IT Security is not an absolute; that is to say that no organisation can be completely secure. Further measures can always be taken to improve the security of an organisation, and to minimise the risk to that organisation of an IT security breach. However not all security measures represent a good investment of IT resources. IT security is therefore a risk management process, which aims to reach a delicate balance between required functionality, security and cost. Following ISO/IEC 27001:2015 & 27002:2015 “to the letter of the law” may not achieve this practical approach to security so the standard needs to be taken in context to the functionality, security and cost requirements of the organisation.
The value of information goes beyond the written words, numbers and images: knowledge, concepts, ideas and brands are examples of intangible forms of information. In an interconnected world, information and related processes, systems, networks and personnel involved in their operation, handling and protection are assets that, like other important business assets, are valuable to an organisation’s business and consequently deserve or require protection against various hazards.
Assets are subject to both deliberate and accidental threats while the related processes, systems, networks and people have inherent vulnerabilities. Changes to business processes and systems or other
external changes (such as new laws and regulations) may create new information security risks.
Therefore, Given the multitude of ways in which threats could take advantage of vulnerabilities to harm the organisation, information security risks are always present. Effective information security reduces these risks by protecting the organisation against threats and vulnerabilities, and then reduces impacts to its assets.
Information security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organisational structures and software and hardware functions. These controls need to be established, implemented, monitored, reviewed and improved, where necessary, to ensure that the specific security and business objectives of the organisation are met. We take a holistic, coordinated view of the organisation’s information security risks in order to implement a comprehensive suite of information security controls under the overall framework of a coherent management system.
Many information systems have not been designed to be secure in an modern internet connected world. The security that can be achieved through technical means is limited and should be supported by appropriate management and procedures. Identifying which controls should be in place requires careful planning and attention to detail. A successful ISMS requires support by all employees in the organisation. It can also require participation from shareholders, suppliers or other external parties. Specialist advice from external parties can also be needed.
In a more general sense, effective information security also assures management and other stakeholders that the organisation’s assets are reasonably safe and protected against harm, thereby acting as a business enabler.
It is essential that an organisation identifies its security requirements. There are three main sources of security requirements:
– The assessment of risks to the organisation, taking into account the organisation’s overall business strategy and objectives. Through a risk assessment, threats to assets are identified, vulnerability to and
likelihood of occurrence is evaluated and potential impact is estimated;
– The legal, statutory, regulatory and contractual requirements that an organisation, its trading partners, contractors and service providers have to satisfy, and their socio-cultural environment; and
– The set of principles, objectives and business requirements for information handling, processing, storing, communicating and archiving that an organisation has developed to support its operations.
Resources employed in implementing controls need to be balanced against the business harm likely to result from security issues in the absence of those controls. The results of a risk assessment will help guide and determine the appropriate management action and priorities for managing information security risks and for implementing controls selected to protect against these risks.
Our MethodologyWe conduct the audit in conformity with Standards Australia ISO/IEC 27001:2015 & 27002:2015 – Information Technology – Code of practice for information security management. The basis for this is that the standard provides a common basis for developing organisational security standards and effective security management practice as well as providing confidence in inter-organisational dealings.
ISO/IEC 27001:2015 & 27002:2015 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organisation. The objectives
outlined provide general guidance on the commonly accepted goals of information security management. ISO/IEC 27001:2015 & 27002:2015 contains best practices of control objectives and controls in the
following areas of information security management:
– Security policy;
– Organisation of information security;
– Asset management;
– Human resources security;
– Physical and environmental security;
– Communications and operations management;
– Access control;
– Information systems acquisition, development and
maintenance;
– Information security incident management;
– Business continuity management;
– Compliance.
The audit consists of an interview with your organisation’s key staff and a questionnaire is then completed by your IT support staff or provider. Once all information has been gathered a comprehensive
report is provided which includes the findings, a rating based on the business risk for any issues found and recommendations for resolution of those issues and where needed, recommendations for improvements to your current practises.
Wordpress Website Protection and Maintenance Package
Our WordPress Website Protection & Maintenance Package covers essential tasks and checks performed on a monthly basis. Like all software, your WordPress site needs regular and ongoing attention.
Includes:
Hosting – your website is hosted on our servers in a secure Tier 3 data centre and redundant sites. All of our servers are monitored 24×7 and maintained to the highest technical standard. Our primary data centre is the most certified in Australia and is also certified to Global standards with redundant power, internet links, oxygen suppression systems, redundant heating and cooling.Digital SSL (https) Security CertificatesTo remove web browser warnings and to make your site secure in transit we recommend the installation of digital SSL certificates. Renewal and installation of these certificates is included. We use and recommend certificates from Let’s Encrypt or Digicert.
Backup – Your site is backed up hourly and backups are stored for a minimum of 30 days.
Malware, spyware and ransomware scanning – We scan your website for malware, spyware and ransomware and report issues found and advise you of the issue and make recommendations for rectification/removal.
WordPress Theme and Plugin Assessment/Reporting – Many WordPress websites are developed with more attention to design and with little or no thought to security and functionality. Poor quality design, poor quality themes and poor quality plugins, not to mention the use of too many plugins all increases the risk factors for WordPress. Some developers still “develop” whereas others simply purchase a plugin to do the job for them. Many plugins are chosen for their functionality without any attention being given to the truly important issues such as is the code behind the plugin updated regularly for security, is the plugin safe – i.e. not full of malware, how much has it been used, what is its score rating, does it slow down the speed of your website in turn attracting bad scores from Google? We review your themes and plugins and report back to you information regarding required updates, if poor quality themes or plugins or issues are found.
We reduce security risk by checking for vulnerabilities, and by reporting the latest recommended WordPress security practices and techniques. We use a security points grading system to measure how well your site is protected based on the security features activated. Security monitoring sends alerts to our support team if there is attempted unauthorised access or unauthorised system file changes. Issues are then investigated and reported to you. These checks cover such areas as:
•User accounts security •User login security and monitoring •User registration security •Database security and monitoring •File system security and monitoring •File system changes •.htaccess configuration •Blacklist implementations •Firewall recommendations •Brute force login attack prevention •Security scanner •Comment spam security •HTTP content checks including HTTPS Mixed content issues •PageSpeed Insights •Lighthouse power usage checks •301 Redirects •.htaccess checks