Consulting and governance

Creating the cyber foundations

SEC-IT brings you its experience feedback and guidelines to define and build the first bricks of cyber security governance, so that you can control cyber risks and be autonomous and effective in managing security measures.

The fundamentals consist of the following bricks:

  • Initial assessment and risk analysis
  • Identification of cyber stakes in your context
  • Definition of global information security policy, and cyber management organization
  • Definition of the user awareness program and the IT charter
  • Definition of processes and key performance indicators (KPI) according to the context:
      ◦ Backup management
      ◦ Incident management
      ◦ Vulnerability monitoring and handling
      ◦ Change management in production
      ◦ Data classification
      ◦ Integration of security in project management
      ◦ Evaluation and monitoring of suppliers
      ◦ BCP/DRP

The goal is to make our customers autonomous at this first cyber foundation level. We work together to transmit the know-how. The approach is adapted to the corporate culture as well as to the initial skills of the people involved in the project.

This service can be delivered as tutoring and can be combined with the training "Become a cyber team member".

Risk analysis

Risk analysis identifies the cyber threat scenarios that relate to the business values (assets and essential processes) of the company. Once the scenarios are identified, they are categorized and prioritized to create the risk treatment plan, with the associated security measures and the residual risks.

We conduct risk analysis taking into account our clients' business lines, to establish relevant scenarios and realistic treatment measures. We present a synthesis of the work with the objective of making the issues understood and engaging decision-makers in the implementation of the risk treatment plan.

Global Information Security Policy (GISP)

The GISP gives a framework and objectives to be achieved to meet the cyber challenges and risks facing your organization. The added value of SEC-IT is to adapt existing standards to set realistic objectives, in line with the maturity of your teams and understandable by decision-makers.

Designed as a collection of requirements, the GISP is accompanied by an action plan over a nominal cycle of 1 to 3 years.

Information Security Assurance Plan (ISAP)

The ISAP lists the objectives and security measures, technical and organizational, on which the company relies to ensure the security of the products and services it offers. It is most often requested as early as the response phase of a call for tenders.

In practice, the ISAP is structured with reference to a standard (ISO 27001 or NIST, for example) in order to facilitate reading and understanding by the company's customers.

Action Plan - Remediation

Sometimes also called a remediation plan, the post-audit action plan seeks the best benefit-risk trade-off among all the recommendations present in an audit report.

Each vulnerability is subject to a detailed assessment in terms of technical feasibility, organizational impact, financial impact and acceptance of change. The results are reconciled with internal deadlines (CIO/IT, IS teams) to establish a remediation schedule.

We also propose a follow-up of the plan over time, at defined intervals, to limit the risk of drift and to help with its implementation.

Information systems acceptance

The security acceptance process allows an organization's board to be aware of, and to certify to users, that for a given information system the cyber risks are controlled, along with the information it handles.

Mandatory for French state administrations and services, acceptance is also an approach recommended by the French cyber agency (ANSSI) for companies, following its methodology for acceptance in 9 simple steps.

Conducted with SEC-IT as part of the process of securing an information system, it provides proof that residual risks are known and controlled.

Resilience and business continuity

The ability to recover from a cyber-attack is an indispensable measure to ensure disaster recovery. Following a "Pre-Detect-React" approach, SEC-IT supports you in the definition and implementation of the following elements:

  • Business Continuity and Disaster Recovery Plan (BCP/DRP)
  • Data backup policy
  • Management setup for security incidents (detection, analysis, processing)
  • Action sheets for the most frequent attacks (e.g. ransomware, phishing)