Security Norms Consulting

ISO 27K, ENS and TSP. We are aware of every security-related norm. If you are about to undertake a security audit or evaluation, call us.


Security Norms

There are many norms that promise to guarantee the security of a product or system by implementing various controls or by means of specific audits.

We are familiar with all of them and can help you attain the certification that your company requires.

We are experts in risk analysis and can help you succeed by giving you access to our expertise.

Whatever your problem, do not hesitate to contact us to see how we can help you. Compliance is still largely unknown in many respects, and the advantages it can bring seem to raise many doubts in the organizations that implement it; SMEs are still almost unaware of the importance of compliance, even though every company is obliged to meet it.

Recent events, such as the proliferation of more advanced ransomware, have made many companies reassess the security of their systems. And you? Have you checked the security status of your business yet?

Scheme definition

jtsec members have extensive experience in different well-known IT evaluation methodologies and schemes such as Common Criteria, FIPS 140-2, GlobalPlatform TEE, FIDO, EMVCo or the eIDAS Regulation (EU) 910/2014. We have also participated in different innovative initiatives such as the European IACS Cybersecurity Certification Framework in the industrial sector or a security evaluation framework for IoT, and we have supported the launch of some of these schemes.

jtsec may be your perfect partner if you need to define your IT security certification scheme, including the methodology, security requirements, evaluation/certification process or lab accreditation process.

FIPS 140-2

FIPS 140-2 is a norm for the validation of software and hardware cryptographic modules. Conformance with this norm implies the correct implementation of a set of cryptographic algorithms chosen in accordance with the NIST criteria of the CMVP (Cryptographic Module Validation Program) and the CAVP (Cryptographic Algorithm Validation Program) for key sizes and approved security functions. The norm usually requires role-based access and correct key management. FIPS 140-2 defines four security levels and includes many requirements to protect the module against physical access. Ask us about our FIPS 140-2 Consulting service.


ISO 27001

ISO 27001 is an ISO norm (International Organization for Standardization) that allows the establishment, implementation, maintenance and continuous improvement of an Information Security Management System (ISMS) to preserve the confidentiality, integrity and availability of the information managed inside an organization. To achieve this, a risk analysis and the treatment of the identified risks are required. Appropriate treatment of the risks, using the control objectives described in the norm, keeps the risk under control. We offer professional ISO 27001 Consulting services. With our help, your business will be able to pass the ISO 27001 Audit. We will help you design and implement the required ISO 27001 controls that will be reviewed by an ISO 27001 Auditor. If you need an ISO 27001 Certification, call us now.


ENS

The Esquema Nacional de Seguridad is a Spanish national norm that regulates the fulfilment of information security management requirements by public administrations providing services through the Internet. Similarly to ISO 27001, the ENS manages security from a risk analysis perspective, but with its own controls and a mandatory minimum security level based on the system's category.

AICPA SOC2

A SOC2 (Service Organization Control) report is a report based on compliance with a guide created by the AICPA (American Institute of Certified Public Accountants) regarding the fulfilment of a number of organizational controls over one or more of the "Trust Service Principles" (TSP) described by the AICPA, namely: security, availability, processing integrity, confidentiality and privacy. There are two kinds of SOC2 report, named Type I and Type II, depending on whether the existence of records demonstrating the actual implementation of the described controls is required. SOC2 guides are widely used nowadays to certify the security of cloud service providers. We are experts in SOC2 consultancy.


PCI

The PCI Data Security Requirements apply "to all Members, merchants, and service providers that store, process, or transmit cardholder data." Additionally, these security requirements apply to all "system components", which are defined as any network component, server, or application included in, or connected to, the cardholder data environment. Network components include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Servers include, but are not limited to, web, database, authentication, DNS, mail, proxy, and NTP. Applications include all purchased and custom applications, including both internal and external (web) applications.

FIDO

The FIDO ("Fast IDentity Online") Alliance is an industry consortium launched in February 2013 to address the lack of interoperability among strong authentication devices and the problems users face creating and remembering multiple usernames and passwords. FIDO is the world's largest ecosystem for standards-based, interoperable authentication. The specifications and certifications from the FIDO Alliance enable enterprises and service providers to deploy strong authentication solutions that reduce reliance on passwords and protect against phishing, man-in-the-middle and replay attacks using stolen passwords.


GDPR

The EU has published the new General Data Protection Regulation to create a common legislative environment for all member states of the European Union, so that existing data protection laws adapt to new technological developments, which have led to exponential growth in the processing of personal data. In order to comply with the new regulation, companies must be clear that the concept of personal data covers all the data of a person that makes it possible to identify them, directly or indirectly, without excessive effort, so that they are able to answer the following questions: What personal data do they work with? What kind of processing is carried out on these data? Is this high-risk processing? What is the purpose of the processing? What are the risks involved? What severity and probability of occurrence do they entail? What rights do the data subjects have?
