Cloud Security and Governance – Mind the Security Gap

Workloads are migrating to the Cloud with ever increasing speed and…
An ICT environment is a minefield. Most businesses no longer have full control of their systems, data, applications and their users.
The edge of an ICT environment is no longer the network perimeter but a set of different components: user identity, third-party and vendor access management, cloud applications and BYOD devices. In some cases the list is long.
It is important that a business understands the gaps in its security, the control of those gaps, or lack thereof, and the risk the business incurs by not addressing those gaps.
We provide both cybersecurity and risk assessments of your environment to identify the security gaps, score the risk of those gaps to your business and deliver solutions using processes, toolsets and services to mitigate and control those risks.
Cyber security assessments
A cybersecurity assessment is delivered by one of our certified cyber security auditors over a specified period of engagement.
In its simplest form, the main purpose of the assessment is to identify the security gaps within an organisation, focusing on the confidentiality, integrity and availability of the data, users and systems in the environment. The auditor will look at how confidentiality is maintained by observing how authorised and unauthorised access attempts are dealt with and how the confidentiality of data and user information is preserved. The auditor will also look at how the business maintains the integrity of the environment by observing processes such as the levels of privileged data and assets, how they are controlled, and by whom. The auditor will then look at how data is made available by the business and how securely that availability is provided to the different users of that data.
The auditor will also assess the different services within the organisation and any other service, such as cloud solutions, where data may reside.
Once the assessment is concluded, the auditor will summarise what has been discovered and provide the business with the results, showing where gaps were identified and where the business is protected. Each assessed gap may be scored on a High / Medium / Low impact basis. The auditor may also be asked to provide solutions to minimise or control the gaps found.
A risk assessment takes the gap findings from the cyber security assessment and adds a risk score to each finding. The risk portion of the assessment is usually based on the following calculation:
RISK = ([Means+Motive] x Opportunity) x Business Impact / Controls
Once the risk value of the gap is scored using the calculation, the auditor will further assess the risk by integrating the risk score into a risk matrix which has been agreed to by the EXCO members of the business.
We usually recommend a 5×5 risk matrix which is then customised to each individual engagement based on the business’ risk appetite.
This is known as a qualitative risk score and is used for most engagements; however, some businesses want to understand the financial impact of the risks identified.
A quantitative risk assessment is carried out to determine all the costs that would be incurred by the business if an identified gap were to be exploited. This type of risk assessment is usually the most time consuming and arduous.
Once the assessed business understands its gaps and their inherent risk, the business will decide whether to mitigate, transfer, avoid or accept each risk based on the business’ risk appetite, which is usually determined by the board or EXCO members.
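As an added illustration of the scoring steps above (not the assessor's own tooling), the snippet below applies the RISK formula to a set of constructed gap findings, collapses the threat side of the formula onto the likelihood axis of a 5×5 matrix, and looks up a band and default treatment; the 1–5 scales, band thresholds and treatments are assumptions standing in for a risk appetite agreed with EXCO.

```python
import math
from dataclasses import dataclass

# Constructed example: scores gap findings with
# RISK = ([Means+Motive] x Opportunity) x Business Impact / Controls
# and places each finding on a 5x5 likelihood x impact matrix.

@dataclass(frozen=True)
class Gap:
    name: str
    means: int        # attacker capability, 1..5 (assumed scale)
    motive: int       # attacker motivation, 1..5
    opportunity: int  # exposure / ease of access, 1..5
    impact: int       # business impact, 1..5
    controls: int     # effectiveness of existing controls, 1..5 (1 = none)

def risk_score(g: Gap) -> float:
    """Raw score from the page's formula."""
    return (g.means + g.motive) * g.opportunity * g.impact / g.controls

def likelihood(g: Gap) -> int:
    """Threat side of the formula (everything except impact), scaled onto the
    matrix's 1..5 likelihood axis; the maximum raw value is (5+5)*5/1 = 50."""
    raw = (g.means + g.motive) * g.opportunity / g.controls
    return max(1, min(5, math.ceil(raw / 10)))

# Assumed 5x5 matrix bands on the likelihood*impact cell value (1..25), each
# with a default treatment; a real engagement tunes these to the risk appetite.
BANDS = [(4, "Low", "accept"), (12, "Medium", "mitigate"), (25, "High", "mitigate or transfer")]

def rate(g: Gap) -> tuple[int, int, str, str]:
    """Return (likelihood, impact, band, default treatment) for one finding."""
    cell = likelihood(g) * g.impact
    for limit, band, treatment in BANDS:
        if cell <= limit:
            return likelihood(g), g.impact, band, treatment
    raise ValueError("matrix cell out of range")

def ranked(gaps: list[Gap]) -> list[tuple[str, float, str]]:
    """Findings ordered by raw risk score, highest first, with their band."""
    return sorted(((g.name, risk_score(g), rate(g)[2]) for g in gaps), key=lambda r: -r[1])

# Constructed sample findings (name, means, motive, opportunity, impact, controls).
SAMPLE = [
    Gap("Shared admin account on cloud console", 4, 4, 5, 5, 1),
    Gap("Vendor VPN access without MFA", 3, 3, 4, 4, 2),
    Gap("Stale guest accounts in SaaS tenant", 2, 2, 3, 2, 3),
]

if __name__ == "__main__":
    for name, score, band in ranked(SAMPLE):
        print(f"{score:6.1f}  {band:6}  {name}")
```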