As the regulatory and compliance landscape has evolved in recent years, the responsibility has shifted to organisations to ensure that their systems and supply chains are performing as expected.
Our team has developed a number of audit solutions for this scenario:
A strategic approach to ICT security
Organisations face the challenge of demonstrating to clients, potential clients, investors, regulators or other stakeholders that they have robust governance processes in place to manage the security of their information assets. For such organisations the solution is to implement an independently certified Information Security Management System (ISMS) such as ISO 27001. Others may wish to adopt a framework such as the National Institute of Standards & Technology (NIST) Cybersecurity Framework in order to provide assurance to their boards or senior management that good practice is the basis of their ICT management.
We provide a full range of support services for organisations wishing to adopt such an approach, whatever their objective.
Building a security operations function
We assist clients with developing an organisational structure to ensure the security operations role is delivered. Information security checklists, procedures and ‘runbooks’/‘playbooks’ will be created specifically for the organisation and will reflect the various technology solutions, for example, ‘InfoSec’ partners and support providers, internal staff resources, etc. We provide support and training to the staff that are responsible for SecOps and an ongoing review process to ensure that all checklists are being completed correctly. The generation of these checklists and the preservation of them as records of activity are important artefacts when it comes to demonstrable GDPR evidence. We can also support the organisation with incident response plan development, implementation and response management and support.
Critical incident response
Unfortunately, incidents can occur; however, it is the reaction of an organisation that determines the result. Preparation for incidents through well-rehearsed plans is critical.
Part of a response plan is to have identified experts who can be called on and, as with most organisations, it is not always an option to have a full-time incident response team. We assist organisations to put in place the escalation mechanisms ready for when an incident occurs, to ensure the minimum time loss during an incident and that expert, experienced decision makers will be available to the leadership in a time of crisis.
Policy development and review
Waystone Compliance Solutions works with the client to update existing policies, draft new policies, draft or update standards and procedures and assist the client to embed them in the organisation. For many organisations, the most common policy document referred to is the ‘Acceptable Usage Policy’ or ‘Information and Communications Technology Usage Policy’. Many of these documents have, however, evolved over time within organisations and may be considered to be of little relevance.
We work with clients to completely reshape the policy structure and make the documents more relevant and more easily understood by all staff and others covered by the policies. An effective and appropriate policy schedule should underpin all decisions within an organisation and align with its culture, while at the same time, ensuring compliance with legislation and industry standards.
Data classification/data marking
Classifying the many different types of data that a typical organisation stores allows for an appropriately-layered approach as to how it is best secured. This can be particularly important with regards to GDPR where instances of personal data can be identified, marked and managed in accordance with the legislation and an organisation’s own policies.
Establishing records management
Organisations that are determined to introduce more discipline to the management of their records can face a daunting challenge due to significant legacy volumes and/or diversity of formats. We work with clients to put in place principles- and standards-based, auditable and pragmatic policies and procedures that cover the entire records life cycle to protect against records-related risk and enable records-based opportunity.
Digital forensic investigations
Today, there is an increasing likelihood that an organisation will, at some point, require a digital forensic investigation to be carried out. Our team of experts has extensive experience in carrying out these investigations. Members of the team are recognised at a national level in this area, with key team members holding Master’s and PhD degrees in this field. Our relationship with you in advance of an incident is crucial when it comes to the preservation of evidentiary material for digital forensic investigations.
eDiscovery and planning
Statutory Instrument No. 93 of 2009 in Ireland amended the Rules of the Superior Courts and provided for the discovery of ‘electronically stored information’. This is commonly referred to as eDiscovery and has placed a significant burden on organisations dealing with eDiscovery requests.
Our team has extensive experience in assisting organisations to manage eDiscovery requests and, more significantly, in preparing for the inevitable requests when they arrive. We can assist clients to develop the procedures and to select appropriate technology solutions for eDiscovery.