Compliance Audit

Compliance

From enterprise security down to individual device configurations, C3SA compliance services help achieve, maintain, and measure compliance with international security standards accepted by government, industry and academia in Canada. When you need assistance with your next consulting audit or implementation project, think: C3SA Cyber Security Audit Corp – it's what we do.

NIST SP800-53

The National Institute of Standards and Technology (NIST) SP800-53 publication is designed to help organizations meet US Federal requirements regarding Security and Privacy Controls for Information Systems in accordance with FIPS 200 and FIPS 199. C3SA can assist organizations seeking compliance with this standard in the selection of baseline security controls as outlined by FIPS 199, tailoring these controls to the unique business requirements of the organization and supplementing these controls in accordance with the organizational assessment of threat and risk.

ISO27001 & CAS(T)

ISO27001 is an information security standard published by the International Organization for Standardization (ISO) which provides the foundation for organizations to develop and implement an Information Security Management System (ISMS) that will, among other things, reduce the threat and risk posed by threat actors. ISO27001 certification is achieved by an independent audit that will assess and validate the following controls:

    • Information security policies
    • Human resource security
    • Asset management
    • Access controls
    • Cryptography
    • Physical and environmental security
    • Operations security
    • Communications security
    • System acquisition, development and maintenance
    • Supplier relationships
    • Information security incident management
    • Information security aspects of business continuity management
    • Compliance with both internal (e.g., policies) and external (legal) requirements

CAS(T), which stands for CESG Assured Service (Telecoms), is a UK certification targeting the security of next-generation networks. While almost identical in scope to what is covered by ISO27001, CAS(T) can be viewed as a more stringent extension of ISO27001 where certain aspects which are optional under ISO27001 become mandatory.

Having been recognized as one of Canada's leaders in the ISO27001 certification process and being one of the only Canadian companies authorized to teach and accredit future ISO27001 auditors, C3SA can guide and accompany any organization that wishes to obtain either their ISO27001 or CAS(T) certification. By creating a detailed and inclusive roadmap towards certification, our experts will assess the current state of your infrastructure and business processes, identify gaps and deficiencies, and recommend both corrective procedural and technical measures. To this day, C3SA is one of Canada's only consulting firms that has had a 100% success rate in assisting its clients to become ISO27001 certified.

NERC/CIP

The North American Reliability Corporation (NERC) publications on Critical Infrastructure Protection (CIP) provide a list of standards aimed at improving security configuration, architecture and management across a wide range of topics, such as securing various commercial applications, detailing the management of vulnerabilities and providing guidance on the development of an Incident Response capability. Through our numerous service offerings, C3SA can help your organization meet any of the CIP standards developed and promulgated by NERC by conducting an in-depth assessment of the targeted infrastructure or business process, identifying gaps, deficiencies and vulnerabilities against the desired standard, and developing a custom-tailored action plan to bring the organization to full compliance.

PCI DSS

The PCI Data Security Standard (PCI DSS) is a standard developed for organizations that handle credit cards from most of the major credit card companies. Specifically, organizations seeking PCI DSS compliance must adhere to the following controls:

    • Build and maintain a secure network
    • Protect card holder data
    • Maintain a vulnerability management program
    • Implement strong access control measures
    • Regularly test and monitor networks
    • Maintain an information security policy.

C3SA can assist companies in becoming PCI DSS compliant by providing any of the following services along with the necessary remedial advice and guidance:

    • Security Architecture review
    • Validation, through Secure Code Analysis, that card holder data is protected by technical means such as encryption at rest, and that any plaintext copy held in memory is sanitized immediately after use
    • Review and audit of access control measures and safeguards to ensure that only authorized personnel have access to card holder data
    • Audit your existing vulnerability management program by conducting a Vulnerability Assessment
    • Audit and test the security of your network assets through a Penetration Test
    • Review and improve existing corporate policies, guidelines, standards and security frameworks.

CSE ITSG-33

The Communications Security Establishment (CSE), Canada's cryptologic agency and counterpart to the NSA, is responsible for providing official guidance to Canadian federal departments and agencies. In fulfilling this mandate, CSE has released ITSG-33, guidance aimed at federal departments wishing to assess and improve their approach to the risk management lifecycle. Having performed countless ITSG-33 audits and subsequent improvement plans for numerous Canadian federal departments, C3SA is uniquely positioned to assist any organization that wishes to improve the maturity level of its approach to managing risk and incorporate ITSG-33 into its security ecosystem.

CIS Benchmarks

The Center for Internet Security (CIS) provides a set of benchmarks that enable organizations to assess their overall security posture by covering various control points such as configuration, access control, patch management, etc. These benchmarks are provided for most major open source and commercial Operating Systems (OS) and applications. Through our various custom-tailored service offerings such as Vulnerability Management, Threat and Risk Assessments (TRAs) and Security Architecture and Design reviews, C3SA can ensure that you meet and exceed any of the prescribed CIS benchmarks by conducting a comprehensive assessment of your current security posture and developing mitigating and corrective action points when gaps and deficiencies are found.

SANS Top 20

SANS Top 20 is a list of security controls designed for organizations of all sizes to ensure an effective cyber defense strategy against the most prevalent threats. C3SA can assist enterprises in conforming to these controls and, when deficiencies and gaps are identified, create a corrective roadmap that will guarantee a solid security posture for your entire infrastructure.

OWASP Top10

The Open Web Application Security Project (OWASP) Top 10 is a short list, issued on a yearly basis, of the top 10 most exploited types of vulnerabilities that plague today's websites. C3SA assists enterprises in identifying and correcting the most recurrent web-based vulnerabilities to provide a high level of assurance that your organization's web services are secured against the most common threats.

Technology we Test, Harden and Audit