Intelligent Data Services
The governance, risk, and compliance (GRC) framework helps an organization to align its Information Technology with its business objectives while managing risk & regulatory compliance requirements.

Governance
Governance is the selection of the right framework of rules, relationships, systems and processes, including mechanisms to hold an organization's people to account. We help design a contemporary and effective governance framework and implement GRC technologies that support you in staying on course as you pursue your purpose and goals.

Risk Management
We enable an organization to evaluate all relevant business and regulatory risks and controls and to monitor mitigation actions in a structured manner. We advise across the spectrum of risk management, offering managed services and consulting as well as risk culture and business continuity assessments.

Compliance
To create an effective compliance program, organizations need to understand what areas pose the greatest risk and focus resources on those areas. Then, policies should be developed, implemented, and communicated to employees in order to address those areas of risk.

Concave FORT & GRC
Concave FORT's governance, risk and compliance (GRC) services enable clients to address the broad issues of corporate governance, enterprise risk management and effective corporate compliance, and offer specialized consultancy in key areas such as information technology.
We help organizations identify, remediate, monitor, exploit and manage enterprise risks.
We also apply frameworks covering people, processes and technology to improve GRC effectiveness and help manage costs.
Our Cyber Plan

NIST CSF
This voluntary framework consists of standards, guidelines and best practices for managing cybersecurity risk. Working from a structured, prioritized framework saves cost and time compared with security measures improvised in response to whatever crisis is current.

OWASP
OWASP is a free and open security community that provides a wealth of knowledge and tools to help anyone involved in the design, development, testing, deployment and support of a web application ensure that security is built in from the start and that the end product is as secure as possible.

ISO 27001
ISO/IEC 27001 is the international standard for an information security management system (ISMS): a combination of policies and processes for organizations to use. It provides a framework to help organizations of any size or industry protect their information in a systematic and cost-effective way.

CREST
CREST is an international accreditation body for penetration testing and related technical security services. Its penetration testing guidance brings together established methodologies and approaches, with controls and a roadmap for the engagement, and includes follow-up practice and a maturity model for checking the overall maturity of an organization's penetration testing programme, building trust and satisfaction.

CMMC
The primary goal of CMMC is to improve and ensure the safeguarding of sensitive data, including Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), handled by U.S. Department of Defense contractors.

PCI DSS
The PCI DSS contains technical and operational requirements that protect payment card data during processing, handling, storage and transmission. Every business that handles payment card data, regardless of size or processing method, must meet these requirements and maintain PCI DSS compliance.
NIST CSF - Cybersecurity Framework

Identify
Develop the organizational understanding needed to manage cybersecurity risk to systems, assets, data, and capabilities. What we do:
- Asset Management
- Business Environment
- Governance
- Risk Assessment
- Risk Management Strategy
- Supply Chain Risk Management

Protect
Develop and implement the safeguards needed to ensure delivery of critical services. What we do:
- Identity Management & Access Control
- Awareness & Training
- Data Security
- Information Protection Processes & Procedures
- Maintenance
- Protective Technology

Detect
Develop and implement the activities needed to identify the occurrence of a cybersecurity event. What we do:
- Anomalies & Events
- Security Continuous Monitoring
- Detection Processes

Respond
Take action regarding a detected cybersecurity incident. What we do:
- Response Planning
- Communications
- Analysis
- Mitigation
- Improvements

Recover
Maintain plans for resilience and restore any capabilities or services impaired by a cybersecurity incident, so that services are maintained and restored. What we do:
- Recovery Planning
- Improvements
- Communications
OWASP SAMM
OWASP SAMM v2 (Software Assurance Maturity Model) is an effective and measurable way for all types of organizations to analyze and improve their software security posture.

ISO 27001 Control Domains
- Information Security Policies
- Organization of Information Security
- Human Resource Security
- Asset Management
- Access Control
- Cryptography
- Physical and Environmental Security
- Operations Security
- Communications Security
- System Acquisition, Development and Maintenance
- Supplier Relationships
- Information Security Incident Management
- Information Security Aspects of Business Continuity Management
- Compliance
CMMC Domains
- Access Control
- Asset Management
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Physical Protection
- Personnel Security
- Recovery
- Risk Assessment
- Security Assessment
- Situational Awareness
- System and Communications Protection
- System and Information Integrity
PCI DSS
Goals of PCI DSS
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
Our Implementation
Governance
- Centralize all policy documentation in a repository
- Role-based access control to documentation
- Support for policy change management through check-in, check-out, review workflow and notification
- Balanced scorecards
- Risk scorecards
- Operational dashboards
- Policy compliance options
- Certifications
Risk Management & Assessment
- Risk scope
  - Identify assets and processes included in an assessment
  - Select controls included in the scope
- Risk assessment
  - Automate risk assessment workflow
  - Capture near misses and other events
  - Ensure completeness of data collected
  - Tabulate assessments
- Risk calculation and prioritization
  - Calculate and aggregate risk
  - Risk heat maps for visual representation
- Risk remediation
  - Root cause analysis
  - Remediation workflow
- Reporting and disclosure
  - Status, dashboards, scorecards
Compliance
- Scope
  - Control hierarchy: processes/risks/controls
  - Assets
- Testing
  - Test effectiveness of controls (manual and automatic)
  - Multiple scheduling techniques
  - Reporting of results, including highlighting issues
- Remediation
  - Issue prioritization
  - Root cause analysis
  - Remediation workflow
- Reporting
  - Status, scorecards, dashboards
  - Alerts
- Ability to support multiple regulations: corporate initiatives as well as operational compliance initiatives
- Integrated document management capability