ISO 27001 Compliance and Consultancy Services

Prism Infosec has many years of experience with the internationally recognised ISO 27001 standard for information security management. We have supported many clients in successfully applying information security controls, including the physical, personnel, policy and technical controls associated with audit and compliance, and employ pragmatic consultants who hold lead auditor and implementer certifications.

  • Readiness for certification
  • Implement an effective Information Security Management System (ISMS) that complies with the standard
  • Reduce risk through effective management of information security within the organisation

Our consultants can provide support and practical advice on every element of ISO 27001 compliance to organisations of all sizes and sectors. Our services include:

  • Workshops to provide guidance on compliance requirements
  • Gap analysis and roadmaps to achieve compliance
  • Internal audits and production of audit documentation
  • Support from first meetings through to full UKAS-accredited certification (by our partner certifying bodies)
  • Migration from ISO 27001:2013 to 2022 version
  • Associated services including penetration testing, document production and general advice and guidance.

Prism Infosec has a team of consultants with first-hand experience, including responsibility for implementing ISO 27001 for employers in previous roles, and of helping clients implement and then successfully manage their fledgling ISMS throughout the three-year certification lifecycle until good information security practices are baked in.

Staff become more willing to identify and report security issues, and more inclined to seek information security guidance from the organisation's security team. Projects also start on the right foot by treating information security as a key attribute of delivering a secure operational project for the business. Projects that identify security controls early reduce the occasions where security issues are found late in the delivery lifecycle, causing delays and leading to security being labelled a blocker.

An effectively implemented and managed ISMS supports business aims through a clear understanding of the organisation's vision and how it can support its mission goals securely. By employing pragmatic, timely and consistent risk management practices, the likelihood of an information breach is reduced accordingly. The incident management process mandated by the ISMS also improves organisational confidence in its incident plans and in staff roles should a security incident occur. This in turn reduces the likelihood and impact of an attack on the organisation.

The ISMS is a living process and must be subject to continuous review, with opportunities for improvement in the organisation's security posture sought out and deployed. A strong security culture endorsed by the organisation's leadership demonstrates to staff and clients alike the value of the information assets that make the business successful and rank it highly amongst its peers.

Our lead auditors provide an internal audit service to our clients which meets the requirement to conduct scheduled audits of the ISMS, ensuring that applied controls are effective and that any non-conformities are captured and remediated appropriately. Our consultants provide comprehensive audit reports which identify the relevant clause or control reference and requirement, together with audit findings and recommendations for remediation.

The audit output can then be added to the ISMS remediation action plan, where it can be tracked with an assigned owner through to successful remediation, adding to the continual improvement of the organisation's cyber security maturity.

We can also act as a critical friend, providing advisory services including attendance at the initial Information Security Forum meetings to offer guidance and support. Once the ISMS is embedded within the organisation and begins to mature, the client often retains call-off services from Prism Infosec as a subject matter expert resource. This gives the organisation a point of contact should any queries arise on the application of the standard or its continued management.

Email Prism Infosec, complete our Contact Us form or call us on 01242 652100 and ask for Sales to set up an initial discussion.

CAA ASSURE Audits

CAA ASSURE audits are required for all aviation organisations regulated by the Civil Aviation Authority (CAA) under the Cyber Security Oversight Process for Aviation (CAP 1753). The focus of this process is to improve the cyber security maturity of organisations by ensuring proportionate and effective oversight of their cyber security risks. CAA ASSURE audits provide the following benefits:

  • Ensure compliance with Civil Aviation Authority requirements
  • Reduce the risk of security breaches of key Operational Technology and Process Control Networks
  • Maintain continued availability of critical technology and key safety controls
  • Increase visibility of areas within the organisation needing further focus

Prism Infosec is one of a small number of Civil Aviation Authority, National Cyber Security Centre and CREST-approved CAA ASSURE audit service providers. Our ASSURE team has many years of experience working with civil aviation and other transport sectors and a proven pedigree in delivering consistent, pragmatic and safety-focused audits of critical Operational Technology (OT) and Process Control Networks (PCNs).

Each in-scope aviation organisation, when deemed applicable by the CAA, will need to procure an ASSURE cyber audit from an accredited ASSURE Cyber Supplier such as Prism Infosec.

ASSURE Cyber Professionals are each accredited in one or more of the following three specialisms (all specialisms must be present for an ASSURE Cyber Audit):

  • Cyber Audit & Risk Management;
  • Technical Cyber Security Expert; and/or
  • Industrial Control Systems/Operational Technology Expert

Prism Infosec can also support smaller organisations by providing a virtual Responsible Security Manager (vRSM) on a fixed-term, flexible basis to assist aviation organisations in completing their Cyber Assessment Framework (CAF) forms.


