Our other services include the following:
Security Architecture
Our consultants hold industry recognised qualifications and have experience of designing security architectures to enable business. Our service offers organisations the chance to engage professionals who understand the importance of balancing the requirements of the business with the need to reduce risk to the organisation. This will ultimately deliver an architecture that will be of long term benefit to the organisation.
Benefits
The engagement of a security architect early enough in a project lifecycle has numerous advantages. The organisation can benefit from a robust and detailed requirements gathering exercise so requirements and design decisions can be tracked and traced through to go live. This will mean organisations will better understand the risks they face.
A security architect delivers several other benefits: –
- An understanding of the interdependencies across the organisation's estate.
- A standardised approach across the estate meaning better interoperability.
- An understanding of the advantages and disadvantages of cloud based solutions, and how to integrate with the existing estate.
- An understanding of risk management, benchmarking and best practice, financial implications and legal and regulatory obligations.
- The most significant benefit of engaging a security architect is that by taking an enterprise view and approach the security architecture can be cost effective and affordable and provide a strategic platform for future re-use and growth.
Engaging a security architect late in the day, however, is not the end of the world. An experienced security architect will be well positioned to understand the weaknesses in a design, qualify the risks for an organisation, and recommend and implement a remediation plan for the organisation to mitigate the risks.
Our Services
Our architects hold industry recognised qualifications and have experience of designing security architectures to enable business. Our methodologies cover the early phase of a project lifecycle from requirements gathering to design and through to build and run. We can utilise either general security architects or technical specialists who have experience of designing and building detailed solutions, for example identity and access management solutions and cryptographic solutions.
Our consultants use industry standards and reference architectures wherever possible. They are familiar with cloud technologies, agile methodologies, and can review an estate and provide advice on secure solutions in line with industry best practice. Our security architects can be engaged either individually or as a team to lead large scale systems integration projects, transitional and transformation programmes, or augment existing teams.
We can offer expert professionals who can: –
- Provide an independent validation and review of proposed security architectures.
- Understand and map to industry standard methodologies e.g. SABSA, TOGAF.
- Design and implement Identity and Access Management solutions.
- Deliver Network and Infrastructure designs
- Deliver Application designs.
- Manage project transitions and systems integrations using traditional or agile approaches.
- Design and deliver Big data and analytics solutions.
- Chair or participate in an organisation's Technical Design Authority (TDA).
- Deliver SOC and SIEM Solutions.
- Deliver Gateway and boundary architectures. (PSN etc.)
- Deliver PCI-DSS compliant solutions.
- Deliver Cryptographic and Cryptographic key management solutions.
Audit and Review
Cyber-Q Consulting are a highly experienced Cyber Security Consultancy for the delivery of Audit and Review, delivering services to both the public and private sectors. We offer clients both technical and process and procedural audits against international and proprietary standards. We perform internal reviews, and we can review your third party service providers, who are frequently the weak link in an organisation’s control framework. In addition to the audit and review we provide clients with pragmatic suggestions as to how areas of non-compliance can be addressed, or suggested areas for improvement. We are also able to produce meaningful audit metrics for clients that can be integrated into their wider risk management.
Cyber-Q Consulting have a modular audit capability across each of our service lines. This allows the most appropriate service to be sourced separately from other services with qualified consultants.
We provide a fully comprehensive security audit service, addressing all or a selection including Security Standards & Policy, Security Controls, Information Security Management System and Physical Security.
Benefits
Audit and review can deliver many benefits to an organisation and is integral to an organisation’s wider risk appreciation and risk management. Audit and review not only ensures you and your suppliers are complying with their contractual and legal and regulatory obligations, but also validates the effectiveness of the controls an organisation has implemented to mitigate risk. Audit and review can identify risk before the risk becomes a significant problem for the organisation. Audit and review can qualify areas of risk within an organisation but it can also highlight trends across third party suppliers that could indicate issues with how the suppliers have been commercially engaged and are operating.
It should be used to effectively monitor progress within an organisation. For example, an audit and review could be performed at the start and end of a project. This can not only help teams to demonstrate progress in the project but can also demonstrate tangible returns on investment made in the project.
Our Services
We can perform technical system audits (infrastructure, application) as well as audits against operational processes and procedures. We look at security policy and standards, security controls (including physical security), and an organisation's Information Security Management System (ISMS). The balance of technical and consulting skills that our professionals possess means we can deliver very detailed and insightful audits and reviews, also providing pragmatic recommendations to consider. This makes the Cyber-Q Audit and Review service a very valuable proposition for organisations.
