Architecture and Process Development

ITSEC’s Architecture and Process Development portfolio is a collection of methods to help organisations design and develop frameworks for security management and establish security baselines.

We help organisations to develop security policies and to align them with their corporate strategy, IT strategy, and governance frameworks based on industry best practices in the following areas:

Security Architecture Design

Security design is a process of problem-solving. It sets out how to position the hardware and software components in order to have an appropriate configuration which ensures overall security. It may also include how and how often these components interact with each other.

The term security architecture refers to the structure of the system that comprises hardware and software components. It includes the externally visible properties of such structures as well as the relationships between them. It also describes how all of its elements work, individually and when interacting with other components. Each component addresses the requirements and risks involved in an environment, including specifying when and where to apply and position the security controls which serve to maintain the system’s quality attributes, such as confidentiality, integrity and availability.

It is essential to deal with gaps in organisations’ security infrastructure and architecture that put their critical assets at risk. By addressing such issues, they will not get caught on the wrong foot in a fast-evolving landscape of threats.

ITSEC helps organisations to identify gaps in their infrastructure security policies, architecture, and controls that put their critical assets at risk. After completing the assessment, we provide a report about the findings and make recommendations to improve their overall security posture.

Security Hardening and Baseline Establishment

Security hardening is the process of securing a system by reducing its attack surface. Vulnerabilities are decreased by eliminating redundant functionalities and setting up features securely. This allows for the creation of a baseline of system functionality and security.

Security hardening is necessary because most infrastructure providers cannot make bespoke products that fulfil the requirements of each individual company’s security positioning. Every system has its own vulnerabilities. Given the variety of systems that are used today, cybercriminals have ample opportunities to barge into computer networks.

It is possible to manipulate information systems maliciously if their underpinning software and hardware are not hardened for security. It is best practice to set and harden a system as soon as it gets deployed.

Our method for security hardening involves an assessment of organisations’ environment, configuration, and operational practices followed by technical analysis. On completion of this first step, our experts will provide an assessment report of the findings and recommendations to remediate.

After a system is hardened and deployed into an environment, it is imperative to maintain its level of security by proactively patching and updating in order to address new vulnerabilities. In a subsequent hardening process, the system should then be updated to include these new patches or updates in the baseline configuration.

Security Policies and Procedures Development

We design overall process models to enable organisations to produce integrated, operational and efficient enterprise information and cybersecurity policies.

The development of an information security policy requires more than mere policy formulation and implementation. An effective security policy should protect the systems, data, information, and personnel. It should define the security etiquettes that have to be observed and it should authorise the consequences of non-compliance. An effective policy should also determine the organisation’s position on a security baseline and compliance with the regulatory framework.

The information security policy of every organisation should be unique and based on its overarching business strategy, IT strategy, and vision.

ITSEC provides a framework for organisations to ensure that their business objectives are reflective of risk tolerance. Resulting business plans, security policies, and procedures must be accountable to a comprehensive governance framework.

ITSEC helps organisations to establish a practical framework of accountability and a practical security policy. Information security will be aligned with business objectives.

Cyber Incident Response Plan (CIRP) Development

A cybersecurity incident is a disturbing event that threatens confidentiality, integrity, or availability of organisational information assets.

Cybersecurity incidents can include an unintentional or intentional disclosure of sensitive or protected information, data breaches, data theft, acts of intrusion into networks, such as cyber attacks, a full-blown system compromise by external attackers, or faulty operational processes being exposed or exploited by members of the organisation’s own staff.

Information security incident management involves the monitoring and detection of security events on information assets and the execution of appropriate responses to those events.

A Cyber Incident Response Plan (CIRP) is a specific form of an incident management plan. Its primary objective is to define a well-understood and predictable response to cybersecurity incidents. By implementing CIRPs, businesses can be proactive about cybersecurity and prevent potential damage.

The members of staff who are most likely to be dealing with cybersecurity incidents are organisations’ IT security teams.