To validate our ASSURE accreditation, visit the CREST website.

PCI-DSS Qualified Security Assessor Services

Prism Infosec is an award-winning PCI-DSS Qualified Security Assessor (QSA) organisation with many years of experience supporting its clients on network architecture, policies, procedures and other security controls associated with complying with PCI Security Standards Council requirements. Meeting the PCI-DSS compliance requirements will help your organisation to identify and manage the risks associated with processing payment card data as part of your business processes.

  • Ensure compliance with Payment Card Industry (PCI) requirements
  • Reduce the risk of security breaches of cardholder data
  • Avoid fines and proceedings from payment brands

Our PCI-DSS Qualified Security Assessor consultants can provide support and pragmatic advice on every element of PCI compliance to all merchants and service providers. Our services include:

  • Payment Card Industry workshops to provide guidance on compliance requirements
  • Gap analysis and roadmaps to PCI compliance
  • QSA audits and production of Report On Compliance (ROC) and Attestation On Compliance (AOC) documents
  • Associated services including PCI-approved penetration testing, document production and general advice and guidance

We offer support appropriate to each organisation's merchant level, providing compliance consultation relevant to the risks around the organisation's payment card transaction volume, payment methodology, applied processes and the complexity of its cardholder data environment (CDE).


PCI Award Winner 2020

https://listings.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors

Threat and Impact Analysis

Threat and impact analysis is an important part of the risk assessment process, as well as of ensuring effective business continuity and disaster recovery. Without a proper understanding of the impact of data loss and the possible nature of the threats to the data, it is difficult to understand the risks involved and to determine how they can be most effectively managed. The ability to identify risks and apply proportionate and pragmatic controls to mitigate them is fundamental to effective risk management.

  • Identify and catalogue information and physical assets within the organisation
  • Understand potential threats to the organisation’s assets
  • Determine the impact of loss to the business using quantitative or qualitative analysis
  • Ensure effective readiness for the risk assessment process

Prism Infosec’s experienced security and information risk advisors assist organisations in identifying key business assets and exploring the threats to them. Additionally, they will identify the associated impacts of data loss should any of the assets’ confidentiality, integrity or availability be breached.

We will use an agreed approach to effectively classify the threats and impacts, which may use an in-house scheme or an off-the-shelf method from industry recognised sources. Our consultants will hold a series of workshops with key business stakeholders to identify the relevant assets and to explore the associated threats to them and the impacts of loss.

Prism Infosec will then produce a threat and impact analysis report, supplying electronic data where required, which describes the results of the analysis and can be used as input to an upcoming risk assessment process.


Cyber security advice

Prism Infosec prides itself on delivering pragmatic, risk-focused cyber security advice to organisations of all sizes. We have established long-term relationships with organisations in both the public and private sector. With our support your organisation will increase its ability to manage information securely, with the following benefits:

  • Identify the latest cyber threats that could affect your organisation or project
  • Recognise any inherent gaps in the organisation or service delivery
  • Understand the risks associated with working online and providing Internet services
  • Ensure compliance with legal and regulatory requirements
  • Manage and plan effective security controls to minimise cyber risk

Cyber risk

Cyber risk is increasingly one of the most serious threats to businesses, with demand for supporting insurance increasing year on year.

Over recent years a series of high-profile organisations have been subject to devastating cyber-attacks that have resulted in extensive exfiltration of data.

The business impact has varied depending on the organisation, but common outcomes have included reputational damage (affecting the bottom line), class actions from customers and employees, and regulatory fines from bodies including:

  • The Information Commissioner’s Office (ICO) in the United Kingdom
  • The Federal Government in the United States; and
  • The global Payment Card Industry (PCI) Security Standards Council (SSC).

Output

Prism Infosec provides the latest cyber security and threat advice to organisations, typically in the form of a workshop. Our experienced cyber security consultants will work to understand client requirements and offer tailored support and guidance on where the current cyber threat landscape may affect them.

We articulate cyber risks to your business, recommending practical controls to mitigate them to a level acceptable to the organisation.

Prism Infosec consultants create a report following the workshops outlining client requirements. This includes information on the current threats and the range of measures discussed during the engagement.


