
ASSURANCE
Whether you need guidance with achieving compliance to a particular industry standard or simply want an expert opinion of your systems, policies and procedures, ECSC Assurance can help.
You may already have specific requirements that our consultancy services can address, or you may want help in better understanding your risk position so that you deploy resources and investment into protection where you need it most.
Experienced and Qualified Consultants
All our consultants are highly qualified, and our minimum consultant qualification is Certified Information Systems Security Professional (CISSP). In addition, our PCI specialists are all Payment Card Industry Qualified Security Assessors (PCI QSA), and our ISO 27001 specialists have all passed the ISO 27001 Lead Auditor and Lead Implementer examinations.
With many organisations changing how they operate, there has been a significant move to remote working and additional reliance on technology.
Now more than ever, companies are seeing the need to employ a Chief Information Security Officer (CISO). However, finding a CISO in this climate is tough: they are hard to come by and, if you can find one, can be very expensive too. The alternative is to consider the services of a Virtual Chief Information Security Officer (vCISO).
A vCISO works well when you need ongoing help but do not need a full-time experienced senior manager. The service normally takes the form of regular on-site days (perhaps one or two days per month), combined with flexible remote work where you need it, and can be tailored to your particular requirements and the complexity of your IT systems.
What is our vCISO service?
The vCISO is there to provide leadership and guidance where necessary, and to assist in developing and deploying effective information security protection. This allows you to manage the increasing threats and protect your organisation’s data.
With the right specialist manager, even part-time, you can get the advice you need to address weaknesses before a breach occurs. The guidance you receive will cover technology and its associated processes, but also people-related matters (as people can be your greatest risk).
Our virtual CISO is there to assist across a wide variety of senior management activities. These can include:
- Assessing current risks
- Supplier management
- Briefing stakeholders
- Assessing technical and process compliance
- Formulating policy and process
- Training and awareness
- Certification management
- Assessing new projects and technologies
- GDPR advice
- Security service scoping and supplier selection
Our service is tailored to whatever your business requires: whether you need support for a one-off project or regular oversight, we can deliver what you need.
Although not strictly a standard, the General Data Protection Regulation requires all organisations storing or processing personal data to protect it, with significant fines and potential prosecutions for failing to do so.
Although the UK is no longer part of the European Union, it has decided to continue to incorporate GDPR in UK law. Going forward, this will be known as GDPR UK.
With significant fines for failing to keep information secure, this cannot be ignored. However, GDPR doesn't contain specific technical and process requirements to help you with your cyber security, and (at the time of writing) the government has no plans to develop a specific certification to this regulation.
However, we do have something useful as a starting point. To coincide with GDPR UK, the Information Commissioner's Office (ICO) and the NCSC simultaneously published a set of much more specific 'Security Outcomes'. These can be a useful development checklist, particularly for SMEs as a next step after meeting Cyber Essentials.
ECSC has incorporated the GDPR Security Outcomes as a specific focus within our wider Cyber Security Review methodology. However, compliance can be reviewed and reported as an independent exercise if you require.
What is the Cloud?
The cloud is a term used to describe a variety of services hosted externally and usually accessed across the Internet.
Cloud services present many cyber security challenges. The cloud is a relatively new and fast-changing area of IT, and very few people use cloud services securely.
Is the Cloud safe?
As with all information solutions, this depends on the protection, monitoring and response plans you have in place. To understand how secure your cloud solution is, we advise undertaking a security assessment.
A Cloud Security Assessment is designed to assess the security-critical aspects of a cloud solution, and to distinguish the areas that are the responsibility of the cloud provider from those for which you retain responsibility.
ECSC Cloud Security Assessments
As part of an effective Cyber Security Management System (CSMS), ECSC’s Cloud Service Assessment helps you to assess the cyber security status of a vast range of cloud services. Where required we can help with remediation of any weaknesses or provide advice on complementary services with additional specialist ECSC cyber security cloud managed services.
An assessment may form part of a wide-ranging ECSC Cyber Security Review that also maps your compliance to the Information Commissioner's Office (ICO) GDPR Security Outcomes. Importantly, any findings are reported in a format and language designed for senior (non-IT) managers and organisational executives.
We recommend a Cloud Security Assessment to all organisations that are looking to move, or have already moved, traditional IT systems and services 'into the cloud'. In either scenario it is vital that you understand the risks, and how to manage them to avoid a costly cyber security breach, which can include ICO fines, reputational damage and even loss of trading.
The ECSC methodology targets the essential elements of each type of cloud service, typically Infrastructure as a Service (IaaS), Software as a Service (SaaS) and Platform as a Service (PaaS), and additionally Shadow IT. We then provide you with a clear picture of the risks, potential remediation and, importantly, where you are personally responsible.
Objectives and Outcomes
Our aim is to help you understand the risks associated with moving your traditional IT systems ‘into the Cloud’, and how to manage them to avoid a costly cyber security breach, which can include ICO fines, loss of trading and reputational damage.
