The National Cybersecurity Institute helps organisations manage risk through a range of information security services.
Governance is the cornerstone of strong security and a prerequisite for security accreditation. We specialise in reviewing and creating governance documentation for the Australian Government Protective Security Policy Framework (PSPF), the Australian Government Information Security Manual (ISM), ISO 27001/27002 and PCI DSS compliance.
A Threat and Risk Assessment (TRA) identifies the threats and risks to your information assets and recommends a set of controls to treat the risks that exceed your acceptable level.
To create the TRA we typically run workshops that draw on the knowledge of your own staff, who understand how information is actually used in your organisation. In the workshops we walk through the flows and usage of information, identify credible threats to that information and rate the likelihood and impact of each threat to calculate its risk. We then discuss and agree on the recommended actions to treat the unacceptable risks. The final step is to deliver a risk management strategy built on this analysis, which senior management can use to make informed decisions.
An internal system assessment may include:
Refer to our Penetration Testing service for more details.
Software review involves inspecting software for security flaws and weaknesses. It is a valuable service if your software team does not have a strong understanding of security, or if the project plan does not include security testing as a deliverable. Software reviews are cost-effective compared with the cost of managing bugs and security problems once they reach production systems.
Annual staff education is an important part of cybersecurity. To make a lasting impact we keep the sessions engaging and memorable by drawing on plenty of real-world 'war stories'.
Social engineering is a good service to use if you suspect that gaps in your staff's security awareness are exposing your information assets to undue risk. Combined with user education, it is a very powerful tool for illustrating the importance of due process and proper care.
You may be surprised how far we can get with social engineering: our experience ranges from physically accessing server rooms to collecting passwords over the phone and using them to log into systems remotely.