In today’s cyber security landscape, ensuring compliance & good governance is more important than ever.
- What happens when you need to demonstrate the integrity of your security and compliance practices?
- How do you manage increasing numbers of required or recommended certifications?
- What happens if you are suddenly required to meet a new set of security standards?
- How do you manage the process of testing and verifying your compliance?
We deliver a systematic and strategic approach, covering all aspects of information risk management.
- Continual compliance management available.
- Expert help and advice from experienced staff.
- PCI Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV).
- ISO 27001 accredited organisation.
- Green light CHECK accredited company.
Information Assurance Consultancy
What is your plan to ensure critical functions will continue after an incident?
NCC Group provides information assurance consultancy to help companies develop a Business Continuity Plan and protect critical business information. We have a long history in cyber threat prevention, security and information assurance. We can help you set the correct direction and approach for your organisation to mitigate risk.
Our experienced Information Assurance Consultants will assist you in assessing security risks. We work with you to provide possible solutions and advise you on policy implementation to improve information security. Such projects may range from short one-day workshops or advisory visits through to longer-term support.
We help organisations develop modern security strategies. Our risk assessment team will conduct an in-depth analysis of your facilities and processes. Our specialist skills allow us to build a more holistic business continuity strategy. This will help ensure the continuation of business activities and the safety of information should an incident occur. Making a business continuity strategy ensures that you have identified, and planned to respond to, any possible incident that would otherwise result in a business failure.
Many of our clients come to us to help them achieve certifications such as ISO 27001, which is the benchmark for information security. Whatever your policy needs, our consultants are able to help. They can define requirements and deliver policies that meet your goals.
- We create policies that will meet ISO 27001 requirements.
- We provide risk assessments following best-practice methods such as ISO 27005 and ISF IRAM.
- We provide supervised test exercises to support ISO 22301 certification.
- A policy review can be carried out to encompass PCI DSS requirements.
NCC Group provides these services as a trusted advisor, partnering with our clients to address their security and assurance requirements. To find out more about how our Information Assurance Consultants can help, phone us today or arrange a call back using our contact form.
Are you looking to formalise your information security management? Do you want to know more about what it takes to become ISO 27001 certified?
Having achieved ISO 27001 certification ourselves, we are ideally placed to work with organisations that wish to implement the standard internally or to achieve certification against the standard.
ISO 27001 is the information security standard that is now accepted as best practice both within the UK and globally. It refers to both electronic and paper-based information, and covers a wide range of security considerations.
Our team will work with you to assess how you are currently managing information security, identify key risks, and provide clearly prioritised recommendations and activities to move towards the standard.
By implementing the ISO 27001 standard you will be in a position to:
- Ensure that you are managing your information security risks in an effective manner.
- Align security policies and procedures to best practice.
- Display the ISO 27001 certification to show that your information security is managed effectively - many tenders now ask for confirmation.
- Use ISO 27001 as a basis from which to start implementing information security.
ISO 27001 covers a number of controls, including:
- Security Policy
- Personnel Security
- Asset Classification and Control
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- Systems Development
- Business Continuity Management
Our methodology is modular and includes a project initiation meeting, risk assessment, gap analysis, mid-point review, report and presentation of findings.
The new version of the standard, ISO/IEC 27001:2013, has been released. NCC Group is fully equipped to advise you on the changes and what they mean for you and your organisation. We can assess your current security processes to help you understand what you need to do to implement the required changes and ensure you are fully compliant with the new standard.
Do you require assistance and guidance on how to become PCI compliant?
Accredited by the Payment Card Industry as a Qualified Security Assessor (QSA) and as a PCI Approved Scanning Vendor (ASV), NCC Group is ideally placed to help you become compliant and stay compliant with PCI DSS.
PCI DSS is a set of logical, physical and procedural security requirements for organisations processing credit and debit card transactions.
All organisations that store, transmit or process cardholder information need to comply with the standard.
We provide a full Qualified Security Assessor (QSA) service. Depending on the specific client requirements, this can include:
- Introductory awareness sessions.
- Gap Analysis.
- Remediation assistance at the mitigation stages.
- Compliance audits.
- Mapping processes to PCI DSS requirements.
- Report on compliance (ROC).
- Training, policy and strategy development/definition.
