+44 (0)7492 061234

Pontefract, West Yorkshire WF9

Call on expertise where and when you need it

Vulnerability Management

Managing vulnerabilities in an organisation is a never-ending task. There are various challenges involved.


I've written and deployed a vulnerability management process that included scanning, treatment, and a senior management review and action plan for discovered vulnerabilities. This was all based on NIST best practice and NCSC guidance.


Risk Analysis & Assessment

One of my passions is risk management, and clearing up the confusion around how to do it. Using the ISO27001 standard and controls, and the NIST framework for risk management, I have previously improved risk management in information and cyber security.


One of my ambitions is to be formally certified by ISACA as a CRISC (Certified in Risk and Information Systems Control).


I embrace risk management as a business requirement that ensures IT, information security and privacy are central to an organisation’s technical and information operations, using the NIST control family as ‘main risks’ to ensure that all areas of compliance are covered.

Policies, Processes & Procedures

Policies, processes and procedures are the 'how to' part of any organisation. Without a security policy, it's not clear what the organisation expects in terms of acceptable use of its assets, minimum security requirements such as password policies, or how to safely serve the objectives and interests of the business with the minimum of disruption to its operations.


I have twelve years' experience of policy writing and assessment. Based on the objectives of your organisation, policies are written in accordance with what management want. Some consultants, and even security managers working directly for some organisations, introduce generic policies and associated processes and procedures that are a 'one size fits all' solution - which ultimately isn't a solution at all.


All policies and associated procedures are developed in collaboration with teams working to meet the needs of the organisation's mission, and agreement is reached before placing the individual policy before the board of directors for approval. It's important to ensure everything is included in a policy, as it could be quite some time before another version of it is approved.



Incident and Recovery Management


  • Devises innovative incident management strategies that include business continuity.
  • Involves the entire business, from the CEO to those at the 'coal face' who keep the business running - tasking every team member with their role in a cyber incident and the recovery from it.
  • Recommends, prepares and implements detection and analysis, containment, eradication, recovery and post-incident activity strategies for response to information security incidents.
  • By building and recommending playbooks, reasonable guides can be produced that ensure an appropriate response to any type of incident can be formulated, minimising down-time and getting everyone back to work in a timely manner.
  • Responds to serious information security incidents, invoking new strategies.
  • Using lessons learned from previous incidents, and from other organisations, I have formulated, with my teams, new responses and different playbooks to respond to emerging threats, and analysed the success of responses to current and past threats.
  • Liaises with all affected parties to their satisfaction.
  • Response and recovery is a whole-business activity, with some technical actions being delegated to those with the right level of knowledge and the right tools. I have effectively brought thought leaders from different departments together to discuss and formulate action plans for cyber response and recovery, working with my team to liaise effectively with other team members throughout the business to put plans into action.
  • Created corrective actions for the departments concerned as part of the post-incident activity strategy, continuing to follow up on their progress for each incident.
  • The recovery phase of incident response incorporates learning outcomes, and ensures that continual improvements are made. Using lessons learned from incidents or exercises, I have been instrumental in incremental improvements following each exercise, which has made for a better service in subsequent exercises.
  • Working with industry managed service providers to control SOC and SIEM activity, using Splunk and Microsoft Defender 365.
  • In order to respond effectively to security incidents, I have recognised that working with third-party security providers brings great benefit in detection, response and improvement of defences. Such parties have run SIEM activity and log ingestion for the organisations I have worked for, and I have been at the forefront of continual improvement in these areas.

Audit, Compliance & Certification

As a qualified Lead Auditor, I have years of experience in conducting full audits on organisations I am a member of, but I don't have UKAS accreditation to audit external parties in order to certify them. I have developed ISO27001 compliance in 8 companies (7 from scratch), seeing them through to successful certification. As such, I have conducted full audits in the way they would be conducted by the certifying body, and followed up with annual control audits to ensure continued suitability for the ISO27001 certifications.


The 'Experience' page gives more detail on ISO27001 for your perusal.



Supply Chain Risk Management

I have extensive experience of responding to third-party risk management questionnaires, and supplying appropriate evidence of compliance where requested. This is performed using open and honest disclosure, taking into account organisational security considerations when doing so. Where the organisation is not compliant with a client requirement, planned actions to remediate are shared with the client.


Having years of experience of assessing third parties on their security posture, I'm aware of a large number of solutions that can be employed to manage third-party risk (SCRM or TPRM, as it's known). However, I have been involved in locally produced policies, processes and procedures, authoring much documentation to categorise third-party vendors into 'risk levels', and have produced much documentation including questions and scoring mechanisms to validate vendors' security posture. This has been developed to require various results, including ISO27001, PCI-DSS, SOC2 and other evidence based on the requirements of the organisations I have worked for, commensurate with the type and level of service or product being provided (e.g. SaaS).