Criminals, hackers, terrorists and vandals will all try to test your security controls in one way or another. They will spend time looking for weaknesses and, if they find any, exploit them. To be truly effective, all security controls should be validated and assessed, giving you the chance to find and fix problems before the bad guys do. Our security consultants can help you plan & execute a wide range of assessments, as well as helping you understand the results and manage any risks. See our testimonials.
The fundamental objective of a security assessment is to give you assurance that effective security controls are in place. This can range from making sure that your security guards are alert & properly trained, to ensuring your swipe card readers are functioning, to making sure that your software applications are properly coded to prevent malicious attacks and hackers.
Security assessments are very closely related to audits and can often be used in conjunction with a formal audit to give you a snapshot of the security situation at any given time. The main benefit of using a security assessment is that it allows you to go beyond the usual audit scope and probe for security weaknesses before the criminals and hackers have the chance.
All our services are driven by your needs and we are always willing to tailor what we offer around your requirements. At a very high level, we offer the following categories of security assessments:
All our security testing is carried out with your knowledge and prior agreement. We will never conduct a security assessment without your explicit permission and our assessments will never go beyond the agreed scope. Contact us to find out more about how our security assessment services can improve your organisational security assurance.
At the start of our engagement, we will work with you and any stakeholders you want involved to determine the scope of the assessment. This is certainly the most important stage and will set the boundaries for how we will conduct ourselves for the duration of the testing.
During this stage, we will need you to make decisions around key aspects of the assessment - for example, do you want us to announce ourselves to the facility at the start, or would you prefer we carry it out as "mystery shoppers"? The process and conduct of the assessment will be agreed with you in advance and can cover our appearance, methodology and testing tools. The more we can agree prior to the assessment, the greater the end value will be.
To make sure there is a clear understanding and agreement, we will document the scope of assessment and look for your written approval before we begin testing.
If you want to start the process of planning and scoping a security assessment for your facility, then get in touch with our security consultants and we will be happy to assist you.
During the actual assessment, we will keep a log of any noteworthy activity and remain in contact with you throughout. In the event that a serious security vulnerability is identified, we will look to notify you as soon as practical and, depending on the nature of the vulnerability, we may suspend testing. If this happens, we are happy to reschedule and recommence at a time that suits you. If we are carrying out supplier assessments, we will also normally notify the supplier of their security vulnerability. Non-critical vulnerabilities will be reported on completion of the assessment.
We will never exploit vulnerabilities any further than agreed during the planning and scoping phase.
Although the exact testing will depend on the agreed scope, our normal process will be to carry out a study of the location, or electronic research for technical assessments. This is followed by a review of any relevant security documentation such as architectural plans, network diagrams, security instructions etc. Then, when we have identified the most significant areas of risk, we will carry out a practical assessment to verify the control efficiency.
Unless you specify otherwise, on completion of our testing we will announce our presence to the facility being tested (if we haven’t done so already) and will seek out the senior on-site security person for a hot debrief of our findings. If this facility is not your primary location, we will also provide a verbal summary of the testing to you or your nominated representatives.
Our post-assessment reports, verbal and written, will include a summary of the observed findings (with evidence as required) and recommendations for how best to manage the associated risks. Our normal methodology is to provide up to four risk treatment options (treat, transfer, terminate, tolerate) but we can modify this as needed.