VietnamCredit faced many challenges related to security policies, making it difficult to work with end customers. CyStack, along with the Security Policy Development solution, has helped VietnamCredit overcome obstacles and gain customer trust.
Our client
In today's fiercely competitive business landscape, financial statement analysis has become a vital process. Numbers provide businesses with insights into their performance, profits, and solvency, offering a clearer picture of their financial health. Key financial metrics like profit margin, financial leverage, and profitability aid in decision-making, risk identification, and guiding strategic investments and developments. Furthermore, analyzing financial reports helps attract investor attention, ensures regulatory compliance, and underscores business transparency and integrity.
Our valued customer, VietnamCredit, stands out as a premier provider of credit report analysis, covering diverse industries with a database of over 1,740,000 active SMEs in Vietnam. However, privacy policy is a major issue for VietnamCredit, given its extensive clientele with stringent requirements.
While working with its end customer, VietnamCredit had not been able to establish a reliable security assessment process. Although it tried to complete the 21 required security control items (including proof by process: policy documents, reports, forms, and photos of available evidence), VietnamCredit still had difficulty resolving outstanding details in 17 major items that had not been handled to the IT auditors' satisfaction.
Solution
To support VietnamCredit in overcoming this situation, CyStack proposed its Security Policy Development solution: reviewing the available documents and evidence, and supplementing the remaining unresolved items in VietnamCredit's evidentiary documents.
Deployment time: Around 2 weeks.
Some common security policies that CyStack can deliver include:
- Information Security Policy: Outlines the company’s commitment to protecting sensitive and confidential information. It includes guidelines for data classification, access controls, encryption, and data handling procedures.
- Data Protection Policy: Focuses on the protection of sensitive and confidential data, including data classification, encryption, and data handling procedures.
- Data Privacy Policy: Addresses the privacy of customers’ and employees’ personal information and outlines data protection and privacy practices. It often addresses compliance with data protection regulations such as GDPR, HIPAA, or CCPA.
- Acceptable Use Policy (AUP): Outlines acceptable and unacceptable use of IT resources, including computers, networks, and internet access.
- Physical Security Policy: Outlines measures to protect physical access to facilities, including access controls, surveillance, and visitor management.
- Physical Asset Management Policy: Addresses the tracking and management of physical assets, including hardware and equipment, to prevent theft and unauthorized access.
- Mobile Device Management (MDM) Policy: Governs the security of mobile devices used for work, including mobile app usage and remote wipe capabilities.
- Bring Your Own Device (BYOD) Policy: Addresses the secure use of personal devices for work purposes, outlining security requirements and responsibilities.
- Information Classification Policy: Categorizes data based on sensitivity and criticality and determines how different types of data should be handled.
- Access Control Policy: Defines rules for granting, revoking, and monitoring access to information systems and resources. It includes password policies, user account management, and rules for granting and revoking access privileges.
- Password Policy: Establishes rules for creating, managing, and storing passwords to prevent unauthorized access.
- Email and Communication Policy: Sets guidelines for secure email and communication practices to prevent phishing, data leaks, and malware.
- Social Media and Internet Usage Policy: Defines appropriate use of social media and internet resources to minimize security risks.
- Network Security Policy: Specifies network security measures, including firewall configurations and rules, VPN usage, network segmentation, and intrusion detection.
- Remote Work and Telecommuting Policy: Covers secure practices for employees working remotely and accessing company resources from offsite locations.
- Audit Policy: Defines how an organization will conduct auditing and logging of activities within its IT systems and networks. Key components of an audit policy may include user and administrator accountability, audit categories, audit trails, and monitoring.
- Change Management Policy: Governs the process of making changes to IT systems, ensuring changes are made with minimal disruption and security in mind.
- Software Development and Secure Coding Policy: Specifies secure coding practices for software development to prevent vulnerabilities and exploits.
- Software and Patch Management Policy: Defines how software is acquired, updated, and patched to address vulnerabilities and ensure the security of applications and systems. This also includes rules against unauthorized software installations.
- Data Encryption Policy: Defines when and how data should be encrypted to protect it from unauthorized access.
- Data Retention and Destruction Policy: Covers how long data should be retained and the secure disposal of data at the end of its life cycle.
- Backup Policy: Covers data backup procedures and offsite storage to ensure business continuity in the event of data loss.
- Incident Response Policy: Provides procedures for identifying, reporting, and responding to security incidents, breaches, cyberattacks, and emergencies. It includes roles and responsibilities, communication plans, and escalation procedures.
- Business Continuity and Disaster Recovery Policy: Outlines the organization’s strategy for maintaining essential operations during disruptions and disasters.
- Cloud Security Policy: Addresses security controls, data protection, compliance, and other responsibilities for cloud-based infrastructure and data, if the company uses cloud services.
- Vendor and Third-Party Security Policy: Specifies security requirements for third-party vendors, contractors, and partners who have access to an organization’s systems and data.
- Vendor Security Assessment Policy: Details the assessment process for evaluating third-party vendor security practices and products.
- Regulatory Compliance Policy: Ensures adherence to relevant laws, specific industry regulations and compliance requirements, such as GDPR, HIPAA, or Sarbanes-Oxley (SOX).
- Employee Training and Awareness Policy: Establishes the need for security training and awareness programs to educate employees about security best practices and policies.
When conducting security policy development, CyStack follows various industry standards and best practices to build up the security policy framework and corresponding policies. Specific standards and regulations that these security policies comply with may depend on the needs and requirements of CyStack’s clients, as well as the industry or regulatory environment in which they operate. Some common industry standards that may be referred to include:
- ISO/IEC 27001: An international standard for information security management systems (ISMS), providing a framework for establishing, implementing, maintaining, and continually improving information security.
