Audit, Risk IT and Information Security

 


Audit, Risk IT and Information Security Management

 

The use of IT to process information continues to evolve, and organisations’ dependence on information is continually increasing. Dependence on information systems and services means organisations are more vulnerable to security threats. As it becomes easier to exchange information, it also becomes more difficult to protect it. Most organisations today have become targets of attacks on their IT systems and the information they transmit.

QUALISYS Consulting's Information Security consulting services provide a structured, practical, results-oriented approach that assists organisations in all aspects of developing, implementing or managing an Information Security Management System (ISMS) in compliance with ISO/IEC 27001.

We have extensive experience in developing security management systems in both private and public sector organisations. Some of the key services we offer include:

 

IT and IS Audit Service

IT has developed into the nerve centre of most organisations. It has become an intrinsic and pervasive component of business, used to sustain and extend enterprises’ strategies and objectives. The impact of emerging technology (cloud computing, big data, mobility, consumerisation, social media and the internet of things) is permeating every aspect of business. Today, more than ever, forward-looking organisations are using IT to build sustainable competitive advantages. Whilst IT-enabled business opportunities are huge and can separate winners from losers, the risks, if not checked, are catastrophic. IT and IS audit consulting has in turn evolved from checklist reviews focused only on reporting control deficiencies and recommendations into a strategic enterprise function that supports the achievement of business strategies and objectives.

Traditional approaches to IT assurance and advisory are no longer adequate to improve enterprise operations and add value to the business.

QUALISYS Consulting has the in-depth experience and qualifications to provide risk-based audit services that address the IT matters affecting your specific business.

QUALISYS goes beyond traditional IT auditing checklist services. Our audits are driven by an in-depth understanding of our clients’ business environment and by building lasting relationships with all stakeholders, whilst maintaining our independence, to provide value-adding IT/IS audits and communicate deeper insights that grab the attention of senior management and the audit committee.

  • Risk-based compliance and substantive combined review of system and business (manual) input, processing, interface, master data and output controls
  • Business process reviews combined with: workflow systems reviews; interface systems; support systems; middleware
  • IT governance and strategy reviews
  • IT infrastructure and general controls reviews: IT performance and capacity planning; IT human resources; business continuity/disaster recovery; change management; incident/problem management; outsourced IT environments…
  • ICT security reviews (logical security access controls; governance of identity and access management; toxic combinations; operating systems; database reviews; network reviews…)

 

For more information and details in this section, Contact us.

IT Risk Management

QUALISYS Consulting can help implement the Risk IT framework for organisations of any type or size to identify, govern and manage IT risk.

Risk IT provides an end-to-end, comprehensive view of all risks related to the use of IT and a similarly thorough treatment of risk management, from the tone and culture at the top, to operational issues.

Risk IT is also part of the larger COBIT framework, and it deals with risks arising from the intersection of business and IT. Risk IT is best for cost-cutting strategies, as it provides methods to focus on important risks such as late project delivery, compliance, obsolete IT equipment or service delivery issues.

Risk Assessment: Risk Assessment focuses on the assessment of significant IT risks to the organisation. Our Risk Assessment services will assist you to implement an IT Risk Management Framework, develop a clear understanding of your organisation’s appetite for risk and its compliance requirements, and embed risk management responsibilities. Our approach makes provision for documenting the agreed-upon level of IT risk and for agreeing on appropriate mitigation strategies and residual risks. This will ensure that any potential impact on your organisation’s goals caused by an unplanned event is identified, analysed and assessed. The result of the IT Risk Assessment is a risk register which is understandable to the stakeholders and enables them to mitigate risk to an acceptable level of tolerance.

Risk Management Framework: Our Risk IT service brings value to any type or size of enterprise, and is suited to customisation. You will be able to define key risk indicators and build up scenarios and a risk map with risks ranked as opportunity, acceptable, unacceptable and really unacceptable. You will understand how to use an existing control to manage identified risks. Most managers choose to implement the framework because of its integration with the overall risk and compliance structures within the enterprise, which gives IT professionals, managers and auditors a common language.

 


Information Security Management and Governance

Information Security Management System (ISMS) ISO 27001 Assessment: The QUALISYS Consulting ISO/IEC 27001 assessment service is structured to provide a high level and independent review of the content and quality of the Information Security Management programme and documentation.

The approach, tailored to your organisation’s needs, is applicable to organisations of different sizes, and whose Information Security processes vary in maturity.

Through a combination of desktop research, and structured interviews, our experienced consultants conduct an assessment of your ISMS plans and documentation. The reviews are conducted by comparing the ISMS programme and documentation against the ISO/IEC 27001 Information Security standard.

The assessment results will provide you with opportunities to make enhancements to the ISMS, based on the ISO/IEC 27001 standard.

 

ISMS ISO 27001 Implementation: QUALISYS Consulting's approach to ISMS implementation support is based on the ISO/IEC 27001 Information Security Standard. The ISO/IEC 27001 Standard effectively comes in two parts:

 

ISO/IEC 27001:2005 is a standard specification for Information Security Management Systems (ISMS). An ISMS is the means by which Senior Management monitor and control their security, minimising the residual business risk and ensuring that security continues to fulfil corporate, customer and legal requirements.

ISO/IEC 27002:2007 is the standard code of practice and can be regarded as a comprehensive catalogue of good security actions.

