The Cyber Threat Analysis and Mitigation (CTAM) service does what it says on the tin. It allows a company to evaluate its complete environment as it relates specifically to its business requirements, IT environment, people, processes and data. Far from being a theoretical exercise, the CTAM service is grounded in consulting, penetration testing and forensic analysis. It takes the best of all of these cyber security services and moulds them around the individual needs of a customer to give the best possible outcome against the current risk landscape.

Standard methodologies often prescribe controls that stifle an organisation's growth and limit its flexibility. Risks, and the services that underpin their treatment, need to be tailored to the business requirements and the operating environment of the company: one size does not fit all. The CTAM process treats every company as an individual and seeks to understand how it operates and why it does so in the way it does. The service identifies the risks to that operating model, setup and environment. It allows best practice to be considered, but aligned directly to the business, its drivers and its requirements, providing a realistic baseline. It is a truly tailored solution, bespoke to the individual organisation, and thereby significantly reduces your risk profile.
Goal Setting and Setup for Success
- We will discuss your requirements, desired outcomes and results, as well as the level and type of reporting required.
Consulting Review
- High level review of all aspects of the business and IT estate;
- What technical, business and personnel controls you have in place;
- Once the landscape is understood, it is the consultant's job to analyse it and find any gaps;
- The consultant will identify real-world scenarios in which the controls, processes and use of services can be broken from both the business and the technical side;
- The consultant will then write a high level risk report and classify the findings by risk to the business;
- Quality review and adjustment, as needed based on any further information supplied, will be iterative.
Testing
- The test will be designed based on what has been found in the consulting review and on the identified assets that have value to you, the customer;
- The testers will then use penetration testing, social engineering and any means necessary to get hold of your data: the question is how long it takes, not whether it can be done.
Specialist Testing
- Depending on initial findings, further penetration testing and specialist forensic analysis may be required to prove compromises, the exfiltration of data and other real-world losses.
Reporting Alignment
- PCI-Secure uses the testing report to update the consulting report, adding any additional findings and modifying risk scoring as appropriate.
Review the Business and IT Plans / Strategies
- The consultant will review the business and IT strategies for the coming 1-3 years;
- These are analysed against the findings from the report.
Develop an Action Plan
- A costed matrix should be discussed with the business, covering both the internal and the external costs that would apply to changing any of these solutions. Costs are usually worked on a points scale of 1 point = 1k. Each item in the matrix is scored on:
- Impact on the business strategy (scale 1-5);
- Impact on the tech strategy (scale 1-5);
- Cost of the change (in points, see above);
- Change to the risk profile once the remediation has occurred (scale of 1-5);
- A remediation action plan is then developed, producing a change list for each of the items needed;
- A final action plan review produces a hot list of remediation actions based on the items that give the most appropriate ‘bang for buck’, quick cost-effective wins, or that best suit your strategy / goals.
Design and Plan the Changes
- You will produce a prioritised list for the design phase;
- PCI-Secure reviews the designs to ensure that they will meet your end goals;
- Final costing and approval cycles occur;
- You appoint project managers or delivery vehicles to get these into place and put timelines on change.
Remediation
- You remediate or bring in specialists to conduct the changes.
Testing / Specialist Testing
- We collaborate with you, using penetration or forensic testing, to ensure that the risk you were seeking to remediate has in fact been remediated and that the change has not left other gaps within the environment.
Re-assessment
- This is an ongoing cycle of re-assessing the environment as the threat landscape changes going forwards;
- You are never on your own and we act as an extension to you for the risk assessments and re-evaluation processes;
- We assist you with setting up governance processes to ensure that this is repeatable within your business.
Maintenance
- This is the part of the maturity model that allows you, as a business, to make security, risk and threat mitigation business as usual.
Certification
- If appropriate, the changes and the alignment of reporting could give you a head start on formal certification against:
- ISO 27001;
- ISO 29100;
- BS 10012;
- PCI DSS;
- Cyber Essentials;
- Others as appropriate.
PCI-Secure provides this service to commercial customers as well as to those in the high-risk areas of gambling and insurance. You have never heard of these companies or seen them in the news, because they use our services to stay secure! It is no longer a case of if, but when and how badly. Talk to us today about how we can help you.