The best way to kick off the process and to establish your Baseline is to conduct an assessment of your existing security policies, processes and controls, against a compliance standard or best practice framework. We call this your ‘Security State of the Nation’. Key stakeholders are interviewed. Existing security infrastructure is documented. Risks are quantified. Recommendations are made for how you will move forward to achieve your target state… but what is your target state?

We help you define a sensible target security state, starting with the basics, maturing in time to a gold standard.

Having something measurable to aim at is key, there are 2 broad types of Target state.

Best practice frameworks are standards that help to both mitigate risk through following a methodical plan of security improvement, and also to achieve a certified level of maturity which you, your supply chain and your customers will be proud of.

Examples

•  Cyber Essentials Plus
•  ISO27001
•  CIS 20 Critical Security Controls
•  Cloud Security Alliance

Very much the “Stick” to the Best Practice “Carrot”. These are mandated on organisations by government or regulators, if you want to work, or continue to work in a specific sector, geography or vertical then you will need to comply with them. Failure to do so can result in loss of reputation, business, or potentially huge fines.

Examples

•  UK Data Protection Bill
•  EU General Data Protection Regulation
•  The Network and Information Systems Regulation (NIS)
•  PCI-DSS

Once an initial assessment has been completed, the improvements can begin. The plan will look at Policy, Product & People, ensuring the work is directed towards risk reduction and the overriding best practice or compliance standard.

Saepio can assist with delivery of the plan through one of our experienced virtual CISOs if required.

If the end goal is to be formally awarded a best practice certificate, Saepio assist by making sure you are in a position of readiness prior to the assessment with the chosen accrediting body.

How do you baseline your staff security effectiveness? Saepio recommend regular testing to get an idea of the scale of any potential training or enablement requirement. Being able to demonstrate that you regular test staff can help meet compliance or regulatory goals.

Security Awareness Training

Going in hand with testing, is training and education. It’s good business practice, as well as great corporate social responsibility to make sure your staff are well trained to recognise and prevent potential cyber threats. Regular short doses of training are key to ensure the knowledge is retained and the program is successful.

If you don’t have this expertise in-house, then we can supply it. We have consultants acting as vCISO to provide guidance to the board, and to enact the Security Improvement Plans where required. Acting on a retainer basis, the vCISO becomes an extension of your team, providing regular updates to a risk register and often project managing our customers drive towards Cyber Essentials Plus or ISO27001 certification

Penetration testing is a great way to baseline or ultimately prove  your security posture from a product maturity, configuration and operational standpoint. Working with our teams of external, CREST accredited Penetration Testers, Saepio can supply a wide range of services – External, Internal, Wireless, Web App, Red Team, Social Engineering and more.

If the worst happens, and you do fall victim to a cyber attack or incident of some kind, then understanding exactly what happened can be key to preventing it from happening again. In the litigious culture that we live in, where failure to report a breach correctly inside 72 hours can have huge consequences, sometimes expert help is needed to investigate. Saepio work with consultants holding all appropriate badges, certifications and security clearances to undertake this work if required.

These should be the foundations of any modern companies security stack. In line with Cyber Essentials Plus these are the areas that if neglected will represent the greatest risk to the majority of organisations. Do the basics well. Ignoring these areas will leave fundamental gaps in your defence

• Firewall and IPS
• Web and Email
• Anti-Malware
• Multi Factor Authentication
• Vulnerability Management
• Backup & Availability
• Encryption

Once you’ve worked through the Essential Controls, and you want to continue to mature your position, then a whole other world of technology becomes relevant. As the value of the data/systems/applications that you use/deliver/support/manage increases then looking at these areas will help to further reduce your risk of falling foul of a cyber incident

• SIEM / Security Monitoring
• Incident Response
• Privileged Access Management
• Identity Access Management
• Data Risk Management
• Data Leak Prevention

These types of technology will not be required by all organisations. However, if you are starting to move more data and applications into the cloud. Or if you are developing more of your own code or software, then these are areas to consider.

• Web App Firewall
• DDoS Prevention
• Breach Simulation
• Threat Intelligence
• CASB
• SOAR
• DSAT