ZX Security


Cyber Strategy and Risk

We can help you identify and assess the security posture of your systems and people.

Background

The ZX Security virtual Chief Information Security Officer (vCISO) offering is unique in the marketplace. We differentiate ourselves from the competitors in a number of ways:

  • Our vCISO team has been there and done that. They come from operational backgrounds and have worked their way through the industry as technical and business leaders.
  • We can accurately gauge how much effort is involved to complete a task based on our own experience.
  • We provide guidance based knowledge acquired with major NZ and international customers. The team has experience with a wide range of business sizes and industry sectors, from 2 up to 1,200,000 seat companies, across government, health, energy and technology sectors.
  • You aren’t just getting one person when you sign-up for the vCISO offering, you are receiving access to the whole ZX Security consultancy team.
  • We won’t write pages and pages of policy documentation that you will never read. We will produce a clear, concise plan that will assist you in meeting your security objectives.

We provide a wide array of services under the vCISO banner that will be of use to your business depending on where you are in your security journey. Typically, we will work with you to identify a manageable number of activities that, once implemented, will improve information security within your business.

If you think it is time to improve the security of your business this may be an opportune time to engage with ZX Security.

Services

  • Risk / Privacy assessments

    A risk assessment puts information security threats into context for your business and provides security control recommendations to manage risk to a level that is tolerable to you. We work closely with you to understand how your business functions and how you use technology. We will:

    • Develop likelihood, impact and overall risk scales that make sense to your business.
    • Assess risk for your key information systems.
    • Identify the use of personal information and ensure you are compliant with the Privacy Act 2020.
    • Develop a catalogue of security controls that are used to manage your risk, including metrics to measure their ongoing effectiveness.
    • Develop risk assessment processes and templates that can be used when implementing new technologies or upgrading existing systems.
  • Security Health Check

    A Security Health Check provides you with a snapshot of how securely your business is operating, using recognised good practice guides and vendor supplied recommendations. The Security Health Check can quickly identify any critical weaknesses that, if exploited, may result in information being disclosed to unauthorised persons, being destroyed or being maliciously modified. The Security Health Check is not a full audit, but will provide an overview of:

    • The security posture of your people, processes and technology.
    • How systems have been configured (a configuration review).
    • The software, firmware, and hardware versions in use, and any known vulnerabilities.
    • Your access control practices, including:
      • Your management of passwords
      • Use of two-factor authentication
      • User provisioning and deprovisioning
  • Incident Response / Disaster Recovery

    How you respond to an information security incident can make the difference between having your business’ reputation destroyed or being able to manage the fallout allowing you to maintain your reputation and customers. We will help you to:

    • Develop an incident response plan that provides clear step-by-step guidelines on how to respond to an information security incident, including who to contact if the incident cannot be managed internally, and when to contact them.
    • Develop a communications plan. A communications plan will put you on the front foot and allow you to communicate confidently and accurately with your staff, clients, the media and other stakeholders.
    • Work with incident response experts to effectively manage an information security incident.
    • Carry out an independent post-incident review to identify what went well and what could do with improvement.
    • Carry out incident response exercises involving security teams and information owners.
  • Regulatory Support

    We will help you identify legislation, regulations and standards that may be applicable to your use of information and information systems. These may include:

    • Privacy Act 2020
    • EU General Data Protection Regulation (GDPR)
    • New Zealand Information Security Manual (NZISM)
    • The Payment Card Industry Data Security Standard (PCI DSS)
    • ISO/IEC 27001 Information Security Management

    We will provide a high-level assessment of your compliance to these standards and identify areas of immediate concern.

  • Security Roadmap / Programme of Work

    A security roadmap of activities will be developed based on our findings from previously completed tasks, such as the risk assessment or health check. The programme of work will:

    • Prioritise activities.
    • Provide a clear indication of milestones and target state.
    • Provide an estimate of costs and required effort.
    • Track progress to date.
    • Assess the reduction of risk after each achieved milestone.
  • Security Training and Awareness

    All staff must be aware of information security threats and the common and current methods used to trick people into performing an action that may have disastrous consequences. We will work with you to develop a Security Training and Awareness programme that will:

    • Ensure staff can identify and report potential or actual information security incidents.
    • Identify key staff that require specific training.
    • Define information security responsibilities for all staff.
    • Keep staff up to date on common and current threats, such as ongoing phishing attempts and scams.
    • Conduct regular phishing campaigns against staff to ensure the Security Training and Awareness Programme is successful
  • Security Operations

    Security Operations is the continual monitoring of your security controls and ensuring that regular and ad hoc tasks essential to your security posture are completed as required. We will help you develop processes and guidelines to:

    • Monitor the effectiveness of your key security controls and ensure early warning of potential issues.
    • Manage and analyse system logs and alerts.
    • Maintain the security of your infrastructure.Review changes and assess their impact on information security.
    • Review changes and assess their impact on information security.
    • Perform security investigations.
    • Keep up to date on current threats.
    • Perform vulnerability assessments.
  • Software Development Life Cycle (SDLC)

    We will work with you to ensure security is considered at all stages of your solution’s lifecycle, from development and implementation through to its ongoing maintenance. We will achieve this by helping you to develop processes to ensure security tasks are considered and completed as required. We will:

    • Help you assess the risk to a proposed solution or change (see Risk Assessment).
    • Let you know when/if penetration testing is required.
    • Manage relationships with external security providers, such as penetration testers and code reviewers.
    • Work with project teams to develop security requirements and to provide advice and guidance.
    • Help you evaluate products, vendors and designs against your security requirements.
    • Work with you to develop configuration templates and “gold” build images.
  • Security Policy Documentation

    All staff must use information systems responsibly and must protect company information. We will work with you to develop pragmatic and concise information security policy that can be adopted by all staff.

  • Reporting

    We will keep your key stakeholders up to date on the current state of information security within your company. This will be done through:

    • Regular reporting of activities completed and the progress of key security initiatives.
    • Attending board meetings / steering committee meetings as required.

    Reporting on the effectiveness of your key security controls, showing trends over time.

  • Solution Design Review / Control Framework Alignment

    ZX Security has extensive experience building systems that implement security controls for our clients. This knowledge allows us to identify shortcomings in customer designs and highlight these issues before the solution moves to the implementation phase, saving our clients time and re-design effort.

    We provide our customers with assurance that a design has been reviewed from an information security perspective and that any identified security issues have been appropriately highlighted.

    We also have a breadth of knowledge in understanding various security frameworks (NZISM, NIST CSF, ISO/IEC 27001) and the underlying controls that need to be implemented for differing information security classifications.

    At the conclusion of an engagement we present the client with a detailed report. This report presents the identified security issues in an easily digestible format with a focus on the risk and impact to the business of a particular vulnerability being realised.

Approach

We start with an initial meeting where we will:

  • Understand what your business does and where the key areas of risk are
  • Discuss the services that we deliver under the vCISO offering
  • Determine whether an initial light risk assessment or Security Health Check are necessary
  • Document a scope for the engagement which covers
    • The services you wish to subscribe to
    • How often the vCISO will work with you to meet your objectives.

The amount of time we spend working with you will differ from client to client, the most common engagement options are:

  • Casual - On site or remotely one to two days per week
  • Dedicated - On site for a longer period of time (typically a few months) to build a programme of security
  • Ad-hoc - we bill you a minimum of eight hours per month and you have the ability to call us for any security related matters