Audit and Advisory Services

Our services

CISO as a service

CISO as a service Datasheet EN

If your company does not have a chief information security officer (CISO) role that oversees the overall information security governance or management, the responsibility for information security is covered by another role, such as the CTO. The problem with this scenario is, that the main responsibility of CTO is ensure smooth operation of enterprise IT. Therefore, there might not be enough time and resources allocated to information security and in some cases there may be a conflict of interest between the security objectives and the IT operations objectives.

Reasons you may need CISO as a service:

  • Lack of resources to employ full time CISO
  • Bridging the period into the employment of the new CISO
  • Advisory and training of a less experienced existing CISO
  • Compliance with regulatory and normative requirements

Get the most out of our CISO as a service by tailoring it to your specific needs. CISOs from IstroSec can help you with the following activities:

  • Overall governance, strategic management and direction of the information security program
  • Ensure compliance with regulatory, normative and contractual requirements
  • Development and implementation of security processes, policies, guidelines and procedures
  • Planning and conducting education and awareness raising
  • Cyber security exercises
  • Information security asset management
  • Physical security
  • Management of information security and third-party risks
  • Access control
  • Security of IT operations
  • Information security incident management
  • Business continuity and disaster recovery
  • Security testing
  • Preparation for internal or external audit
  • Security in software development

Why IstroSec?

  • Combined experience of more than 70 years
  • Access to experts in all domains of information security, including penetration testers, forensic analysts, malware analysts, trainers and more
  • Systematic improvement of information security according to frameworks enriched with the experience of IstroSec experts with advanced security incidents
  • Ensuring compliance with security standards and legislation - IstroSec experts have been operating in public administration (NIS Directive, GDPR and others) as well as in the private sector (ISO 27001, NIST, HIPAA and others)

Experience and knowledge

IstroSec specialists have experience in implementing and managing information security according to the majority of information security frameworks. They know the tactics, techniques and procedures of attackers and have the necessary knowledge to implement information security processes into your business processes effectively and smoothly.

Expertise in information security management

IstroSec specialists have expertise in information security management and many other areas, such as incident response, forensic analysis and world-class malware analysis, which they have repeatedly demonstrated while dealing with state-sponsored cyber-attacks, attacks on FORTUNE 500 organizations, as well as the participation of three IstroSec experts in the winning team of LockedShields 2016 exercise.

IstroSec experts are also holders of internationally recognized certificates in these areas. We hold certificates such as Certified Information Systems Security Professional (CISSP), Certified Information System Auditor (CISA), GIAC Certified Forensic Analyst (GCFA), GIAC Certified Forensic Examiner (GCFE), and more.

Implementation of information security management processes

Implementation of information security management processes Datasheet EN

Specialists from IstroSec have many years of experience in information security management both in public administration and in the private sector. From our experience, we know that information security requirements vary across the different types of organizations. Therefore, there is no one-size-fits-all solution to adequately meet these requirements at a reasonable cost given the value of the assets.

Our approach to implementing information security in organizations is therefore characterized by the following attributes:

  • Individual approach
  • Alignment of information security objectives with business objectives and their support
  • Risk-based implementation of security controls
  • Leveraging experience with many advanced security incidents during implementation of controls

We are ready to implement information security management processes in accordance with regulatory and normative requirements, including:

  • ISO / IEC 27001 and ISO / IEC 27002
  • NIST Cybersecurity Framework
  • IASME
  • 69/2018 Coll. - Cyber ​​Security Act
  • Act on Information Technologies in Public Administration
  • GDPR
  • HIPAA
  • FISMA

Implementation process:

  • Identification of all security requirements
  • Determining the scope of implementation
  • Assessment of existing security measures
  • Risk assessment
  • Creating an implementation plan
  • Implementation of security measures and processes
  • Measurement, monitoring, review and continuous improvement
  • Preparation for certification

Why IstroSec?

Experience and knowledge

IstroSec specialists have experience in implementing and managing information security according to most security frameworks, know the tactics, techniques and procedures of attackers and have the knowledge necessary for effective and smooth implementation of information security processes into your business processes.

Expertise in information security management

IstroSec specialists have expertise in information security management and many other areas, such as incident response, forensic analysis and world-class malware analysis, which they have repeatedly demonstrated while dealing with state-sponsored cyber-attacks, attacks on FORTUNE 500 organizations, as well as the participation of three IstroSec experts in the winning team of LockedShields 2016 exercise.

IstroSec experts are also holders of internationally recognized certificates in these areas. We hold certificates such as Certified Information Systems Security Professional (CISSP), Certified Information System Auditor (CISA), GIAC Certified Forensic Analyst (GCFA), GIAC Certified Forensic Examiner (GCFE), and more.

