Black Cell Risk Advisory and Compliance
With a commitment to technological innovation and broad industry expertise, Black Cell offers a fully customisable suite of cybersecurity solutions and managed security services. Black Cell’s Risk Advisory and Compliance team has the capabilities and experience to deliver the answers an organization needs to enhance its electronic information systems and processes in order to ensure the confidentiality, integrity and availability of its information assets.
Black Cell offers a variety of tailor-made consultancy services that help organizations comply with European Union and Member State cybersecurity and privacy legislation, supervisory authority recommendations and international standards; perform risk assessments; and ensure that appropriate procedures are in place to guarantee business continuity. Black Cell professionals combine the best domestic practices with international expertise to provide objective advice and effective execution.
In an increasingly digital world, cyberspace brings new opportunities and threats. Black Cell Risk Advisory services help our customers address those threats and create a resilient yet highly adaptive organization that can withstand all kinds of external and internal cyber threats. Black Cell primarily helps organizations identify, prioritize and remediate the risks that could cause damage through a loss of confidentiality, integrity or availability of information assets and electronic information systems.
Black Cell’s Risk Advisory services include:
- Cyber Risk Management, including risk assessment and risk treatment, based on widely recognized standards (e.g. ISO 31000, ISO/IEC 27005:2018) or MITRE’s Crown Jewels Analysis.
- Control Maturity Assessment based on ISO/IEC 27001:2013, NIST CSF and SP 800-53 Rev. 4, as well as EU and Hungarian legislative acts, to ensure that robust controls are in place to achieve compliance and manage cyber risks, including process improvement and control optimisation.
- Assurance and assistance in the implementation and configuration of third-party compliance tools, such as SeCube GRC.
Cyber Risk Management
Managing risks and potential threats is an important factor in operating any organization, but cyber risk management is vital for IT departments (or IT-focused service providers), as they have extensive control over electronic information systems and information assets. The international standard ISO/IEC 27001:2013 provides the requirements for deploying an information security management system. Assessing the relevant controls of the international standard within an organization is a risk-based approach to organizational information security risk management that addresses people, process and technology. Black Cell experts conduct cyber risk analysis in a qualitative manner.
MITRE’s Crown Jewels Analysis (CJA) is a multipurpose tool that can be used as a risk assessment methodology to identify the cyber assets (critical information assets and electronic information systems) that are most critical to the accomplishment of an organization’s mission. Organizations need to identify all IT assets on which critical operations depend in order to be aware of the IT assets most likely to be targeted. Black Cell experts conduct CJA in a quantitative manner.
Control Maturity Assessment
Structural shifts in an organization’s operations often result in heavily modified electronic information systems and procedures connected to the management of the organization’s GRC. Therefore, it is recommended that modification of the control environment be performed in a controlled and structured manner, in accordance with the provisions of a widely recognized standard. Thus, before any structural shift (e.g. Security Operations Centre implementation, replacement of the base IT infrastructure), the control maturity of the organization or the affected department must be assessed.
Black Cell experts assure and assist the implementation and configuration of SeCube GRC, a highly modular GRC solution. SeCube helps organizations govern their information security, conduct risk assessments and ensure compliance with various legislations and standards. SeCube currently has the following modules:
- Inventory to model the organization.
- BIA to conduct business impact analyses.
- Risk management.
- Compliance to assess compliance with specific standards and regulations.
- GDPR module to create the records of processing activities, data protection impact assessments and additional mandatory records.
- BCM module to support business continuity planning.
Black Cell Compliance Services help our customers stay up-to-date with external and internal requirements and comply with regulations in a constantly evolving threat environment and regulatory landscape. Black Cell experts ensure the compliance of our customers with national legislative acts (e.g. Act L of 2013), EU legislative acts (e.g. GDPR, NIS Directive), Hungarian regulatory requirements (e.g. 4/2019, 8/2020 and 12/2020 MNB recommendations) and international standards (e.g. ISO/IEC 27001:2013).
The General Data Protection Regulation (GDPR) is justifiably the most progressive change in the last twenty years of EU data protection law, and it significantly influences the daily operations of data controllers and processors from both an information security and a legal point of view.
