Information (Data Security) Services


How to use this document

The SRS Standard Service Descriptions are designed to provide Customers and prospective Customers with details of services we provide in a particular domain. We deliver Services from a catalogue of capability of which regular customers will be familiar. We reference our library of Service descriptions to enable Customers to focus on Solution content and statement of works.


3 Overview of our Information (Data Security) Services

To put our services in context, this section gives three short introductions to the concepts of Information (Data) Security, Cyber Security and ISO 27001.

3.1 Introducing Information Security

Information security, also known as infosec, is the process of keeping data and information secure from any kind of violation in the form of theft, abuse, or loss. There is no more important topic in organisations currently than information security. It permeates every strategy regardless of industry or sector. For commercial companies, getting this right can be a major competitive advantage, and for organisations in the public and third sectors it can make or break reputations.

Information Security vs. Cybersecurity

Though often used interchangeably, the terms information security and cybersecurity are two different domains. Cybersecurity deals with digital security activities, which involve securing IT assets from misuse, theft, and disclosure. Information security is a specific sub-domain under the umbrella domain of cybersecurity. SRS's services cover the whole domain, based on three key principles:

Confidentiality: Ensuring your data is not disclosed to unauthorised sources or is not accessed by any unwarranted party.

Integrity: Ensuring that data is maintained in its intended state and not modified by any accident or compromised in any other way.

Availability: How accessible the data is on a regular basis. Businesses always prefer high availability since it enables seamless operations with optimised data usage.

Data breaches are the biggest information security risk that organisations face. Whether it is cyber criminals hacking into a database or employees losing or misappropriating information, the financial and reputational damage caused by a breach is significant.

In the cyber security realm, malicious software is the big issue, with malware preventing servers from hosting or accessing data. This is referred to as distributed denial of service (DDoS). It is the kind of attack that has become commonplace, and its avoidance is at the heart of vulnerability assessments.

3.2 Introducing ISO 27001

The ISO/IEC 27000 series is a set of best practices to guide UK organisations in the ongoing improvement of their information security.

Published by ISO (the International Organisation for Standardisation) and the IEC (International Electrotechnical Commission), the series sets out a framework for creating an Information Security Management System (ISMS). An ISMS is a systematic approach to risk management, containing measures that address the three pillars of information security: people, processes, and technology. All organisations that deal with data should create a comprehensive data security regime.

ISO 27001 can be applied to organisations of any size and in any sector, and the framework’s broadness means its implementation will always be appropriate to the size of the business.

An organisation certified against the ISO/IEC 27001 standard demonstrates its commitment to information security and provides confidence to its customers, partners, and stakeholders. By adopting ISO/IEC 27001, an organisation can:

· Form a basis to enable the secure exchange of information and to protect data privacy in relation to sensitive information.

· Manage and lower risk exposure, hence less chance of incidents being realised, in turn reducing the time and money spent on responding to incidents.

· Strengthen the internal organisation and improve the security structure of the business. This could be by defining responsibilities and duties related to information security.

· Reduce the resources needed to complete security-related information when bidding for contracts.

ISO 27001 is a sought-after accreditation for any organisation, as well as for professionals operating in the Information Security space. SRS supports organisations seeking the accreditation.

4 SRS Info Services

SRS offers a range of services to deliver our customers support appropriate to their needs and level of maturity regarding compliance. Customers can rely on us to provide support should they be in the process of responding to a breach, require training, or need short-term resource to take on the responsibilities demanded to maintain compliance.

4.1 Incident Response

SRS’s Data Security or Cyber Incident Response is an emergency service, designed to quickly manage, contain, and neutralise a threat posed by an ongoing or historical attack.

The service is for organisations that suspect that they are under cyber-attack or know they have suffered a breach. In both circumstances, SRS’s objective is to facilitate rapid and decisive response to control the incident and limit the damage to the organisation.

Once the threat is identified, SRS pinpoints the source of the breach and isolates the affected devices to minimise any downtime and impact to your organisation. We meticulously remove any source of further threat and restore affected elements to enable business as usual operations to take place. Depending on the nature and severity of the incident, SRS can perform a range of incident response related activities, including:

· Incident management: including stakeholder liaison, communication, and collaboration with internal and third-party responders.

· Technical investigation: including data and log retrieval and investigation, and forensic analysis of artefacts to gather and preserve evidence.

· Malware analysis.

· Incident containment.

· Post-incident support: assist with post-incident activities such as internal and external reviews, evidence presentation for legal and/or criminal proceedings, and follow-on consultancy services to address security concerns following the breach.

4.2 Readiness Assessments

Are you ready to meet the challenges posed by Data Security? SRS completes a series of assessments that can be tailored toward your needs to pre-empt threats.

4.2.1 Breach Readiness Assessment

A Breach Readiness Assessment is a more comprehensive, score-based and focussed evaluation of your organisation’s breach readiness capabilities. It seeks to answer one straight question: are you prepared for a data breach?

This assessment looks at the breach readiness capability of a specific group of people and gauges how they react in a specific cyber-attack scenario targeted at a distinct, critical asset.

This risk assessment is a cost-effective way to demonstrate how a particular group of staff members will respond to a cyber crisis. It is also important to satisfy current and future regulatory requirements with least disruption to business operations.

