Information Security Management
Information Security Risk Management is a structured process aimed at identifying, assessing, mitigating, and monitoring risks that could compromise the confidentiality, integrity, and availability of an organisation’s information assets.
Below are a comprehensive set of activities that Actaeus can support you with.
Information Security Management
Establishing Governance and Leadership
- We help you define the Information Security Management System (ISMS) scope.
- Support and mentor an Information Security Officer or equivalent role.
- Advise and support the establishment of an Information Security Policy approved by senior management.
Risk Management
- Advise and conduct risk assessments to identify threats and vulnerabilities.
- Help you determine risk treatment options and implement appropriate controls.
- Design and advise on how to maintain a risk register and review it regularly.
Asset Management
- Help you create and maintain an asset inventory (hardware, software, data).
- Classify information assets according to sensitivity and criticality.
- Advise on how you can apply ownership and accountability for each asset.
Access Control
- Provide support on how you can implement role-based access controls.
- Advise on enforcing least privilege and need-to-know principles.
- Help you implement and regularly review and revoke unnecessary access rights.
Physical and Environmental Security
- Secure premises with access restrictions and surveillance.
- Protect equipment from environmental hazards (fire, flood, etc.).
- Implement clear desk and clear screen policies.
Operations Security
- Establish change management procedures.
- Implement backup and recovery processes.
- Monitor systems for unauthorised activities and anomalies.
Communications and Network Security
- Advising on the use of encryption for data in transit and at rest.
- Best practices when segmenting networks and how to apply firewalls and intrusion detection.
- Providing advice on managing remote access securely (VPN, MFA).
Supplier and Third-Party Management
- Assess suppliers for security compliance.
- Include security clauses in contracts.
- Monitor third-party performance and risk exposure.
Incident Management
- We advise, develop and maintain your incident response plan.
- We can train staff on incident reporting procedures.
- We can conduct post-incident reviews and provide a report on which controls to update.
Compliance and Audit
- Advise on compliance with regulatory, and contractual obligations.
- We can advise and perform internal audits of the ISMS.
- We can help you prepare for external certification audits (e.g., ISO 27001).
Human Resources Security
- Advise on how you could conduct staff employment checks where appropriate.
- We can help you provide security awareness training for all staff.
- Advise on things to consider when defining responsibilities in employment contracts.
Continuous Improvement
- We help you review and update policies and procedures regularly.
- Advise and support you when conducting management reviews of ISMS performance.
- Advise on how you can Implement corrective and preventive actions based on findings.