 

 

Our ISMS implementation service could involve consulting assistance with one or more of the following aspects:

 

Phase 1: Plan (Establish the ISMS)

 

  • Define the scope of the ISMS
  • Define the ISMS Policy
  • Define a systematic approach to risk assessment
  • Identify the risks
  • Assess the risks
  • Identify and evaluate options for the risk treatment
  • Select control objectives and controls
  • Prepare a statement of Applicability
  • Obtain Management Approval

 

Phase 2: Do (Implement and Operate the ISMS)

 

  • Formulate a risk treatment plan
  • Implement the risk treatment plan
  • Implement all selected control objectives and controls
  • Implement the training and awareness programme
  • Manage operations

 

Phase 3: Check (Monitor and review the ISMS)

 

  • Execute monitoring procedures
  • Undertake regular reviews of the effectiveness of the ISMS
  • Review the level of residual risk and acceptable risk
  • Conduct internal ISMS audits
  • Undertake management reviews of the ISMS on a regular basis
  • Record all events that have an effect on the performance of the ISMS

 

Phase 4: Act (Maintain and Improve the ISMS)

 

  • Implement the identified improvements
  • Take appropriate preventive and corrective action
  • Communicate the results to all interested parties
  • Ensure that the improvements achieve the intended objectives

 

ISMS Policy and Procedure Development: ISO/IEC 27001 implementation requires the development and implementation of a variety of Information Security controls. We provide consulting services, toolkits and templates to assist you in developing the Information Security policies, procedures, practices, organisational structures and other controls required to achieve ISO/IEC 27001 compliance.

 

ISMS Risk Assessment: Within the ISMS programme, a Risk Assessment focuses on the threats that jeopardise the confidentiality, integrity and availability of important information and data of an organisation.

Our Risk Assessment services will assist you to determine your information security requirements through a methodical assessment of your information security risks.

The Risk Assessment service is tailored to assist you to:

  • Identify and adopt a suitable risk assessment methodology
  • Develop criteria for accepting risks
  • Identify acceptable levels of risk
  • Assess potential threats and vulnerabilities
  • Ensure that risk assessments produce comparable and reproducible results

The results of the Risk Assessment would guide and determine the appropriate management action for managing security risks and for implementing controls selected to protect against these risks.

 

ISMS Control Selection: Our information security controls selection and development services assist our clients to prioritise, evaluate, and implement the appropriate risk-reducing controls recommended from the risk assessment process, as appropriate to the organisation’s operations.

 

These services are aimed to assist you with the selection of appropriate controls that will reduce the level of risk to the organization’s information security to an acceptable level.

Our approach makes provision to analyse the controls that have been implemented, or are planned for implementation, by the organisation to minimise or eliminate the likelihood (or probability) of a threat’s exercising a system vulnerability.

It may not be practical to address all the identified risks, so we assist you to give priority to the threat and vulnerability pairs that have the potential to cause significant mission impact or harm.

 

ISMS Awareness and Training Programmes: Employees represent the most cost-effective countermeasure against security violations. Our Information Security Awareness programme services assist organisations to develop workable programmes that ensure your employees are aware of the importance of their information security activities and of the way they participate in meeting the ISMS objectives.

 

Our approach and methodology to Information and IT security awareness programme design makes provision for three major steps: Designing the program (including the development of the IT security awareness and training program plan); Developing the awareness and training material, and Implementing the program. We believe that even a small amount of IT security awareness and training can go a long way toward improving the IT security posture of, and vigilance within, an organisation.

Regulatory or Legislative Compliance: The statutory and contractual security requirements that an organisation, its trading partners, contractors and service providers have to satisfy should be documented in an ISMS. We offer consulting to assist organisations to identify the legal, statutory and contractual requirements related to the organisation’s information assets.

 


PCI DSS Compliance Services

If your organisation is a merchant or service provider, QUALISYS can help you to improve your cyber security and comply with the requirements of the PCI DSS in the shortest timeframe and for the minimum cost.

We can help with any or all of the following stages of a PCI DSS implementation project:

  1. PCI DSS scoping and gap analysis
    First, the gap analysis stage compares where your organisation currently stands with where it needs to be in order to meet the full requirements of the Standard. We will identify where cardholder data is stored, processed or transmitted within your environment, and determine your cardholder data environment (CDE) – your ‘scope’ for PCI DSS compliance. At this early stage we can work with you to reduce the scope, ultimately resulting in reduced resources and expenditure.
  2. Implementation and remediation
    When the gap analysis stage has been completed, we can assist in the design and implementation of a PCI DSS project team within your organisation, which will ultimately be responsible for undertaking the remediation work to achieve compliance. This will save you having to contract external remediation consultants. Of course, IT Governance can be on hand to attend regular checkpoint meetings to ensure that the project remains focused and on track. We can also provide support with the creation of the relevant documentation required for compliance (e.g. policies and procedures).
  3. PCI compliance audit and Report on Compliance (ROC)
    IT Governance will undertake a QSA audit to conduct a thorough assessment of the controls you have implemented and to establish whether they meet the requirements of the PCI DSS.
  4. Maintenance and continual improvement
    We can also offer support to help you maintain and continually improve your PCI compliance, whether with penetration testing, documentation templates or staff training. See below for links to our other PCI DSS services.

 


Business Continuity Management (BCM)

QUALISYS Consulting Business Continuity Management offers a range of consulting services that assist organisations in implementing Business Continuity Programmes that safeguard the interests of their key stakeholders, by managing to build resilience and the capability for effective responses to potential impacts that may threaten the organisation.

These services are aimed to assist organizations to effectively develop and implement a BCM policy, BCM strategies and BCM Plans.

QUALISYS Consulting’s approach to BCM implementation support is based on the ISO 22301 standard.

Our implementation approach involves the following phases:

 

Stage 1: Understanding your business (Business Impact Analysis)
Stage 2: Develop the BCM Strategies
Stage 3: Developing and Implementing BCM Response
Stage 4: Developing BCM Culture
Stage 5: Exercise, Maintain and Audit

 
