Information Security Consultancy
There can be little doubt that securing and protecting information is an essential requirement for organisations, irrespective of their market sector or size. The challenge for many organisations, however, is implementing and maintaining a level of information security that is appropriate to them. This can be achieved by adopting an approach to information security management that is based on continuous improvement and regular review – a management system. It is important to note that no two information security management systems (ISMSs) will be the same, due to organisational differences in the actual and perceived values of information, business goals, risk appetites, demands by customers/regulators etc.
Your ISMS should be tailored to and reflect your organisation, how you work and the terminology you use, and should be part of business as usual. We, at URM, are cognisant of these requirements and are dedicated to assisting you to identify, achieve and maintain your desired levels of information security.
How do we achieve this?
Understanding your business goals/objectives
Our first goal is to understand what your organisation’s mission is, what your business objectives are and where information security fits into these. It is important to assess what the impact would be on your organisation if you suffered a loss of confidentiality, integrity or availability of your key information, and to understand what your risk appetite is. Our approach is based on ensuring that information security is totally embedded and integrated into the day-to-day management of your business and is not some stand-alone function.
Adopting a risk-based approach
This is the area where we believe we can add the greatest value to an organisation. Since 2002, we have been developing and honing our risk assessment methodologies and software tools to enable you to identify, in a scientific but practical and pragmatic manner, where your greatest information-related risks are. By adopting such an approach, you will be able to save time and money by prioritising and implementing controls (technical, people, policy and process related) which are appropriate and relevant to you and that bring the greatest benefit.
Specialists in ISO 27001, PCI DSS and Data Protection
Having been involved in implementing ISO 27001, the International Standard for Information Security, since its inception, we believe we have unrivalled insights into the Standard’s requirements and how best to satisfy them. Our own ISMS has been certified to this Standard since 2008. We strongly believe that with its risk-based approach and emphasis on continuous improvement, ISO 27001 provides an ideal and pragmatic information security framework for any organisation and the perfect internal and external demonstration that you take information security seriously. Assisting organisations to comply and certify to this Standard is undoubtedly one of our distinctive competences and we have a track record of over 150 successful projects. We can offer you a service which matches your skills, resource availability, budget, timescales and aspirations. This includes full lifecycle services or assistance with specific aspects such as identifying and valuing assets, conducting risk assessments, developing policies and processes, conducting audits and developing and delivering security awareness programmes. URM also regularly holds free seminars on implementing ISO 27001. Case Studies of organisations certified against ISO 27001 and which have benefited from the assistance of URM can be found here.
In terms of our expertise with the Payment Card Industry Data Security Standard (PCI DSS), URM has been certified by the PCI Security Standards Council (SSC) as a Qualified Security Assessor (QSA) to assess organisations’ compliance with the Standard. Our approach means we are also ideally placed to offer advice and guidance on courses of action you can take to best meet the requirements of the Standard, in a manner which works for you. In our experience there are significant levels of confusion around the Standard, and we are able to help you navigate it by establishing your current compliance status, how to achieve and validate your compliance and, most importantly, how to reduce the burden of compliance.
Compliance with the Data Protection Act is another area of URM expertise. Here our team of experienced DP practitioners can assess your current level of compliance with the Act, how adequate and reliable your current measures are and how to improve them, and can also advise on what you need to do about the General Data Protection Regulation (GDPR).
A growing cyber risk for all organisations is phishing where fraudsters attempt to access valuable information such as usernames, passwords and account information by masquerading as a reputable entity or person in an email or another communication medium. Phishing can also involve sending malicious attachments or website links in order to infect computers or mobile devices.
In order to combat the threat of phishing, organisations need to adopt technical solutions backed up by comprehensive staff awareness campaigns designed to increase the likelihood of users spotting a phishing attempt and raising a security incident to enable the organisation to respond accordingly.
In order to assist organisations to assess their users’ awareness and vigilance to phishing attempts, and how they process incoming third-party emails, URM has developed an effective methodology aimed at determining and measuring an organisation’s level of exposure.
Working closely with sponsors from the client organisation, we develop micro websites and a campaign of orchestrated emails aimed at inducing users to open the email, click on a link and provide sensitive information, e.g. passwords. This involves creating initial emails and micro websites that look like the legitimate email/website being imitated, and then responding to and evolving the campaign as users begin to interact with the emails. Naturally, the potential impact to the organisation of users clicking on unknown links and providing confidential information could be extremely damaging.
At the end of the exercise, through the use of our tracking software, we are able to report back on the number of users who potentially exposed the organisation to the risk of a data breach or to malicious software. Once completed, the results of the exercise can then form a very powerful component of any staff awareness programme. By referring to the actions of personnel from the actual organisation, cyber risk is no longer an abstract term but something users can practically relate to.
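The reporting step described above, as an added illustration that is not URM's tracking software or methodology: it takes per-user tracking events from a simulated campaign and reduces them to an exposure funnel (delivered, opened, clicked, submitted) plus the number of users who reported the email. The event format, the stage names and the sample events are all assumptions constructed for this example; a real campaign would feed in the events its tracking tooling actually records.

```python
"""Summarise a simulated-phishing awareness exercise from tracking events.

Added example, not URM's tool. The event tuple format (user, event, timestamp),
the stage names and the sample data below are constructed assumptions.
"""
from collections import Counter

# Ordered exposure stages: reaching a later stage implies the earlier ones,
# so a user whose only recorded event is 'submitted' still counts as clicked.
STAGES = ("delivered", "opened", "clicked", "submitted")
RANK = {name: i for i, name in enumerate(STAGES)}

# Constructed sample events for five users (user, event, ISO timestamp).
SAMPLE_EVENTS = [
    ("alice", "delivered", "2024-05-01T09:00:00"),
    ("alice", "opened", "2024-05-01T09:05:00"),
    ("alice", "clicked", "2024-05-01T09:06:00"),
    ("alice", "clicked", "2024-05-01T09:07:00"),    # duplicate click, counted once
    ("bob", "delivered", "2024-05-01T09:00:00"),
    ("bob", "opened", "2024-05-01T10:00:00"),
    ("carol", "delivered", "2024-05-01T09:00:00"),
    ("carol", "clicked", "2024-05-01T11:00:00"),    # no 'opened' beacon (images blocked)
    ("carol", "submitted", "2024-05-01T11:01:00"),
    ("dave", "delivered", "2024-05-01T09:00:00"),
    ("erin", "delivered", "2024-05-01T09:00:00"),
    ("erin", "reported", "2024-05-01T09:10:00"),    # raised as a security incident
]


def furthest_stage(events):
    """Map each user to the furthest exposure stage they reached.

    Duplicates collapse naturally and timestamp order is irrelevant, because
    only the highest-ranked stage per user matters. Event names outside the
    funnel (e.g. 'reported') are ignored here.
    """
    furthest = {}
    for user, event, _ts in events:
        if event not in RANK:
            continue
        if user not in furthest or RANK[event] > RANK[furthest[user]]:
            furthest[user] = event
    return furthest


def reporters(events):
    """Users who reported the email: the behaviour an awareness programme wants."""
    return {user for user, event, _ts in events if event == "reported"}


def funnel(events):
    """Cumulative user count per stage (a 'submitted' user counts in all four)."""
    counts = Counter()
    for stage in furthest_stage(events).values():
        for earlier in STAGES[: RANK[stage] + 1]:
            counts[earlier] += 1
    return {stage: counts[stage] for stage in STAGES}


def exposure_report(events):
    """Rates relative to emails delivered, plus the users who clicked or worse."""
    f = funnel(events)
    delivered = f["delivered"] or 1  # avoid division by zero on an empty campaign
    exposed = sorted(
        user for user, stage in furthest_stage(events).items()
        if RANK[stage] >= RANK["clicked"]
    )
    return {
        "funnel": f,
        "click_rate": f["clicked"] / delivered,
        "submit_rate": f["submitted"] / delivered,
        "report_rate": len(reporters(events)) / delivered,
        "exposed_users": exposed,
    }


if __name__ == "__main__":
    report = exposure_report(SAMPLE_EVENTS)
    for stage, count in report["funnel"].items():
        print(f"{stage:>10}: {count}")
    print(f"click rate  {report['click_rate']:.0%}")
    print(f"submit rate {report['submit_rate']:.0%}")
    print(f"report rate {report['report_rate']:.0%}")
    print("users to prioritise for awareness follow-up:", report["exposed_users"])
```

The report rate is tracked alongside the click and submission rates because the aim of the awareness programme is to raise it, not only to drive the others down; the exposed-user list is what feeds the follow-up training the page refers to.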