SEC-IT brings you its experience feedback and guidelines to define and build the first bricks of cyber security governance, to control cyber risks, be autonomous and effective on the management of security measures.

The fundamentals consist of the following bricks:

• Initial assessment and risk analysis
• Identification of cyber stakes in your context
• Definition of global information security policy, and cyber management organization
• Definition of the user awareness program and the IT charter

• Definition of processes and key performance indicators (KPI) according to the context:

• Backup management

• Incident management

• Vulnerability monitoring and handling

• Change management in production

• Data classification

• Integration of security in project management

• Evaluation and monitoring of suppliers

• BCP/DRP

The goal is to make our customers autonomous on this first cyber foundation level. We work together, to transmit the know-how. The approach is adapted to the corporate culture as well as the initial skills of the people involved in the project.

This service is achievable in tutoring and can be combined with the training "Become a cyber team member".

Risk analysis takes identify cyber threat scenarios that relate to the business values (assets and essential processes) of the company. Once the scenarios are identified, they are categorized and prioritized, to create the risk treatment plan with the associated security measures, and the residual risks.

We conduct risk analysis taking into account our clients' business lines, to establish relevant scenarios and realistic treatment measures. We present the synthesis of the work with the objective of understanding the issues and engaging decision-makers in the implementation of the risk treatment plan.

Sometimes also called a remediation plan, the post-audit action plan seeks the best benefit-risk trade-off among all the recommendations present in an audit report.

Each vulnerability is subject to a detailed assessment in terms of technical feasibility, organizational impact, financial impact and acceptance of change. The results are pooled with internal deadlines (CIO/IT, IS teams) to establish a remediation schedule.

We also propose a follow-up of the plan over time, at defined intervals, to limit the risk of drift and help in its implementation.

Security acceptance process allows an organization board to be aware of, and to certify to the users, for a given information system, that cyber risks are controlled along with the information they handle.

Mandatory for french state administrations and services, approval is also an approach recommended by french cyber agency (ANSSI) for companies, according to the methodology for approval in 9 simple steps.

Conducted with SEC-IT as part of the process of securing an information system, it provides proof that residual risks are known and controlled.