Cyber Security & Information Security Management
Technology has advanced over the years – with it, its vulnerabilities! There was a time when computing technology was touted as the ‘be all and end all’ of saving businesses in time and resources. Today it no longer provides the promise of saving businesses and organisations time and resources. Technology does not provide the security our industry had hoped for back in the 90s and 2000s. Instead, businesses are grappling with a complex sea of system, application, hardware vulnerabilities with zero day exploits – which are costly in terms of resources and incidents.
As technology changes, so does the terminology!
Computer security and IT security are now commonly known as information security and cyber security. Cyber security is the latest buzzword, and it has varying definitions and uses.
From our perspective information security is a holistic term which incorporates the security of information in all its forms:
- Hardcopy information
- What is known
- What is spoken
- Electronic / digital information that is stored – processed – transmitted in and through systems, cloud, media, mobile devices, multifunction devices (and other embedded devices), removable storage devices etc.
This means that the management of information security extends from the traditional ICT business area to the business areas responsible for information management (records and documents), facilities (physical security), human resources or people and culture (personnel security).
No organisation can function without its information – therefore, information is critical to the continuing operation of any organisation. As we have all seen, the success of ransomware is due to the fact that information has value – thus, it is attractive to criminal organisations. The value that organisations apply to their information is varied and some organisations don’t go through the process of identifying and valuing their information – let alone knowing where the information is stored or how current it is. How an organisation manages its information becomes a problem for the ongoing protection of personal information (PI) and sensitive business information, particularly if security controls are not sufficient or poorly managed.
Sichernet can take you on the journey to identify, value and protect your sensitive and critical information assets.
What is critical and sensitive information?
Financial details – account details – financial statements – bank statements – utility account details – client details – client information including PI – payroll details and information – employee records and information – critical business information – Board papers – plans – mergers – stock information – ICT diagrams – system details – access account details – passwords – IP addresses – and the list goes on!
Where does Information Security sit within an organisation?
If you think about it, information security cuts across every business function and area in some form or to some extent, e.g. procurement, contract management, people management, physical access, asset management, records management etc.
The best starting point is at the top. Organisations should have some form of governance with a top down approach from the executive. Larger organisations would normally have the following frameworks in place:
- Governance
- Risk Management
- Information Management
- Compliance
- Assurance and Audit
Each of the above frameworks sets the scene for how legal and regulatory compliance obligations, including privacy, are managed. Information security requirements should be aligned to each framework and cascade down through their policies and procedures. The Risk and Audit Committee would include information security as a standing agenda item.
Not a simple initiative! Sichernet can help you work out the best approach to incorporating information security requirements across your organisation.
Fraud, corruption and privacy security requirements have been common in frameworks for decades. The controls used to manage these risks, e.g. separation of duties, access, authority, approvals, logging, alerts etc., are all security controls.
Whatever the information security governance approach you take, the human element across all areas of security must be considered!
Security is something that applies to a thought process i.e., what someone thinks and acts upon! Similar to safety, privacy and risk etc. Some people automatically go through a thought process when they do something, and some don’t. In other words, it can be ingrained in how we think and act or not.
Information Security Governance
Fraud, corruption, privacy and safety have all been embedded within businesses and organisations for decades (some with more pain than others). Information security governance needs to be embedded within an organisation to be effective. The development of a security culture with a top down approach is an important step in embedding security practices across your business.
Embedding requires executive support formalised through frameworks, policies, procedures and processes – subject to continual monitoring, internal / external reviews and audit.
The first step should be to formulate an overarching security management framework which aligns to your Risk, Governance and Compliance Frameworks and is supported by policies, standards, procedures and processes.
No matter the information security governance approach you take, the human element must be considered!
When security requirements are not ingrained in thought processes, ongoing, targeted security awareness messaging may be required to treat the risk. Have a look at our Security Awareness services for further information.
Sichernet can help you in every step of the process in aligning, establishing and implementing an information security governance framework.
