Policy

If you don’t know where you are right now, it’s almost impossible to work towards a destination. This is something Saepio see regularly.

Our customers want to improve their security posture and to reduce risk, but they’re unsure where to begin.

Security Audit

The best way to kick off the process and to establish your Baseline is to conduct an audit of your existing security policies, processes and controls, against a compliance standard or best practice framework. We call this your ‘Security State of the Nation’. Key stakeholders are interviewed. Existing security infrastructure is documented. Risks are quantified. Recommendations are made for how you will move forward to achieve your target state… but what is your target state?

Target State

We help you define a sensible target security state, starting with the basics, maturing in time to a gold standard.

Having something measurable to aim at is key. There are two broad types of target state.

Best Practice Frameworks

Best practice frameworks are standards that help to both mitigate risk through following a methodical plan of security improvement, and also to achieve a certified level of maturity which you, your supply chain and your customers will be proud of.

Examples

•  Cyber Essentials Plus
•  ISO27001
•  CIS 20 Critical Security Controls
•  Cloud Security Alliance

Legislative Frameworks

Very much the “Stick” to the Best Practice “Carrot”. These are mandated on organisations by government or regulators: if you want to work, or continue to work, in a specific sector, geography or vertical, then you will need to comply with them. Failure to do so can result in loss of reputation, business, or potentially huge fines.

Examples

•  UK Data Protection Bill
•  EU General Data Protection Regulation
•  The Network and Information Systems Regulation (NIS)
•  PCI-DSS


Security Improvement Plan

Once an Audit has been completed, the improvements can begin. The plan will look at Policy, Product & People, ensuring the work is directed towards risk reduction and the overriding best practice or compliance standard.

Saepio can assist with delivery of the plan through one of our experienced virtual CISOs if required.

Certification & Accreditation

If the end goal is to be formally awarded a best practice certificate, Saepio assist by making sure you are in a position of readiness prior to the audit with the chosen accrediting body.

People

The human firewall is often a neglected area of security. Regardless of how much technology you introduce, a poorly trained user who doesn’t understand the Policy or Process you’re looking to implement can be very costly.

It’s not just staff who need awareness training, though; your board or your executive team might too. Don’t forget your overworked staff in IT either, they might need help as well.

Security Awareness
Social Engineering and Training

How do you baseline your staff’s security effectiveness? Saepio recommend regular testing to get an idea of the scale of any potential training or enablement requirement. Being able to demonstrate that you regularly test staff can help meet compliance or regulatory goals.

Security Awareness Training

Going hand in hand with testing is training and education. It’s good business practice, as well as great corporate social responsibility, to make sure your staff are well trained to recognise and prevent potential cyber threats. Regular short doses of training are key to ensuring the knowledge is retained and the program is successful.

Virtual CISO

If you don’t have this expertise in-house, then we can supply it. We have consultants acting as vCISO to provide guidance to the board, and to enact the Security Improvement Plans where required. Acting on a retainer basis, the vCISO becomes an extension of your team, providing regular updates to a risk register and often project managing our customers’ drive towards Cyber Essentials Plus or ISO27001 certification.

Security Resource
Penetration Testing

Penetration testing is a great way to baseline or ultimately prove your security posture from a product maturity, configuration and operational standpoint. Working with our teams of external, CREST accredited Penetration Testers, Saepio can supply a wide range of services – External, Internal, Wireless, Web App, Red Team, Social Engineering and more.

Incident Forensics & Response

If the worst happens, and you do fall victim to a cyber attack or incident of some kind, then understanding exactly what happened can be key to preventing it from happening again. In the litigious culture that we live in, where failure to report a breach correctly inside 72 hours can have huge consequences, sometimes expert help is needed to investigate. Saepio work with consultants holding all appropriate badges, certifications and security clearances to undertake this work if required.

Product

Whilst Technology alone won’t solve all your problems, it’s a significant component of an effective information security ecosystem.

In a world where budgets are limited, and IT staff time often more so, it’s imperative that each organisation takes stock of their current situation, requirements, risk profile, headcount and funds prior to investing in technology.

Saepio recommend a methodical approach: don’t try to run before you can walk.

We have grouped the never-ending list of Security technologies into 3 distinct areas – Essential, Advanced & Enhanced.

Essential Controls

These should be the foundations of any modern company’s security stack. In line with Cyber Essentials Plus, these are the areas that, if neglected, will represent the greatest risk to the majority of organisations. Do the basics well. Ignoring these areas will leave fundamental gaps in your defence.

  • Firewall and IPS
  • Web and Email
  • Anti-Malware
  • Multi Factor Authentication
  • Vulnerability Management
  • Backup & Availability
  • Encryption
  • Testing

Advanced Controls

Once you’ve worked through the Essential Controls, and you want to continue to mature your position, then a whole other world of technology becomes relevant. As the value of the data, systems and applications that you use, deliver, support or manage increases, looking at these areas will help to further reduce your risk of falling foul of a cyber incident.

  • SIEM / Security Monitoring
  • Incident Response
  • Privileged Access Management
  • Identity Access Management
  • Data Risk Management
  • Data Leak Prevention

Enhanced Controls

These types of technology will not be required by all organisations. However, if you are starting to move more data and applications into the cloud, or if you are developing more of your own code or software, then these are areas to consider.

  • Web App Firewall
  • DDoS Prevention
  • Breach Simulation
  • Threat Intelligence
  • CASB
  • SOAR
  • DSAT

  • Varonis
  • DUO
  • Pentest People
  • Druva
  • KnowBe4
  • Malwarebytes
  • Mimecast
  • Okta
  • Rapid7
  • Red Sift