Cyber Security
Hackers, Bad Actors, Rogue and Disgruntled Employees, all out to find and exploit your Assets’ Vulnerabilities using the latest Attack Vectors, like Phishing, Smishing, Brute Force and SQL Injection attacks to corrupt or Steal your Data, plant Trojans, Worms, Malware and Ransomware to make your data, files and systems useless to you and ultimately incurring considerable cost.
Sounds not only like a horror story, but a complex landscape to navigate through, right? Well, rest assured we are here to help and have the expertise on hand to do so effectively and efficiently.
Cyber Security Services
Complimenting our Information Security services which look at processes, people and management systems, our Cyber Security services are primarily focused on technology and systems, albeit including where people interact with these as vulnerable points. We have a range of expertise that we can call upon for your specific needs, no matter what technologies you use.
We are proud to be an Approved Consultant for Cyber Essentials.
This means of course that should you want to seek certification to Cyber Essentials, we have proven ourselves capable of helping you to do so.
Our approach is simple and we can assure you of certification at the end of the processes. And as we do not sell ICT products or software, so we will ensure your compliance is delivered without the up-selling of such things during the project. Only what you need, from where you normally buy it from.
Ethical Hacking is a commonly used term used to describe the process of finding and exploiting vulnerabilities and weaknesses in your processes and systems, done with the permission of the owner, to test and/or validate the current maturity and effectiveness of information security measures in place. The results of these activities are used to determine improvements and additional controls to mitigate the risk of a cyber attack.
Vulnerability Scanning will identify potential vulnerabilities in network devices such as firewalls, routers, switches, servers and applications.
Vulnerability Scanning scope is business-wide and requires automated tools to manage a high number of assets. Expert knowledge is needed to effectively interpret the vulnerability scan results and instigate actions to mitigate the identified risks.
Penetration Testing is narrower in scope and always has a hands on human factor. There are no automated penetration testing solutions on the market, however some are known to incorrectly refer to vulnerability assessments as penetration tests.
Our competent Pen Testers use a lot of tools and at some point during their testing will craft a script, change parameters of an attack or tweak settings of the tools he or she may be using. They may utilise social engineering attacks (Phishing, etc) combined with on the ground interactions to complete their work.
There are many variations to consider, but in all cases the Pen Tester is actively working to exploit vulnerabilities to gain access to systems and information.
People are often the weakest link in the chain. We can help raise awareness as well as test the vulnerabilities associated with the human resources in your operations.
Using tools like simulated Phishing, (including spear phishing, vishing and smishing), Pretexting, Baiting, Quid Pro Quo and Tailgaiting, we can risk assess and test your physical, orgnisational and personel risks within your systems
Cyber Security has a plethora of standards and frameworks to use to ensure you are working to best practice in your efforts to ensure security. Many of these allow you to seek certification to the standards which will help assure your customers and other stakeholders.
Security Standards and Frameworks
Cyber Essentials (CE) is a cyber security certification scheme that offers a sound foundation of basic IT security controls that all types of organisation’s can implement and potentially build upon. Implementing these controls can significantly reduce an organisations vulnerability. The scheme specifies five key areas of IT security control that can help to prevent around 80% of known cyber-attacks. Cyber Essentials is for organisations of all sizes and in all sectors. The Cyber Essentials scheme provides businesses large and small with clarity on good basic cyber security practice.
ISO/IEC 27002:2013 gives guidelines for organisational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organisation’s information security risk environment(s).
ISO/IEC 27018:2019 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in line with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.
In particular, this document specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which can be applicable within the context of the information security risk environment(s) of a provider of public cloud services.
This document is applicable to all types and sizes of organisations, including public and private companies, government entities and not-for-profit organisations, which provide information processing services as PII processors via cloud computing under contract to other organisations.
The guidelines in this document can also be relevant to organisations acting as PII controllers. However, PII controllers can be subject to additional PII protection legislation, regulations and obligations, not applying to PII processors. This document is not intended to cover such additional obligations.
ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services by providing:
– additional implementation guidance for relevant controls specified in ISO/IEC 27002;
– additional controls with implementation guidance that specifically relate to cloud services.
This standard provides controls and implementation guidance for both cloud service providers and cloud service customers.
The US National Institute of Standards and Technology (NIST) has developed and made available a robust cybersecurity framework.
The framework is voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.
COBIT stands for Control Objectives for Information and Related Technology. It is a framework created by the ISACA (Information Systems Audit and Control Association) for IT governance and management.
The framework defines a set of generic processes for the management of IT, with each process defined together with process inputs and outputs, key process-activities, process objectives, performance measures and an elementary maturity model.
The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The CSA CCM provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains. The foundations of the Cloud Security Alliance Controls Matrix rest on its customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as the ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho Forum and NERC CIP and will augment or provide internal control direction for service organization control reports attestations provided by cloud providers.
Maintaining payment security is required for all entities that store, process or transmit cardholder data. Guidance for maintaining payment security is provided in PCI security standards. These set the technical and operational requirements for organizations accepting or processing payment transactions, and for software developers and manufacturers of applications and devices used in those transactions.
Internal control reports on the services provided by a service organization providing valuable information that users need to assess and address the risks associated with an outsourced service
SOC 1®— SOC for Service Organizations: ICFR
SOC 2®— SOC for Service Organizations: Trust Services Criteria
SOC 3® —SOC for Service Organizations: Trust Services Criteria for General Use Report
A reporting framework through which organizations can communicate relevant useful information about the effectiveness of their cybersecurity risk management program and CPAs can report on such information to meet the cybersecurity information needs of a broad range of stakeholders.
The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for sensitive patient data protection. Companies that deal with protected health information (PHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA Compliance.
Don't hesitate to contact us to discuss your requirements. We can chat via phone, video call or email as per your preference!
Contact Us now and a member of the team will be happy to speak with you!