Global Cyber & Data Protection Advisory

Organisations are increasingly facing the challenge of demonstrating to clients, potential clients, investors, regulators or other stakeholders that they have robust governance processes in place to manage the security of their information assets. For such organisations the solution is to implement an independently certified Information Security Management System (ISMS) such as ISO 27001. Others may wish to adopt a framework such as the National Institute of Standards & Technology (NIST) Cybersecurity Framework in order to provide assurance to their boards or senior management that good practice is the basis of their ICT management.

We provide a full range of support services for organisations wishing to adopt such an approach, whatever their objective.

We can assist clients with developing an organisational structure to ensure the security operations role is delivered. Information security checklists, procedures and ‘runbooks’/’playbooks’ will be created specifically for the organisation and will reflect the various technology solutions, for example, ‘InfoSec’ partners and support providers, internal staff resources etc. We provide support and training to the staff that are responsible for SecOps and an ongoing review process to ensure that all checklists are being completed correctly. The generation of these checklists and the preservation of them as records of activity are important artefacts when it comes to demonstrable GDPR evidence. We can also support the organisation with incident response plan development, implementation and response management and support.

Unfortunately, incidents can occur, however, it is the reaction of an organisation that determines the result. Preparation for incidents through well-rehearsed plans is critical.

Part of a response plan is to have identified experts that can be called on and, as with most organisations, it is not always an option to have full-time incident response team. We assist organisations to put in place the escalation mechanisms ready for when an incident occurs, to ensure the minimum time loss during an incident and that expert, experienced decision makers will be available to the leadership in a time of crisis.

Waystone Compliance Solutions works with the client to update existing policies, draft new policies, draft or update standards and procedures and assist the client to embed them in the organisation. For many organisations, the most common policy document referred to is the ‘Acceptable Usage Policy’ or ‘Information and Communications Technology Usage Policy’. Many of these documents have, however, evolved over time and are effectively ignored in most organisations as they are considered to be of little relevance.

We work with organisations to completely reshape the policy structure and make the documents more relevant and more easily understood and consumed by the staff and others covered by the policies. An effective and appropriate policy schedule should underpin all decisions in an organisation and align with the culture of the organisation while at the same time, ensuring compliance with legislation and industry standards.

Classifying the many different types of data that a typical organisation stores allows for an appropriately-layered approach as to how it is best secured. This can be particularly important with regards to GDPR where instances of personal data can be identified, marked and managed in accordance with the legislation and an organisation’s own policies.

Organisations that are determined to introduce more discipline to the management of their records can face a daunting challenge due to significant legacy volumes and/or diversity of formats. We assist organisations to put in place principles and standards-based auditable and pragmatic policies and procedures that cover the entire records’ life cycle to protect against records-related risk and enable records-based opportunity.

Today, there is an increasing likelihood that an organisation will, at some point, require a digital forensic investigation to be carried out.

Our team of experts have extensive experience in carrying out these investigations. Members of the team are recognised at a national level in this area with key team members holding a Master’s and PhD degree in this field. Our relationship with you in advance of an incident is crucial when it comes to the preservation of evidentiary material for digital forensic investigations.

Statutory Instrument No. 93 of 2009 in Ireland amended the Rules of the Superior Courts and provided for the discovery of ‘electronically stored information’. This is commonly referred to as eDiscovery and has placed a significant burden on organisations dealing with eDiscovery requests.

Our team has extensive experience in assisting organisations to manage eDiscovery requests and, more significantly, in preparing for when the inevitable requests arrive. We can assist an organisation with developing the procedures and in the selection of appropriate technology

Penetration testing a new system is the ultimate validation that the design, development and deployment of that system is in-line with secure practices.

Our Penetration Testing Team continue to impress clients and developers when given access to a new system and subsequently are able to demonstrate the flaws within it. An organisation choosing to have a penetration test carried out, and in particularly a ‘Crystal Box’ one, is demonstrating maturity in the information security space. Ideally, this takes places once user acceptance testing is complete and before ‘Go Live’. This means there is still a chance to remediate any issues identified, retest to validate, and then release to the Internet.

By default, most Operating Systems (OS) that are installed ‘out of the box’ are general in nature and, by that measure, often insecure. They attempt to offer a broad range of services and with very few restrictions. Some vendors have partially addressed these issues through role-based installation and minimisation of unnecessary services. Despite these efforts, it is our opinion that the OS still requires a further layer of ‘hardening’ to be applied. Waystone can work with the organisation to determine the most appropriate hardening policy to be applied to a specific OS. Training can be provided in addition to ensure that an organisation’s own support teams understand the hardening process, the rationale for decisions on settings and problem resolution. We want the client to be self-sufficient, where appropriate, when it comes to OS Hardening. In the same way as the OS needs hardening, so too do the application layers that are installed. Whether it is a web content delivery application, a database application or some level of middleware, there is likely to be a level of hardening required. Our philosophy is that this hardening should never be dependent on one person or organisation and documenting the hardening is a key feature of our engagement.

