ZX Security


Cyber Strategy and Risk

We can help you identify and assess the security posture of your systems and people.

Background

The ZX Security virtual Chief Information Security Officer (vCISO) offering is unique in the marketplace. We differentiate ourselves from our competitors in a number of ways:

  • Our vCISO team has been there and done that. They come from operational backgrounds and have worked their way through the industry as technical and business leaders.
  • We can accurately gauge how much effort is involved to complete a task based on our own experience.
  • We provide guidance based on knowledge acquired with major NZ and international customers. The team has experience with a wide range of business sizes and industry sectors, from 2-seat to 1,200,000-seat companies, across the government, health, energy and technology sectors.
  • You aren’t just getting one person when you sign-up for the vCISO offering, you are receiving access to the whole ZX Security consultancy team.
  • We won’t write pages and pages of policy documentation that you will never read. We will produce a clear, concise plan that will assist you in meeting your security objectives.

We provide a wide array of services under the vCISO banner that will be of use to your business depending on where you are in your security journey. Typically, we will work with you to identify a manageable number of activities that, once implemented, will improve information security within your business.

If you think it is time to improve the security of your business, now is an opportune time to engage with ZX Security.

Services

  • Risk / Privacy assessments

    A risk assessment puts information security threats into context for your business and provides security control recommendations to manage risk to a level that is tolerable to you. We work closely with you to understand how your business functions and how you use technology. We will:

    • Develop likelihood, impact and overall risk scales that make sense to your business.
    • Assess risk for your key information systems.
    • Identify the use of personal information and ensure you are compliant with the Privacy Act 2020.
    • Develop a catalogue of security controls that are used to manage your risk, including metrics to measure their ongoing effectiveness.
    • Develop risk assessment processes and templates that can be used when implementing new technologies or upgrading existing systems.
  • Security Health Check

    A Security Health Check provides you with a snapshot of how securely your business is operating, using recognised good practice guides and vendor supplied recommendations. The Security Health Check can quickly identify any critical weaknesses that, if exploited, may result in information being disclosed to unauthorised persons, being destroyed or being maliciously modified. The Security Health Check is not a full audit, but will provide an overview of:

    • The security posture of your people, processes and technology.
    • How systems have been configured (a configuration review).
    • The software, firmware, and hardware versions in use, and any known vulnerabilities.
    • Your access control practices, including:
      • Your management of passwords
      • Use of two-factor authentication
      • User provisioning and deprovisioning
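    One way to turn the access-control items above into a repeatable check, as an added example and not ZX Security's own tooling: reconcile an identity-directory export against the HR leavers list and flag leavers whose accounts are still enabled, privileged accounts without two-factor authentication, and accounts nobody has used in 90 days. The account records, the leavers list and the `AS_OF` date are constructed sample data; a real check would load these from your directory and HR system.

```python
from datetime import date, timedelta

# Constructed sample directory export (not real client data): one record per account.
# "mfa" records whether a second factor is enrolled; "privileged" marks admin/service access.
ACCOUNTS = [
    {"user": "alice",      "enabled": True,  "mfa": True,  "privileged": False, "last_login": date(2024, 5, 20)},
    {"user": "bob",        "enabled": True,  "mfa": False, "privileged": True,  "last_login": date(2024, 5, 18)},
    {"user": "carol",      "enabled": True,  "mfa": True,  "privileged": False, "last_login": date(2023, 11, 2)},
    {"user": "dave",       "enabled": True,  "mfa": True,  "privileged": False, "last_login": date(2024, 4, 1)},
    {"user": "erin",       "enabled": False, "mfa": True,  "privileged": False, "last_login": date(2024, 1, 15)},
    {"user": "svc-backup", "enabled": True,  "mfa": False, "privileged": True,  "last_login": None},
]

# Constructed HR leavers list: user -> last working day.
LEAVERS = {"dave": date(2024, 4, 5), "erin": date(2024, 1, 20)}

# Date the review is run (constructed, so the sample results are stable).
AS_OF = date(2024, 6, 1)


def review_access(accounts, leavers, as_of, dormant_days=90):
    """Return (check, user) findings for the three access-control hygiene checks.

    leaver_still_enabled   - HR says the person has left, the account is still enabled.
    privileged_without_mfa - an enabled privileged account with no second factor.
    dormant_account        - an enabled account not used within dormant_days (or never).
    """
    findings = []
    cutoff = as_of - timedelta(days=dormant_days)
    for account in accounts:
        if not account["enabled"]:
            # Disabled accounts are what deprovisioning should produce; nothing to flag.
            continue
        user = account["user"]
        if user in leavers and leavers[user] < as_of:
            findings.append(("leaver_still_enabled", user))
        if account["privileged"] and not account["mfa"]:
            findings.append(("privileged_without_mfa", user))
        last = account["last_login"]
        if last is None or last < cutoff:
            findings.append(("dormant_account", user))
    return findings


def sample_findings():
    """Run the review over the constructed sample data."""
    return review_access(ACCOUNTS, LEAVERS, AS_OF)


if __name__ == "__main__":
    for check, user in sample_findings():
        print(f"{check:24s} {user}")
```

    Service accounts such as `svc-backup` will often appear under both the MFA and dormancy checks; that is a prompt to confirm the account is still needed and to put its credential under the same lifecycle controls as a person's account, not a reason to whitelist it.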
  • Incident Response / Disaster Recovery

    How you respond to an information security incident can make the difference between having your business's reputation destroyed and being able to manage the fallout so that you keep your reputation and your customers. We will help you to:

    • Develop an incident response plan that provides clear step-by-step guidelines on how to respond to an information security incident, including who to contact if the incident cannot be managed internally, and when to contact them.
    • Develop a communications plan. A communications plan will put you on the front foot and allow you to communicate confidently and accurately with your staff, clients, the media and other stakeholders.
    • Work with incident response experts to effectively manage an information security incident.
    • Carry out an independent post-incident review to identify what went well and what could be improved.
    • Carry out incident response exercises involving security teams and information owners.
  • Regulatory Support

    We will help you identify legislation, regulations and standards that may be applicable to your use of information and information systems. These may include:

    • Privacy Act 2020
    • EU General Data Protection Regulation (GDPR)
    • New Zealand Information Security Manual (NZISM)
    • The Payment Card Industry Data Security Standard (PCI DSS)
    • ISO/IEC 27001 Information Security Management

    We will provide a high-level assessment of your compliance with these standards and identify areas of immediate concern.

  • Security Roadmap / Programme of Work

    A security roadmap of activities will be developed based on our findings from previously completed tasks, such as the risk assessment or health check. The programme of work will:

    • Prioritise activities.
    • Provide a clear indication of milestones and target state.
    • Provide an estimate of costs and required effort.
    • Track progress to date.
    • Assess the reduction of risk after each achieved milestone.
  • Security Training and Awareness

    All staff must be aware of information security threats and the common and current methods used to trick people into performing an action that may have disastrous consequences. We will work with you to develop a Security Training and Awareness programme that will:

    • Ensure staff can identify and report potential or actual information security incidents.
    • Identify key staff that require specific training.
    • Define information security responsibilities for all staff.
    • Keep staff up to date on common and current threats, such as ongoing phishing attempts and scams.
    • Conduct regular phishing campaigns against staff to measure whether the Security Training and Awareness Programme is working.

    We offer other security-related training courses too.

  • Security Operations

    Security Operations is the continual monitoring of your security controls and ensuring that regular and ad hoc tasks essential to your security posture are completed as required. We will help you develop processes and guidelines to:

    • Monitor the effectiveness of your key security controls and ensure early warning of potential issues.
    • Manage and analyse system logs and alerts.
    • Maintain the security of your infrastructure.
    • Review changes and assess their impact on information security.
    • Perform security investigations.
    • Keep up to date on current threats.
    • Perform vulnerability assessments.
  • Software Development Life Cycle (SDLC)

    We will work with you to ensure security is considered at all stages of your solution’s lifecycle, from development and implementation through to its ongoing maintenance. We will achieve this by helping you to develop processes to ensure security tasks are considered and completed as required. We will:

    • Help you assess the risk to a proposed solution or change (see Risk Assessment).
    • Let you know when/if penetration testing is required.
    • Manage relationships with external security providers, such as penetration testers and code reviewers.
    • Work with project teams to develop security requirements and to provide advice and guidance.
    • Help you evaluate products, vendors and designs against your security requirements.
    • Work with you to develop configuration templates and “gold” build images.
  • Security Policy Documentation

    All staff must use information systems responsibly and must protect company information. We will work with you to develop pragmatic and concise information security policy that can be adopted by all staff.

  • Reporting

    We will keep your key stakeholders up to date on the current state of information security within your company. This will be done through:

    • Regular reporting of activities completed and the progress of key security initiatives.
    • Attending board meetings / steering committee meetings as required.
    • Reporting on the effectiveness of your key security controls, showing trends over time.

  • Solution Design Review / Control Framework Alignment

    ZX Security has extensive experience building systems that implement security controls for our clients. This knowledge allows us to identify shortcomings in customer designs and highlight these issues before the solution moves to the implementation phase, saving our clients time and re-design effort.

    We provide our customers with assurance that a design has been reviewed from an information security perspective and that any identified security issues have been appropriately highlighted.

    We also have a breadth of knowledge in understanding various security frameworks (NZISM, NIST CSF, ISO/IEC 27001) and the underlying controls that need to be implemented for differing information security classifications.

    At the conclusion of an engagement we present the client with a detailed report. This report presents the identified security issues in an easily digestible format with a focus on the risk and impact to the business of a particular vulnerability being realised.

  • Board Advisor Service

    The Institute of Directors has highlighted the importance of boards paying close attention to cyber security risk.

    They say "the principles behind cyber-risks are no different to other areas of risk. Boards must grasp the specific risks, determine risk appetite and take actions to deal with cyber-risk".

    Engaging an external and independent advisor can help your board understand and address these risks. Our Cyber Strategy and Risk Team work with senior leaders and boards by reviewing the current state of a company’s cyber security and assisting boards to understand the technical issues in a business-focused context. We advise on what risks could be accepted and which need treating, and can propose a prioritised plan based on your risk appetite, available budget, and business operating context.

    We can work with you on a retainer basis to regularly brief you on current threats and risks, and to review reports from your IT team or third-party vendors to ensure you are making decisions based on clear and independent advice.

  • Due Diligence for Mergers & Acquisitions

    Mergers and acquisitions are some of the most significant financial decisions a company can make, whichever side of the transaction you are on. A thorough assessment of the target company's cyber security posture ensures that it is considered when determining the appropriate valuation, and when considering Warranty and Indemnity insurance.

    ZX Security has deep experience in assessing the cyber security of a business, across all facets of their People, Processes and Technology.

    Where the transaction involves bespoke software or code, we can conduct a comprehensive review of the code to:

    • Determine the quality of the code and how well deployment is managed.
    • Identify security vulnerabilities that may leave you exposed.
    • Understand where open-source software has been included, and the associated licence obligations and any conflicts between them.
  • PSR Assessment, Roadmap and Uplift

    Understanding and building your maturity across the four Protective Security Requirements (PSR) domains of Governance, Information, Personnel and Physical security is not only for the government agencies that are mandated to implement it. All organisations that work with government information, including private companies, should consider assessing themselves against the PSR. This enables you to demonstrate to your government clients that you are meeting the same standard that they are required to meet.

    Depending on your needs, we will work with you to assess your maturity across all four areas of the PSR or will perform a more targeted assessment against one or more of the areas.

    Following the assessment, we will work with you and your senior leadership to determine appropriate target maturity levels and develop a tailored roadmap to support you achieving these.

    We can also support with the implementation of the roadmap. This could include:

    • Development of policies and processes.
    • Project/programme management.
    • Progress reporting.
    • Periodic reassessment.
  • ISO/IEC 27001:2022 Implementation

    Increasingly, organisations are being asked by stakeholders to prove the effectiveness of their information security practices through certification against standards such as ISO 27001.

    Achieving this can seem like a daunting task for many organisations. Our experienced ISO 27001 consultants can take you from a standing start to ready for certification. To support your alignment to ISO 27001 we will:

    • Conduct a readiness assessment to determine the gap between your current state and achieving certification.
    • Work with you to implement the standard, including conducting risk assessments, development of policies and processes, and documenting control design.
    • Conduct internal audit assessments to assess control effectiveness and overall effectiveness of your ISMS.

Approach

We start with an initial meeting where we will:

  • Understand what your business does and where the key areas of risk are
  • Discuss the services that we deliver under the vCISO offering
  • Determine whether an initial light risk assessment or Security Health Check is necessary
  • Document a scope for the engagement which covers:
    • The services you wish to subscribe to
    • How often the vCISO will work with you to meet your objectives

The amount of time we spend working with you will differ from client to client; the most common engagement options are:

  • Casual - On site or remotely one to two days per week
  • Dedicated - On site for a longer period of time (typically a few months) to build a programme of security
  • Ad-hoc - we bill you a minimum of eight hours per month and you have the ability to call us for any security related matters