We develop our Clients' cyber resilience posture across their whole organisation, & within the context of the threats they face.
Any maturity / risk assessment that CYSIAM conducts begins with a threat assessment. Threat intelligence is key in understanding the context of the assessment we are undertaking, and prioritisation / criticality of the resultant planning. We don’t omit any assessment criteria in our reviews, we use threat intelligence to gain increased focus on certain areas in the same way that an attacker would.
Ensure adequate Incident Response and Business Continuity planning is in place;
Understand the threat, baseline required security controls, and identify maturity pathways;
Implement, operate, and continually improve protective security controls;
Implement an intelligence-led continuous monitoring and intrusion detection capability;
Efficiency-test preventive security controls and intrusion detection capabilities.
Ensure adequate Incident Response and Business Continuity planning is in place;
Understand the threat, baseline required security controls, and identify maturity pathways;
Implement, operate, and continually improve protective security controls;
Implement an intelligence-led continuous monitoring and intrusion detection capability;
Efficiency-test preventive security controls and intrusion detection capabilities.
We assess your organisation against combined international standards, providing detailed metrics on your current risk profile and level of maturity. Our consultants help you to identify critical weaknesses that could be exploited by attackers, whilst our bespoke platform generates detailed reports with actionable recommendations.
Cyber-risk should be treated like any other business risk and should have board level ownership. This review will evaluate the approach to cyber-risk, how it defines roles and responsibilities, and if critical business dependencies have been identified along with the threats posed to them.
Appropriate documentation and working practices provide the necessary underlying foundation on which the correct business decisions can be made, whilst demonstrating compliance to relevant legislation and standards. Our review will evaluate existing policies and identify gaps in documentation and working practices that can be addressed to reduce cyber-risk.
Technology should comply with, and support, the security policies of an organisation. ICT teams (internal or outsourced) are usually focused on maintaining availability of the technology's functionality, and this can lead to mismanagement of technical security controls. We assess the 'real-life' approach against policies to identify any gaps (vulnerabilities). To this end, we can conduct vulnerability scans of the organisation's external and internal network and devices as part of a policy compliance assessment.
Understanding the data that is processed is crucial not only for establishing and implementing the correct security controls, but also for legal compliance (GDPR). This review will confirm whether an organisation has identified the data it processes, transmits, and stores, and whether it has the necessary security in place to protect it.
People can be a critical weakness in cyber security but also a key aspect of defence. Understanding levels of awareness within an organisation and its workforce helps to identify areas of strengths and weakness and where to focus programmes of improvement. Culture plays an important role in the security of an organisation and our assessment will evaluate if cyber security awareness and understanding is embedded at all levels.
We look here at how physical access to an organisations ICT infrastructure is controlled, from server rooms to network access points to individual devices. Often the simplest method of attack is best and stealing or cloning an employee's door pass can gain vital access to sensitive areas of buildings. This is where digital and physical risks overlap, and we always advocate a holistic view of security.
Critical suppliers and third parties can introduce vulnerabilities to an organisation's business resilience and security. Due diligence should be carried out on critical suppliers and third parties to identify any risks associated with them or the services, products, or systems that they provide. The review will ascertain the level to which supplier risk is addressed within the organisation.
Whilst the CYSIAM Pathway framework is bespoke, it does cover the key aspects of several industry leading standards and regulations such as:
► NCSC Cyber Essentials & Cyber Essentials Plus
► ISO 27001
► NIST Cyber Security Framework (CSF)
► GDPR
► PCI DSS (only used if relevant to business)
“CYSIAM's key strengths would be industry experience and technical skills; across the board the CYSIAM team is really powerful in those areas.”