Over recent years the move to ‘DevOps’ and other rapid development and deployment methodologies has, in some cases, led to a quality issue in terms of information security vulnerabilities being introduced. These may not be caught until the next major penetration test, and by then, the damage may have been done and a breach may have occurred. By carrying out source code reviews, and in particular, automated ones, many of these issues can be caught before code is ‘dropped’. We are able to provide a range of source code review options for clients, with the most popular being Static Application Security Testing (SAST). This automated process can save huge amounts of developer time and business frustration.

Organisations are at varying levels of maturity when it comes to software (or ‘application’) development. Delivering secure systems, that need minimal remediation at the application penetration and security testing stages prior to going live, can dramatically save time and cost.

We are able to facilitate the Static Application Security Testing (SAST) of source code that can achieve this objective and we are experienced in introducing the concepts of developing secure code all the way through to designing embedded steps in DevOps for automated static code analysis during code drops.

The Open Web Application Security Project (OWASP) is an internationally-recognised standard for the development of online systems.

Our team of experts has extensive experience with OWASP and the implementation of the principles at both design and development stages. We work with an organisation to ensure that the principles of OWASP are integrated at all levels in the design and delivery of any new service. This greatly reduces the likelihood of any future issues.

The familiar idea that ‘security has many layers’ is as relevant today as it has ever been. Organisations must, however, still ensure that clear and present dangers with regards to their network perimeter are clearly understood and that mitigations are in place.

While conducting security reviews of firewalls and network perimeters we consider each client’s technical and functional requirements. We also ensure that each client’s specific threat surface and attacker Techniques Tactics and Procedures (TTPs) are considered. This is often achieved by assessing specific attack scenarios and using the identified cyber kill chain of these scenarios to realise mitigating TTPs that the client can implement.

As a key building block of most organisation’s systems, it is critical that Active Directory is configured to provide a solid foundation for the desired security posture. There is a vast array of parameters that can be set and many of the default settings, while simplifying administration, are not necessarily the most secure.

Ensuring that staff are alert to the potential threats an organisation may face is a vital non-technical defence. An educated workforce complements all the technical defences that an organisation has put in place to provide effective security.

We have developed programmes to sensitise staff to their role in protecting their organisation’s ICT security. ‘InfoSec Awareness Training’ (Basics and Advanced) sessions are key to the empowerment of staff to make smart and informed decisions when it comes to potential ‘cyber’ threats.

These sessions are tailored to the specific industry sector, risk appetite and culture of an organisation.

‘Phishing’ and social engineering assessments for an organisation can be used as metrics in the measurement of the level of awareness amongst staff of information security threats. By repeating the assessments, the effectiveness of awareness and training sessions can be demonstrated.

We have experience of explaining the evolution of legislation in this area and enabling staff to recognise issues of personal data protection. Data protection basics, data protection specialists and data protection champion awareness training and customised mentoring sessions are training sessions that are tailored to a client’s particular circumstances.

These can transform the level of awareness when it comes to managing the personal data that an organisation is processing. These are more than just GDPR training courses and go to the heart of privacy.

Data classification is a foundation principle to all good data governance. If an organisation’s staff members are aware of their organisation’s classification scheme and how to use it in a practical and efficient manner, the effectiveness of data governance is transformed. Particularly with the move to cloud and Software as a Service solutions, data classification, data marking and appropriate technical controls are vital.

We can assist you with training and awareness in this area and ensuring that staff understand the implications of over and under classifying data.

Our team of highly-experienced system designers and procurement specialists have assisted many clients over the years by outlining the options available and the pitfalls to be aware of when developing or selecting any size system. Our team has extensive experience in the area of procurement including RFT/ITT creation, publication, response evaluation, contract award and delivery oversight in both the public sector where it is mandated and also in the private sector for those organisations that value procurement processes.

ISO 27001 is an internationally-recognised standard for information security and defines a process-based approach for establishing, implementing, operating, monitoring, maintaining, and improving an Information Security Management System (ISMS). Organisations are increasingly facing the challenge of demonstrating to clients, potential clients, investors, regulators or other stakeholders that they have robust governance processes in place to manage the security of their information assets thereby ensuring their business continuity as a strategic supplier or operator within their sector.

We provide a full range of support services for organisations wishing to achieve the ISO27001 certification. This may begin with a gap analysis assessment which provides the basis for a pragmatic programme to address the gaps identified. A similar gap analysis can be completed ahead of an impending audit to ensure continued certification.

‘New’ (which can include significant changes to an existing activity) data processing activities are subject to certain requirements under the GDPR. Article 25 calls for “data protection by design and by default” in all instances and if the processing represents a “high risk” for the data subjects or is listed as such by the Data Protection Commission, Article 35 requires that a Data Protection Impact Assessment (DPIA) must be undertaken. The documentation from either of these exercises would evidence, in line with the “Accountability Principle”, that you have approached the new processing activity in a compliant fashion. We have experience in assisting clients to undertake both of these exercises.