The ECSC Cloud Assessment is designed to highlight the cyber security risks inherent in many IT cloud services and identify potential improvements.
To learn more about our Cloud Security Assessment and why we’re seeing an increase in cloud related cyber security breaches, please take a look at our brochure.
No matter how effectively you construct a security perimeter, it is likely that certain critical applications have to be visible to facilitate your operations. With the usual time pressures on software developers, and considering that most developers are not security specialists, the focus tends to be on the functionality of the software and not security elements. It is no surprise that practically all software contains holes waiting to be exploited by someone with the right knowledge, tools and intent.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) was developed by the Payment Card Industry Security Standards Council in response to feedback from forensic investigations that follow breaches of card data.
As a result of an increasing number of card breaches, with losses reaching $750 million between 1988 and 1998 (roughly £453 million at the time), it was evident that a focus on security was required. This was further supported by the increase in online payments in the early 2000s and additional security breaches from online transactions.
The standard sets out security requirements for any organisation or Merchant that stores, processes or transmits cardholder data, to ensure all credit card data is protected. The standard is updated periodically, in response to changes in the methods of attack used by hackers, and to introduce security for new technologies.
PCI DSS Assessments
Through our work as Qualified Security Assessors (QSAs), our role is to:
- Help you understand your PCI DSS compliance obligations and options
- Support you through a development programme to deploy compliant systems, and remove others from scope
- Assess you against the standard, either as a Merchant reporting to your bank, or as a Service Provider
We are well placed to understand the more challenging aspects of the PCI DSS and are able to create solutions that are tailored to your particular challenges and ensure you have a smooth route to compliance. We also support clients in gaining compliance following a breach of card data.
Whether you need multiple solutions or a single solution to fill the gaps in your existing technology or expertise, our nationwide team could provide the support your business may need.
Our team has over 10 years of experience, and all our consultants are QSA qualified and also hold CISSP and ISO 27001 Lead Auditor qualifications. All of our QSAs have a background in IT and information security.
Our PCI Service Director is a former Chartered Engineer and Retail IT Director who understands the challenges and intricacies of PCI DSS. Prior to joining ECSC, he implemented PCI DSS within the travel industry, and he has maintained his membership of the Chartered Institute for IT (MBCS), meaning he is well equipped to provide insight and guidance on how you could become PCI DSS compliant.
How we work
Our aim is to support any organisation regardless of size to achieve PCI DSS compliance and effective cyber security. Here are a few of the ways we do this:
- Provide expert, vendor independent, technical and security advice
- Always seek ways to reduce the scope of compliance to minimise costs and impact
- Offer solutions to complex problems, such as legacy systems
- Advise on the development of policies, procedures and standards
- Analyse complicated and varied payment systems, to identify where PCI DSS does and doesn't apply
- Aid in completing Self Assessment Questionnaires (SAQs)
- Conduct full assessments for organisations and service providers
As with all solutions, these will be specific to your organisation, and as such, at ECSC, we take a tailored approach to ensure you achieve compliance and meet your security obligations.
Data security and the prevention of costly breaches is a key concern for most businesses in this day and age. Organisations are increasingly being asked to provide evidence by their clients and stakeholders that they have effective information security controls in place to ensure protection of their data against loss or unauthorised disclosure.
ISO 27001 is an internationally recognised security framework which can be adopted by most organisations (regardless of size or industry) to help identify their risks, and protect their information appropriately. Its flexibility means businesses can choose the most appropriate controls, commensurate with their level of risk, and provide assurances as to the protection and availability of their information.
Certification to ISO 27001 demonstrates ongoing, independent review of your security policies, processes and controls. For many organisations, this standard is an essential component of winning new business and ensuring client confidence in their data handling, processing and storage.
ISO 27001 encourages continual improvement of your security defences, requiring you to regularly review internal and external threat factors that could pose risks to your organisation. Organisations with ISO 27001 are in a much stronger position to recognise and respond quickly to security incidents and breaches.
ISO 27001 Consultancy
ECSC can help you understand your current level of compliance against the requirements of the standard. You may find through a gap analysis exercise that you already have many of the required processes and/or documentation. We can then help you to address the gaps in a manner which suits your organisation.
All ECSC's qualified ISO consultants are experienced in the successful implementation of security management systems, and can help you navigate your way through the standard to full certification. Our support can include initial risk assessments, policy and procedure development, recommending improvements, staff training, internal audits, and ongoing improvement activities. Our consultants can prepare you for your annual UKAS-accredited certification body assessment.
Experienced and Qualified Consultants
All our consultants are highly qualified, and our minimum consultant qualification is Certified Information Systems Security Professional (CISSP). Our ISO 27001 specialists have all passed the ISO 27001 Lead Auditor and Lead Implementer examinations. In addition, our PCI specialists are all Payment Card Industry Qualified Security Assessors (PCI QSA).