Security Risk Management and Assessments
Information security risks should be incorporated into an organisation’s overall risk management framework and assessments.
If this has not been done and you feel that security risks are not being addressed adequately, Sichernet can help to facilitate changing the paradigm.
Information security risks may be complex and require experienced and knowledgeable resources to work with organisations to identify threats and manage risk.
For further information refer to our Risk Management Services.
ISO 27001 / 27002 were updated with new versions published in 2022!
Within the time span between the previous and current editions of the standards, a great deal of change has occurred across the information security arena, with massive advances in technology and with those advances, the introduction of new cyber threats and security risk.
The security controls listed in the Annex of 27001:2022 have changed substantially from the 27001:2013 edition. The changes address the advances in technology and introduce new security controls that help organisations to protect their assets and to treat security risk. In addition, the 2022 release adopts the harmonised structure for management system standards and includes a substantially revised Information Security Controls Reference and guidance.
The information security controls have been restructured into the following groups:
- Organisational – 37 controls
- People – 8 controls
- Physical – 14 controls
- Technical – 34 controls
If you already have an ISMS and want to prepare for certification against the 2022 edition or your organisation has decided to take the journey towards certification, Sichernet is well placed to provide you with the tools and resources to document, establish and implement your ISMS, security policies, standards and other supporting documentation.
We will work directly with you to review existing security measures, identify gaps, and develop a comprehensive security management plan to take you on your journey towards certification.
ACSC Essential Eight
The Australian Cyber Security Centre’s Essential Eight is recommended by the Australian Government as the first major step for organisations to take in securing their ICT networks and protecting their information assets.
The Essential Eight has been freely available to organisations for years. It was developed by the Australian Signals Directorate (formerly the Defence Signals Directorate, DSD) and the Australian Cyber Security Centre, and it contains tried and tested best practice technical security controls to increase the security posture of your systems and mitigate cyber security incidents.
The Essential Eight’s security controls have been taken from the Information Security Manual, and the model defines several maturity levels for an organisation to reach in order to lessen the potential for security breaches and incidents.
Sichernet can help your organisation to plan and document the steps required to implement, maintain, manage and monitor the Essential Eight controls.
Australian Government Security Frameworks and Compliance Services
If your organisation is a government department or agency, or your organisation has contractual obligations or a Deed of Agreement with a government department or agency, Sichernet is here to help you.
We specialise in compliance frameworks and security compliance reviews. We understand the Australian Government’s Protective Security Policy Framework (PSPF) and Information Security Manual (ISM) and can help you implement your information security obligations and manage your contractual obligations.
We can help you to understand and address your compliance obligations in preparation for an IRAP assessment and address the outcomes.
Victorian Government VPDSF and VPDSS
If you are a Victorian Government department or agency with VPDSF / VPDSS compliance and reporting requirements, including your PDSP, Sichernet can help you.
We are very familiar with both and can help you navigate your responsibilities and provide you with our VPDSS specific security policies and other supporting documents as outlined in the section below.
Our security awareness services and products are based on all areas of security and as such, are designed to increase awareness levels of the handling requirements of public sector information assets.
Security Policies, Standards and Other Documentation Services
If your security policies are a little dated and need a refresh to keep up to date with today’s security frameworks and technologies, we can help.
We have developed a comprehensive suite of information security policies and standards which are based on a hybrid mix of ISO 27001 and Information Security Manual (ISM) security controls. In addition, we also work with NIST based policies and standards.
Technical people may not always be the best authors of information security policies which have a broad audience across all levels of employees in an organisation. Our policies have been written to the level of understanding by the lowest common denominator. This means that you will have a higher level of assurance that a broad audience will comprehend and understand their security responsibilities.
Why is this important? Policy non-compliance can lead to disciplinary action including termination. Disciplinary action can be challenged in court if the document is poorly written and too technical for the audience to comprehend.
