Security Audit & Compliance
Assess your level of compliance with a range of industry-recognised frameworks and standards to identify and address areas which require improvement.
WHAT ARE SECURITY AUDIT AND COMPLIANCE SERVICES?
JUMPSEC provides audit-based services to assess compliance with a range of recognised best practice frameworks and standards.
Organisations are often required to undergo audits against industry-specific standards as a condition of doing business, satisfying third-party risk assessments and regulatory requirements by certifying that they adhere to defined minimum security standards.
Typically, the various frameworks and standards provide different levels of assurance:
- High-level frameworks are best practice guides which do not address controls at a technical level as they are designed primarily to assist businesses in identifying and managing risk. Example frameworks include ISO 27001, ISF, the NIST Cybersecurity Framework, and COBIT.
- Lower-level standards direct the technical activities and controls required to address specific risk areas. Examples include NIST 800-53 (Security Controls for Federal Information Systems and Organizations), the CIS Top 20 Controls and Resources, and PCI DSS for payment processors.
JUMPSEC is experienced in supporting organisations looking to achieve compliance with a number of frameworks and standards, including:
PCI DSS
The PCI Data Security Standard (PCI DSS) applies to all businesses that store, process, and/or transmit cardholder data. It covers technical and operational practices for system components included in or connected to environments with cardholder data.
JUMPSEC can provide your business with actionable advice on how to meet PCI DSS requirements, including support in implementing security controls, validating architectures and verifying approaches.
JUMPSEC can audit your compliance with PCI DSS, as well as deliver the penetration testing needed to satisfy the audit requirement that in-scope systems have been subject to appropriate levels of testing.
CYBER ESSENTIALS
Cyber Essentials is a Government-backed and industry-supported scheme that helps businesses protect themselves against cyber threats and provides a clear set of basic controls that businesses should have in place. There are two levels of Cyber Essentials certification, differing only in whether a technical audit of the controls is carried out on the systems in scope.
JUMPSEC has the expertise to help businesses quickly implement the security controls needed to achieve Cyber Essentials certification.
ISO 27001
ISO 27001 is the international standard for information security management. Achieving ISO 27001 compliance demonstrates to customers, partners and regulators that your business has established processes in place for managing information security risk.
JUMPSEC provides a range of ISO 27001 consulting services including gap analysis, certification consulting, and audit support.
IT HEALTH CHECK
JUMPSEC is accredited by the National Cyber Security Centre (NCSC) to perform an IT Health Check (ITHC) under the terms and conditions of the CHECK scheme. Our service is available directly or can be procured via the Government Digital Marketplace (G-Cloud) as a CHECK service.
An ITHC provides an independent assessment of an organisation's cyber security. It provides assurance that external and internal systems are protected from unauthorised access, and that they prevent unauthorised entry into systems that consume Public Services Network (PSN) services. JUMPSEC performs fully compliant penetration testing to enable PSN Code of Connection (CoCo) compliance.
NIST CYBER SECURITY FRAMEWORK
The NIST Cyber Security Framework is a tiered set of best practice recommendations that organisations can use to frame and guide their cyber security control improvements. It is designed to guide organisations in managing and reducing their cyber security risks in a way that complements an organisation's existing cyber security and risk management processes.
The NIST Cyber Security Framework provides a set of high-level controls and requirements that are mapped to a wide range of overlapping best practice frameworks and technical standards.
CIS TOP 20
The Center for Internet Security (CIS) Top 20 is a set of best practices guiding the implementation of effective security controls. The CIS Top 20 comprises 20 key control groups, each with a number of sub-controls covering the best practice configurations and controls an organisation requires to operate securely. The CIS Top 20 recommends controls appropriate to the organisation's business profile, weighing inherent cyber risks alongside the threats faced in order to prioritise the controls that will deliver the greatest uplift in security posture.
JUMPSEC often leverages the CIS Top 20 alongside higher-level frameworks to validate the technical implementation and effectiveness of documented controls featured in policy, process, procedures, and system design documentation.
WHY SHOULD YOU ENGAGE JUMPSEC FOR CYBER AUDIT AND COMPLIANCE SERVICES?
For organisations without specific compliance requirements who are looking to enhance their cyber maturity, it can be challenging to navigate the myriad frameworks and standards. Most represent recognised best practices and therefore overlap significantly. The key difference between them is the depth to which technical security requirements are covered, and the degree to which the implementation and effectiveness of controls are validated.
Unless certification against a specific standard is required for compliance reasons, a broader assessment approach can overcome a number of limitations by tailoring the level of control required to the risk posed, and by only considering criteria which have a clear positive security impact, eliminating arbitrary requirements.
JUMPSEC is experienced in blending frameworks and standards to create assessment methodologies which are relevant to the specific organisation being assessed, considering the inherent risks posed by their business operations, and the nature of cyber threats likely to target them.
JUMPSEC's offensive, defensive, and strategic security expertise is invaluable when identifying which controls are likely to yield meaningful advantages to an organisation in terms of reducing exposure to cyber threats. Organisations relying solely on higher-level frameworks (e.g. ISO 27001) can leave themselves exposed by failing to validate the implementation and efficacy of controls. JUMPSEC can help organisations move beyond compliance with specific criteria, using a range of best practices to ensure and demonstrate that controls deliver the intended level of risk reduction.
JUMPSEC is also practised in demonstrating compliance with a range of requirements, and in communicating findings in a way that aligns with an organisation's preferred framework and/or standard.
WHAT OUTCOMES WILL JUMPSEC CYBER AUDIT AND COMPLIANCE SERVICES PROVIDE?
- Achieve compliance and certification – enabling you to meet the due diligence needs of your customers, partners and regulators.
- Avoid common pitfalls – by leveraging JUMPSEC's accumulated experience and knowledge across offensive, defensive, and strategic security disciplines.
- Optimise security investment – by aligning security requirements with your risk profile to ensure that security controls are appropriate for your business needs.
- Increase confidence in your business – building the trust of your internal stakeholders and of external authorities, customers, and partners alike.
- Establish an effective security operating model – implementing and leveraging best practices without being constrained by arbitrary compliance requirements which are not relevant to your business.
- Drive sustainable development over time – with short-, medium- and long-term recommendations to deliver prioritised improvements to your security posture.
JUMPSEC performs a staged Discovery and Gap Analysis exercise to ascertain an organisation's current maturity level, from which improvement recommendations can be made. The assessment is conducted through a documentation review and a series of interviews with senior stakeholders, key IT, data protection and security staff, the HR or Legal team (where relevant), and representatives from any managed service provider(s).
The exercise is delivered across four phases:
- Kick-off – Hold initial meetings with key stakeholders to set expectations and agree the rules of engagement, sharing information about the organisational structure so that interviews and workshops can be scheduled.
- Discovery – Assess the regulatory, legal and compliance environment within which the organisation operates.
- Assessment – Conduct a series of interviews with key stakeholders. These sessions focus on policies, procedures, controls, infrastructure, architecture and key indicators of good cyber security hygiene, drawn from a range of appropriate industry-accredited standards and regulations including GDPR, ISO 27001 and the NIST Cyber Security Framework. JUMPSEC will also review documentation to identify acceptable practices that the client has already put in place and to uncover less mature areas and gaps.
- Reporting – Comprehensively detail the team's findings, identifying both short-term 'quick wins' and medium- and long-term activities which should be pursued, enabling sustained improvement over time and guiding the client to a level of security maturity appropriate to its business requirements.