We undertake audit and assurance reviews against any international standard, act or regulation including but not limited to:
- NIST
- COBIT
- ISO27001/2
- PCI-DSS
- PSN, PSNP and Security Principles
- Product standards
- UK Data Protection Act
- General Data Protection Regulation (GDPR)
- Cyber Essentials
- ISO9001
- ISO27017 & ISO27018
- ISO22301
- ISO 11568 (Banking Key Management)
- ISO 11770 (Security techniques – Key management)
We also provide services to clients assessing against proprietary policies and standards that they have developed. We have developed an audit and review of organisations' cryptography solutions, focusing on the cryptographic hardware or software and the associated cryptographic key management. This specialised audit and review can be conducted for financial institutions, payment card producers and retailers who rely on e-commerce.
We can automate and analyse audit reviews of an organisation’s third party providers. This can be detailed or initially high level with the advantage that Cyber-Q can analyse and present the initial findings to an organisation. This tends to highlight areas for more in depth investigation meaning organisations can make informed choices as to which third party providers need a more in depth on-site visit audit and review.
Based on our experience we have developed a number of tools that can be used to generate audit metrics, track remediation activities, and highlight trends both for an organisation and their suppliers. The tooling also maps controls across standards to allow organisations to be assessed in a like for like manner.
These tools are utilised as part of our standard engagements by our professionals and are available to organisations if required. The output from these tools is frequently used in conjunction with an organisation’s risk management tooling.
Security Operations
Our Security Operations Centre (SOC) offering consists of two key elements depending on an organisation's requirement. We can provide experienced consultants to either lead or augment existing teams in the selection and implementation of a SOC solution. If you are looking for a managed SOC, we can provide a cost effective and flexible SOC solution.
Benefits
The main benefit to an organisation is that their estate is under continuous protective monitoring 24/7 365. This enables organisations to be kept abreast of security threats in real time so that they can react and manage them accordingly. Their estate is protected, along with their assets and those of the organisation's customers.
Our Services:
Our industry experienced professionals have experience of designing, operating and managing SOCs for organisations, or as part of an organisation's customer service offerings. We fully understand the complexities of a SOC and the need for robustly designed processes and procedures to operate at an optimal level, delivering the most value to our customer.
We can assist organisations in several ways by providing consultancy to:
- Assist in the ICT design or operations of a SOC.
- Review and assist in the selection of SOC solutions.
- Create relevant policies, processes, standards and guidelines.
- Lead, project manage or augment teams in the implementation of a chosen solution.
We can also provide an organisation with a cost effective SOC solution which includes:
- Security Incident and Event Management (SIEM).
- Intrusion Detection / Prevention.
- Cyber Intelligence.
Network Security
Our consultants have Network level design experience. They are experienced in the design of onsite, wide area and cloud based networks, or in the review of the configuration and capacity of existing networks. Our consultants also have experience in the design of network resiliency and business continuity and disaster recovery.
Benefits
Many of the benefits of Network Security tie closely with all other benefits of information security in protecting the assets of a company and of those of their customers.
Network Security professionals have a good oversight of an organisation and understand how network components interact and depend on each other. In the event of problems occurring the Network Security professional is often well placed to investigate and propose fixes to resolve the situation.
One of the challenges companies face with Network Security is finding the appropriately skilled resources to run and manage their network. A further challenge is ensuring that key members of that team, e.g. administrators, are adequately trained and that their skill levels are, and remain, up-to-date.
Our flexible engagement model means the offering is cost effective for many companies who cannot afford to mobilise an entire network operations team. The organisation also benefits from utilising resources who are highly trained and whose skills and qualifications are up-to-date.
Our Services
Our consultants have network level design experience and implementation experience.
If you have experienced a security incident you need to investigate it. You may need assistance to establish what information has been compromised and, in order to prevent future breaches, how the system has been compromised. We can investigate and assist, utilising our experienced forensic consultants. They can examine your networks for data loss, as well as recovering lost, hidden or password protected data. Investigations can be carried out quickly and discreetly.
We can also complete Code of Connection (CoCo) implementations and reviews together with advice and, if required, an audit to confirm that your network meets the requirements for the Public Service Network (PSN), Government Secure Intranet (GSI) and the Police National Network (PNN).
Our network services include: –
- Device set up configuration and review
- End point device administration
- Codes of connection (CoCo) e.g. Public Service Network (PSN), Government Secure Intranet (GSI) and the Police National Network (PNN)
- Device Integration
- Patch Management
- Disaster recovery and business continuity planning and testing.