Compliance Framework Assessments

Prism Infosec is experienced in delivering compliance framework assessments against all major compliance frameworks, including NIST CSF, NCSC CAF and NIS. The compliance framework adopted by your organisation may be predefined by your sector, by contractual requirements or by preference. Regardless of framework, our cyber security consultants conduct compliance framework assessments, advising organisations on the preparation for, delivery of and subsequent reporting of compliance maturity against all major frameworks. Compliance reports can be delivered electronically or physically, with a verbal debrief as required.

Our comprehensive reports include framework requirements, findings and recommendations in the form of a remediation action plan. Thus armed, the organisation is able to implement recommendations which will help it to demonstrate compliance and continue to mature its cyber security in a planned and measurable way.

  • NIST CSF
  • NCSC CAF
  • GovAssure
  • CAA ASSURE
  • NIS
  • PCI-DSS

Our cyber security consultants are lead auditors and implementers with years of experience supporting organisations of all sizes in both the public and private sector. Whether it is the aviation industry, Operational Technology (OT), PCI-DSS support to securely manage payment card transactions, or reviewing international organisations' cyber security against the NIST Cyber Security Framework (CSF), we can help.

We can assess your implementation of cyber security controls against framework requirements in order to establish compliance and improve cyber security maturity across your organisation in support of business needs.


GDPR and Data Protection Compliance

GDPR and Data Protection Compliance is an essential component for any organisation processing the personal data of EU citizens as part of its business processes. Applying good data management principles will ensure that you maintain control of such data and reduce the likelihood and impact on individuals should a data breach occur.

  • Review organisational compliance
  • Identify gaps in the organisation’s approach to privacy and data protection
  • Maintain an action plan for compliance
  • Minimise risks associated with a lack of compliance with the UK Data Protection Act 2018 and the EU GDPR 2018

The General Data Protection Regulation (GDPR) was implemented by the European Commission in May 2018 to further improve data protection laws. GDPR applies to any organisation which has an economic interest within the EU or uses Personally Identifiable Information (PII) of any EU citizen. It makes it easier for individuals to bring private claims regarding their data privacy and the way their information has been handled by organisations.

Compliance Review and Gap Analysis

Through a combination of client workshops, information transfer, observational reviews and conducting or viewing the output from technical assessments, our consultants will conduct an extensive assessment of the organisation’s approach to GDPR and data protection compliance and the protection of personal information. The assessment will take into account policies, processes, procedures, the legal and regulatory environment and physical and logical security controls.

The output from the assessment is a report containing an initial management summary describing the key findings of the review, including any root cause analysis. The report includes a narrative description of the assessment conducted and provides a series of recommendations and an accompanying action plan that details key tasks and milestones to support organisational compliance.

Ongoing Support

Our consultants can work with you as you maintain compliance with GDPR and data protection regulations. We can tailor the time required to fit your requirements, ranging from weekly calls or onsite meetings to support your internal privacy teams, through to acting as your internal Data Protection Officer (DPO).

https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/


eCommerce Risk assessments

eCommerce Risk assessments can identify risks around your eCommerce processes before they can be exploited. eCom sites are on the front line of global attacks and are often vulnerable to determined attackers. This service will accurately profile the current level of IT risk exposure for the business and the brand, and provide recommendations to reduce that risk.

  • Assess IT risk of an eCom platform to the business
  • Identify any regulatory or compliance issues
  • Identify opportunities to reduce IT risk and address compliance issues

Attackers focus on eCom sites because, historically, they’ve been easy prey and the attacks easy to monetise. Weak infrastructure controls, inadequate patching and poor awareness of what is ‘risky’ from an IT point of view have facilitated many attacks.

With many years of experience evaluating eCom site security through eCommerce risk assessments, penetration testing and prioritising remediation activities, Prism Infosec is ideally placed to offer this short and competitively priced eCom Risk Assessment Service.

The Service is designed to be delivered in less than a week, with an on-site visit to discuss with the eCom teams or third parties:

  • Platform/technologies in use (hosting, network and software)
  • Effective management of any third parties
  • Resilience of eCom platform
  • Sensitive data stored, processed or transmitted, compliance obligations
  • eCom code and content development, testing and deployment
  • Logging/monitoring, testing and assurance

The main deliverable is a short report highlighting the areas of IT risk identified, prioritised, with pragmatic recommendations for reducing that risk.

A further optional on-site presentation of the key findings and recommendations can also be provided, if required, which can facilitate interactive discussion of key points with internal teams.



Frequently Asked Questions

No, but travel time and expenses are charged at cost.

We’ll need to speak to anyone involved in the hardware, software or network infrastructure of the eCom site. Typically, the team or third party developing the eCom site code would be a key part of the process. Teleconferences can be arranged for remote teams.