- Scoping Study - getting the scope of your PCI project right is key to ensuring that you achieve compliance in an efficient and cost-effective manner. NCC Group is ideally placed to carry out scoping activities either in the initial stages of a PCI project or as the project progresses.
- Blueprint/Gap Analysis - providing a blueprint is seen by many as one of the first steps along the way to PCI compliance. Our QSAs help you to plan how to achieve compliance, looking at all the options available to you. A gap analysis provides a more detailed and itemised report showing how you are currently managing each PCI control area against the standard requirements.
- Remediation - we can act as Trusted Advisors to provide ongoing support and guidance through the remediation phases of a PCI project.
- Penetration Testing and Vulnerability Scanning - our penetration testing and scanning team can deliver an annual programme of penetration testing and ASV scanning to help you meet PCI DSS requirements and assess the security of your applications and networks.
- Pre-Assessment Readiness Review - we will work with you to undertake a pre-assessment review to ensure that you understand the process that the audit will follow, and also that both parties are comfortable that you have everything in place for the audit.
- Certification Audit/SAQ Review - in the final stage of the PCI project we can provide either a formal QSA-based certification audit for Level One or Level Two merchants, or a review of the SAQs that have been developed.
Virtual CISO Security Manager
Having spent time and effort improving your security and assurance posture, how do you continually evaluate and maintain it as the business grows?
One cost-effective and efficient way is NCC Group's Virtual CISO and Security Manager service, which provides access to a wide range of compliance-based and technical skills under one framework.
Acting as an extension to your organisation, our experienced consultants provide an ongoing security presence and ensure risks and incidents are reduced before they can cause unacceptable business losses. By using this service you also gain access to NCC Group's extensive security knowledge base, providing much greater resilience and support than an individual CISO or Security Manager could hope to offer.
What to Expect
As well as access to our experts in security and assurance, this service includes:
- Dedicated onsite time every month.
- Email and phone support during office hours.
- Change and project risk assessment.
- Security incident management.
- Proactive risk management.
- Business and IT consultancy.
- Information security audit plan management.
- IT/Governance Steering Committees attendance if required.
- Monthly reporting (where defined) with security KPIs.
- Allows you to significantly lower costs.
- Enables your company by improving your information security posture.
- Provides management peace of mind that your business is secure and security issues are being managed by professionals.
- Meets business objectives while ensuring new projects are secure and compliant.
- Delivers proactive information security risk management to avoid surprises and assist funding and planning.
- Gives direct access to technical security specialists.
- Increases stakeholder and customer confidence while business risks decrease.
- Keeps smaller businesses up-to-date with new regulation and legal jurisdictions.
- Helps you to be better prepared to address ever-increasing compliance and security regulation and legislation.
Technical Design Review
Implementing or updating any IT Security Architecture can leave your business vulnerable. How do you ensure you are protected during the transition? Do you know the real requirements for your security?
Performing a Technical Design Review allows us to determine the real requirements of your information security and evaluate policies and procedures independently. By allowing us to review any proposed or existing IT security solution, we can help ensure you reduce reliance on individual resources and satisfy clients' security expectations. Contact our information security experts now to discuss the scope of the review and how we can help you build your security profile.
What to Expect
Our review is delivered via a mixture of documentation and workshops that can be customised to your circumstances. These can include:
Design Concept Workshops: Our Security Consultants can join with your IT staff, Security Architects and Web Designers to provide clear, tangible security advice. Integration can be carried out at any stage of a project.
Existing Solution Review: If you already have a number of processes and policies in place, we can perform a design review to ensure best practices are being followed. We will identify existing security vulnerabilities that may not have been picked up via traditional penetration testing or compliance reviews.
Solution Migration: Migrating key security infrastructure or implementing technical changes can pose an increased risk to your security. Our consultants can assist in reducing this risk by reviewing migration plans and attending workshops.
PSN Design Workshop: If your company is planning on providing services to the UK Government’s Public Service Network, we can help you define a solution that is capable of satisfying the mandatory functional and security requirements.
Our Technical Design Review can be particularly useful when the challenges you face are not covered by existing published guidelines. Our experts can consult on the creation of solution architecture for your IT Infrastructure. We also provide consultancy for the implementation of procedures and policies that protect the security posture of the overall solution.
CESG Listed Advisor Scheme (CLAS)
The CESG Listed Advisor scheme (CLAS) provides a pool of private sector Information Security professionals approved by CESG (GCHQ), to give IA advice to UK Government departments and agencies.
