Security Design and Implementation

Whether you are starting a new operation and recognise that effective security is cheap early, expensive late, or you are improving your existing position, Calamity can help your organisation by developing systems which work to improve security, reduce cost and manage risk. We are highly technically capable, but we are not confined solely to technology and infrastructure. Rather, we adopt an end-to-end approach which addresses policies, infrastructure, procedures and people, across your whole enterprise.

The security of any environment is only as strong as its weakest link

A well-designed, expensive IT security program can be rendered worthless by a single staff member giving away their password or not following well-known policies. Our approach ensures such areas are addressed and enforced so you can be assured of real security, not merely a sense of it.

Each project is custom designed to meet specific client requirements and we can begin at any stage of the project lifecycle. In general, we follow these steps.

Asset Identification

We look at your operations and identify assets and their value. Unlike physical assets, information assets are often not assigned a value. However, were they to disappear or be compromised, your business could suffer dramatically. We determine the relevant sensitivity of material and its exposure, the 'owner' of each asset who is directly responsible for it, its location and other relevant details.

Threat and Risk Assessment

We conduct a Threat and Risk Assessment (TRA) across the information assets identified in the earlier step. This process would:

  • Identify threats to each of the previously identified assets, based on historic data and our experience of related environments. This includes credible threats both external and internal (a frequently overlooked area), deliberate and accidental
  • Identify any vulnerabilities which might be exploited by the previously identified threats and in what manner
  • Identify the consequence should any given threat occur. This would include the impact on your organisation's operations of a loss of Confidentiality, Integrity or Availability of those information assets
  • Determine the realistic probability (likelihood) of a threat being realised.

Based on this assessment of threat, likelihood and consequence, Calamity can determine the risk levels and develop an appropriate view on which decisions for treating risk can be based. We can then identify and help you consider relevant controls for the management of this risk. A gap-analysis may be appropriate where existing systems are in place, to see what is working, what can be improved and any 'quick wins' for a rapid return on your investment.

This formal, proven approach ensures there are no weak links - areas you may have missed - and that all risk-treatment controls are developed in the most cost-effective manner.

Calamity has developed a highly efficient threat and risk assessment methodology based on AS/NZS 4360:2004 and HB 436:2004 which has been tested under fire and prevailed in numerous independent certifications.

Information Security Design

Now that we know both what we are protecting and how it is to be protected, Calamity can help your organisation by designing a smart means of managing your risk. We have reviewed a wide variety of different environments, with low, medium and high security requirements. We bring this experience to your organisation and can help you meet best-practice. This includes technical and non-technical controls such as:

  • Firewalls, Intrusion Detection Systems and System Security Monitoring
  • Anti-Virus, Anti-Malware, Border Screening
  • Encryption and Laptop Protection
  • Virtual Private Networks and Network Security
  • Information Security Policies, Email Policies, Web Policies
  • Training of Staff (including security management as well as general duties personnel)
  • Internal Review and Audit Programs

A more specific list can be provided based on your environment. For larger organisations, Calamity can also assist you to develop business cases, management presentations and tender documentation.

Strategy and Implementation

We can fully manage implementation or, more commonly, work with your internal resources to achieve completion. Best results occur when an organisation assumes ownership of its own security and develops internal capability. This ensures that security culture and awareness transcend frequent changes in technology and become a normal part of everything you do. Calamity can help you rapidly reach a level of excellence in this regard.

Ongoing Review and Maintenance

It is important that your organisation continually review its security to ensure risks are suitably controlled. This includes identifying new threats as well as taking into account new growth or systems within your environment. We will help you to develop your own regular internal audit and review programs, which we highly encourage. Calamity can offer a full range of independent Information Security Review services to help identify problems you may have missed. The combination of internal and external review makes for a very solid system.

References

The list of clients we have worked for reads like a who's who of organisations who take their security seriously. It includes private sector, state and federal government departments, health, utilities, banking and education. We would be happy to provide details of work in similar environments to yours. We are proud of our work, as are our clients.