Elements of this service can overlap with and complement the Bridewell Security Architecture service offering.
Incident Response
The Bridewell Incident Response & Management service offers organisations the opportunity to engage with experienced consultants to better understand how their organisation would handle and deal with a major incident such as a cyber breach. The service helps organisations mitigate the risks they face by implementing and testing the processes needed to be able to manage such a security incident.
Benefits
Having an executive level endorsed incident response and management process means organisations are better placed to respond to and minimise the impact, financially and reputationally, to their organisation in the event of a major incident.
Being able to identify and prevent the propagation of an incident in a timely manner will significantly mitigate risks to an organisation and reduce the risk of future incidents occurring.
With an effective incident response plan, you will be able to detect incidents at an earlier stage and develop an effective defence against the attack.
Services
Our industry recognised consultants have years of experience of designing organisations' incident management processes and procedures as well as working with organisations in managing and investigating major incidents and conducting lessons learned and process improvements.
We can help organisations to:
- Design and implement their incident response and management processes.
- Assess their operation against or to achieve certification against ISO27035 Information Security Incident Management.
- Mitigate the damage of ongoing incidents.
- Recover from security breaches.
- Conduct investigations, lessons learned and process improvements.
- Integrate with business continuity and disaster recovery planning and testing.
- Understand the level of risk they face.
Being able to effectively respond to and manage incidents is a prominent requirement of the new General Data Protection Regulation (GDPR). (Refer to our GDPR Readiness Service for more information.)
Risk Assessments
Cyber-Q’s experienced professionals can undertake both qualitative and quantitative risk assessments for organisations depending on requirements and what is the most beneficial to the organisation.
Our service can help identify the threats and vulnerabilities facing an organisation and assist them to make informed cost effective decisions regarding investment in information security and technology. This can be done at an organisation wide level, or the service can be delivered focusing on individual projects or initiatives.
Benefits
The way business is conducted is continually changing. There are major developments in technology and a greater reliance on outsourcing and third parties. The expansion of traditional network boundaries has created interconnected supply chains resulting in an increase in the number of threats and vulnerabilities. These risks should not be ignored and need to be qualified and quantified before flexible and adaptive risk management processes and procedures can be put in place.
This process should be part of an organisation wide risk assessment that recognises information and technology risk as no less important than traditional financial risk. An all-encompassing view of the importance of this should be a key focus of executive management.
Organisations who recognise this and understand the intrinsic link between the various types of risk are best placed to manage risk, respond to incidents, demonstrate legal and regulatory compliance and inspire trust in their organisation that the assets of the organisation and that of their customers are safeguarded appropriately.
This can have a financial benefit for organisations as they will be better positioned to expand into new business opportunities thus giving the organisation a competitive advantage.
Our Services:
Our Industry experienced consultants have helped organisations in all sectors of industry to understand the nature and number of risks they face. The following are examples of assessments we regularly perform: –
- Business Impact Assessments
- Privacy Impact Assessments
- Third party Risk Assessments
- Cyber Security Risk Assessments
- HMG Risk Assessments
- Code of Connection Assessments e.g. PSN
- PCI DSS Assessments
- ISO Standards Assessments
The assessments can be conducted on an organisation-wide or project-level basis, and against whatever standard is required.
Our risk assessments can be performed for large and small organisations and we have experience of conducting and managing risk assessments for organisations who operate in multiple countries.
Our methodologies also allow us to undertake risk assessments of third party suppliers in a cost effective and efficient way, offering an initial online risk assessment service that can be used by organisations to decide if a further, more detailed investigation of the third party is required (see Audit and Review service offering). We can help organisations to define risk assessment strategies and integrate these into their risk management approach, but also integrate the strategy into the wider IT and Business strategies.
Our Cyber-Q professionals working on client engagements utilise the latest risk assessment software to improve the quality and agility of our assessments. The software is used by our professionals on engagements and is also available as a managed service to organisations if required.
The advantage of the Cyber-Q risk assessment tool is that it ensures that risk assessments are carried out in a repeatable, consistent manner and it provides organisations with a dashboard highlighting the main areas of risk to the organisation. The tooling has the added benefit that it can demonstrate to organisations the evolution and reduction of risks, which can demonstrate successful returns on investment and provide tangible evidence of the effectiveness of risk management.
