Security Strategy: Information Security
Eurotek NS has specialist experience in developing security strategies, with plans to mitigate business risks while complying with legal, statutory, contractual and policy requirements.
A defined strategy will serve to ensure a standard methodology of risk management throughout an organisation, providing transparency of risk metrics at an enterprise as well as at a localised and technical security level.
Typical steps include the definition of control objectives, a baseline level of protection, risk assessment and selection of mitigating controls, followed by the implementation of benchmarks and metrics, and ongoing audit and review.
The level of protection should match the value of the resources being protected.
Security costs vary greatly. Spending on controls that exceeds the value of the information they protect is an unnecessary expense, while spending too little relative to the value of a critical asset leaves it inadequately protected. Value here means the impact of loss, disclosure or unavailability, not just the replacement cost of the asset.
Our compliance and audit professionals provide guidance on, and review of, enterprise-wide audit programmes covering both internally and externally managed platforms. We perform pre-audit security reviews so that the organisation is aware of any issues before a formal audit. Using a risk-based approach, we formulate a structured 12-month audit plan and ensure that all external reviews, audits, assessments and tests are performed in line with the requirements of the annual programme. We liaise with external auditors, bank representatives and clients, as well as internal staff, to present the current status and risk profile of the organisation, and to ensure that any imposed remedial actions are appropriate, consistent with the enterprise risk appetite, and do not conflict with existing remediation projects or initiatives.
The audit/assurance program is a tool and template to be used as a road map for the completion of a specific assurance process. ISACA has commissioned audit/assurance programs to be developed for use by IT audit and assurance professionals with the requisite knowledge of the subject matter under review, as described in ITAF section 2200—General Standards. The audit/assurance programs are part of ITAF section 4000—IT Assurance Tools and Techniques.
Objective—The information security management audit/assurance review will:
- Provide management with an assessment of the effectiveness of the information security management function
- Evaluate the scope of the information security management organization and determine whether essential security functions are being addressed effectively
The review is not designed to replace or focus on audits that provide assurance of specific configurations or operational processes.
Scope—The review will focus on:
- Information Security Management—Processes associated with governance, policy, monitoring, incident management and management of the information security function
- Information Security Operations Management—Processes associated with the implementation of security configurations
- Information Security Technology Management—Processes associated with the selection and maintenance of security technologies
To ensure a comprehensive audit of information security management, it is recommended that the following audit/assurance reviews be performed prior to the execution of the information security management review and that appropriate reliance be placed on these assessments:
- Identity management
- Security incident management
- Network perimeter security
- Systems development
- Project management
- IT risk management
- Data management
- Vulnerability management
IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional holds the Certified Information Systems Auditor (CISA) designation, or has the necessary subject matter expertise required to conduct the work and is supervised by a professional with the CISA designation and/or necessary subject matter expertise to adequately review the work performed.
We perform a baseline analysis of existing IT and security spend and a cost-benefit analysis of current solutions and protection mechanisms against alternatives. Forecasting technology refresh for security solutions lets us advise clients on the return on investment and return on security investment of the security budget. Our security consultants compare and review products against the threat profile of the business, so that the controls chosen not only offer value for money but also protect against the threats to which the organisation is actually exposed. They also review the licence, maintenance and contract costs of all security, communications and IT spend and provide guidance for the ongoing budget.
Eurotek NS strategic planning and forecasting services deliver benefits that go straight to your bottom line. Budget control involves audits, and the deployment of products, services, practices and processes, not only to stay within planned budgets but also to reduce current costs and expenditure within the IT and security departments.
Eurotek NS security consultants analyse the requirements for every product and service within the IT infrastructure and perform cost comparisons based on the results. Where the analysis supports it, we source and migrate to cost-effective alternatives without compromising an acceptable level of quality and service, while still meeting the business requirement.
LIABILITY RISK ASSESSMENT
Eurotek NS assists clients in gaining an understanding of, and visibility into, the organisation's liability, and its directors' personal liability, for information loss. We perform scenario-based liability assessments, review corporate information governance requirements, and liaise with internal and external third parties to review contractual obligations and responsibilities. Existing and legacy audit reports are reviewed to ensure that no high-priority known exposures remain unaddressed, and we manage the process of annual reporting to shareholders, investors and the markets. Formal risk assessments are performed for the business and for each director individually.
Liability Risk Assessment
Eurotek NS provides expert, targeted support for organisations that need specialist risk consultants or an objective review of their current programmes. In these increasingly litigious times, your company's officers and board of directors may be the targets of financially crippling lawsuits. With personal accountability for risk escalating, it is vital to have a robust system of checks and controls in place within your organisation. Directors are exposed to increased risk precisely because of the qualities for which you hired them (initiative, vision and business strategy), which makes it harder to recruit top-tier talent. The Eurotek NS Liability Risk Assessment is an efficient way to manage that risk and reduce personal exposure for directors, officers and senior managers.
With the Eurotek NS Liability Risk Assessment, you benefit from industry-recognised experts with no conflicts of interest affecting your existing arrangements.
By improving your risk management focus your business will experience:
- Greater awareness and focus on the full cost of risk
- Reduced liability exposure to business Managers/Directors
- Objective support for audit requirements
- Reduced business uncertainty
- Establishment of realistic goals and objectives
- Competitive insurance premiums
- Availability of additional insurance market alternatives
- An improved workplace for your people
- Enhanced staff morale
BUSINESS CONTINUITY MANAGEMENT
Development of business continuity strategy: we help organisations define which assets and information sets are important to them and put in place threat-based scenarios that could impact business operations. Eurotek NS assists clients by engaging with internal and external security teams, facilitating Business Impact Analysis, performing compliance reviews against the current business continuity standard (ISO 22301), and integrating with crisis management teams to ensure the appropriate people and teams are on hand in the event of a security breach.
Business Continuity Management
Today most organisations have business continuity and disaster recovery plans in place, both to comply with regulatory and industry standards and to maintain core business processes, practices and needs, so that normal activities can be resumed as quickly as possible in the event of a breach.
Business Continuity Planning & Management practices involve the commitment of the Board to shareholders and stakeholders to ensure the survivability of the business during a crisis or disaster. The processes towards creating a Business Continuity Plan include:
- Risk Assessments — Operational, Security, Reputation, Terrorism, Geo-Political
- Business Impact Analysis
- Crisis and Disaster Recovery Planning and Exercises
A crisis takes away the focus of senior management from normal business activities — for example, the sudden loss of key personnel, large scale fraud, or kidnapping of key personnel.
A disaster, such as fire, flood, explosion or other calamity, stops production, or halts export of product.
As a member of relevant international institutes, EPS provides expert services to assist clients in managing business risk.