Security Management

We pride ourselves on practising what we preach. To this end, we wanted to give at least an indication of how we operate. The nature of consulting services means we provide advice and guidance; we will often have access to sensitive customer data, and during project activities we may have network and system access. This is a very high-level view, but we wanted to show that even with consulting services we have to govern and manage security.

Data in transit protection

We protect sensitive data in transit with TLS 1.2 or later and leverage strong cipher suites.

Asset protection and resilience

We leverage hardened systems to conduct our business. Due to the nature of consulting work we separate our “lab” environment and our “production” environment.

Separation between users

Access controls are in place between users. We grant access to data and systems on a granular, per-project basis.

Governance framework

We conduct regular reviews of our security systems; we routinely wipe down environments to ensure they are “clean”.

Operational security

We practise good operational security (OPSEC) relevant to the line of business and nature of the project. We are security consultants; that doesn’t make us invincible, but we try to operate in a secure manner.

Personnel security

Staff and subcontractors are checked for references and, where appropriate, additional checks are conducted, e.g., CB, SC clearance validation etc.

Secure development

We develop proof of concept and test applications in an isolated environment.

Supply chain security

We conduct due diligence on our service providers in line with the level of service. For example, we ensure that CSPs are SOC2, ISO27001 etc.

Identity and authentication

Where available, we leverage multi-factor authentication on systems. We use a least privilege model and have dedicated functional accounts (e.g., a multi-account model).

External interface protection

We use firewalls and supplementary controls, e.g., IDS/IPS systems, to protect our networks.

Audit information for users

We leverage audit and logging capabilities to track information access.