Cybersecurity management

Development of Cybersecurity Management Framework

National and EU legal regulations are increasingly becoming a crucial issue that entrepreneurs must contend with. This is especially true for entities in "sensitive" sectors or those included in what is known as Critical Infrastructure. These encompass businesses in the financial, insurance, banking, energy, telecommunications, and healthcare industries.

A series of new obligations regarding the identification, analysis, estimation, monitoring, mitigation, and reporting of aspects affecting cybersecurity risk necessitate a new, unique perspective on the organization, its internal environment, and its surroundings

The experience gained from our completed projects allows us, on one hand, to take a broad view of each organization and, on the other hand, to tailor the requirements for the management framework to the scale of the enterprise, while maintaining an effective and efficient operating model.

Preparation of Adequate Risk Assessment Methodology in Cybersecurity

Our experience gained from various sectors of the economy enables us to select appropriate tools to support the methodology of managing cybersecurity risks. Our proprietary method of approaching the risk assessment process (ERAMIS - Evidence-based Risk Assessment for ICT Services) ensures consistency and full compliance with regulatory requirements, while also providing the opportunity to genuinely influence risk management processes within the organization.

The level of complexity and interplay among business processes, technology, and the business environment continues to increase. Our goal is to capture these aspects and consider their mutual interference in the risk management approach process.

Analysis of Compliance Gaps with UKSC (NIS2), EBA, SWIFT, DORA (including RTS and ITS) Requirements

Conducting an analysis of compliance gaps with UKSC (NIS2), EBA, SWIFT, DORA (including RTS and ITS) requirements. Preparing organizations for external audits (certification, security, supervisory).

For each project, we assemble a dedicated team of experts tailored to the client's needs. In every project, if necessary, individuals with experience in managing or implementing specific regulatory requirements participate, as well as individuals with legal backgrounds.

Confirmation of the knowledge and competence of our experts is evidenced by their professional qualifications and designations, including but not limited to: Lead Auditor / Implementer ISO 27001 or ISO 22301, CISA (Certified Information Systems Auditor), CIA (Certified Internal Auditor), CRMA (Certification in Risk Management Assurance). If you are interested in obtaining reliable information regarding your organization's compliance level with regulatory / industry requirements, you have come to the right place.

Conducting Cybersecurity Risk Assessment, Including Third Party Risk Assessment

Cybersecurity risk assessment focuses on several aspects. On one hand, it requires understanding the internal and external environment. On the other hand, it involves identifying threats and vulnerabilities.

The scale often necessitates setting appropriate priorities based on the likelihood of occurrence and potential impact on the organization. In the realm of cybersecurity, even a minor vulnerability can pose a significant problem for the organization and, in particularly unfavorable conditions, lead to its downfall.

Currently, increasing emphasis is placed on the risk associated with suppliers (the "third party risk" element). Their infrastructure (often less secure) frequently becomes the primary attack vector against the organization. Cybersecurity risk analysis can be integrated with ICT risk assessment (check out our ERAMIS methodology).

Conducting Digital Resilience Tests

New supervisory requirements defined within DORA impose a series of new/additional obligations on financial entities. One of them is the necessity of periodically conducting (independently) digital resilience tests. Our expertise enables us to offer our clients a service involving the conduct of such tests (either as a one-time service or as part of a long-term agreement) in compliance with DORA requirements.

Training and Workshops on Selected Aspects of Cybersecurity Management

We offer customized training and workshops on selected aspects of cybersecurity management (also designed in response to individual needs). Our proprietary training includes:

ICT Risk Assessment - ERAMIS Methodology (Evidence-based Risk Assessment Methodology for ICT Services)

Decoding DORA - RTS Risk Management Related to ICT

Impact Analysis - Criteria for Impact Assessment, Practical Aspects for Selected Impact Categories

Third-Party Risk Management

Preparation Course for the Examination Allowing for Obtaining the State Certificate of Qualification in the Free Market "Cybersecurity Management - Specialist" titled Certified Cybersecurity Specialist (CSCB).

Additionally, we offer training and practical workshops with the participation of our experts on selected aspects of cybersecurity risk management, tailored to individual needs.

ERAMIS Risk Assessment Methodology

The ERAMIS methodology (Evidence-based Risk Assessment Methodology for ICT Services) represents an innovative approach allowing the entire risk assessment to be based on FACTS.

This approach frees assessments from expert judgments often reliant on subjective intuitions and impressions. Even within structured methodologies, assessing the criticality of IT resources in complex models presents two fundamental challenges:

Simple propagation algorithms such as average or maximum tend to equalize assessments for most resources in large environments.

Standard methodologies fail to account for the particular criticality of certain environment elements (e.g., network, DNS, storage, domain controllers).

In ERAMIS, we address these methodological weaknesses by employing:

Weighting system for information security and services attributes, considering their placement in the structure of the IT environment model and protection requirements for dependent services.

"Strength" parameter for service relationships, where relationship strength rules are based on FACTS (e.g., implementation method), and the "strength" itself can vary for different attributes.

Probability assessment of threat materialization based on identified vulnerabilities and existing control measures. This approach facilitates a credible prioritization of threats regarding risk, making the risk value comparable across different areas/layers (services, infrastructure, human resources, etc.).

Evaluation of security measures in all categories (technical, organizational, legal) for adequacy and quality (effectiveness).

Risk assessment based on potential impact assessment, protection requirement indicators, service weight (in the IT environment model), and threat likelihood estimated based on threat data, analyzed vulnerabilities in two aspects, and existing security assessments.

Risk propagation to the level of business services or processes, following the principle of "weakest link" – propagating maximum risk values for a given threat.

CYBERSECURITY

MANAGEMENT

Cybersecurity management

CONTACT