Yes, focused assessments have been carried out for a more detailed analysis of specific areas such as resilience or the processing of customer card holder data. The scope of the review can be narrowed down if required.

Yes, the assessment is carried out by qualified PCI QSAs with many years of PCI experience.

No, it’s not a formal Risk Assessment which evaluates risk against an organisation's risk appetite (although a formal RA can be offered if that’s preferable). This assessment is focused more on identifying residual risk in an eCom business.

This service is a more holistic look at ‘the bigger picture’ and not just a physical test. Practical vulnerabilities can be found in people, process and procedures as easily as software and are often not identified until they are exploited.

Cyber Incident Exercising

Cyber Incident Exercising allows your organisation to test its preparedness for a real attack in a managed and controlled environment. It will improve your cyber incident response team's cohesiveness and its confidence in the effectiveness of its cyber security incident plans before they are needed in a real attack.

  • Confirm organisational resilience to cyber incidents
  • Improve stakeholder confidence and understanding
  • Protect your brand, business and reputation
  • Demonstrate application of good information security controls
  • Support PCI DSS, ISO 27001 and GDPR compliance

Why conduct a Cyber Incident Exercise?

As the frequency and sophistication of cyber-attacks increase, it is important for organisations to detect and respond rapidly to an evolving cyber security incident in order to reduce its operational, financial or reputational impact. Organisations should consider both the potential impact and the likelihood of an incident occurring when designing their Cyber Incident Plans.

Well-rehearsed plans are shown to be fit for purpose and, alongside raised awareness among key staff, lead to effective incident management in the event of a cyber-attack. Well-implemented cyber incident plans can also positively affect an organisation’s reputation with customers, supervisory authorities and media commentators, as well as minimise business disruption, client attrition, consultancy costs and penalties from regulators.

Cyber Incident Exercise Structure

Prism Infosec will help to assess your organisation’s preparedness and ability to successfully navigate a cyber incident, using guidance from authorities such as the NCSC on Cyber Incident Response. A typical engagement is structured as follows:

Phase 1

In consultation with the customer a simulated cyber incident will be designed which plays out over a given period. The output of this phase will include the creation of supporting materials for use in the tabletop exercise. Examples include PowerPoint presentations, social media posts, news stories and media or regulatory body

Phase 2

The team will receive guidance from a Prism Infosec cyber security expert, who will:

Conduct a workshop, assembling the key stakeholders at the agreed location (onsite/remote), and play out the cyber incident scenario in an accelerated timescale;

Assess the team’s ability to execute the cyber incident plan and whether the approach will:

  • Follow the defined process, usually documented within an Incident Response Plan (IRP)
  • Identify the cause of the incident and quantify its extent (types and volumes of data affected)
  • Affect the incident containment
  • Affect the ability to operate
  • Impact reputation and customer attrition
  • Align with legal or contractual reporting and evidence preservation requirements

Hold a debrief session with initial feedback and the opportunity for questions and answers.

Deliverables

The output from the cyber incident exercise is a gap analysis of the organisation’s cyber incident processes against industry standards and best practices. The post-exercise report will:

  • Identify good practices
  • Ensure that key observations and lessons are identified
  • Provide associated recommendations
  • Allocate remedial actions to the relevant business stakeholders
  • Summarise participant feedback


Secure architecture review and design

Secure architecture design review is an essential aspect of network security. Whether implementing a traditional internal or Internet-facing IT service, or provisioning a platform on cloud-based infrastructure, it is essential to ensure that a strong underlying network architecture is in place.

  • Implement an effective security architecture
  • Ensure network architecture provides suitable defence-in-depth
  • Minimise the likelihood of a widespread security breach
  • Demonstrate due care of information security assets

Prism Infosec’s experienced information security architects can design or review the network design and architecture supporting the service. We work with our clients’ internal stakeholders, including the project, security, system and network teams, to design, implement or review a security architecture that will ensure strong protection of systems and information assets.

Being product-agnostic, Prism Infosec will work with client project teams to understand existing support skillsets and to identify and recommend technologies and solutions that can be properly managed, implemented and fully supported over time.

The architecture will account for key requirements such as suitable network protection, limiting the extent of any information security breach across all elements of the architecture. The design will incorporate core elements including service provision, customer and management authentication, remote support, backup requirements, business continuity, disaster recovery, monitoring and event management.

The output of the engagement is the requisite documentation, such as high-level and detailed architecture designs, together with ongoing advice and support on implementing the architecture.
