Governance, Risk & Compliance Consultancy
It is often hard to know where to start when faced with reviewing your organisation’s security risk exposure. The range of approaches can seem bewildering.
Using an independent consultant to help you plan and execute an appropriate approach to managing the risks to your organisation's objectives brings cost-effective objectivity to the process.
Each organisation has its own unique circumstances, but IPSec's experience in listening to clients and tailoring solutions to their specific requirements offers a pragmatic pathway from where you are now to where you need to be.
In today’s operating environment an increasing number of organisations are facing a need to address compliance requirements, whether imposed by private or public sector entities or by government legislation or regulation.
Our Consulting Team Can Help You
design, create, develop, write, review, align, analyse, advise, guide, validate, verify and assist.
IPSec GRC Consult services include:
-
Identifying, assessing and managing security, privacy & cyber threats and risk in a dynamic technology space is difficult if you don’t have the relevant expertise and resourcing within your workforce.
We use our decades of experience and knowledge to assist you in identifying and managing your security & privacy threats and risks:
If you don’t already have security risk management established within your organisation, we can take you through the steps needed, supply you with the required documentation and train your team.
If you have established security risk management and want a status check, we can help you!
-
In the ever-changing and complex security, cyber security and privacy regulatory environment, Boards and senior executives have compliance obligations to know how their information assets are protected by security controls and to what degree those controls are established, implemented, managed, maintained, continually monitored and improved.
The ISMA assesses security controls across eight broad categories: Context and Leadership; Organisational Culture; Evaluation and Direction; Compliance, Audit & Review; Security Prevention; Security Detection; Security Incident Response & Recovery; and Measurement, encompassing a total of 199 security controls.
ISMA level 1 consists of a verbal assessment conducted through interviews with selected employees, with the results providing an overview of your organisation’s security framework and how it is managing its compliance obligations.
ISMA level 2 seeks documentary and electronic evidence to substantiate the results of ISMA level 1.
-
Cyber security incidents and privacy breaches reported in the media are becoming a common occurrence. At the same time, the repercussions of such incidents and breaches, e.g., reputational damage, loss of clients, cost to investigate, business impact from systems and data being unavailable, cost to recover or rebuild systems and restore data (where possible) and regulatory penalties, can be crippling.
To help, we can review your existing information security incident response and management policy and cyber security incident response plan, including how privacy breach handling has been built into them. We can also determine the workability of your:
Roles and responsibilities.
Cyber security incident response phases.
Cyber playbooks.
Business continuity and disaster recovery plans.
Information security and privacy incident reporting to internal / external stakeholders including clients and regulatory bodies etc.
Desktop training requirements of the cyber security incident response team (CSIRT).
If you don’t have the required documentation, e.g., policy, standard and plans, we can help you!
-
If your organisation is an Australian Government department, agency or body, has a Deed of Agreement with one, or has chosen to uplift its security controls to the level expected of an IRAP assessment in preparation for one, we have you covered! In addition, we can take you through your APRA, ASIC and ACNC cyber security obligations and help you along the path to compliance.
If you decide the Essential Eight is the best approach for your technical security controls, we can help you through the planning process. We know the pitfalls that can consume your resources if Essential Eight establishment and implementation is not approached carefully and with the involvement of internal and external stakeholders.
We can also help you with the documentation requirements which support the technical security controls and would normally be requested by auditors.
-
If you are a Victorian Government department, agency or entity, and/or have a mandatory obligation under the Privacy and Data Protection Act 2014 (Vic) to comply with the Office of the Victorian Information Commissioner’s (OVIC) Victorian Protective Data Security Framework (VPDSF) and Victorian Protective Data Security Standards (VPDSS), we have you covered!
Our specialty is the validation of Protective Data Security Plans against your documentary evidence, and the identification, assessment and management of information security threats and risks. The validation process assesses compliance and can be seen as a gap analysis against the VPDSS Elements, together with a general review of the information within the documentation provided. We document our findings in a formal report and outline any discrepancies, anomalies and general observations regarding cross-referencing, readability and the like.
To assist those clients who do not have all of the necessary VPDSS documents, we have developed a suite of VPDSS policies and standards which are designed to save you time and not stretch your resources any further.
-
The creation of security policies can be a difficult undertaking for the uninitiated and is not generally suited to highly technically focused individuals. Our core premise for security policies is that they should be written at a level the least technical member of the expected audience can understand, so that everyone can comply with the policy directives.
To help, we have created a suite of security policies and standards which contain a hybrid mix of security controls based on the Information Security Manual (ISM) and ISO/IEC 27001 / 27002 as well as security industry best practices across the following subject areas:
Information security management
Information & technology asset management
Classification & handling
Information security threat & risk management
Third party security governance
Network security management
Vulnerability management
ICT change management
Event logging & continual monitoring
Security incident response & management
Business continuity & disaster recovery
Security awareness & training
Identity & access management
Standard operating environments (SOE)
Information & data records management
Email management
Mobile device management
Systems & software development
Physical security
Personnel security
Endpoint device management
If you are not sure if your current policies pass muster, we are more than happy to review them and give you our feedback regarding their readability.
-
Many cyber security incidents and privacy breaches have occurred through an organisation’s third party provider and/or managed service provider. Procurement and contract management requirements must therefore be changed to incorporate fundamental security threat and risk management techniques that identify and manage those risks throughout the third party lifecycle phases:
Due Diligence and Selection
Third Party Security Profile
Security Risk Management
Contractual Agreement
Onboarding Onsite or Offsite
Contract Monitoring and Review
Contract Termination and Asset Disposal
We can help you navigate the pitfalls throughout the third party lifecycle phases so that you are in a position to manage the security risk of each of your third party relationships.
If you don’t have a third party security governance policy and standard, we can help you out.
Contact us to arrange a free initial consultation so that we can better understand your requirements.