Organizations looking to gain competence in governance and to manage their risk in line with global standards will look to our Business Security Team. Mile2 has a highly skilled team of experienced Business Security Specialists who are passionate about helping organizations meet their goals. Our growing team includes a Senior Security Specialist who works with and supports our clients at all levels of their security management journey.
Information Security Governance Services
Protecting information should be a top priority for all organizations. As technology advances, there is more information to protect and more ways for information to become vulnerable. It is therefore essential that information security policies and practices be addressed from a high-level business perspective rather than being seen as an IT specialization. Information Security must be seen as a business issue as well as a technical issue.
Mile2 works with all the different levels of an organization to develop, or assist in developing, a robust security management framework. This framework is then incorporated into an organization’s corporate governance program to ensure the seamless integration of security practices into the everyday management and operational procedures. Our consultants have comprehensive skill sets enabling them to address information security governance from both a technical perspective and a business perspective.
Several risk assessment methodologies and frameworks may be used depending on the objectives and requirements of the organization. We can follow our internal risk assessment and management methodology which is based on ISO 27001, or the NIST Risk Management Guide for Information Technology Systems.
Risk Management is a comprehensive approach to reducing risk and is a key component of business continuity management. Risk Management programs involve risk assessments and analysis and the development, implementation and maintenance of management controls. Mile2 has assisted many organizations to perform risk assessments and developed risk management frameworks to ensure that clients have both an acceptable level of risk and a practical and complete management program.
Business Continuity Management
We do not focus on dealing just with a disaster, but with all levels of incident or disruption. These may range from external threats such as a terrorist attack, a natural disaster, or a pandemic, through to localized and more common incidents such as loss of key IT systems or specific skill sets within a department.
An effective business continuity management program has the following key elements:
- A governance structure establishing authorities, roles and responsibilities for the program.
- An impact analysis to identify and prioritize the organization’s critical services and assets.
- Plans, measures and arrangements to ensure continued availability of critical processes.
- Activities to monitor the organization’s level of overall readiness.
- Provision for the continuous review, testing and audit of business continuity plans.
Our BCP services have a focus on three complementary features:
- Risk reduction with the management of risks to prevent an incident and/or disaster. This is done by identifying and assessing the risks faced by our clients at their premises that could result in an incident and/or disaster.
- An emergency plan. This is achieved through crisis management of the incident when it occurs (Incident Management) to prevent it from developing into a disaster, and to lessen its impact.
- A Business Continuity Plan. This plan provides for the fast, efficient resumption of essential business operations by directing the recovery actions of specified recovery teams. It has three elements to consider: office services, information technology, and human and other resources.
The key tasks Mile2 considers when building BCPs are to:
- Identify the operations and supporting activities that need to be restarted after an incident and/or disaster, the maximum acceptable time limits by which they must restart, and the resources needed to restart them.
- Identify contingencies or the required resources including alternate approaches to operations.
- Select a cost-effective strategy for resuming normal operations.
- Develop the BCP to guide and direct the resumption of operations.
- Test the BCP, train staff in how to use it, and maintain the plan.
Organizations that invest in business continuity are providing the necessary plans, policies and procedures to allow the business to continue to operate during incidents or disruptions.
Business Impact Analysis
Business Impact Analysis projects identify the potential vulnerabilities and threats to corporate department functions, applications or systems. The analysis covers the nature of the threat and the impact each identified potential threat would have on the vulnerable areas within the business. This process also identifies the amount of acceptable risk a business can tolerate.
This type of project includes:
- identification of the maximum threshold or impact that each business process can sustain without significantly damaging the business units;
- analysis of the results to determine critical systems, applications and business processes to deliver against agreed maximum acceptable outage and application recovery time objective (RTO) values; and
- provision of a business impact analysis report based on the criteria, data collection and analysis of the information.
Outsourcing Information Security Manager and Specialist Roles
Information Security is a critical component of good business practice. However, it is difficult for many organizations to devote the necessary resources and skills required to ensure this is done effectively. Mile2 assists its clients to address this important need by providing those specialized skills, tailored to suit the needs and size of the business. The specialists fit within your existing organizational structure and act as part of your organization to assess and help you manage your risk.
Why would this service be valuable to your organization?
Simply, the high cost and difficulties in attracting and retaining people with the necessary skills. This role requires a diverse range of skills to identify and address risks across all parts of the business, a range of capabilities difficult to find in a single individual. Our service addresses these issues by creating a partnership between your business and our skills.