NCC Group offers a full range of CLAS related services from project inception to project go-live and monitoring and maintenance including:
- Advice and guidance for connecting to PSN (Public Services Network) and completing Code of Connection (CoCo) accreditations.
- Advice and guidance to clients seeking G-Cloud listing on how they can achieve the required levels of security, how to complete the forms and general help through the process.
- Providing CLAS qualified and experienced staff working as Accreditors across the civil and military services.
- Assessments against the Security Policy Framework (SPF) providing advice and guidance to organisations on how to improve their compliance to this standard.
- Undertaking Technical Risk Assessment (IAS Parts 1&2) and the development or update of Risk Management and Accreditation Document Sets (RMADS).
- Security Architecture and Infrastructure design advice and guidance for OFFICIAL and SECRET systems.
- The creation and development or update of System Operating procedures (SysOps) to align with the latest HMG guidance.
- Reviews of Forensic Readiness processes and plans against GPG18, providing advice and guidance on how to improve an organisation's forensic posture.
- Assessment and advice to organisations on complying with HMG guidance when off-shoring services and data.
- Reviews of mobile working solutions and End User Devices (EUD) assessing the approach, strategy and conducting gap analysis exercises against HMG EUD requirements.
- Providing CLAS resource required for the delivery of CESG Tailored Assurance Evaluations (CTAS) and CESG Assured Services (CAS) assessments.
- We have a large team of in-house CLAS consultants and CLAS associates which allows us to manage and deliver large complex long term engagements and smaller specific engagements.
- We can create a CLAS team to address different CLAS CCP specialisms which may be required at different phases of project delivery.
- We can provide continuity of CLAS resource for call off engagements and with experience of central government, local government and suppliers of services into government.
- Our CLAS team also delivers our CTAS and CAS services so can bring innovative solutions and knowledge to address your CLAS requirements.
CESG Assured Service for Telecommunications - CAS (T)
The scheme supports the government Public Services Network (PSN), which requires that all telecoms services procured by public sector bodies be assured to suitably protect information at IL2-2-4. This level is sufficient for the transmission of Unclassified and Protected data.
CAS(T) Services by NCC Group
NCC Group has a long track record of delivering ISO 27001-based services and has used this experience to develop a service offering that enables our clients to meet their CAS (T) requirements through all stages of CAS (T) compliance, from service scope definition through to audit and final submission to CESG.
Our CAS (T)-based services include:
- Scope Validation: We undertake focused exercises to identify and confirm the exact scope of any CAS (T) project. This enables our clients to focus effort where it is needed.
- Gap Analysis: We deliver gap analysis against the CAS (T) requirements to map exactly what work our clients need to do in order to bring themselves into line with the standard.
- Remediation: We assist clients as a trusted advisor helping them to remediate the gaps identified as part of a gap analysis exercise. This support includes services ranging from policy development through to design support.
- Audit: As we have CAS (T) accredited auditors within our team, at the end of the process we are able to undertake full compliance audits, which we then submit to CESG to confirm that you meet the CAS (T) requirements.
Do you need peace of mind that your third party suppliers are taking serious, proactive measures to ensure the on-going security of your information?
Our expert Supplier Assured team will review your supplier data security controls, informed by industry best practices such as ISO 27001, and report on your supplier's current security posture.
While key operations and processes can be outsourced to a third party, your business risks cannot be. So why do so many organisations still fail to assess their third party supplier IT security risks and ensure the on-going security and availability of their business critical information?
Third party suppliers can be an attractive way for cyber criminals to gain access to data and networks that would otherwise be beyond their reach. A huge range of external suppliers, from marketing to accountants to legal firms, can all be potential vulnerabilities. These suppliers may hold customer data, employee data or intellectual property that is hugely valuable to competitors.
When dealing with a third party it should be a given that all possible technical safeguards have been put in place to protect your data; however, as recent headlines have shown, this is not always the case. Organisations need to impose the same strict security policies on all third party suppliers and partners as they do on themselves. Insisting on a comprehensive IT security policy at the very beginning of working with the company is a good start.
NCC Group Compliance Manager
How do you track compliance across your organisation?
