InfoSec Services - Consulting, Outsourcing and Modules
Fitzgerald InfoSec offers consulting services based around the following:
1. Business Continuity - encompassing all or selections from: Emergency Management; Crisis Management; ICT Disaster Recovery; Business Recovery and including Business Impact Analysis, Contingency Strategies (workarounds, brand/reputation protection, redundant infrastructure arrangements), and Training, Test and Maintenance
2. Risk Management - focussing on Information risk or the broader Enterprise risk and encompassing all or selections from: Risk Analysis; Mitigation Recommendations; Risk and Mitigation Management Register
3. Human Aspects of Information Security & Assurance (HAISA) - focusses on understanding the importance of human resources in Information Security with a view to introducing and/or improving Security-aware corporate culture (may also be applied to physical environments)
4. Physical Security Reviews and Mitigation Management - provides an independent review of the physical security environment with mitigation recommendations
5. Information Security Policy, Standards and Guidelines (creation) - prepares a client-focussed set of Policy Standards and Guidelines based upon the latest international Standards
6. Information Security Policy, Standards, and Guidelines (compliance review) - reviews existing Policy Standards and Guidelines against the latest international Standards and provides gap analysis and recommendations
7. Information Security Training and Awareness - provides a series of workshops for both management and staff
Fitzgerald InfoSec offers outsourcing services to provide the following:
1. Annual (or more often if needed) Executive Mentoring and Coaching plus independent Test and Maintenance services for Crisis Management plans, ICT Disaster Recovery plans and/or Business Recovery plans
2. Disaster Management services
3. Annual Risk Analysis exercises and Risk mitigation reviews
4. Annual Physical Security reviews
5. Annual Information Security Compliance pre-audit reviews
Fitzgerald InfoSec also offers some pre-prepared Information Security modules:
1. Policies
i. Business Continuity Policies, Standards, and Guidelines
ii. Disaster Recovery Policies, Standards, and Guidelines
iii. Information Security Policies, Standards, and Guidelines
2. Emergency Management Procedures Guide
3. First Responder Assistance software - Speedtech
If you are interested in any of these services - consulting, outsourcing and/or modules please click here to contact Fitzgerald InfoSec
Consulting services
1. Business Continuity
Fitzgerald InfoSec interprets this consulting service broadly to include all of the continuity services necessary to be activated when a significant incident impacts a business or government organization:

Emergency Management;
Crisis Management;
Recovery Command & Control;
ICT Disaster Recovery Management;
Business Recovery Management; and
Business Restoration.
Business Continuity Policy, Standards, and Guidelines will provide the foundation of management commitment to ensure the creation and maintenance of Business Continuity services and the infrastructure that supports them. In most instances, this is the organization's ICT services.
It is essential that the urgency with which recovery is required by business becomes the starting point for continuity planning. Does the business require a two minute recovery, or is it two hours, or two days, or two weeks, or even two months recovery? The planning for a two minute recovery will be quite different to that of a two week recovery. Once the urgency scale is known, then the infrastructure - for instance the ICT department - will know when it needs to recover its services by to enable the business to be ready to deliver its services to its clients.
This time line will also affect the urgency of the Emergency Services and Crisis Management teams. The shorter the time, the more pressure on performance and usually the more expensive the recovery arrangements. Because significant incidents do not occur regularly, it is wise to explore extending the recovery tolerance. Workarounds, delays, and closing down selected services are strategies that can be considered.
At the time of a disaster, and with the knowledge that a full suite of recovery plans are in place, it is easier to retain the loyalty of the organization's clients and stakeholders while returning to full services.
Fitzgerald InfoSec has completed 177 successful Business Continuity projects for clients all over Australasia since 1980. Some have included all of the above services but most have concentrated on either ICT DR Management or Business Recovery Management.
The operational heart of each plan is the Detailed Recovery Plan. Here we take a very practical approach, encouraging simple approaches and short sharp instructions. Our strong belief from long experience is that once managers and staff are placed into recovery teams, given clear performance targets, and work to a sequence of actions with responsibilities and deadlines assigned, normal work practices are quickly resumed. The major aim of the recovery plans is to reduce the panic and spread the load.
Deliverables
- Business Continuity Policy, Standards, and Guidelines
- Business Impact Analysis
- Site Hardening
- Emergency Management
- Recovery Command & Control Management
- Crisis Management
- Business Recovery Management:
a. Contingency Strategies
b. Detailed Recovery Plans
c. Training, Test and Maintenance
- ICT Disaster Recovery Management:
a. ICT Services mapped to Business Services
b. Recovery Period and Recovery Point Objectives
c. Contingency Strategies
d. Detailed Recovery Plans
e. Training, Test and Maintenance
- Business Restoration
Complies with:
Australian Standard: HB 221:2004
Australian National Audit Office Better Practice: Business Continuity Management
2. Risk Management
This project is the foundation of Information Security because it defines in detail the organisation's security problems. It creates an Information Security risk exposure profile and guides towards mitigation strategies upon which controls can be applied. Such controls can then be based upon a business case relating annual exposure cost to the annual cost of the control. To complete the deliverable, a Risk and Mitigation Management Register is developed to ensure that controls are implemented and monitored for effectiveness.
Information Security Risk Management
By conducting a Risk Management exercise, investments can be made both pro-actively and according to the most potentially damaging exposure. Investments can thus be directed according to need, derived from exposures relating to information confidentiality, integrity, availability and management accountability.
The phases in this Fitzgerald InfoSec project are:
- Risk Analysis;
- Risk Profiling and Mitigation Strategies;
- Mitigation controls for major exposures; and
- Risk and Mitigation Management Register.
The Risk Analysis phase uses an Asset-Threat matrix to establish the exposure scope. It then applies an approximation approach to the Likelihood and Impact of each threat as it affects each asset. These figures are converted to an Annual Risk Exposure, enabling the matrix rows and columns to be totaled and then arranged into descending order of value.
The Risk Profiling and Mitigation Strategies phase creates the Threat Exposure and Asset Vulnerability profiles and also creates a Risk Scatter diagram. Together these interpretations of the risk exposures enable an effective Mitigation Strategy to be developed.

Mitigation controls for major risk exposures are created from the Mitigation Strategies which are justified by relating the investment in the controls to the Risk Exposure values per threat and per asset.
A Risk and Mitigation Management Register is created as the tool which the Risk Manager uses to manage risk control implementation status, risk control performance, and risk exposure reviews.
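The four phases above can be followed through on a small constructed data set. The example below is added here and is not Fitzgerald InfoSec's own tool; it assumes the usual annualised-loss approximation (Annual Risk Exposure = likelihood per year x impact per occurrence) for the "approximation approach", totals the Asset-Threat matrix along both axes in descending order (the Asset Vulnerability and Threat Exposure profiles), justifies a control by comparing the exposure it removes with its annual cost, and records the result as one Register row. All asset names, threat names and figures are constructed sample values.

```python
"""Worked example (added here, not Fitzgerald InfoSec's own tool) of the
Asset-Threat matrix and Annual Risk Exposure calculation described above."""
from collections import defaultdict

# Constructed sample matrix: (asset, threat) -> (likelihood, impact).
# Likelihood is the approximate number of occurrences per year; impact is the
# approximate loss per occurrence in dollars. Both are rough workshop-style
# estimates. Omitted (asset, threat) pairs are treated as zero exposure.
SAMPLE_MATRIX = {
    ("Customer database", "Malware"): (0.5, 40_000),
    ("Customer database", "Insider misuse"): (0.2, 100_000),
    ("Customer database", "Fire"): (0.01, 200_000),
    ("Web server", "Malware"): (1.0, 5_000),
    ("Web server", "Power loss"): (2.0, 1_500),
    ("Payroll system", "Insider misuse"): (0.1, 50_000),
    ("Payroll system", "Power loss"): (2.0, 500),
}


def annual_risk_exposure(matrix):
    """Convert each likelihood/impact pair into an Annual Risk Exposure
    (expected loss per year) = likelihood per year x impact per occurrence."""
    return {cell: likelihood * impact
            for cell, (likelihood, impact) in matrix.items()}


def ranked_totals(exposures, axis):
    """Total the matrix along one axis ('asset' = rows, 'threat' = columns)
    and return [(name, total), ...] in descending order of exposure.
    Assets ranked this way form the Asset Vulnerability profile; threats
    ranked this way form the Threat Exposure profile."""
    index = 0 if axis == "asset" else 1
    totals = defaultdict(float)
    for cell, value in exposures.items():
        totals[cell[index]] += value
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def evaluate_control(matrix, threat, likelihood_reduction, annual_cost):
    """Business case for one control: compare the annual exposure it removes
    for a threat (across all assets) against the control's annual cost.
    likelihood_reduction is the fraction (0..1) by which the control is
    expected to cut that threat's likelihood."""
    before = sum(v for (_, t), v in annual_risk_exposure(matrix).items()
                 if t == threat)
    after = before * (1.0 - likelihood_reduction)
    saving = before - after
    return {
        "threat": threat,
        "exposure_before": before,
        "exposure_after": after,
        "annual_saving": saving,
        "annual_cost": annual_cost,
        "net_benefit": saving - annual_cost,
        "justified": saving > annual_cost,
    }


def register_entry(matrix, threat, likelihood_reduction, annual_cost,
                   owner, status="planned"):
    """One row of a Risk and Mitigation Management Register: the control's
    business case plus the fields the Risk Manager tracks afterwards
    (owner and implementation status)."""
    row = evaluate_control(matrix, threat, likelihood_reduction, annual_cost)
    row.update({"owner": owner, "status": status})
    return row


if __name__ == "__main__":
    exposures = annual_risk_exposure(SAMPLE_MATRIX)
    print("Asset Vulnerability profile:", ranked_totals(exposures, "asset"))
    print("Threat Exposure profile:", ranked_totals(exposures, "threat"))
    # Constructed control: anti-malware measures costing $8,000 a year,
    # expected to cut malware likelihood by 80%.
    print(register_entry(SAMPLE_MATRIX, "Malware", 0.8, 8_000,
                         owner="ICT Manager"))
```

With the sample figures the customer database carries most of the exposure ($42,000 a year), malware and insider misuse tie as the largest threats ($25,000 each), and the $8,000 anti-malware control removes $20,000 of annual exposure, so it is justified with a net benefit of $12,000. A control that only reduced impact rather than likelihood would be modelled by scaling the impact column instead.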
This project is closely related to Fitzgerald InfoSec's creed; a problem well defined is a problem half solved. All too often the wrong problem is solved and solved re-actively rather than pro-actively.
Deliverables
- Risk Analysis report
- Risk Profiling and Mitigation Strategies report
- Mitigation controls for major exposures report
- Risk and Mitigation Management Register report.
Complies with:
Australian Standard: AS/NZS 4360:2004
Enterprise-wide Risk Management
In recent times this approach has been applied to enterprise-wide risks, addressing a wide range of threats and creating:
i. Risk profiles
ii. Scatter diagrams
iii. Mitigation Strategies and Controls
iv. Risk and Mitigation Register.
A sample list of potential threats below illustrates the scope of Enterprise Risk Management:

Within each heading particular threat potentials are detailed and assessed using the approximation methods in a Threat-Asset Matrix created in the first workshop.
3. Human Aspects of Information Security and Assurance (HAISA)
Information security identifies humans as the weakest link in both the attack as well as the protection facets of Information Security because of their work practices and culture.
It is an unfortunate fact of life that humans will see and take the opportunity for personal gain by: taking advantage of their position of trust; taking advantage of security weaknesses; and having specific knowledge about when, what and how to attack. Such attacks can be based on logical, physical and/or personnel modus operandi.
Humans will also disregard or compromise the effectiveness of security procedures if they do not understand or respect the need for security. Clean-desk policy, password management, exit interviews for all staff are just a few of the standard security rules that require constant attention in order to remain effective.
For too long, Technical Aspects of Information Security have been the major focus. Human Aspects have to a large extent been ignored. The threats that people represent have therefore grown to become the weakest link in the security chain despite all the technological solutions available. Creating awareness of the need for an appropriate security conscious corporate culture is the major aim of this project.
After establishment and initiation, this project is ideally conducted via a series of management workshops. However, it is also able to be conducted through individual or small group discussions which explore the topic as it applies to the organisation.
Workshop 1. Defining the problem
Human vulnerabilities in the workplace, for example: overly trusting of others; easily deceived; anger and unhappiness at work; hidden addictions; non-commitment / lack of loyalty; carelessness; family situations… The workshop will explore the relevance of these issues and many more. What are your experiences?
Typical employee and ex-employee crimes, for example: fraud and embezzlement; theft of information files, money, equipment, other desirables; internal hacking; misuse of corporate computing – gambling, games, music, pornography… What are your experiences?
What are the personal situations that might have caused these experiences? By understanding this, the mitigation strategies will become more obvious.
Workshop 2
What has the organisation done to contribute to this situation? For example: ignorance of the potential risk; management and staff not treated with respect; sloppy technical security administration; security not recognized as important in the culture; low morale ignored… What are your experiences?
What are the mitigations that will address these problems? Firstly, build a corporate culture which includes an appropriate level of security. This will include policies “with teeth”, training regimes, employee assistance, team building, social events… The workshop will explore these and many more. Secondly, review the effectiveness of care and encouragement, rewards and discipline, as appropriate, in every step of the staffing life cycle. Implement improvements where needed in the corporate culture. How do you rate the organisation’s performance in the staffing life cycle? How would you describe the current corporate culture?

Establishing the milestones and effectiveness measurements
Formally record where the organization is now, where it wants to be and in what timeframe, and create the milestones and effectiveness metrics of the migration towards achieving the target workplace.
Deliverables
- Defining the problem – appreciating human vulnerabilities and consequent actions
- Creating the solution – cultural workplace solutions around the staffing life cycle, change management focus, and effectiveness metrics.
4. Physical Security Reviews and Mitigation Management
Information Security must encompass logical, personnel, and physical aspects of its environment. By ignoring any one of these aspects, the security coverage will have significant weaknesses.
A Physical Security Review is not intended to be an exhaustively detailed and technical project. It is an independent investigation by an experienced outsider covering all of the major infrastructures of the organisation. In this way alerts concerning major physical security weaknesses and potential weaknesses can be captured and ranked in order of mitigation urgency. Mitigation strategies and agreed solutions are also recorded in a Physical Security Exposure and Mitigation Register.
These projects are usually conducted working with the Building Facilities Manager and the Information Security Manager and/or Business Continuity Manager. The project consists of three phases following project establishment and initiation:
- Detailed on-site inspection
a. Overview of the Physical Environment
b. Building Layout
c. Locale, Neighbourhood and Buildings
d. Physical Access prevention, detection, alarm, maintenance, and testing
e. Prevention, detection, alarm, maintenance, and testing of infrastructure services related to:
- fire
- water
- power
- communications
- air-conditioning
- Creation of a Physical Asset Exposure Profile: all security exposures are ranked in order of priority after considering potential impacts
- Development of Mitigation Strategies and agreed solutions
- Creation of a Physical Security Exposure and Mitigation Register
Deliverables
- Site Inspection Report
- Physical Asset Exposure Profile
- Mitigation Strategies and agreed solutions
- Physical Security Exposure and Mitigation Register
5. Information Security Policy, Standards and Guidelines - Creation
The development and popularisation of an Information Security Policy containing Standards and Guidelines creates a solid foundation to guide management and staff to the best practice of information security and its ability to be audited. The other essential building block is the existence of an annual Risk Analysis/Assessment accompanied by a Risk and Mitigation Register.
The focus of Information Security must be defined as encompassing information confidentiality, integrity, and availability protected from physical, logical, and personal based threats.
AS/NZS 7799.2:2003 and BS 7799.2:2002 are internationally accepted standards now updated by AS/NZS ISO/IEC 27001:2006. This new standard is based upon:
- Establishing an Information Security Management framework including the conduct of a Risk Assessment and selection of Control Objectives;
- Implementation of the Control Objectives
- Establishment of the detailed controls within an Information Security Policy, Standards, and Procedures Manual
To create an Information Security Policy, Standards, and Guidelines Manual which both complies with these standards and is suited to the organisation requires the following:
- Conduct of a Risk Assessment, if not already current, to assist in establishing the scope and objectives of Information Security;
- Establishment of, or review of, the Information Security Management system;
- Creation of a suitable Information Security Policy;
- Creation of suitable Information Security Standards and Guidelines encompassing:
Security organisation and infrastructure applicable to both internal and external parties where appropriate and including Information Security Awareness training;
Asset classification and control;
Personnel security;
Physical and environmental security;
Communications and operations management;
Access control;
Systems development and maintenance;
Compliance; and
Business Continuity.
Deliverable
An Information Security Policy, Standards and Guidelines Manual complying with AS/NZS ISO/IEC 27001:2006 and applicable to the organisation
6. Information Security Policy, Standards and Guidelines – compliance review
In this project, an independent review is conducted of the client's adherence to the Information Security Policy, Standards, and Procedures they have created.
The Information Security organisation, objectives and focus are reviewed including the status of the Risk and Mitigation Register.
The Policy, Standards, and Guidelines document is reviewed for completeness to ensure that all aspects of Information Security have been addressed including third party and outsourced services and personnel.
The organisation’s Information Security performance against the following policy standards will be assessed through formal evidence:
- Asset classification and control
- Personnel security
- Physical and environment security
- Communications and operations management
- Access control
- Systems development and maintenance
- Business continuity management compliance
Deliverables
A review report will be produced in draft for management review and finalised after presentation.
7. Information Security Training and Awareness
Significant improvements in Information Security can be achieved by increasing awareness and improving the understanding of responsibility for security within an organisation. This type of project can be the first step in changing the attitude of the workforce towards Information Security.
Following discussions with management responsible for Information Security, acceptable Information Security targets are established and programmes designed to assess, measure, and achieve security performance goals. A series of workshops with staff will establish the necessary understanding and support to reach these security performance goals.
Deliverables will focus on clearly understanding the current Information Security performance, establishing future goals, and using training and awareness programs specifically designed to achieve and maintain the security performance goals.
Outsourcing
1. Test and Maintenance
Over the last decade or so it has been observed that organisations have great difficulty justifying the position of "Business Continuity Manager". The major role of this position is to ensure that the recovery plans - crisis, ICT DRP, and BRP - are regularly tested and maintained. Fitzgerald InfoSec can take on this role as an outsourced service.
This outsourced role will conduct tests of each plan, ideally individually as well as combined to test the effectiveness of each plan as well as the co-ordination/integration of the plans working together. Both individual and collective test reports will be recorded from an independent point of view and the maintenance of all plans will be carried out to allow sign off by the team leaders.
2. Risk Management
Annual Information Security Risk Analyses are an effective means by which the level of security can be maintained to high assurance standards. Where this level is expected by stakeholders and customers, such exercises can be carried out by Fitzgerald InfoSec in annual workshops focussing on the Availability, Integrity, and Confidentiality of information and encompassing logical, physical and human based threats.
Annual Risk Profile reports will be produced and trends analysed to reveal improvements and failures.
3. Physical Security
Annual, independent physical security reviews will be conducted to ensure that physical security is being maintained and improved.
Reports will encompass analysis of the effectiveness of physical access, fire protection, water protection, and the availability of power, communications, and air-conditioning.
4. Information Security Compliance
An annual, independent review of compliance with AS/NZS ISO/IEC 27001:2006 Information Security Policy, Standards, and Guidelines is provided. Formal organisation documents are reviewed and a detailed report provided with the recommended improvements necessary to achieve compliance.
Modules
Fitzgerald InfoSec also offers some pre-prepared Information Security modules for organisations planning to improve, expand or embellish their Information Security services:
1. Policy, Standards, and Guidelines
i. Business Continuity Policies, Standards, and Guidelines - 93 pages covering policy, standards and detailed guidelines
ii. ICT Disaster Recovery Policies, Standards, and Guidelines - 90 pages covering policy, standards and detailed guidelines
iii. Information Security Policies, Standards, and Guidelines - to be completed
2. Emergency Management Procedures Guide
In Storyboard format, covering: Staffing for Emergencies; Emergency Management Resources; and Emergency categories - Electricity Loss, Fire, Disorderly Behaviour, Violent Assault, Robbery/Burglary/Break-in, Gas Emissions, Unidentified Bags or Packages, Suspect Mail, Serious Accident or Fatality, and Local Environmental Incident
3. First Responder Assistance software - Speed-Tec.
In an emergency, what happens in the first hour after an incident is discovered is absolutely crucial. This PC based, stand-alone software package is designed to protect the safety of life, preservation of assets, and protection of the environment within a building. It provides assistance to both in-house and external emergency responders during a major incident and can be used at any location. It provides instant access to Emergency Procedures and Site and External Agency contact details. Most importantly, it also includes detailed floor plans containing the precise location of major assets, hazardous materials, fire equipment, evacuation routes, and photographs of technical equipment. This detailed information can be transmitted to all responders at the click of a mouse.
For further information on any of these services - consulting, outsourcing and/or modules - click here to contact Fitzgerald InfoSec.