0 comments 7.154 views

For your convenience we have outlined some of our services below (click on any of these links listedbelow to get more info):


Is the CyTRAP Guide different?

Ever since it was started, the information security and compliance guide for SME’s in the finance industry edited by Urs E. Gattiker and Nahum Goldmann has established its reputation and public profile as ‘The CyTRAP Guide’.

To ensure “the worst case scenario”, we have mainly covered here the requirements for small Financial Institutions (FIs) as a subset of SMEs that is typically heavily regulated and which provides the most attractive target for various villains (“as that’s where the money are”). But of course this Action Guide is applicable to all small and medium size organizations, whether industrial, government or voluntary.

The official trademark is The CyTRAP Labs Guide®

By what criteria does the CyTRAP Guide include regulations and standards

The metrics are mainly based on a dozen of the top security guides and handbooks published by the world leading standard and regulatory bodies.

The Guide is a selection of regulations and standards in each category of threat and risk management. Guides are chosen above all on the quality of their content, nonetheless, how useful they are for an SME and their practicality from financial and human resource aspects (what skill is needed to do it right) are carefully noted too.

The stars regarding criticality only reflect the importance attached to a particular issue. In general we have included four star and five star issues in this guide only. Reason being manifold. However, to achieve greater returns while assuring legal compliance and better risk management requires focusing on the most critical issues first.

The Guide is a selection of important practices and metrics, not a critical review.

How does the guide address national and international regulation that might be important?

Management, auditors, IT security engineers and system administrators must first consider local regulations about information security, data privacy, risk management and so on and then any international or global regulation the enterprise is adopting.

If the enterprise is international, it must consider that local regulation takes precedent over corporate regulation. Nonetheless, the company may have to comply with both (e.g., the Sarbanes-Oxley Act for US companies). Nonetheless, increasingly compliance work, such as Sarbanes-Oxley 404, is IT-related. For example, some estimates put the IT-related work for compliance regarding Article 404 in SOX as high as 50-75 percent.

Being pro-active and becoming compliant according to planed change can pay off handsomely as well, whereby certain legislation such as the California Security Breach Information Act (SB-1386) (July 2003) may trigger a whole wave of regulatory change across a continent and beyond. For instance, SB-1386 was the first law addressing data security breach regulation and encouraged most U.S. states to introduce similar legislation. Moreover, the Province of Ontario is considering legislative changes in this area.

The UK’s Financial Services Authority (2007-02-14) fined Nationwide Building Society for an inadequate internal control system that had not resulted in customer data being encrypted. This happened without specific UK legislation being used by the regulator to justify its decision. The agency felt that the accused had simply failed to protect data against data security breach according to best practice.

The above indicates that it is far more effective to plan for compliance and implement the necessary safeguards in a carefully engineered process than trying to respond the night before or else extinguishing fires frequency. The Guide provides an easy to understand guide for SMEs that would allow them to intelligently navigate the ocean of defensive security measures.

What role do readers’ letters or e-mails play in the CyTRAP Guide ?

We receive numerous suggestions and ideas of e-mails, with an average of two suggestions and comments per e-mail. We make a point of replying to all correspondence we receive. All the information is carefully noted and recorded, according to well-defined criteria. As a result, we are able to track the development of different guidelines, standards and regulatory changes.

Sometimes an e-mail alerts us to recent developments in a particular country that may require further investigation.


Who are the inspectors? What sort of training or qualification do they have?

The inspectors are our employees who know that one has to ask about many things before one will be able to reach a conclusion when it comes to information security and compliance.

They act in the interests of the Guide’s readers. They have mostly worked in the financial industry as certified public accountants, security engineers, system administrators and risk officers and thus already have a considerable professional status when they join us. They are enthusiastic, inquisitive and open-minded, unfazed by different situations. They are genuinely passionate about information technology and have a real expert knowledge of their subject.

They do not see themselves as consultants, dispensing advice or telling people how to run their business.

Does the CyTRAP Guide have an ethical code of practice?

We do not currently have an ethical charter but we respect the following principles:

– We remain entirely independent of the profession in order to safeguard our complete impartiality,

– We uphold the independence and free expression of experts of all the guides and regulation as well as checklists we assess, and to guard against the imposition of any single style which would hinder a better management of risk

– more

Doesn’t the guide force enterprise’s to possibly over-invest ?

We have never told a manager or SME owner how to run their business. Don’t forget our information helps the enterprise to better protect its information assets while achieving legal compliance and that alone. As for the effectiveness of the security policy put in practice in an organiyation, there are two important points to bear in mind:

1. It is the owner of the business who makes decisions about the operation and processes in the firm, based on what he or she thinks the customers expect and appreciate;

2. The business owner or manager, naturally wants a level of information security which best enables clients to do business with the enterprise giving the firm a strategic advantage.

In the past, it has often been the case that after having used the Guide, firms have invested heavily to improve their risk posture, security metrics and legal compliance.

Is there a fixed quota of 5-star rankings to be given out?

Absolutely not! All the guide can do is present what we believe is critical to protect information while meeting regulatory standards and following best practice. If we were to find security guides or laws that help address critical issues security the enterprise’s security posture, naturally we would put them in the guide. The absence of a fixed quota cuts both ways, however…

Why do you never explain your decisions?

The idea is to recommend approaches and measures that address particular security, risk and compliance issues, not to act as consultants or critics for the industry.

CyTRAP does not comment on its classification of a threat or vulnerability what some people misinterpret as a lack of openness is really a true mark of respect for the profession.

Everyone knows his own business best, and our job is not to be the official critics of the industry.

How does the CyTRAP Guide see itself?

The CyTRAP Guide has remained true to its vocation from the beginning. It is designed to make the complexity of compliance, information security and risk management regarding IT-related issues less complex and to allow people to have confidence and trust in their IT operations.

It recommends standards, laws and checklists in the most important areas of technology-mediated communication (e.g., smartphone, database, notebook and telecommuting) for everyone. The guide’s reason for existence rests on the selection and classification of standards, which is totally independent and covers as wide a range as possible. The CyTRAP Guide lets everyone choose the kind of security tools, procedures or standards and best practice approaches they need, wherever they need it, at the right price.

Which issues are currently covered by the CyTRAP Guide?

Currently we cover:

– Rated Compliance and Comparative Metrics Action

Get also more information here:

CyTRAP Labs guide

compliance the practical way