Risk Management
Risk Management includes evaluating and/or establishing current and proposed security controls for asset protection and how well they identify or protect against threats, vulnerabilities, and likelihood of loss. The Cyber-Q risk management service can be utilised in several ways by organisations. Cyber-Q can provide an Information Risk Management service and integrate it with the operational and business risk teams. We also work with companies to better understand their risk tolerance levels and define the strategy and frameworks for on-going risk management. We also frequently provide expert consultancy to help organisations interpret and understand the numerous sources of threat intelligence, vulnerability scanning, penetration test results, and risk assessments they may have accumulated. The Cyber-Q risk management offering is comprehensive and has something for all organisations.
Benefits
With the greater interconnectivity of organisations' operations and systems, and the closer integration of organisations with their suppliers and customers, the impact and effect of a cyber incident on organisations can have wide reaching and lasting consequences both financially and to their reputation. To avoid this, risk management must be an integrated organisational function that equally considers and assesses business, operational, and information and technology risk. This requires fully understanding the interactions and dependencies across the business, fully understanding the nature and value of the company assets, and the potential impact in the event of a vulnerability being exploited.
Having a comprehensive view of risk across an organisation means you are better placed to apply pragmatic and cost effective risk reduction strategies. You will be better placed to adopt new standards and legislation that apply to your line of business and seamlessly adapt to new business strategies. You will be well positioned to manage the consequences of changing risk levels and develop appropriate continuity plans. You will also be able to demonstrate to customers and investors that your organisation manages risk in a competent manner which could lead to new market opportunities.
Services
Our consultants have many years of experience in risk management and our approach continues to evolve in line with changes in how business is conducted, advances in technology, and in line with new and emerging threats to organisations. Our professionals undertake engagements with organisations of all sizes (large international companies, SMEs etc.) and in all sectors of industry both public and private.
We offer full teams, resources to augment existing teams, or we can simply provide subject matter strategic advice, helping organisations: –
- To create or deliver against risk management strategies and programs. Define policies.
- Develop risk tolerance guidelines.
- Develop business continuity and resilience plans.
- Interpret Risk Assessments, benchmarking and threat intelligence applying it to your organisation.
- Provide education awareness and training on risk management to the organisation.
- Standardise risk management across all third party suppliers.
- Help organisations to manage and pragmatically reduce risk.
Most organisations realise the importance of risk management and related risk assessments; however, they quickly discover that the task is more involved than anticipated. The Cyber-Q service is designed to help establish a comprehensive risk management program with standards and guidelines that will mitigate the probability of loss and its impact to organisations. Many organisations can be daunted by the challenge of risk management. Cyber-Q can help guide organisations on the road to successful and beneficial risk management.
Cryptography Services
Cryptography services are not just about the mathematics of the algorithms used in the cryptographic hardware and software solutions but how these solutions are architected, implemented, run and audited within an organisation's estate. Cyber-Q offer a range of cryptographic consulting and delivery engagements to organisations to help them understand how to implement new solutions or to validate the integrity of existing cryptographic services. The integrity of cryptographic solutions must be maintained throughout their entire lifecycle and this is a key area where we can assist.
Benefits
Being able to demonstrate the trust and integrity within a cryptographic key management solution means that the integrity of the services that rely on the cryptographic solution can be demonstrated, whether it is a software or a Hardware Security Module (HSM) based cryptographic solution. This enables trust that the service is safeguarding the assets and information it was designed to.
Finding cryptographic key management specialists with the relevant skills and practical experience can at times be difficult, and to maintain key management teams within organisations can be an expensive exercise. Using experienced consultancy services in this field can assist organisations to either augment their teams, or seek independent advice and guidance as to the status of their cryptography services. Having a better understanding of your existing services can help you develop new business and service opportunities.
Our Services
Cyber-Q consultants have many years’ experience of designing, implementing, running and decommissioning cryptographic key management systems and services for both public and private sector clients. This experience has been developed over the past 20 years implementing card payment networks, implementing payment scheme certificate authorities, implementing PCI-DSS compliant commerce cryptographic solutions, and implementing HMG cryptographic services.
Our cost effective and flexible engagement model for cryptographic consultancy services means we can assist customers in a number of ways: –
- Audit and assurance reviews of existing cryptographic services.
- Design and implementation of key management services.
- Implementation of Cryptographic Key Management Solutions. E.g. Thales and IBM etc.
- Implementation / updating key management processes and procedures in line with requirements of:
  - Visa
  - Mastercard
  - NIST
  - ISO 11568 (Banking Key Management)
  - ISO 11770 (Security techniques – Key management)
  - PCI-DSS
- Decommissioning of Key management systems and services.
- Installation and implementation of Hardware Security Modules (HSM) E.g. Thales, IBM etc.