Information Security Audit

Information Security Audit Datasheet EN

Information systems security audit is a key element of ensuring and verifying compliance with security requirements. It is a tool to verify that security measures are adequate, effective and working as expected. It is also a way to ensure continuous improvement and adjusting the security controls to a dynamically changing environment and security threats.

Experts from IstroSec have many years of experience in performing security audits in public administration as well as in the private sector. We perform external cybersecurity audits against Act no. 69/2018 Coll. on cybersecurity, and internal security audits according to the following legislative and normative requirements:

  • ISO / IEC 27001 and ISO / IEC 27002
  • NIST Cybersecurity Framework
  • IASME
  • 69/2018 Coll. - Cyber ​​Security Act
  • Act on Information Technologies in Public Administration
  • GDPR
  • HIPAA
  • FISMA

IstroSec performs external audits according to Act no. 69/2018 Coll. on Cyber Security and on Amendments to Certain Laws. Our certified auditors meet the qualification requirements set by NBU Decree no. 436/2019 Coll. on the audit of cyber security and the auditor’s knowledge standard.

Essential service providers are required to carry out such an audit at least every two years and after any change that has a significant impact on security measures.

An internal audit from IstroSec will allow you to:

  • Prepare for external or certification audit
  • Fulfill regulatory and normative requirements on internal audit
  • Identify non-conformities with security requirements
  • Identify opportunities for improvement of controls
  • Set priorities for security investments

Auditors from IstroSec follow these principles when performing an audit:

  • Impartiality, independence and objectivity
  • Due diligence and professional care
  • Confidentiality and non-disclosure
  • Risk-based approach
  • Professional ethics
  • Competence and professional development

Security audits from IstroSec are performed in the following steps:

Planning

  • Determining the subject of the audit
  • Identification of audit objectives
  • Determining the scope of the audit
  • Pre-audit
  • Identification of information sources

Audit fieldwork

  • Documentation review
  • Interviews
  • Collection and evaluation of evidence

Reporting

  • Audit evaluation
  • Preparation of the final report
  • Presentation of results
  • Follow - up and evaluation of corrective actions

Security Awareness Raising

The security of human resources is a key element in building resilience to cyber security incidents. Increasing the security awareness of your employees significantly reduces the attack surface and reduces the probability of successful exploitation of the human factor.

The security of human resources should be seen as an investment which deserves the same attention as other security measures.

Experts from IstroSec have many years of experience in training employees in public administration as well as Fortune 500 companies. We are ready to increase the maturity of your security awareness program by applying knowledge from a large number of advanced attacks. We also ensure the the effectiveness of this program by measurement and testing.

We know that basic annual security training is no longer enough to prevent standard cyber threats. There are several indicators to tell that your training program is not adequate for your needs:

  • Employees do not report suspected security incidents
  • Security is a topic that only the IT department is interested in
  • Responsibility for the training program is a secondary or tertiary priority of a single employee
  • Employees feel that ensuring security is not their responsibility
  • Security is not a regular topic in internal communication
  • There are no goals and metrics set to evaluate effectiveness
  • Education is conducted exclusively in the form of annual in-person training
  • The educational content is more static than dynamic and does not flexibly reflect current trends in tactics, techniques and procedures of attackers.

Unfortunately, many organizations have not yet found the optimal setting for their education programs. At IstroSec, we are aware of these shortcomings, as they regularly appear in our findings from security audits and are proven by 100% success rate of our simulated phishing attacks. Therefore, the goal of systematic cyber security awareness program from IstroSec is to create an environment in which:

  • Employees know they are the target of attackers
  • Everyone knows what to do in case of an incident
  • Employees are interested in security, and they suggest improvements
  • Employees also apply good security practices at home
  • Managers are actively involved in improving the level of security
  • Individual organizational units try to compete and improve

The scope of the awareness program is tailored to the needs of your organization and responds dynamically to current tactics, techniques and procedures of attackers. By default, we cover the following areas:

  • The role of the employee in the system of information security
  • Authentication and password security
  • Security incident response
  • Phishing and social engineering
  • Malware
  • Web browsing
  • Mobile devices
  • Cloud security
  • Encryption
  • Security policies and procedures

The form of education is also an important factor in success in raising awareness. Boring presentation, sandwiches and a smartphone under the desk are not ideal KPIs. The information security awareness program from IstroSec includes:

  • Demonstrations and examples of real attacks
  • Phishing detection workshops
  • Security tip of the week by email
  • Gamification, rankings and prizes
  • Phishing simulations
  • Social engineering tests
  • Monthly security briefing
  • Experienced lecturers and ethical hackers
  • Efficiency measurement and reporting