Depending on your specific requirements, we can provide services in multiple areas.
Given that many organisations' cyber security programmes have a dependence on policies, procedures and process documents not only being in place but being adhered to, it is vital that all documentation is both fit for purpose and relevant to the organisation (as opposed to downloaded templates with little if any tailoring to the organisation).
We can carry out a full documentation audit and review to ensure that the documents both exist and are updated.
An essential element of any security programme is to have a formal risk management process in place, to ensure that all relevant assets and potential vulnerabilities/threats are both identified and documented, together with the risk (likelihood) that the threat will exploit an identified vulnerability. Once these initial steps have been completed, an organisation can determine the best way to protect its assets through the implementation of technical, physical or administrative controls.
We can provide an end-to-end risk management service by working closely with you to ensure that risks are not only identified but also mitigated as much as possible, given any limitations imposed on the business.
The Security Standards & Frameworks pages highlight the multiple industry benchmarks and schemes with which an organisation can comply and against which it can be audited. Tailored advice for gaining both Cyber Essentials/Plus and ISO-27001 certification can be provided, and we can certify you to Cyber Essentials and IASME Governance/GDPR readiness.
If you are an SME or a charity, it is more than likely that you will not have the in-house knowledge, skills and experience to provide the required levels of cyber security support to your organisation. We will soon be launching a virtual cyber security manager (vCySM™) service which is expected to comprise:
Planning and implementation of cyber security strategy to align/support your organisation's objectives
Ongoing independent advice to address ongoing security issues and legislation compliance requirements
Provision of regular updates and/or presentations to senior management on cyber security issues
Provision of ongoing review of policies/procedures in use
Review and implementation of controls to ensure ongoing security for an organisation's information assets and continued compliance with industry standards and best-practice
Planning and delivery of cyber security education training
Co-ordination of external security testing activities as required
We can implement a full cyber hygiene health-check audit to review your technical systems, your administrative processes and your users' levels of awareness. We can then work with you to implement any subsequent recommendations to ensure your organisation is secure.
As part of the technical review, a full vulnerability assessment of your infrastructure can be carried out using industry standard tools. Following review of the assessment results, we can provide advice to ensure successful remediation and subsequent re-assessment.
Further to any cyber security assessment, we can offer full life-cycle implementation services to manage planning and implementation of cyber security elements to support day-to-day operations of the organisation. These may range, for example, from implementation of network access control or managed anti-virus to a security incident & event management (SIEM) solution.
For organisations restrained by budget but still wishing to adopt good-practice in the area of cyber security, we can, following an initial assessment, implement measures which can mitigate/manage the identified security risks to the organisation.
Many organisations pay lip service when it comes to security education for their employees. They concentrate on implementation of solutions to mitigate technical risks, and do not fully understand the risks from their own employees. In many cases, organisations rely solely on an annual 'point and click' awareness multimedia presentation, which, while it may include some measure of assessment, rarely ensures that the subject gains sufficient knowledge and skills in the area, to result in both significant retention and application of the information.
We will work with you to review your current training programme and provide recommendations where appropriate to ensure that learning activities are not limited to an annual event, but are part of an ongoing education process which will provide knowledge and skills. If no training material is currently used, we can put together tailored material for your organisation.
Where required, as discussed above in terms of the vCySM™ services available, we can also provide delivery for any required training programme.
Given the plethora of information on the internet, it should be remembered that much of it is freely available to anyone with a browser, some specialist tools and some time. This information is known as open-source intelligence (OSINT); sources can include organisational websites, promotional material and job sites, to name a few.
Using industry standard tools, we can provide a service to both organisations and individuals through which OSINT can be acquired, analysed and reported upon. When combined with social-media intelligence (SOCMINT), which includes Facebook, Twitter, LinkedIn etc., a detailed footprint of any corporate or personal information freely available on the internet can be supplied.
Due to the widespread risk for an organisation's employees to be exploited by malicious parties, whether by voice, email or in person, we offer social engineering assessment services, by which at-risk individuals (such as system administrators, PAs/EAs, support desk teams, CxOs) or organisations as a whole can be 'targeted'.
Further information regarding services in this area can be found on the humanredteam website.