Cyber Security Processes

Texaport’s approach to Cyber Security is process-driven and tailored to the needs of the individual client.

Our Cyber Security Processes

There is no silver bullet to address every company’s Cyber Security requirements short of unplugging everything and conducting business in person and on paper rather than online or on computers.

As such, companies must tackle Cyber Security through a multi-pronged, disciplined approach, involving a broad swathe of knowledge, skills and awareness throughout the team.

Texaport works with clients through our Cyber Security Process to cover as many relevant areas as possible, providing a broad overview and comprehensive picture of the Cyber Security risk profile and effectiveness of the organisation before addressing these in turn.

Clients will find that our processes are similar throughout our areas of involvement whether it’s our approach to Cyber Security, Compliance, Support or Project work. While the process remains similar, the individual steps and elements are tailored to the task at hand.

Scope

When considering Cyber Security vulnerability, businesses first need to identify their hardware, software, users, processes, procedures and access to data.

Texaport work with clients to complete detailed “Data Scoping” documents which help to identify, locate and “map out” data throughout the organisation. This data can take many forms and be scattered throughout the organisation, so completing the document will involve a cross-department approach.

Once data has been scoped throughout the organisation Texaport can work with clients to ensure compliance with regulations and standards as well as improve their security posture.

Audit

Much like a financial audit, where an auditor would investigate the accounts, inventory and processes of an organisation to ensure compliance and correctness, a Texaport audit will look into the technical capacity of the organisation.

Texaport follows a loose process which allows the investigation to be flexible for each client, working from the “outside” of the organisation “in”.

Report

Texaport ensure clients receive the information they require as effectively as possible. During a project or support enquiry, information will be provided as it becomes available in small chunks. However, for larger projects and implementations, Texaport condense the information into reports for clients to consolidate and clarify the information in a convenient digest.

Implement

Implementations in relation to Cyber Security will normally follow the report phase, where the client will decide on the course of action and security posture to be achieved. Outside of this process, Texaport can implement Cyber Security changes for clients as a stand alone project or as an element of our “Holistic Security” package.

The implementation phase is the core of compliance as any non-conformances discovered during the audit phase will have recommended actions to rectify.

Review

Texaport will always follow up and complete Cyber Security projects by comparing the implemented actions with the report recommendations and audit findings.

The review process is similar to the previous audit process, but is achieved much quicker as it is for verification and “error checking” to ensure that required actions have been carried out and that the client’s security posture has been improved.

Where clients are re-certifying against a previously achieved standard which was supported by Texaport, commonly the review phase forms the “scoping” element of the subsequent project.

Data Scoping

Texaport provide a “Data Scoping” document to Clients which should be completed with all company information assets including (but not limited to):

  • Supplier Data
  • Client Data
  • Employee Data

An alternative to the data scoping document could be an up-to-date “Information Asset Register”.

This helps clients confirm the data which they control or process on a regular basis and highlights potential vulnerabilities.

Hardware Scoping

Texaport provide a “Hardware Scoping” document to Clients which should be completed with all company assets including (but not limited to):

  • End-Points (PCs, Macs, Laptops, Desktops etc.)
  • Servers
  • Network Infrastructure (Switches, Routers, Firewalls)

Clients will usually be aware of most devices, but working cross-departmentally can highlight devices which are unknown to the rest of the business and present potential vulnerabilities.

Service Scoping

Texaport provide a “Service Scoping” document to Clients which should be completed with all the services used by the company including (but not limited to):

  • Line of Business Software
  • Microsoft Office
  • Accounting Package
  • File Storage
  • Access Control
  • Security Software

These services control or process the data held by clients, which can include financial data, client history, personal data, email communications and other sensitive data.

Access Scoping

Texaport provide an “Access Scoping” document to Clients which should be completed with all users’ access levels to each system and service used by the company including (but not limited to):

  • Line of Business Software
  • File Storage
  • Cloud Software
  • Accounts
  • Social Media
  • Marketing software
  • Client Services

Users should only have access to the systems and “privilege” levels which are required to perform their job. Administrator access should be limited, and avoided where possible, to prevent irreversible changes and unrestricted access to company data and devices.

Initial Analysis

External Analysis

Texaport’s initial testing and analysis of the client estate is performed on the periphery of the technical controls deployed to secure the estate and its communications.

Texaport’s Penetration Testing tools are deployed to identify external visibility and vulnerabilities of the client network and connected devices.

This will assist in providing a detailed examination of the security standing of clients.

To minimise business risk clients should be taking a multi-layered approach to security including:

  • Gateway Protection
  • End Point Protection
  • Disabling vulnerable ports
  • User Education
  • Anti-Malware/Anti-Virus
  • Regular off-site backup of data

Internal Analysis

Normally following the “External Analysis”, Texaport’s internal analysis will identify any vulnerabilities or pathways behind the outer layer, in order to visualise the impact of a compromised network.