Organisations are faced with increasing pressure to implement and efficiently operate governance, risk and compliance (GRC) processes, as well as information security technology. Both are needed to help organisations meet the requirements of a growing number of IT compliance standards, such as ISO 27001/2, PCI DSS and SOX.
NCC Group’s Compliance Manager offers a practical and proven alternative to the currently available GRC options. It is designed for organisations that need to implement a number of GRC processes within a short time frame and at a reasonable price.
Our Compliance Manager comes with a set of Template Forms and workflows to fast track process implementation. These cover areas such as PCI DSS 2.0 & 3.0 and ISO 27002, ITC Policies, and Incident Response.
What to Expect
- Forms – enabling the user to quickly define Forms (without programming) to implement the data capture element of a process, such as an ISO 27002 control list, an incident Response Form or a 3rd Party Assurance Questionnaire – the possibilities are endless.
- Workflows – to control the flow of Forms through a process.
- User Definable Dashboards – providing the user with a summary or granular view of process activity.
- Define and track Projects and Tasks, related to a specific Form or section within a Form, for example requesting that a person completes a specific Section or adds evidence for a compliance requirement.
- Reference System Objects from other modules within Forms - such as Scans, Audits, Vulnerabilities, Assets and Events – to implement the concept of continuous auditing and compliance.
- Store documents, such as the evidence for a security control, in a central repository and link the evidence to a Compliance Requirement or Control.
- Export data to office productivity tools, such as Microsoft Excel, for further analysis.
- Run a selection of operational and management reports, providing different views of the information for different stakeholders.
Compliance Manager provides organisations with a convenient, cost-effective way to automate GRC processes – in a manner and at a pace that meets with resource and budgetary constraints. Efficiencies and cost savings are achieved rapidly through process automation and by reducing spreadsheet proliferation – removing the manual process of aggregating spreadsheet data.
Additionally, the Software as a Service (SaaS) model is ideal for organisations that need to automate processes across departments, geographic territories and organisations (such as trading partners), providing a common ‘language’ for all stakeholders. It allows everyone involved in the end-to-end compliance picture to access the information they need, when they need it, from anywhere in the world.
All of this enables compliance teams to operate more effectively and puts them in a position to meet their growing compliance workloads.
Card Production Audits
When producing payment cards, any failings in your systems could compromise the security of your organisation and its sensitive data. How do you currently check your security to ensure compliance?
As a service provider to both MasterCard and Visa Inc., we provide PCI Card Production certification audits globally. NCC Group will ensure that your logical and physical security measures are up to the job and are compliant with the industry standards.
Here are the services we provide:
- PCI Card Production Audits
- Over-The-Air (OTA) Personalisation Audits
- 3-D Secure Audits
- Cloud-based Payment Platform Security Audits
- PCI Card Production Consultancy
- Training Services for Card Vendors
NCC Group is accredited by MasterCard and Visa Inc. to perform audits against PCI Card Production logical and physical security requirements. We have unrivalled experience of conducting payment scheme audits worldwide and helping card vendors achieve compliance and certification to the industry standards. We have 11 auditors approved by the major payment schemes and conduct card audits of personalisation and manufacturing facilities in over 60 countries. We have expertise in all areas of card production including personalisation, manufacturing, PIN distribution, EMV and key management and mobile provisioning.
Over-the-air (OTA) personalisation, also known as mobile provisioning, is the process whereby a consumer's payment account details are securely transferred onto their NFC (Near Field Communication) enabled mobile phone. OTA personalisation occurs remotely, allowing provisioning of mobile handsets with MasterCard or Visa payment credentials over wireless networks. These mobile devices can then be used to perform payment transactions at merchant locations with enabled contactless point-of-sale terminals.
NCC Group has significant experience in delivering consultancy services and certification audits of the mobile provisioning facilities wishing to take advantage of this growing market. Our understanding of the commonalities and differences between the OTA provisioning standards of the major payment schemes helps us efficiently deliver combined certification audits in a single visit.
To reduce fraud and increase consumer confidence in online shopping, payment schemes introduced a mechanism of 3-D (Three Domain) authentication allowing issuers to verify that the person making an e-commerce transaction is an authorised cardholder. The three domains of the 3-D Secure service (Issuer, Acquirer and Interoperability Domains) provide secure protocols enabling enrolment of cardholders in the 3-D Secure service and secure exchange of data between the issuer and the merchant in order to authenticate the cardholder during the e-commerce purchase.
