Information Security Governance and Strategy
1- Certification and Accreditation (C&A) services
By aligning information security strategy, spending and controls with risk, clients can achieve a pragmatic and prioritised security posture that reduces risks to levels within their risk appetite. The process applies to all Systems/Services that the agency operates as well as all Systems/Services that a supplier operates on the agency's behalf. Cyber Team can offer assistance at each phase of the C&A process. Those phases, in order, are:

- Triage of systems
- Cloud risk assessment (GCIO 105) if applicable
- Security risk assessment
- Statement of Applicability
- Control validation plan
- Control validation audit
- Security certificate
- Exemption process

Each phase is carefully choreographed to be in alignment with the agency's own security maturity and security objectives. The risk assessment is the foundation of the entire process and drives the remaining phases (assuming the triage mandates a risk assessment).
We are able to provide clear business guidance on the C&A process and help improve existing processes. Cyber Team does this by bringing together experience and expertise gained on C&A assessments across various government agencies. We relate the technical implementation to the applicable security requirements, whether those are control, policy or strategic requirements. All of our processes align with the AS/NZS ISO 31000:2009 and ISO/IEC 27005:2011 risk management standards. Cyber Team provides assurance services across a wide range of frameworks including PSR, NZISM, ISO 27001, NIST and GDPR.
2- Risk Management services
Our risk management services are tailored to all levels of the organisation, as we recognise the importance of using the correct language, terminology and communication style for each group of stakeholders. The risk management service has four stages:

1. Build: understand the risk appetite and key risks in your organisation
2. Develop: unify, standardise and collate risks across your organisation into one place
3. Maintain: create a sustainable process that your organisation can easily use
4. Mature: weave risk management into key decisions and funding

This enriches each organisation's process of identifying, analysing, evaluating and addressing the cyber threats it faces and the security goals it has set. When we talk to business and service owners we use business language and refrain from technical jargon, as jargon dilutes the conversation and detracts from a coherent and comprehensive discussion.
3- Cloud Security Risk Assessments
- Outline potential weaknesses in service and resource deployments within the agency's cloud
- Analyse processes and approaches to managing security controls within resources and workloads
- Identify weaknesses in approaches that expose cloud infrastructure
- Provide current security insights into new cloud workloads
- Orient security frameworks and controls to suit the cloud workload architecture types in use

We can enable and structure "guard rails" that let your organisation move fast in cloud environments while staying within agreed controls. Combined with our knowledge of the cloud providers' well-architected frameworks, this can have you running compliant, evergreen workloads within weeks.
4- Supply chain risk management (SCRM)
With the SCRM service we help our customers identify their suppliers across the estate, which may include revising or introducing processes to fully identify suppliers across the organisation beyond ICT services. We look at the various areas of the business in terms of how they handle current and new suppliers. We then establish a standardised process to manage vendors, built on these core practices:

- Vendor onboarding
- Vendor assessment (OSINT assessments)
- Vendor issue management
- Vendor due diligence (customised questionnaires)
- Ongoing monitoring
- Actionable business intelligence

This process enables you, as an organisation, to have meaningful commercial conversations about suppliers' security state: to understand which supplier poses the biggest risk to your business and where to take steps to remediate it.
5- Awareness and Training
We promote cyber security awareness using a wide range of tools and techniques, addressing subjects such as social engineering, phishing, data protection, effective incident response and more. Cyber Team can develop and deliver a security requirements program to educate employees who have access to IT resources. The program covers:

1. The impact on the organisation and the employee if the security requirements are not met
2. Appropriate use of IT resources and facilities
3. How security incidents should be handled and escalated
4. Ethical use of IT resources and facilities
5. The employee's responsibilities for information security

Alternatively, we can review existing training material and programs for adequacy against business requirements and the knowledge, skills and abilities they are meant to build.
6- Tracking, reporting and remediation
We sit outside day-to-day operations and provide considered advice to our clients on the more strategic elements of their information security. In this role we drive the creation and implementation of security programs, ours or otherwise, as well as other important aspects of the risk landscape such as the development of architecture and policy. Where appropriate, this role also acts as the certification authority for the risk assessments described above.