A Cyber Security Programme is a comprehensive strategic initiative designed for organisations for whom the security of information assets is mission critical. The programme will identify cyber security measures to achieve an appropriate level of cyber resilience – the ability to identify, protect, detect, respond and recover from cyber-attacks.
You have probably already invested heavily in information security during the past decade – possibly via ISO 27001 or similar frameworks – but you know that you need to be watertight with cyber security. You want a thorough approach to assess and integrate cyber security into your business as usual activities.
The programme will address three key areas: assessing your cyber security risks; evaluating the effectiveness and extent of existing information security controls with a view to implementing supplementary measures; creating an approach to measuring success to enable ongoing assurance and improvement.
As an organisation that is highly attractive to serious hostile or criminal threat actors, you need to build cyber security into the heart of your business activities by having a robust strategy and effective implementation plan to create and maintain exceptional business resilience.
The implications of a cyber-attack are likely to be significant. Your stakeholders – customers, citizens, employees, taxpayers or shareholders – need reassurance that you have done your utmost to protect mission critical information assets. In the face of an attack, they need to know you are thoroughly prepared to detect, respond to and recover from it, minimising any detriment to the business.
From an operational perspective, you need to avoid the high cost of recovery both financially and reputationally.
There is no ‘one size fits all’ Cyber Security Programme. Ascentor uses well-established cyber risk management principles guided by widely accepted best practice. First, we identify and prioritise risks: we focus on identifying and managing inherent risk, then calculate residual risk, mindful of the organisation's risk appetite. Depending on your starting point, we may use a gap analysis to create a baseline.
We then assess existing controls and augment them, as appropriate, in line with the prioritised risks. As well as technical controls, we consider security governance, policies, standards, processes and procedures, and appropriate levels of awareness training for staff and users. Lastly, we develop ongoing assurance to continually measure the maturity and effectiveness of controls, which keeps the cyber risks to your business to a minimum.
Four internationally recognised and respected framework resources typically inform and guide our work: the US National Institute of Standards and Technology (NIST) Cybersecurity Framework; ISO 27001; the Center for Internet Security (CIS) Top 20 Critical Security Controls; and the Cybersecurity Capability Maturity Model (C2M2).