are unable to offer exact prices on the website; however, we provide a full quotation prior to any work commencing.

Originating in 2012 as 10 Steps to Cyber Security by HM Government, the guide evolved into a scheme supported by businesses to ensure a minimum standard of IT security. Covering all major components of most businesses' IT systems, it confirms that the holder of the standard has appropriate mechanisms in place to mitigate the majority of attacks.

The CyberEssentials scheme is divided into two levels of certification:

CyberEssentials – This is based upon a self-assessment questionnaire that is sent to an external certifying body for review.

The questionnaire is detailed and features questions on:

CyberEssentials Plus – This includes the self-assessment questionnaire from the standard qualification but also features the following:

External Penetration Testing – The assessor attempts to break into the company's systems from the Internet; if this fails, the testing shifts to seeing what data can be leaked through the systems.

On-Site Audit – The assessor visits the sites, attempts internal penetration tests, and confirms that the answers given in the self-assessment are correct.

We provide help to get your business compliant with the CyberEssentials scheme. Depending upon your current systems, in most cases we can adapt your current configurations to help meet the scheme's requirements; if not, we can supply hardware and software to ensure compliance.

The guidelines cover not only technical requirements but also procedural specifications for user modifications, security roles and data storage locations. We can assist with this by providing templates and adjusting them to suit your business needs.

Whilst we don't provide certification ourselves, we work with a partner company and can arrange the tests to ensure your business suffers minimal disruption and gets the accreditation.

The General Data Protection Regulation is an EU standard, being written into UK law. It went live to much fanfare on May 25th 2018.

Before GDPR, existing data protection regulation was somewhat dated; the last EU directive was issued in 1995, so an updated policy that takes the Internet into account was long overdue. GDPR provides a set of guidelines that require businesses to take reasonable precautions to ensure personal data is kept securely, and it enforces the reporting of data breaches.

In our view the most important part of any computer system is the data. GDPR demands that data containing personally identifiable information is kept secure and that you only keep the information you require for processing.

Here are some of the requirements GDPR requires you to have in place:

Consent

One of the main changes GDPR introduces is a set of requirements on the use of consent for processing personal data. Consent should be "opt-in" as opposed to "opt-out", and you cannot bundle services into the consent.

You should also be able to easily withdraw consent for processing.

Right to be forgotten

If a person contacts your company and asks for their data to be removed from your systems, this must be completed promptly and proof of deletion supplied to them. Obviously, proving that something doesn't exist is somewhat of a difficult prospect, but best efforts apply here.

Personal Data Export

The data subject can request a copy of the personal data you hold about them through a subject access request.

Data Breaches

In the last few years we have witnessed multiple companies admitting to large-scale data breaches involving the loss of personal information about customers, and receiving relatively small fines.

GDPR aims to make businesses more accountable for the security of the personal data they process by forcing them to notify the data protection regulator within 72 hours of a breach and, depending upon the information leaked, the individuals involved.

Fines

Prior to GDPR the highest fines for breaking data protection laws were £550,000. GDPR significantly ups the ante by imposing maximum fines of up to €20 million or 4% of global annual turnover, whichever is the greater.

How can we help?

As the deadline has passed, your business should already be GDPR compliant; if it is not, we can help your company meet the standard.

We offer a free initial assessment and can assist not only with the technical requirements but also with drawing up procedures and policies for your organisation to follow.

If you're interested in a quote for certification assistance or would like to find out more, give us a call, send us an email, or speak to someone on our live chat.