- ISO/IEC 27002: Provides guidelines and best practices for implementing security controls, complementing ISO/IEC 27001.
- Payment Card Industry Data Security Standard (PCI DSS): Mandatory for businesses that handle credit card data, PCI DSS outlines security requirements for cardholder data protection.
- NIST Cybersecurity Framework: Developed by the U.S. National Institute of Standards and Technology (NIST), this framework offers guidelines and best practices for managing and reducing cybersecurity risk.
- NIST’s Special Publication (SP) 800 series: Developed by NIST, these documents provide guidelines, best practices, and recommendations for various aspects of information security, cybersecurity, and information technology management. Some of the most commonly referenced publications within the series include NIST SP 800-53 “Security and Privacy Controls for Information Systems and Organizations”, NIST SP 800-30 “Guide for Conducting Risk Assessments”, NIST SP 800-61 “Computer Security Incident Handling Guide”, and NIST SP 800-115 “Technical Guide to Information Security Testing and Assessment”.
- Center for Internet Security (CIS) Critical Security Controls: A set of prioritized actions for enhancing cybersecurity, helping organizations address fundamental security issues.
- Control Objectives for Information and Related Technologies (COBIT): A framework for governance and management of enterprise IT, ensuring alignment with business goals and compliance requirements.
- CSA Cloud Controls Matrix (CCM): A framework that provides a detailed, industry-accepted standard for security controls and benchmarks to assess the security and compliance posture of cloud service providers. It aligns with various global regulations, standards, and frameworks.
Besides industry standards, we also take into consideration the regulations the company must comply with, and align the service with the organization's specific goals and objectives. Some common regulations that may apply to specific customers include:
- Cybersecurity Law No. 24/2018/QH14 of Vietnam dated June 12, 2018 (Vietnam Cybersecurity Law): Provides for the protection of national security and public order in cyberspace, and the responsibilities of relevant organizations and individuals.
- Decree No. 13/2023/ND-CP on Personal Data Protection of Vietnam dated April 17, 2023 (Decree 13): Provides for personal data protection and responsibilities of relevant agencies, organizations and individuals for the protection of personal data. The Decree applies to Vietnamese and foreign agencies, organizations, and individuals, who directly process or are involved in processing personal data in Vietnam.
- General Data Protection Regulation (GDPR): Applicable to companies that process the personal data of European Union (EU) citizens, GDPR sets strict data protection and privacy standards.
- California Consumer Privacy Act (CCPA): Enforces data protection and privacy rights for California residents, impacting organizations that collect and process their data.
- California Privacy Rights Act (CPRA): Expands on CCPA, introducing additional privacy rights and protections for California residents.
- Health Insurance Portability and Accountability Act (HIPAA): Mandated for healthcare organizations in the United States, HIPAA focuses on safeguarding the privacy and security of patient health information.
- Sarbanes-Oxley Act (SOX): Enforced for public companies in the United States, SOX establishes financial reporting and internal control requirements to prevent fraud and protect shareholders.
- Gramm-Leach-Bliley Act (GLBA): Requires financial institutions to protect consumer financial information and privacy.
- Federal Information Security Management Act (FISMA): Governs information security practices within the U.S. federal government and its contractors.
- Digital Millennium Copyright Act (DMCA): A United States copyright law that addresses various issues related to digital content, copyright protection, and online service providers.
Our workflow
With years of experience and a deep understanding of security standards and laws as well as the latest threats in the industry, the CyStack team of experts restructured VietnamCredit's existing security policy with the following procedures:
Step 1: Initiation and Planning
- Received and discussed the issues of VietnamCredit to clearly understand the needs and mandatory requirements to determine goals, allocate resources and plan the project appropriately.
- Agreed on a common channel for exchanging information (via Telegram and email).
Step 2: Risk Assessment
- Received documents from VietnamCredit, including detailed evaluation results and additional requests from the auditor, and the collection of documents and evidence that had been assessed as unsatisfactory, of poor quality, or missing.
- Analyzed threats, impact levels, statistics and prioritized identified risks.
Step 3: Framework Design
- Defined the scope and structure of the policy, referencing current laws and regulations.
- Researched and compared with the documents received from VietnamCredit.
Step 4: Policy Development
After researching and comparing, CyStack made appropriate corrections and additions, including specifying the personnel responsible for implementation and compliance monitoring. The instructions and procedures within each policy were presented clearly and understandably.
Step 5: Policy Review
Ensured that policies were internally consistent, unambiguous, and aligned with the business's stated goals. If necessary, policies can be further evaluated by the client's legal department.
Step 6: Policy Implementation
- Resent the revised documents so that VietnamCredit could continue working with the IT auditor.
- Provided guidance on drafting the existing application forms, revising policy documents, and advising on methods of proof.
Step 7: Ongoing support
- Continued to discuss and supplement the documents if the IT auditor did not accept the results from the above stage.
- The revision and supplementation process ended when VietnamCredit was confirmed by IT auditors to have fully met the requirements for the standard security framework.
- Handed over all documents to VietnamCredit.
*Steps 4 and 5 will be repeated until all requirements are met.
Result
Over the course of September, we adjusted multiple documents after consultation. Categories that were evaluated and consulted on include:
- Governance
- Risk Management
- Personnel Security
- Information Asset Management
- Identity and Access Management
- Cryptography
- Remote Access Connection
- Cloud Security
- Change Management
- Endpoint Security
- Network Security
- Vulnerability Management
- Protective Monitoring
- Physical Security
- Business Continuity and Disaster Recovery
- Third-party Risk Management
CyStack nonetheless completed the project on schedule while ensuring output quality. Moreover, the positive approval from VietnamCredit's end customers is an important step in the journey of helping businesses build a security foundation.