4.2.2 Cyber Assessment

A Cybersecurity Assessment, simply put, is an evaluation of your organisation’s readiness to deal with a cyber incident.

These assessments gauge the level of risk your organisation faces as well as examine where the major loopholes lie in your cybersecurity infrastructure, plans and processes.

As cyber threats are evolving and becoming more complex and virulent with every passing day, it is critical that all businesses look at investing in regular cybersecurity assessments.

4.2.3 NIST Health Check

The NIST Health Check is an assessment of your organisational cyber health and resilience against the NIST Cybersecurity Framework. NIST Health Checks are typically time and cost-effective.

The assessment will evaluate your overall compliance and incident response maturity, apart from identifying vulnerabilities. It will also contain recommendations on how to patch up any deficiencies that require urgent attention. The NIST Health Check is ideal for those organisations who want to kick start their journey towards complete cyber resilience with an actionable improvement plan.

4.2.4 Ransomware Readiness Assessment

As the name suggests, this assessment is targeted specifically at evaluating your organisation’s ability to respond to and contain a ransomware attack, the number one growing concern in the world of cybersecurity today.

A Ransomware Readiness Assessment is the quickest way to validate your security investments and check if your technology infrastructure is up to scratch. It also helps you identify gaps in your existing ransomware strategies, apart from helping you understand specific issues in your plans and processes.

4.3 Vulnerability Testing

Whilst Readiness Assessments tend to concentrate on regular assessments of your processes should you face a security incident, Vulnerability Tests are significantly more intrusive. Using ethical hackers and technical network architects, SRS sets out to stress test your security regime. We do this with the Penetration Test (or Pen Test).

4.3.1 Application Penetration Testing

Application Penetration Testing is a key part of the assurance lifecycle for digital systems and assets, to ensure they meet internal and external compliance requirements and limit exposure to cyber risks.

An Application Penetration Test ensures that users are only able to perform actions they are intended to, and that the application implements sufficient measures to protect users by limiting an attacker’s ability to abuse a compromised account. This is achieved by identifying any vulnerabilities present in an application that could be used by an authenticated or unauthenticated attacker to:

· Gain unauthorised access to information.

· Perform malicious actions within the application.

· Compromise other application users.

· Escalate privileges within the application.

· Compromise the application’s underlying infrastructure.

Application Penetration Testing is suitable for both internal- and external-facing applications (including web and mobile applications). It is designed to identify vulnerabilities that could affect the confidentiality, integrity or availability of systems and the data they process.

4.3.2 Network Penetration Testing

Network Penetration Testing ensures that your network infrastructure is securely implemented and that your networked assets cannot be abused through misconfiguration or vulnerability. The primary goal of a Network Penetration Test is to identify vulnerabilities which can be exploited by attackers targeting network devices and connecting infrastructure such as routers, switches, systems, and hosts.

Network Penetration Testing can be performed both internally and externally, targeting internal systems and infrastructure and internet-facing hosts, respectively. It is designed to identify vulnerabilities that could affect the confidentiality, integrity or availability of systems and the data they process.

4.3.3 Physical Penetration Testing

A Physical Penetration Test simulates the activities that an attacker is likely to undertake when attempting to gain access to an organisation’s facilities (e.g., offices, warehouses) to assess the effectiveness of physical security controls.

Physical Penetration Testing can be performed as a covert exercise designed to simulate a realistic attempt by a malicious party to infiltrate the target facility, or as a more collaborative exercise designed to audit the implementation and effectiveness of physical access controls and safeguards more comprehensively.

An attack chain involving physical breach will typically overlap with virtual methods to progress the attack, leveraging direct access to the internal network and physical devices to gain privileged access to internal systems to be able to perform malicious actions. SRS will identify potential actions which, if performed by a real attacker, are likely to result in a significant business impact.

Once the physical segment of the attack has been concluded, SRS will identify the follow-on actions and the probable impact.

5 Obtaining ISO27001 Accreditation

ISO 27001 certification requires adherence to strict guidelines for planning, implementing, and monitoring information security. Organisations cannot self-certify and require a partner that will take them through all the key stages of becoming or remaining compliant, including:

· Preparing your organisation for accreditation

· Guidance through the accreditation process

· Establishing and documenting a mandatory management framework.

· Conducting risk assessments

· Implementing controls to mitigate risk

· Conducting training and coaching key staff

· Reviewing and updating the required documentation

SRS will ensure that you become familiar with the requirements of ISO 27001. Preparation is the key to business success. By leveraging SRS’s experience and knowledge across this domain, your organisation can:

· Optimise its security investment: By aligning security requirements with your risk profile to ensure that security controls are appropriate for your business needs.

· Increase confidence in your business: To build the trust of your internal stakeholders and external authorities, customers, and partners alike.

· Deliver and maintain an effective security operating model: Implement and leverage best practices without being constrained by arbitrary compliance requirements which are not relevant to your business.

· Drive sustainable development of your security operating model over time: With short, medium, and long-term recommendations to deliver prioritised improvements to your security posture.

6 Further Information

SRS offers an unparalleled range of Services in GDPR-related Consulting and Information Security. Request a copy of our Product Description on GDPR Compliance.