The 3-D Secure service enables cardholders to enrol in the scheme and establish a set of security credentials that will authenticate them during online transactions. Participating merchants implement a Merchant Server Plug-in on their e-commerce system. Via a secure exchange of messages with the payment scheme and the Issuer, this Plug-in allows merchants to verify whether a cardholder is enrolled in the 3-D Secure service and to authenticate them with the security credentials registered by the cardholder at the time of enrolment.
NCC Group is accredited to perform certification audits of facilities seeking Visa Inc. 3-D Secure certification (also known as Verified by Visa or VbV) of Access Control Server and Enrolment Server services.
NCC Group is accredited to perform audits of Cloud-Based Payment Platform providers. The introduction of Host Card Emulation (HCE) technology is a significant development in the mobile payment industry: it supports contactless payments made using NFC-enabled mobile devices while removing the need for a secure element on those devices. During a contactless transaction, the secure element (or smart card) is emulated by the HCE software deployed on the mobile device, which calls upon the payment account details stored in a secure virtual cloud instead of on the mobile device itself. NCC Group works with Cloud-Based Payment Platform providers to assess the physical and logical security systems supporting all stages of HCE-based payment, including data provisioning, active account management, verification for payment, transaction processing, lifecycle management and post-payment processing.
NCC Group has been conducting payment scheme audits since 2002 and has gained a wealth of experience assisting card vendors building up their facilities from 'zero', introducing new service lines or undergoing changes. We provide sound advice and practical assistance in reviewing construction plans and physical layouts of the facility, correct implementation of the access control system, intrusion detection system and CCTV cameras, designing the network architecture and developing the ISMS policy suite. All consultancy projects are different, and we work with the client to understand their needs and concerns and develop a consultancy service that addresses all of the client's requirements.
It is important that card production staff have knowledge of the production process, site security and logical security procedures. We work with card vendors to develop and deliver targeted training sessions for the relevant audience, covering topics that are particularly important to our client, such as:
- HR security, pre-employment and ongoing screening
- Visitor handling process
- Production process and audit trail
- Key management
- Guards’ responsibilities
- Security policies and procedures
- Business continuity and disaster recovery
Our History and Credentials
- NCC Group was the first company to become MasterCard International accredited for Logical Security audits of card production facilities.
- NCC Group became accredited by MasterCard International to conduct Physical Security audits.
- NCC Group was accredited by MasterCard International to conduct Mobile Provisioning Over-The-Air (OTA) assessments.
- NCC Group became Visa Inc. approved for the CEMEA and AP regions to provide logical and physical security audit services for card production facilities.
- NCC Group was approved by the other major card scheme to conduct logical security assessments of card vendors.
- NCC Group was approved to perform Visa Inc. PCI Card Production audits in the USA, Canada and Latin America.
GSMA Security Accreditation Scheme
There is an increasing use of embedded SIMs (eUICC) in phones, automobiles, smart meters and other products, facilitating ‘over the air’ provisioning of subscriber tailored services. Products with eUICCs are commonly referred to as machine to machine (M2M) devices.
Many machine-to-machine devices are not easily reachable for the purpose of subscription management. Subscription Managers (i.e. provisioning providers) and mobile network operators have been collaborating to develop 'Subscription Management' solutions to accommodate this emerging market.
The GSMA's Security Accreditation Scheme (SAS) was set up to assure and provide confidence to mobile network operators and their customers that the management of subscription profiles is carried out against stipulated minimum logical and physical security standards, thereby guaranteeing the security, integrity and confidentiality of the subscriber's personal and profile information.
There are two activities carried out to complete the subscription management process: Data Preparation (SM-DP) and Secure Routing (SM-SR).
As one of the two independent SAS auditor companies approved by the GSMA, NCC Group can conduct audits against the SAS SM-DP and SAS SM-SR standards worldwide. All audits are carried out to current GSMA standards to meet full compliance. These security audits ensure measures are in place to protect the mobile network operator (MNO).
The audit covers the following areas:
- Security policy, strategy and documentation
- Security organisation and responsibility, including internal audit and control
- Information security
- Personnel security
- Physical security
- Production data management
- Logistics and production management
- Computer and network management
- Data and service management specific to data preparation and secure routing functions of Embedded SIM remote provisioning