As the regulatory and compliance landscape has evolved in recent years, responsibility has shifted squarely onto organisations to ensure that their systems and supply chains are performing as expected. ISAS has developed a number of audit solutions for these very scenarios.
A strategic approach to ICT security
Organisations are increasingly facing the challenge of demonstrating to clients, potential clients, investors, regulators or other stakeholders that they have robust governance processes in place to manage the security of their information assets. For such organisations the solution is to implement an independently certified Information Security Management System (ISMS) such as ISO 27001. Others may wish to adopt a framework such as the National Institute of Standards & Technology (NIST) Cybersecurity Framework in order to provide assurance to their Boards or senior management that good practice characterises their ICT management.
ISAS provides a full range of support services for organisations wishing to adopt such an approach whatever their objective.
Building a Security Operations function
ISAS can assist a client organisation in developing an organisational structure that ensures the Security Operations role is delivered. Information Security checklists, procedures and 'runbooks'/'playbooks' will be created specifically for the organisation and will reflect its technology solutions, 'InfoSec' partners and support providers, internal staff resources, etc. ISAS will provide support and training to the staff responsible for SecOps, together with an ongoing review process to ensure the checklists are all being completed correctly. Generating these checklists and preserving them as records of activity provides important artefacts when demonstrable evidence is required in the GDPR era. ISAS can also support the organisation with Incident Response Plan development and implementation, and with response management and support.
Critical Incident Response
Unfortunately, incidents will occur. However, it is an organisation's reaction when an incident does occur that marks out well-run and prepared organisations. Preparing for incidents with plans that are well rehearsed and kept current is key. Fail to prepare, prepare to fail.
Part of a response plan is to have identified experts who can be called on, since for most organisations it is not an option to maintain a full-time incident response team. Engaging with ISAS and having the escalation mechanisms in place before an incident occurs will ensure the minimum loss of time during an incident and that expert, experienced decision makers will be available to the leadership in a time of crisis.
Policy Development & Review
ISAS can work with the client to update existing policies, draft new policies, draft/update standards and procedures and assist the client to embed them in the organisation. For many organisations, the most common policy document referred to is the "Acceptable Usage Policy" or "Information and Communications Technology Usage Policy". However, many of these documents have evolved over time and are effectively ignored in most organisations as they are considered to be of little relevance.
ISAS can work with an organisation to completely reshape the policy structure and make the documents far more relevant for the organisation today and also more easily understood and consumed by the staff and others covered by the policies. An effective and appropriate policy stack should underpin all decisions in an organisation and align with the culture, or ethos, of the organisation while at the same time ensuring compliance with legislation and industry standards.
Data Classification/Data Marking
Classifying the many different types of data a typical organisation is storing allows for an appropriately layered approach as to how it is best secured. This can be particularly important in the era of GDPR where instances of personal data can be identified, marked and managed in accordance with the legislation and an organisation's own policies.
Establishing Records Management
Organisations determined to introduce more discipline to the management of their records can face a daunting challenge due to significant legacy volumes and/or diversity of formats. ISAS can assist with putting in place principles- and standards-based, auditable and pragmatic policies and procedures that cover the entire records' life cycle, to protect against records-related risk and enable records-based opportunity.
Digital Forensic Investigations
It is an unfortunate fact of life that incidents will occur, and there is an increasing likelihood that an organisation will at some point require a Digital Forensic Investigation to be carried out.
ISAS has been carrying these out for clients for many years and members of the team are recognised at a national level in this area. Key team members have achieved Masters and PhD degrees in this area. Having a relationship with ISAS in advance of an incident occurring makes all the difference when it comes to the preservation of evidentiary material for Digital Forensic Investigations.
eDiscovery and Planning
Statutory Instrument No. 93 of 2009 in Ireland amended the Rules of the Superior Courts and provided for the discovery of “electronically stored information”. This is commonly referred to as eDiscovery and has placed a significant burden on organisations dealing with eDiscovery requests.
ISAS has extensive experience in helping organisations deal with eDiscovery requests, but probably more importantly, preparing for when the inevitable requests arrive. ISAS can assist an organisation in developing the procedures and selection of appropriate technology solutions for eDiscovery.
The independence of ISAS ensures that our clients can always be assured that they are getting advice regarding technology and procurement with no vested interests.