A. Strategy & Roadmaps

We have experience in developing enterprise and domain strategic plans and roadmaps, which provide a time-based plan that defines where a business is, where it wants to go, and how to get there. These are generally presented as a visual representation that organises the important elements of future plans, accompanied by a textual summary. Strategic roadmaps are an effective communication tool for all stakeholders and link strategic initiatives with business plans.

  • Consolidate corporate vision and intent
  • Examine and refine context
  • Craft future scenarios and benefits
  • Develop roadmap and prioritisations

B. Business Architecture

Business Architecture is the discipline that integrates and represents holistic, multi-dimensional business views of: capabilities, end‐to‐end value delivery, information, and organisational structure; and the relationships among these business views and strategies, products, policies, initiatives, and stakeholders.

  • Establish sustainable business implementation strategy
  • Refine business capability and value streams
  • Business characteristics and journey maps
  • Determine high-level (enterprise) integration architecture
  • Create roadmaps and benefit state

C. Target Operating Models

Target operating models are a description of the desired state of the operating model of an organisation, whether collectively as an enterprise, or for a group or department. Depending on need and scope, they define the “as is” model and the “to be” model (the target operating model). These models are typically presented graphically, and summarise the internal operation of the business or of a function within a business.

  • Creating the operational model to realise the corporate strategy and vision
  • Integrating and organising key resources and structures

D. Digital Processes

Digital transformation is the process of refining the use of digital technologies to create new, or modify existing, business processes, culture, and customer experiences to meet changing business and market requirements. Digital Process work relates to how business processes can be changed to increase efficiency, reduce manual intervention, reduce delays, and optimise operation for the transformed business environment.

  • Understanding the operational context of the enterprise (whole or part)
  • Determining pragmatic optimal data, integration and process models
  • Integrating user operation into application landscape
  • Comprehensive reporting and visibility

E. Cloud Native Applications

Cloud Native Applications is a broad domain which describes applications or external services that are hosted in cloud environments. These applications may be service platforms in their own right (such as a Finance suite, an HR suite, a data analytics suite, etc.) which can be licensed. These applications must be securely integrated with other cloud-based applications or with on-premise applications to create your unique business advantage and environment.

  • Functional analysis and enterprise compatibility
  • Security profile and analysis
  • Data and integration approaches
  • Benefits analysis and roadmaps

F. Cyber Security Maturity and Gap assessments

Our information security risk appetite framework/model provides a structured approach to the management, measurement and control of cyber-related risks.

We perform an assessment that describes the consequences if a significant cyber security incident or cyber security crisis affects the organisation. We review the cyber threat readiness in line with the NSW Cyber Security Policy requirements.

We have supported organisations to develop and implement a suite of IT security policies and procedures, including cyber security policies. We also assess whether:

  • A cyber security threat library has been established capturing possible cyber-related risks to the organisation.
  • Cyber security controls are in place within the network, server and endpoint layers.
  • Training or awareness sessions have been incorporated into staff induction and annual refresher sessions.
  • Mandatory validation exercises have been included in the annual refresher course to make staff and contractors aware of their roles and responsibilities.

G. ISMS design and Audits

Centropy has a proven approach to developing practical and “fit for purpose” Information Security Management Systems for various clients. We have helped over 40 clients achieve certification and close to 80 other clients to align with the standard.

Our ISMS development projects will involve:

  • Preparing an ISMS policy and IT information asset registers in order to define the ISMS scoping framework
  • Performing an ISMS gap analysis, threat and risk assessment
  • Generating an ISMS Statement of Applicability (SoA) including the current state of the 114 Annex A controls, mapped to existing policies and procedures
  • Developing ISMS procedures and controls
  • “Secure by Design” framework and assessment
  • Providing ISMS training
  • Performing an ISMS internal audit, conducting a management review and providing a management report
  • Updating the ISMS Threat & Risk Assessment, Risk Treatment Plan and Statement of Applicability to reflect the results of the internal audits and management review
  • User access review & Privileged Access Management audits

As part of an audit of an ISO27k-aligned ISMS, Centropy consultants review the SoA for each client and undertake a series of internal audits covering the specifically relevant control sections. As a sample, these could include:

  • The “management system” component of the ISMS (i.e. sections 4-10 of the ISO 27001 standard)
  • Annex A.5: Information security policies
  • Annex A.6: Organisation of information security
  • Annex A.7: Human resource security
  • Annex A.8: Asset management
  • Annex A.9: Access control
  • Annex A.10: Cryptography
  • Annex A.11: Physical and environmental security
  • Annex A.12: Operational security
  • Annex A.13: Communications security
  • Annex A.14: Systems acquisition, development and maintenance
  • Annex A.15: Supplier relationship management
  • Annex A.16: Information security incident management
  • Annex A.17: Information security aspects of business continuity management
  • Annex A.18: Compliance management

