We pride oursleves in practising what we preach. To this end we wanted to at least give an indication as to how we operate. The nature of consulting services means we provide advice and guidance, we often will have access to customer sensitive data and during project activities we may have network and system access. This is a very high level view but we wanted to show that even with consulting services we have to govern and manage security.
Data in transit protection
We protect sensitive data with TLS 1.2 or greater protocols and leverage strong cipher suites.
Asset protection and resilience
We leverage hardened systems to conduct our business. Due to the nature of consulting work we separate our “lab” environment and our “production” environment.
Separation between users
Access controls are in place between users. We permission access to data and systems on a granular per project basis.
We conduct regular reviews of our security systems; we routinely wipe down environments to ensure they are “clean”.
We practise good operational security (OPSEC) relevant to the line of business and nature of the project. We are security consultants, that doesn’t make us invincible, but we try to operate in a secure manner.
Staff and subcontractors are checked for references and where appropriate additional checks are conducted e.g., CB, SC clearance validation etc.
We develop proof of concept and test applications in an isolated environment.
Supply chain security
We conduct due diligence on our service providers in line with the level of service. E.g., CSPs we ensure they are SOC2, ISO27001 etc.
Identity and authentication
Where available we leverage multi-factor authentication on systems. We use a least privilege model and have dedicated functional accounts (e.g., multi-account model)
External interface protection
We use firewalls and supplementary controls e.g., IDS/IPS systems to protect our networks.
Audit information for users
We leverage audit and logging capabilities to track information access.