Many organisations are embracing the opportunities presented by public cloud computing – whether Infrastructure (IaaS), Platform (PaaS), or Software as a Services (SaaS). Each of these service models shares the responsibility for information security between the Cloud Service Provider (CSP) and the Cloud Service Customer. These customer organisations must ensure they take the time to fully understand and implement the security capabilities of the cloud services that they consume. For example, SaaS services such as Microsoft’s Office 365 or Google G-Suite incorporate a wide range of controls to help organisations meet their data protection and other legal, regulatory or technical compliance demands. In many cases these capabilities are available at no extra cost as part of the customer’s existing subscriptions, however, if they are not using such functionality the customer may not be realising the full benefits of their cloud service expenditure.

Our team is regularly called on to assist organisations that have been compromised by assuming that default settings were adequate for their security objectives. Our Cloud Audit Service is designed to assist organisations to identify and implement risk-appropriate security controls within their chosen cloud service.

Where organisations are reliant on the supply of key products or services from third-party suppliers, it is important to assess the appropriateness of those suppliers’ information security arrangements. Where sensitive data forms part of that product or service, the risk of fraud, data compromise and revenue loss can be significant.

External suppliers are a vital component of business operations. Suppliers may have access to a wide range of information and once shared with a supplier, direct control of this information is lost, regardless of sensitivity or value.

Our team has extensive experience in performing supplier security reviews on behalf of clients. Our audit methodology provides the framework for detailed analysis that provides a comprehensive evaluation of a supplier’s ability to secure your data.

The EU’s General Data Protection Regulation (GDPR) makes it clear that organisations are accountable for data breaches caused by third-party service providers, therefore third-party supply chain assessment is key to ensuring compliance with the GDPR.

Organisations operating as data controllers should have rights to conduct audits of their data processors if they have an Article 28 compliant agreement in place.

We undertake such audits to provide assurance to a data controller that there are adequate controls in place and provide a report that could be used to evidence that they are discharging their responsibilities as a data controller.

When the EU’s General Data Protection Regulation came into effect in May 2018, many organisations, particularly those in the public sector, found themselves being mandated to have a DPO. The specific requirements in terms of both competency and independence from conflicting roles in an organisation make this a particularly difficult role to fill internally.

Our senior consultants hold a variety of data protection qualifications and are members of data protection organisations such as the Association of Data Protection Officers and the International Association of Privacy Professionals (‘IAPP’).

In this scenario, we work with the client to determine an appropriate amount of onsite time over a defined period, typically 12 months, based on an initial baseline assessment and gap analysis. This feeds into an agreed work plan that sets specific information security improvement objectives. It also provides the organisation with a flexible and ‘on-demand’ access to a CISO without the costs of a full-time solution.

All our CISO resources have a minimum of 15 years information security experience and have held senior information security roles in public or private sector organisations. The CISO as a service subscription also provides emergency access to the Critical Incident Response Team.

Our consultants regularly work with clients to design, build and implement enterprise-class security systems aligned with corporate business and technology strategies. Our independence provides assurance and confidence to clients that the design proposed is the best fit for them. We do not sell any information security technology components such as firewalls, anti-malware or encryption products.

We undertake an analysis of an organisation’s current situation against an appropriate benchmark to assess its current status. From this, we can develop a sustainable and pragmatic programme to close any gaps that are identified.

‘Information security’ is the term most commonly used to describe the controls around your Information and Communications Technology systems (ICT) that protect your organisation’s digital information assets. We can assess your current position against a number of standards, most typically ISO27001, in order to identify opportunities to strengthen your position and manage any risks in your environment.

‘Data Protection’ is the term most commonly used for the governance of personal data to ensure that an organisation can comply with all the relevant GDPR or ePrivacy legislation at a minimum or even exceed it, in order to offer customers additional assurance as to the safety of their personal data.

Many organisations are taking a more structured approach to the management of their records. This can be for reasons of regulatory compliance, corporate reputation or because of the clear business benefits to being able to release the data captured in dispersed records stores for future business development. Our team can assess current practices against recognised standards (e.g. ISO 15489). This will produce a roadmap that points out the practices and principles that need to be developed in order to achieve a more structured approach to the ownership of key records.

Our team regularly assist boards, board audit committees and senior management teams to assess their organisation’s compliance with data protection legislation.

Our team of experts regularly undertake audits of an organisation’s management of personal data and its compliance with the relevant legislation, for example GDPR/Data Protection Acts, ePrivacy Directive as implemented in different Member States. Our reports contain pragmatic advice on how gaps can be closed in a fashion that can be maintained on an ongoing basis.

Where an organisation has grown rapidly or has been subject to significant change, it is easy to be unaware of all instances of the processing of personal data within the meaning of the current legislation.

Our team of experts is experienced in unearthing data flows and reflecting them in records of processing activities, a key requirement under the GDPR.

The GDPR has imposed an accountability obligation on organisations processing personal data. This involves maintaining documented policies and processes and written agreements with any suppliers processing such data on your behalf.

Our team has extensive experience in reviewing and developing data processing agreements as well as joint controller arrangements and data sharing agreements.