Key features of the Information Security Specialist Service:
- Strategic Information Security management.
- Operational security skills.
- Specialist technical security knowledge.
- Information security governance.
Five important benefits of our Information Security Specialist Service:
- The value of this partnership revolves around the ability to place the right specialist skills and knowledge into your organization when they are needed.
- You select the combination of services that best suit your business needs.
- You know the exact cost of this support for the year, making it easier to budget.
- We provide you with independent advice and guidance with no bias towards specific vendors or products.
Information Security Policy Services
Employees and other users need an Information Security Policy to guide how they use and manage information.
Did you know that every publicly listed company must have a Security Policy, or be held liable? Even if you are not a publicly listed company you should still have an effective Information Security Policy, otherwise you are putting your organization and even yourself at great risk.
Key Features of an Information Security Policy
- The policy needs to fit within the organization’s culture.
- It should be easy to understand, written in simple language.
- It should have enough detail to ensure that all users understand what is expected of them.
- Good policies must address your legal and regulatory requirements, and your business needs.
- Good policies must be usable. If they are not practical, they will not be used.
The disclosure of sensitive data into the public realm can often result in severe financial loss and reputation destruction. Information that may be exposed could include trade secrets, credit card numbers, health records, financial data, customer details and other types of sensitive information. This information can be used by competitors to commit crimes or to engage in unethical business practices. In addition, for many organizations the disclosure of certain information may breach regulatory guidelines and result in penalties being levied.
We can work with you to classify your information. Information Classification will help an organization understand the type of data they own and identify the risks and threats to this information. Certain types of data will have a higher sensitivity and consequently will require additional controls and processes.
Information Classification projects can help an organization:
- Identify the information they own.
- Understand the risks inherent in owning information.
- Prevent inadvertent information disclosure both internally and externally.
- Train staff in procedures and protocols to correctly handle information.
- Identify who should have access to data and review who actually does have access.
- Identify the owner/custodian who has responsibility for the information.
- Identify the contexts in which the information can be used.
- Further classify new and archived data.
- Choose technology solutions to help facilitate appropriate secure communication and data loss prevention.
- Develop methods to mitigate the possibility of data loss.
- Comply with regulatory requirements.
The key benefits of Information Classification are:
- A clear understanding of information assets and how they need to be protected.
- Designated responsibility for information assets.
- Clear processes and procedures to protect information assets.
- Significantly reduced risk of information leaks.
Incident Management Program
It is important that an organization has the capability to manage all incidents (malicious or accidental) that affect its operations. An Incident Management Program helps manage incidents ranging in severity from minor incidents (such as an email server going off-line) through to major incidents (such as the loss of access to an entire building). An Incident Management Program helps ensure that Business Continuity Plans and IT Disaster Recovery Plans are used effectively.
Key Areas of the Incident Management Plan
A sound Incident Management Program provides assistance throughout the entire life cycle of an incident. At a minimum, it should cover the following key areas:
- definition of an incident;
- escalation procedures;
- roles and responsibilities;
- assessment procedures;
- integration with Business Continuity Plans and the IT Disaster Recovery Plan;
- containment procedures;
- communication procedures;
- remediation actions; and
- learnings from the incident.
It is important that incident management procedures and outcomes of actual incidents are regularly reviewed as part of a continuous improvement process.
The benefits of an Incident Management Program include:
- Providing guidance to management and staff to effectively respond to an incident or crisis.
- Providing assurance to stakeholders and clients that an incident will be managed effectively.
- Minimizing the impact and consequence of an incident.
- Maximizing the effectiveness of existing Business Continuity and Disaster Recovery Plans.
- Minimizing the exposure and risk to staff.
- Providing a coherent, enterprise-wide approach to incident management.
- Providing a coordinated response to events that are unforeseen in nature.
People can be your weakest link. Human nature often compels us to give and receive help from others. 'Social Engineering' is a technique employed by attackers to gain access to information, premises or information systems by manipulating this natural human behavior.
A social engineering review will perform a number of non-technical attacks designed to manipulate human nature. The review will perform 'Social Engineering' attacks against a nominated site in an attempt to gain unauthorized access to systems.
Benefits of social engineering reviews
Social Engineering reviews can help an organization identify:
- information security policy deficiencies;
- people-related risks; and
- weaknesses in security policy awareness.