Texaport deploys vulnerability scanning agents to identify:

  • Assets
  • Users
  • Group Policies
  • Network Architecture
  • Ports

Other details, assets and processes discovered will also be outlined in this analysis. Non-conformances with the initial scoping documents will be noted and brought up with the client to verify the rationale for, and awareness and/or knowledge of, the discrepancy.

In-Depth Auditing

Preparation

Texaport provides a “Preparation Booklet” to the client which is completed by the Client “Stakeholders” with knowledge and awareness of the assets, systems, processes and procedures involved. This booklet is instrumental in shaping, identifying and building security and policies for Clients. Contained within this booklet is space and guidance for completing the following information and audit steps.

File Audit

Texaport will require access to the file storage systems used by the client to evaluate the integrity and security of the structure. This will include assessing permission-based restrictions, data classifications and security measures currently in place.

Business Continuity measures will also be verified at this point along with the policy and processes used.

User Audit

Texaport will work with a sample of users throughout various business areas to identify awareness and processes used.

Texaport recommends regular user training and awareness of risks to data, hardware and business functions.

Application Audit

Texaport will use the information gathered during the infrastructure analysis and user audit to identify applications present and used on individual machines and in key business areas.

IT Management policies will be identified and verified including application management and lifecycles.

Third Party Audit

Where services are provided by third parties in respect of connectivity, applications, data management or hardware support, Texaport will require direct lines of communication to identify any potential vulnerabilities and improvements.

A key component of compliance is the security and management of the entire supply chain which will ensure ongoing integrity of data, processes and systems.

Legal, Regulatory and Policy Audit

Texaport will work with the Stakeholders to locate key operational policies related to the management and protection of data, both personal and confidential. Employees and customers should be aware of these policies and this will be verified with employees during the “User Audit” to ensure compliance, and any non-conformances will be recorded and reported on.

Texaport will advise Clients about standard locations and invocations of data protection statements and disclaimers. Areas to consider would be:

  • Employee Contracts
  • Supplier Contracts
  • Customer Contracts
  • Website Statements
  • Data Categorisation
  • Information Asset Register
  • Consideration of Processor/Controller relationship in ALL contracts.
  • Subject Access Requests
  • Right to be forgotten

Process Audit

Texaport will work with the Stakeholders to identify key operational processes which involve data, both personal and confidential. These processes will be verified with employees during the “User Audit” to ensure compliance, and any non-conformances will be recorded and reported on.

Processes which will need to be implemented include:

  • Subject Access Requests
  • Secure Configurations
  • Change Management
  • Patching Process
  • Supplier Vetting
  • Privacy Impact Assessments
  • Incident Management
  • ICO Reporting
  • Business Continuity

Risk Assessment

Texaport will compile the results of the preceding audits into a Risk Assessment document for Clients, which will be incorporated into the resulting report.

The risk assessment is an important component for ISO, IASME and GDPR conformance and will provide a “baseline” to work from and update on a regular basis.

Texaport Reports

Texaport ensure clients receive the information they require as effectively as possible. During a project or support enquiry, information will be provided as it becomes available in small chunks. However, for larger projects and implementations, Texaport condense the information into reports for clients to consolidate and clarify the information in a convenient digest.

Rationale

All Texaport reports are prefaced with an explanation of the rationale or requirement for the report. Typically the report has been produced at the behest of the client or to detail an unprecedented incident.

For Cyber Security reporting, Texaport will highlight the standard(s) against which the client has been audited and the benefits of those standards.

Findings

The Findings section presents the information discovered during the scoping and auditing phases of the Cyber Security project in a clear, concise manner, with additional details made available on request.

These findings can sometimes be lengthy and complicated to break down; however, they will be addressed again in the “Recommendations” section.

Recommendations

Understanding why you are looking into your Cyber Security posture and going through the scoping and audit findings can leave some organisations in a more confident position, aware of their strengths and weaknesses in Cyber Security.

Other clients may require assistance with improving their Cyber Security posture. For this, Texaport provide Recommendations to address any vulnerabilities or improvements which can be made within the clients’ IT estate.

Summary

Combining the information of the Findings and Recommendations sections and returning to address the Rationale section, the Summary is a succinct digest and overview of the information presented in the report.

Next steps will be advised at this point.

Post Report

Following the fully detailed report from Texaport, it is advisable that there is a discussion around the findings and recommendations.

Clients will be able to raise concerns and questions about the report as well as decide on the next course of action for both parties.

Typically this is an implementation of some or all of the recommendations of the report.

