Expertnet provides a range of services for the creation of customer-centric Information Security Management Systems (ISMS). These services are aligned with international standards and best practices and cover the following:

Business Impact Analysis

Business Impact Analysis (BIA) determines the impact of a realized security incident, expressed as loss of confidentiality, integrity or availability of data. The BIA process produces the following results:
- Business function description
- Critical assets – information resources identification
- Dependencies identification
- Threat identification – possible security incidents identification
- Impact category identification
- Business impact from the realization of a threat
BIA is the first step towards a cost-effective security solution that is aligned with business objectives. Its results are used as input when selecting the appropriate information security management controls.

Risk Assessment / Management

Risk assessment is an important tool in the information security decision-making process: it determines the risks, evaluates the effectiveness of policies, supports the selection of mitigating controls and determines information security requirements. It is conducted at all levels of the business (organizational, operational and technical) and examines the level of security provided by the information systems, networks and applications in scope, as well as the effectiveness and completeness of the existing information security controls, whether technical or procedural. The main objective is to identify the vulnerabilities that a threat could exploit. A vulnerability may be a technical weakness or the absence of a technical or procedural control. Risk combines the likelihood that a threat exploits a vulnerability with the impact that results. During risk assessment, risk levels are calculated and the risks are prioritized accordingly. Finally, by combining the results of the risk assessment with those of the business impact analysis, Expertnet supports the organization in selecting the appropriate countermeasures for risk reduction, leading to a cost-effective security solution (risk management).

Security Policy development

A Security Policy (SP) is an indispensable part of the overall security architecture of any information system. A well-written security policy is the foundation of an organization's information security plan.
The security policy contains the terms, rules and procedures set by the enterprise to safeguard the security of its information system. It is the official corporate document that instructs corporate personnel on the official procedures for handling security incidents, from minor to severe; it specifies the procedures to be followed in an emergency and names the personnel responsible for carrying them out. It is a living document that is revised when it reaches the end of its life or when critical changes are made to the corporate information system. Expertnet develops security policies on the basis of the international standard ISO/IEC 17799 "Information technology – Code of practice for information security management", which derives from the BS 7799 standard of BSI (British Standards Institution). BS 7799 was published in 1995 and revised in May 1999. ISO/IEC 17799 was first published in December 2000 by ISO/IEC JTC 1 (Joint Technical Committee 1 – Information technology); its latest revision was published in 2005 and was subsequently renumbered ISO/IEC 27002.

Business Continuity Planning

A Business Continuity Plan (BCP) provides the guidelines for continuing business operations after a critical incident that has disrupted the normal functioning of the corporate information systems. The BCP addresses factors such as:
- Scope of coverage
- Backup and Recovery Sites
- Telecommunications
- Contact and deployment plan
- Budget
- Testing Plan
- Corporate personnel Management
The Business Continuity Plan also covers environmental incidents and incidents caused deliberately or accidentally, and it incorporates a full disaster recovery plan.

Information Security Management System development

The framework used to administer information security is called an Information Security Management System (ISMS). It combines the results of the business impact analysis and of risk assessment and management, and it governs the information security policy and the business continuity plan. Expertnet builds the ISMS according to the international standard ISO/IEC 27001, which specifies the requirements for such systems. The ISMS created by Expertnet implements a life cycle of four phases: Plan, Do, Check and Act (the PDCA cycle). Together these four phases constitute a complete approach by which information security is planned, implemented, monitored and improved according to the specific needs of each organization.