To save you time, we can provide our suite of information security policies and standards using your document template, branding, style, roles and responsibilities so they are ready to be approved, published and communicated once they have gone through peer review within your organisation.
We can review your existing policies and undertake a gap analysis to determine any deficient areas. We are known for our ability to highlight any perceived issues in your existing policies relating to document management requirements, readability and understanding by the intended audience and areas of conflicting statements.
- Security Incident Response and Management set
- Access Control
- Compliance
- Business Continuity & Disaster Recovery set
- Encryption
- Human Resources Security
- Information Classification and Handling
- Information Security Management
- Malware and Anti-Virus
- Physical and Environmental Security
- Network and Operations Security
- ICT Asset Management
- Mobile Devices
- Vulnerability and Patch Management
- Acceptable Use
- Software Management Security
- System Development and Maintenance
- Third Party Governance
- Remote Work Security
If you need a policy, standard or any other document across a differing subject area other than those listed above, talk to us today. We have the resources and subject matter experts across the broad spectrum of security areas to help you.
Managing Third Party Providers, Cloud Providers and Vendors – Supply Chain
Every business or organisation has a duty of care to protect its people, information assets, products, equipment and facilities.
Managing the risks represented through partnerships and the use of third party providers, managed services, suppliers, vendors etc., including cloud providers, is critical to any business.
Read through the following questions to ascertain where your organisation currently stands:
- Are you aware that you cannot outsource full responsibility to an external third party?
- Do you think that the due diligence and screening processes of third parties during the selection phase are sufficient to provide a high level of assurance over the suitability of the third party?
- Do you require vendors and suppliers who are transparent about their security practices?
- Is there a requirement to undertake a full security risk assessment of the provider, the services they will provide, the sensitivity / criticality of the information assets they will access, store, process, transmit onsite and offsite etc.?
- If your assets are to be used offsite by the third party, is there a requirement to conduct a site security assessment?
- Are relevant security policies and security controls stipulated in your contractual agreements?
- Would you rate those security clauses as robust?
- Have your third party providers, suppliers etc. signed the contractual agreement supplied by your organisation?
- Do you have a compliance monitoring regime operating to manage third party contractual compliance over the period of the contract?
- Have you stipulated security controls to cater for the termination of the contract?
- Are your procurement and project management policies aligned with your information security policies and procedures to ensure security controls are applied?
- Do you have oversight of relevant third party providers’ security incident response and disaster recovery plans?
- Does your security incident response plan include communication requirements with relevant third party providers / managed services, and vice versa?
If you have answered NO to any of the above, please contact us today.
Managing security risks associated with third party providers, managed service providers, suppliers and vendors can be complex and fraught with difficulty, particularly for smaller organisations. Sichernet can work with you to identify, understand and manage security threats which may impact your third party relationships through the following phases:
- due diligence through the selection and procurement process
- contractual agreements / SLAs
- reviews of contractual obligations
- contract cessation – return of information assets and/or the sanitisation and disposal of information assets and the equipment they resided on.
We can tailor a comprehensive third party governance framework (including policy, standards and guidelines etc) based on security industry best practices to help you integrate and align third party governance and compliance across your organisation.
Highly Professional Approach
Our approach to ICT risk and security management is one that emphasises a superior standard of professionalism. Our ability to provide independent and quality consultancy solutions for clients is what separates us from the competition.
We’re also passionate when it comes to meeting your needs and tailoring a service to suit your own unique requirements.
Broad Scope Of Expertise
Our risk and security management capabilities encompass an extensive variety of market sectors, including:
- Finance
- Government
- IT Services
- Not-For-Profit
- Resources
- Telecommunications
- Transportation
Our staff have successfully delivered exceptional results for a diverse range of clients.
Comprehensive Consulting Services
Sichernet is able to offer you comprehensive ICT risk and security management services which are integrated and practical. Our service also covers the entire lifecycle of your project, from concept through to initiation - planning - delivery - operational maintenance.
Call our team to discuss how ICT risk and security management can benefit your organisation.