Implementation of Cyber Security recommendations

Implementations in relation to Cyber Security will normally follow the report phase, where the client will decide on the course of action and security posture to be achieved. Outside of this process, Texaport can implement Cyber Security changes for clients as a stand alone project or as an element of our “Holistic Security” package.

The implementation phase is the core of compliance as any non-conformances discovered during the audit phase will have recommended actions to rectify.

These elements can involve third parties and require inter-departmental action, including:

  • Policies
  • Software deployment
  • Hardware Upgrades
  • Legal Disclaimers
  • Processes
  • Technical Engineering

Hardware Upgrades

Texaport advises clients to implement a “rolling replacement” cycle within their organisations to anticipate refresh cycles and prepare budgets accordingly.

Where this has not been implemented previously, it can be highlighted during the Cyber Security process, requiring hardware upgrades, replacements or refreshes.

Software Deployment

Most Cyber Security engagements with Texaport will result in one or more software agents being deployed on client machines either for compliance, security or reinforcement of policies.

The most common software deployment is for anti-malware or password management software to secure client devices and access.

Policy Work

One of the biggest weaknesses in security posture for clients can be their employees and policies. Ensuring that companies have the required policies in place throughout the business is important for many standards, including Cyber Essentials and GDPR compliance.

Common policies we have assisted to implement are: Acceptable IT Use and Privacy policies.

Disclaimers and Statements

Some policies require additional disclaimers or statements to be made by the company publicly such as the Privacy policy, which can include the company’s position in relation to Personally Identifiable Information under the GDPR.

Texaport work with clients’ HR and Legal teams or third parties to ensure a consistent, acceptable approach to these.

Process Work

Deciding on company policies and making public statements on the company’s position are essential in many cases, but worthless if the organisation does not reinforce policies with processes.

Processes will also help clients adhere to the standards which they have achieved or are working towards, providing a clear step by step guide for employees, contractors and third-party organisations.

Technical Engineering

Alongside purchases and implementations, policy work and processes, an element of technical engineering is usually required to achieve compliance or improve the Cyber Security posture of a client organisation.

This could be locking down user access, securing the network and company services or more technical work depending on the recommendations of the report.

Review of Cyber Security Measures

Texaport will always follow up and complete Cyber Security projects by comparing the implemented actions with the report recommendations and audit findings.

The review process is similar to the previous audit process, but is achieved much quicker as it is for verification and “error checking” to ensure that required actions have been carried out and that the client’s security posture has been improved.

Where clients are re-certifying against a previously achieved standard which was supported by Texaport, commonly the review phase forms the “scoping” element of the subsequent project.

Review

External Review

Texaport’s review testing and analysis of the client estate is performed on the periphery of the technical controls deployed to secure the estate and its communications.

Texaport’s Penetration Testing tools are deployed to confirm that changes have limited external visibility and mitigated vulnerabilities of the client network and connected devices as agreed with the client.

Internal Review

Following the “External Review”, Texaport’s internal review will verify that action has been taken to mitigate vulnerabilities and secure pathways behind the outer layer, preventing compromise of the corporate network.

Non-conformances with the implementations and recommendations will be noted and brought up with the client to verify the rationale for, and awareness and/or knowledge of, the discrepancy.

In-Depth Review

File Review

Texaport will review access control to the file storage systems used by the client to ensure the integrity and security of the structure. Texaport’s assessor will assess permission-based restrictions, data classifications and security measures enforced or implemented by Texaport.

Business Continuity measures will also be verified at this point along with the policy and processes implemented and already in place.

User Review

Texaport will refer to the initial audit’s sample of users throughout various business areas to verify actions have been implemented to secure access and users.

Following this, Texaport recommends regular user training and awareness of risks to data, hardware and business functions.

Application Review

Texaport will refer to the information gathered during the infrastructure review and user review to verify the security and control of applications present and used on individual machines and in key business areas.

IT Management policies will be verified and referenced including application management and lifecycles.

Third Party Review

Where services are provided by third parties in respect of connectivity, applications, data management or hardware support Texaport will ensure any potential vulnerabilities and improvements have been addressed and/or mitigated to an acceptable level as agreed.

Legal, Regulatory and Policy Review

Texaport will work with the Stakeholders to verify key operational policies related to the management and protection of data, both personal and confidential. Texaport will ensure that the client has made Employees and customers aware of these policies to ensure compliance.

Process Audit

Texaport will work with the Stakeholders to verify key operational processes which involve data, both personal and confidential. These processes will be verified with employees during the “User Audit” to ensure compliance.

Risk Assessment

Texaport will compile the results of the preceding reviews into a dated Risk Assessment document for Clients which will form the basis of any subsequent scoping documents.
