• Secure product or system reviews (health-checks to full design)
• Security risk analysis & assessment (structured)
• Network (& Internet) security & architecture design or get well analysis
• Security policy produced in light of legislation, and standards (BS7799 / CESG)
• Secure product / service agreement specification
• Business continuity planning
• Secure operating procedures
• Product or system security evaluation planning (ITSEC, Common Criteria)
• Tender evaluation
• Security implementation strategy
• PKI design and implementation

Do you need information security? Well, how strong and appropriate is your current security? Who tells you it is secure and how do they know? Do you know what security breaches are costing now? Is it flexible enough so that it does not limit the business? Think of information availability:-

Appropriate availability (entitlements)

Should all your employees see everything? Is everyone you communicate with entitled to see all the information on your network? Does your business hold personal data? Can your competitors see it? Can you assure appropriate protection to partner organisations?

Correct information available (integrity)

Do clients and business partners rely on that information being correct? Why do they trust your business? What if your information is corrupted, will your business notice - in time, can you correct it. How much time and effort will it cost? Will you lose business, pay penalties, and what about your reputation? What other business processes are disrupted? In e-commerce can you show they really made that electronic order? Is that really the right person or server?

Timely availability (availability)

How much will it cost the business if it's not available for an hour, a day, or a month? What about clients? How patient are they?

When you ask who could help, think about what security means to you. The clear definition of your security objectives in light of your business trust environment is key. Without this, IT security becomes a minefield of salesman claiming their product as the wonder palliative to the latest publicised threats.

Many consultancies sell products, with their staff being little more than product installers. Other advisers (often auditors) will happily derive a risk assessment and security policy with no experience of the operational costs or risks of developing the implied security architecture. Often they run through elaborate security risk methods which obscure the reasoning. This also makes the assessment difficult to cater with changes in the objectives, threats or vulnerabilities.

Thus, to review information security or conduct a re-useable risk assessment and devise the security architecture requires:

• Operational and technical development experience
• Security evaluation experience
• Policy and risk assessment experience in government or commercial fields
• Unbiased advice

Depth and breadth

For the depth of experience we have developed software systems that have met extremely high reliability needs (Non-Stop and clustered architectures) together with X.400 message handling systems using kernel software and Transaction Processing middleware for high performance scalable systems.

This involved an in-depth understanding of software and systems together with all the networking layers. This has been complimented with n-tier system architecture work to develop security architectures for distributed high user systems. Different topologies have covered centralized networks as well as Extranet and Intranet IP architectures, together with legacy systems and leased lines. PKI security objectives and solutions have been devised for clients that both need their own Certification Authority and others whose needs can link with third party CAs.

Business areas

We have covered the following, which involve a variety of risk philosophies:

• Finance (international) - Information providers (international) - Media Telecommunications - Government (& Research) - Police and Utilities.

The scale of organisations covered is also wide ranging through:

• Tri-national projects - 2 man partnerships - FTSE100 - International finance organisations.

For larger client organisations the above choices have been synthesized and explained leading to approval by Management committees. This involves derivation of security policies, objectives and associated risk assessments appropriate to business drivers.

Security evaluation

Our staff helped form the first ITSEC licensed evaluation facility in the UK which independently evaluates security systems and products against internationally agreed criteria. Furthermore our principle helped in the DTI working groups that developed the latest Common Criteria standards as well as the only standard world-wide for security management: BS7799.