A CIRP should at least describe:

  • The types of incidents or crisis situations that trigger its activation.
  • A framework for the required actions to mitigate and control the impact during and after the incident.
  • The details of an incident response team, including clearly defined roles and responsibilities of each person performing those actions.
  • A communication plan, including communication procedures, messaging intervals, and contact lists of the stakeholders.
  • An event log to record information, decisions, actions, and evidence that is taken during an incident.
  • A set of recovery goals and objectives.

ITSEC has profound expertise in helping organisations develop customised CIRPs. Our experts can guide enterprises in understanding exactly which pieces to put together to produce a CIRP that serves as a framework for response and recovery efforts.

Business Continuity Plan (BCP) Development

Business Continuity Planning (BCP) is a subset of organisational business risk management. It is an overarching and more comprehensive approach in comparison to a Disaster Recovery Plan (DRP).

The main purpose of a BCP is to create recovery systems in relation to potential threats to a company.

By having a BCP in place, organisations seek to protect their mission-critical services and give themselves their best chance of survival. This type of planning enables them to re-create services to a fully functional level as quickly and smoothly as possible.

A BCP aims at the restoration of systems to full functionality under a variety of damaging conditions that businesses face from time to time. The focus of a BCP is to sustain an organisation’s critical processes, including IT security, during and after a disruption. It entails the processes and procedures that the organisation carries out to ensure that essential business functions continue to operate during and after a disaster.

A BCP generally covers most or all of an organisation's critical business operations.

BCP and Cybersecurity

It is increasingly important for a BCP to cover cybersecurity.

Cyber attacks can result in a loss of reputation and public ridicule, besides a loss of business opportunity and the threat of potential litigation. A breach in security can create temporary or permanent damage to organisations. Mitigation measures, along with BCP reviews, can protect technology assets, prevent hacking, and ensure business continuity. Therefore, cybersecurity is critical to business continuity planning.

The information security aspects of a BCP policy help by decreasing the risks associated with potential disasters and recovery.

Business continuity planning and its associated documentation are done prospectively and can include preventative measures. A business impact analysis is often required in order to distinguish critical and non-critical organisational functions. Functions are critical if they are required by law or if their disruption is unacceptable. After defining recovery requirements, a cyber threat and risk analysis should be carried out in order to collect and list the different threats and their recovery steps. Impact scenarios should be conducted to support a business recovery plan, including BCP testing. Once the business and technical impacts are analysed, the requirements for the solution design, implementation, testing, and periodic maintenance are assessed.

Even if an organisation’s cybersecurity incident response plan is efficient, it is good practice to align it with the business continuity plan rather than having two different response models.

All organisations—large and small—require a BCP.

ITSEC’s expertise helps organisations in formulating security-compliant BCPs that conform to industry best practices. We can assist enterprises to develop a bespoke strategy around business continuity with an emphasis on security.

Disaster Recovery Plan (DRP) Development

A majority of organisations are unlikely to recover from a cyber attack if it occurred today.

Disaster Recovery Plans (DRP) have always been the basis for business continuity in the event of natural, environmental or other man-made disasters.

DRPs define and comprehensively document the processes and actions required to protect and recover a business’s IT infrastructure in the event of a disaster.

The primary objective of a DRP is to describe the procedures for moving to an alternate processing site and returning to the primary site within a minimal time frame whenever any disaster occurs in the information systems.

A DRP generally consists of technical plans ready to bring systems back up after a crisis and typically includes:

  • Artefacts on how to restore critical systems.
  • Failover system details.
  • Teams and vendor details to expedite system restoration.

Although there are some similarities, disaster recovery is not the same as cybersecurity recovery. The former focusses on business continuity after a disruption, and the latter seeks to salvage the information assets after a breach.

When drafting a DRP, cybersecurity often gets overlooked even though it is a critical point in the risk management process.

The elements of threats within security recovery plans are more frequently observed than within DRPs. They can be quite destructive and require security recovery plans to describe how to respond to such risks.

A DRP should factor in all potential interrupters. A business impact analysis study should be conducted in order to state the priorities of business continuity without ignoring cybersecurity and recovery time.

ITSEC’s expertise helps organisations in formulating security-compliant DRPs that conform to industry best practices. We can assist enterprises to develop a bespoke strategy around disaster recovery with an emphasis on security.