By replacing the 95/46/EC Data Protection Directive, GDPR is a regulation that meets the requirements of the 21st century’s digital environment and is applicable to all organizations controlling and/or processing personal data in all member states of the European Union and European Economic Area.
In order to harmonize national data protection legislation with the GDPR, Act CXII of 2011 on Information Self-determination and Freedom of Information was amended in July 2018. However, until the adoption of Act XXXIV of 2019 in March 2019, the compliance of the sectoral legislation with GDPR in Hungary was not ensured. The adoption of the sectoral data protection legislation created a further compliance obligation for data controllers and processors to fine-tune their data protection management systems.
The combined application of the abovementioned sources of law is necessary to ensure an adequate level of compliance of data controllers and processors with the GDPR. Full compliance with the GDPR and the sectoral data protection legislative acts is an ongoing procedure and definitely not a one-off event. Compliance must be continually reviewed against the requirements set forth in the ever-changing regulatory landscape.
Unlike under the 95/46/EC Data Protection Directive, under GDPR personal data breaches must be reported directly to the supervisory authority (in Hungary, the Hungarian National Authority for Data Protection and Freedom of Information), and in some cases the data controller must communicate the personal data breach to the data subject in a timely manner. This requires organizations to have a proper privacy incident management procedure that is well known across the organization.
Black Cell’s GDPR services include:
- Comprehensive privacy audit, including exploration of data controlling and processing procedures, examination of the lawfulness of processing, purposes of processing, processing of special categories of personal data, conditions for consent.
- Reviewing and implementing GDPR principles into the relevant data controlling and processing procedures.
- Performing data protection impact assessments.
- Maturity assessment of information technology systems and services supporting the data controlling and processing procedures. Proposing technical controls to ensure the confidentiality, availability and integrity of the controlled personal data.
- Privacy assessment of the internal documentation and policies.
- Assessing the detection, identification, communication and remediation capabilities of personal data breaches. Developing or fine-tuning the existing incident management procedure.
- Preparing the adequate documentation and record framework in accordance with the provisions set forth in GDPR.
- Supporting the data protection officer or outsourced DPO-as-a-Service.
Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (NIS Directive) is the first piece of EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cybersecurity of critical infrastructures in the EU. In past decades, while the political and economic integration of the EU was at a significantly lower level, the member states had very uneven levels of cyber-defence readiness and completely different approaches to regulating the protection of their respective critical infrastructure.
This legislative fragmentation was itself considered a vulnerability. The NIS Directive strives to strengthen the overall cyber-defence preparedness of the EU as a digital single market, firstly by amplifying cooperation among all the member states (“EU Security Network”) in order to support and facilitate strategic cooperation and the exchange of information, secondly by establishing equivalent cyber-defence requirements across the EU, and thirdly by requiring each member state to adopt a strategy that defines security goals as well as the policy and regulations needed to enforce the cybersecurity strategy envisaged in the NIS Directive.
The NIS Directive applies to traditional critical infrastructures, such as energy, transport, drinking water supply, financial market infrastructure, digital infrastructure, banking and healthcare, as well as to key digital service providers, such as online search engines, cloud computing services and online marketplaces. These organizations must comply with the security and notification requirements under the NIS Directive, which member states adopted in separate legislative acts.
In accordance with the provisions of Government Decree 270/2018. (XII. 20.), Black Cell focuses on assisting digital service providers in achieving compliance with the Government Decree and the NIS Directive. The digital service providers, as essential services, must
- register with the Special Service for National Security (SSNS), as this authority is the appointed national competent authority,
- conduct a risk assessment, implement and apply adequate security measures,
- notify the national competent authority about a security incident,
- review the adequate security measures at least annually, and following the occurrence of a security incident, implement necessary changes to the security measures based on deficiencies identified during the review.
Pursuant to the MNB Act, the Magyar Nemzeti Bank (MNB) exercises continuous supervision over the entities and persons covered by the laws of the financial sector. The Bank monitors the activities of financial institutions in relation to preventing and combating money laundering and the financing of terrorism, and also performs IT supervision. Black Cell professionals help organizations under the scope of Government Decree 42/2015. (III. 12.) and the MNB recommendations (4/2019 MNB recommendation on cloud services; 8/2020 MNB recommendation on the protection of IT systems; and 12/2020 MNB recommendation on the protection of teleworking and remote access) stay compliant with the rather rigorous cybersecurity and procedural requirements.
