Last Review: 24 September, 2017, Halkyn Consulting Ltd, 2017

Security Assessment & Validation

Ensuring your security controls work

Criminals, hackers, terrorists and vandals will all try to test your security controls in one way or another. They will spend time looking for weaknesses and, if they find any, exploit them. For real effectiveness, all security controls should be validated and assessed, giving you the chance to find and fix problems before the bad guys do. Our security consultants can help you plan & execute a wide range of assessments as well as helping you understand the results and manage any risks. See our testimonials.

Security Assessments & Testing Services

Security Assurance through testing

The fundamental objective of a security assessment is to give you assurance that effective security controls are in place. This can range from making sure that your security guards are alert & properly trained, to ensuring your swipe card readers are functioning, to making sure that your software applications are properly coded to prevent malicious attacks and hackers.

Security assessments are very closely related to audits and can often be used in conjunction with a formal audit to give you a snapshot of the security situation at any given time. The main benefit of using a security assessment is that it allows you to go beyond the usual audit scope and probe for security weaknesses before the criminals and hackers have the chance.

Security Assessment Services

All our services are driven by your needs and we are always willing to tailor what we offer around your requirements. At a very high level, we offer the following categories of security assessments:

  • Security Review. We will visit the location of your choice and carry out an assessment of a specific aspect of the security. Examples of this service include reviewing CCTV camera positions, ensuring that the guard force are suitable, auditing HR / pre-employment background checks and verifying IT Security Policies are complied with.
  • Formal Security Assessment. We will visit the location of your choice and assess the security controls against an agreed standard. This can include physical security or information security and is carried out in an overt manner. Our team will declare itself on arrival and all assessments will be formally recorded.
  • Detailed Security Assessment. Building on the formal assessment, we will also include a phase of testing which is unannounced to the site in question to assess reactions and incident management processes.
  • Technical Assessment. Where you have electronic assets, we are able to provide you with a variety of assessments, from straightforward vulnerability scans which determine weaknesses in your infrastructure to detailed penetration tests. Where security and privacy are paramount, we can also provide you with technical sweeps of your facilities looking at possible electromagnetic information leaks.
  • Supplier compliance assessment. Outsourcing services to a 3rd party is a good business move, but it is rare for you to be able to outsource the associated risks. To give you assurance that your suppliers are meeting their contractual obligations, and are able to provide a suitable service for you, we offer a supplier assessment service. We will only assess your supply chain with the supplier’s approval and within the bounds of your agreements, but other than that, we will tailor this to your exact needs.

All our security testing is carried out with your knowledge and prior agreement. We will never conduct a security assessment without your explicit permission and our assessments will never go beyond the agreed scope. Contact us to find out more about how our security assessment services can improve your organisational security assurance.

The Security Assessment Process

Planning and Scoping

At the start of our engagement, we will work with you and any stakeholders you want involved to determine the scope of the assessment. This is certainly the most important stage and will set the boundaries for how we will conduct ourselves for the duration of the testing.

During this stage, we will need you to make decisions around key aspects of the assessment - for example, do you want us to announce ourselves to the facility at the start or would you prefer we carry it out as "mystery shoppers?" The process and conduct of the assessment will be agreed with you in advance and can cover our appearance, methodology and testing tools. The more we can agree prior to the assessment, the greater the end value will be.

To make sure there is a clear understanding and agreement, we will document the scope of assessment and look for your written approval before we begin testing.

If you want to start the process of planning and scoping a security assessment for your facility, then get in touch with our security consultants and we will be happy to assist you.

Conduct of the assessment

During the actual assessment, we will keep a log of any noteworthy activity and remain in contact with you throughout. In the event that a serious security vulnerability is identified, we will look to notify you as soon as practical and, depending on the nature of the vulnerability, we may suspend testing. If this happens, we are happy to reschedule and recommence at a time that suits you. If we are carrying out supplier assessments, we will also normally notify the supplier of their security vulnerability. Non-critical vulnerabilities will be reported on completion of the assessment.

We will never exploit vulnerabilities any further than agreed during the planning and scoping phase.

Although the exact testing will depend on the agreed scope, our normal process will be to carry out a study of the location, or electronic research for technical assessments. This is followed by a review of any relevant security documentation such as architectural plans, network diagrams, security instructions etc. Then, when we have identified the most significant areas of risk, we will carry out a practical assessment to verify the control efficiency.

Post-assessment activity

Unless you specify otherwise, on completion of our testing we will announce our presence to the facility being tested (if we haven’t done so already) and will seek out the senior on-site security person for a hot debrief of our findings. If this facility is not your primary location, we will also provide a verbal summary of the testing to you or your nominated representatives.

Our post-assessment reports, verbal and written, will include a summary of the observed findings (with evidence as required) and recommendations for how you can best manage the associated risks. Our normal methodology is to provide up to four risk treatment options (treat, transfer, terminate, tolerate) but we can modify this as needed.