Information Assurance, Accreditation and Compliance

It is surprising how many organisations have not taken the time to carry out active asset discovery to understand where their assets are and who has what. Many do not know the state of their various assets. It is often the case that when active asset discovery is conducted, surprises happen: “OMG, we did not know those systems are still running Windows XP, or that asset is still in the DC, or we thought they were decommissioned years ago! …”

What we do is conduct an active asset discovery to understand the state of the environment, so that our client can see the true situation. We then prioritise the environment on a risk basis to better ‘educate’ our client so that an informed decision can be made. We ensure that our client’s core services are identified, and that active risk management is put in place to address risk.

We drive active assurance and active risk reduction and risk management. We do not encourage the ‘once a year ITHC in order to get assurance or accreditation’ approach. This is a tick-box exercise, and we do not encourage the practice. We believe that the bottom line in protecting valued assets and critical national infrastructure and services is ensuring that systems and services are adequately protected. To do this, appropriate controls must be in place; these include people, process, procedural and technical controls. Technical controls alone are insufficient! We encourage holistic, active risk management.

We assist our customers in conducting expert risk assessments and in ensuring active, continuous assurance through frequent IT Health Checks (ITHCs), continuous vulnerability assessment (CVS), continuous assurance reviews, and Red and Blue Team exercises. We ensure that processes are kept up to date, that policies are written, and that appropriate standards are followed and adhered to.

All our work is carried out by highly qualified and respected individuals who hold academic degrees and have extensive hands-on experience. We also use independent, CHECK-accredited organisations to ensure traceability, openness and accountability.

We are a ‘doer’ and not a ‘talker’ organisation. This means we produce and provide our clients with a number of collaterals to support the assurance or accreditation of the service, such as:

  • Threat matrix
  • Business impact assessment (BIA)
  • Privacy impact assessment (PIA)
  • GDPR assessment and report
  • Accreditation strategy
  • Baseline control sets (BCS)
  • Risk assessment and management
  • Risk documentation and Security Assurance Document (SAD)
  • Remedial Action Plan (RAP)

We ensure that active risk management is in place to continually manage residual risks. The real focus should be on risk reduction, so measures must be put in place to drive, encourage and ensure active risk reduction and risk management. We also provide you with an Account Manager / Liaison to interface with your internal and external stakeholders, such as the NCSC and your Lead Accreditor, and to ensure an excellent senior stakeholder management experience.

We are privileged to have worked for a number of central government departments, OGDs (other government departments), government agencies, industry and academia. We are committed to excellence and will go the extra mile to make your engagement another success story for you. We will provide references should you ask.