H. Vulnerability assessment and penetration testing

Centropy performs three types of vulnerability assessment and penetration testing services:

• Network-Level Internal vulnerability assessment

A network-level vulnerability assessment will be performed from within the internal network to simulate internal attacks. Assuming the first line of perimeter defence (firewalls and routers) is compromised, these tests will address any residual weaknesses associated with the local servers, identifying any internal access points and insecure hosts or workstations, including the security provided by network configuration. This gives an indication of whether the internal network is resilient to external hacker and insider attacks. We will use commercial and open source tools as required. We may also consider the current OWASP Top 10 vulnerabilities during this review.

• Network Level External Penetration Testing

Centropy’s external penetration testing reviews involve a strategic assessment to evaluate the overall level of security that has been implemented and to ensure that "best practice" controls are being used to mitigate known security risks. This is done through direct probing and controlled network scanning activities, including discovery and vulnerability assessment, informed by our past experience in the industry.

In general, the objective of an external penetration test is to analyse external firewalls, Internet routers, and other networked systems and applications visible from the Internet at large. Our aim is to ascertain the security configuration through empirical methods in order to assess the level of susceptibility to Internet-initiated attacks. This is accomplished by performing a controlled and managed simulation of an actual attack/intrusion attempt against the network and security devices supporting the Internet-facing business services. The attack simulation tests the various infrastructure components against the applicable attack scenarios, taking into consideration different levels of potential external attackers and the resources available to them. This risk-based approach provides our clients with results relevant to their business, by identifying the real-world threats and risks jeopardising it.

• Wireless Network Leakage

Employing a wireless solution offers great flexibility, but it comes with the potential for attack as it expands the organisation’s logical perimeter. From rogue access points to weak encryption algorithms, threats to wireless networks are unique and the risks can be significant. Wi-Fi can provide opportunities for attackers to infiltrate an organisation’s secure environment, irrespective of security access controls. Penetration testing can help identify weaknesses in the wireless infrastructure. We will use commercial and open source tools as required for this testing exercise, which will include:

  • Identifying Wi-Fi networks, including wireless fingerprinting, information leakage and signal leakage;
  • Determining encryption weaknesses, such as encryption cracking, wireless sniffing and session hijacking;
  • Identifying legitimate users’ identities and credentials to access otherwise private networks and services.

I. Data Privacy & Protection

Centropy’s Privacy Impact Assessment engagements are performed in line with the process recommended by the NSW Information and Privacy Commissioner under section 36(2) of the Privacy and Personal Information Protection Act 1998 (PPIP Act), or alternatively the Health Records and Information Privacy Act 2002 (NSW) (HRIP Act).

The PPIP Act provides guidance to promote the adoption of, and compliance with, the Information Protection Principles (IPPs) and the protection of personal information and the privacy of individuals. Similarly, the HRIP Act provides guidance on complying with the Health Privacy Principles (HPPs).

Our approach for the Privacy Impact Assessment will include a mapping of potential data flow considering:

  • Who will collect what information from whom and for what purpose;
  • How the information will be used or processed, and whether the collection of any identifiable health information is excessive;
  • How the information will be stored and kept secure;
  • The processes for ensuring information quality.

Centropy has been at the forefront of establishing data protection controls for many organisations. During a data protection review we assess whether:

• Appropriate data classification and ownership allocation has been determined.

• Appropriate role-based access and authentication controls (including remote access) have been established within the key council business application to protect and secure data capture, data processing, storage and dissemination of data classified as sensitive.

• User access logging and audit trails of key transactions within the key council business application have been implemented.

• Application whitelisting, antivirus/malware and macro protection controls have been implemented in line with the ACSC Essential Eight requirements.

• Effective processes have been established to identify and report on data breaches.

• The information will be disclosed to another agency or organisation, and if so to whom and for what purpose.

• If the information is to be disclosed to and used by secondary users (for example, another organisation, service providers, system or application developers), how well those secondary users will protect that information, and whether they will pass it on to others.

• Identifiable health information will be transferred to another organisation in another jurisdiction, either within Australia or outside Australia.

• Individuals will be able to access and correct their identifiable health information.

• How long the information will be retained, and when and how it will be disposed of.

