Planning

“If you know the enemy and know yourself, you need not fear the result of a hundred battles” ― Sun Tzu, The Art of War

Understanding the current environment is an important starting point for developing effective and sustainable security solutions. We provide the following services to create insight, awareness and remediation plans:

Security Policy Review

The objective of this review is to assess how effectively the security policies deliver the targeted business priorities. Our review process is based on the recognised ISO 27000 series of international security standards.

For example, a common challenge is balancing the objective of strong authentication against an acceptable user experience. Most users struggle with complex password rules (e.g. the password must contain letters, numbers and special characters and meet a minimum length). This encourages insecure practices such as using the same password across multiple systems, or simply rotating a number or letter in the password when prompted to change it.

Our review starts by identifying the targeted business priorities, such as authentication strength, ease of use, access technology and solution cost. Where possible, some form of financial dimension is assigned to these priorities. Such analysis provides a framework for assessing policy elements such as biometric controls, security analytics and the use of threat intelligence, which can have significant privacy and cost implications.

For example, acquiring a smartphone with biometric technologies such as fingerprint or face recognition might cost a bit more, but it could reduce the total solution cost by reducing the fraud rate. Another example is the use of authenticated smartphone apps as a second authentication factor instead of relying on SMS messaging. SMS is insecure and has been extensively exploited for online banking fraud. Our review helps to put such technology decisions into perspective.

Security Risk Assessment

It is no surprise that risk assessment is a foundation of security management. What is less understood is how “risk based” security controls can help to reduce cost and improve agility.

A good way to describe this approach is “protect what matters”. This is an almost universal approach in public policy making such as education, health care, transport etc. Society simply cannot afford to offer the same level of service to everyone without any level of targeting based on needs. The Gonski education funding adopted by the Australian government is an example of this approach where funding is calculated based on the SES (Socio-Economic Status) score of the school.

A “risk-based” security policy is developed by first identifying valuable information assets and infrastructure and then assigning a financial value to them. These financial metrics guide the development of operational processes and the selection of technologies to deliver the targeted protection level.

Making decisions based primarily on financial metrics can raise a number of ethical concerns. Such concerns might be expressed as “putting profit ahead of data security and privacy”. Our team are experts in asset discovery and risk assessment, with extensive experience in modelling the associated financial impact gathered from our IT audit and Business Continuity Planning (BCP) development engagements.

Cloud Migration Readiness Assessment

This assessment examines the operational and governance implications of migrating existing applications, or deploying new applications, to cloud services.

Business Continuity Planning (BCP) and Disaster Recovery (DR) process review

This review focuses on providing an all-round review of critical IT security considerations which might have a material impact on business continuity.

Business Continuity Planning

Business Continuity Planning (BCP) is often described as a backup requirement or a Disaster Recovery (DR) process. In fact, backup and DR are merely building blocks of BCP. BCP is a process-focused view (i.e. the way to think about it), whereas DR has an operational dimension (i.e. what we actually do).

I found that this mind map, published by MindCert.com, offers a good explanation:

Please click on the following link to download a copy of the full size mind map:

MindCert_CISSP_BCP_MindMap

In the diagram, backup is identified as a task for the Recovery Team. While it is a very important task, it only produces business value when it is planned correctly in the context of a DR process.

Most importantly, in some situations DR might not be a physical option during a BCP recovery process. A recent example is the data breach suffered by Equifax. Its share price dropped by 25% following the disclosure of the breach on 7th Sept 2017. Such events can threaten the viability of the firm, rendering it vulnerable to takeover. Some systems might have been restored from backup as part of the incident response process, but no DR was, or could have been, executed as part of the recovery process.


IT Audit

The purpose of IT audit is to provide an assessment to the delivery teams of how well they are managing IT risk, by comparing their processes to the applicable security standards and procedures.

However, it is a common misperception that IT audit is only about measuring compliance. While it is procedurally correct that audits do produce measurements of the level of compliance against the audit policies and standards, that measurement does not in itself create any business value.

Audit is best viewed as a tool to identify and manage IT risks. All forms of risk management have cultural and operational dimensions. Policies and standards represent a consensual view of risk and risk appetite. Compliance measurements help people to understand their current practices and processes relative to the expectations placed on them.

It is often said that business is all about risk management. It is, therefore, natural for business units to take calculated risks within the risk guidelines. However, it is often difficult to fully understand the risk implications of certain operational decisions, particularly when complex technology is involved, such as the consumption of cloud services. Gaps identified in the compliance report compel teams to come together to make sense of their collective operational decisions and develop appropriate responses. It should be noted that the decision to “take no action” through “risk acceptance” is itself an explicit and documented decision.

Audit Remediation Plan

The focus of the remediation plan is to address the gaps identified in the IT audit in order to deliver scalable and sustainable secure processes and systems. This can only be achieved when participants work in a collaborative and synergistic manner instead of merely satisfying the audit findings.

Cost pressures, human resource constraints, technology barriers, and architectural and business process designs can limit the remediation options available. In fact, these are often the root causes of the non-compliance in the first place.

Our team helps the remediation teams to identify, catalogue and prioritise these potential constraints, which are then presented to management for review and approval. A remediation plan is developed, subject to these constraints, with assigned resources and an agreed timeline. Project managers might be assigned to manage the delivery of some of the remediation items. Our team continually monitors the delivery of the remediation plans, and we consult with and inform the remediation teams if re-prioritisation of the plan or of any remediation item is desirable or required.