Additional benefits of a certified ISMS include:
- An ISMS helps protect all forms of information, including digital, paper-based, intellectual property, company secrets, data on devices and in the Cloud, hard copies and personal information.
- ISO’s holistic approach covers the whole organisation, not just IT, and encompasses people, processes and technology. This enables employees to readily understand risks and embrace security controls as part of their everyday working practices.
- An ISMS offers a set of policies, procedures, technical and physical controls to protect the confidentiality, integrity and availability of information assets.
- Constantly adapting to changes both in the environment and inside the organisation, an ISMS reduces the threat of continually evolving risks.
Business Continuity Management System
A Business Continuity Management System (BCMS) integrates the disciplines of crisis management, disaster recovery (information technology continuity) and business continuity (organizational/operational continuity). Even where not required by legislation or by customers, it is a competitive business advantage for organizations to be resilient to cyber incidents affecting their business and technology continuity. A BCMS not only maintains operations during times of crisis or disaster, but also decreases costs and reduces damage and recovery time.
A crisis management plan provides the key communication mechanisms necessary to ensure employee and customer safety, provide initial information and direction, and organize ongoing actions. The business continuity plans (BCP) are specific to each critical business function and articulate the specific steps necessary to enable the respective process. The disaster recovery plans (DRP) are the processes in place to restore essential information technology systems and applications that enable critical business processes.
Black Cell assists organizations in their business continuity planning to develop and continuously review a robust Business Continuity Management System in accordance with the provisions of international standard ISO 22301:2019. The aim is to create a framework to reduce the effects of an incident, re-establish operations, and deliver key business services in the aftermath of a disruptive event.
BCP and DRP testing
Black Cell professionals help our customers determine the effectiveness of, and identify potential weaknesses in, their Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP) through testing. Testing methods include walk-through and tabletop exercises, checklists and live simulations, subject to the specific control requirement.
Data Protection Officer
An outsourced Data Protection Officer (DPO) is a practical and cost-effective solution for organisations that don’t have the requisite data protection expertise and knowledge to fulfil their obligations related to the designation of a DPO under the GDPR. By outsourcing privacy tasks and duties to Black Cell, our customers get access to expert advice and guidance that helps them address the compliance demands of GDPR while staying focused on their core business activities. Black Cell’s outsourced Data Protection Officer services include:
- Informing and advising the customer and the employees who carry out processing of their obligations pursuant to GDPR and to other Union or Member State data protection provisions.
- Monitoring compliance with GDPR, with other Union or Member State data protection provisions and with the policies of the customer in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits.
- Providing advice where requested regarding the data protection impact assessment and monitoring its performance pursuant to Article 35 of GDPR.
- Cooperating with the supervisory authority.
- Acting as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36 of GDPR, and consulting, where appropriate, on any other matter.
Information Security Officer
Organizations under the scope of Act L of 2013 may not be in a position to find, recruit and hire a full-time Information Security Officer (ISO), yet the legislation makes the appointment of an ISO mandatory. An outsourced Information Security Officer is a practical and cost-effective solution for organizations to appoint an ISO with the appropriate qualifications (i.e. Electronic Information Security Manager). Black Cell’s outsourced Information Security Officer services include:
- Ensuring that activities related to the security of the organisation’s electronic information systems comply with the appropriate legislation.
- Preparing the IT security regulations for the organization’s electronic information systems.
- Preparing the security classification of the organisation’s electronic information systems and the classification of the organization’s security level.
- Providing advice on the organization’s regulations and contracts in the field of cybersecurity with regard to the security of electronic information systems.
- Acting as the contact point for the supervisory authority and the national CERT.
Training and Awareness
A majority of cybersecurity incidents are caused by human error. Enterprises lose millions recovering from staff-related incidents – but the effectiveness of traditional training programs intended to prevent these problems is limited, and they generally fail to inspire and motivate the desired behaviour. Black Cell’s security awareness training leverages real-life examples and skills that can be put to immediate use. Thematic security awareness trainings focus on privacy in the age of GDPR, as well as information security based on the specific requirements the organization needs to comply with.