J. Cyber Security Awareness Programs & Mock Phishing

Centropy works with a number of clients to help assess staff awareness and, in response to the assessments, to design, develop and maintain Cyber Awareness programs. Centropy’s expert trainers have led on-premise, instructor-led training for staff and management at various NSW Health and State Government clients.

Centropy has developed a unique annual service that encompasses a number of modes of delivering Cyber Security Awareness training (including online training and mock phishing as a service), together with tracking and monitoring of the effectiveness of the Cyber Security programs on an annual basis.

Centropy has also been involved with developing IT related training material for a large number of state government entities, whereby the participants:

  • Are exposed to the context of cyber security;
  • Understand the objectives and principles of good cyber security controls and how these apply to the council across its business activities;
  • Identify the cyber security aspects of their roles and duties;
  • Understand basic cyber security risk management; and
  • Understand the importance of reporting and escalating cyber security related issues and incidents.

Centropy usually covers the following topics during its executive training sessions:

  • NSW Government Cyber Security policy overview
  • Cyber threats prevalent in the market today
  • Liability, responsibility and compliance requirements for Cyber security.
  • ACSC essential eight controls and required counter measures
  • OWASP top 10 risks and effective counter measures covering secure systems development practices and security as part of SDLC and change processes.
  • Systems hardening and patching better practices.
  • Cyber incident response procedures.
  • Individual day to day behaviours to minimise cyber risks.

K. Incident Response Plan Design / testing

An organisation’s Incident Response Plan is designed to establish and designate the members, define the roles and responsibilities as well as include the framework for assessing and mitigating the risk of harm to individuals and entities potentially affected by a breach. It also provides guidance on whether and how to provide notification and services to those individuals.

The purpose of the Plan is to ensure that the organisation responds in a timely, consistent, and appropriate manner to suspected and confirmed breaches, in order to protect information and assets and to minimise harm to individuals and entities that may be affected by the breach.

Centropy’s Data Breach / Incident Response Plan testing is performed to provide assurance to the organisation’s management that the organisation is well prepared for, and will respond to, a breach by establishing baseline requirements and procedures. The Data Breach Response Plan testing assesses the adequacy of the existing Data Breach Response Plan and identifies any issues or gaps in the plan.

Centropy has worked with various clients in designing and updating their respective Data Breach Response plan. Centropy has conducted tabletop scenario-based data breach response plan testing, where:

  • Organisation-specific data breach scenarios were selected for the simulation exercise
  • Role play was conducted to enable the attendees to actively participate in the testing
  • Centropy team members facilitated and observed the exercise and recorded the proceedings of the simulation
  • Lessons learnt and key actions, suggestions and updates recorded during the exercise were provided in a formal testing report

L. Public / Hybrid Cloud Security Assessments and implementations

Leveraging extensive experience with various cloud IaaS / PaaS providers, Centropy consultants have performed reviews and assessments of our clients’ deployments on public / hybrid cloud environments. In addition to post-implementation audits, Centropy consultants have also been involved in pre-cloud deployment “security by design” engagements.

In a unique engagement Centropy was also engaged by a client to help develop standards for cloud security deployments for their third-party partners.

M. Gap Assessments & Governance Frameworks

Centropy’s Gap Assessment services aim to identify and highlight the gaps prevalent in our client’s environment, which helps them uplift their cyber security posture to achieve the desired maturity.

Gap Assessment services include developing the control strategy and appropriate action plans to address the identified gaps.

The Centropy team performs different flavours of Gap Assessments.

Cyber Security Maturity Gap Assessments

As part of this service, the Centropy team assists the client organisation to understand its present security posture and identify the level of maturity it aspires to achieve. The Centropy team will assess and identify the gaps across the client organisation and work with the client to develop the necessary action plans to achieve the desired maturity state.

Certification Gap Assessments

The Centropy team provides assessment services to assess and identify the gaps within the client’s business practices in alignment with various frameworks such as PCI DSS, ISO 27001, CPS 234, etc.

Governance Frameworks

A governance framework is a set of rules and guidelines that provides an understanding of how an organisation is managed and controlled. The Centropy team helps to develop a framework that the client’s business users can access and follow as part of their everyday business activities.

The Centropy team assists the client’s organisation to build governance frameworks that help the organisation manage and control its business units and raise its cyber maturity.

N. Risk Management Frameworks

A Risk Management framework is a structured process used to identify potential threats to an organisation and help devise a strategy for treating and effectively monitoring the risks.

Centropy consultants have vast experience in devising Risk Management Frameworks for the clients which incorporate mechanisms that can help clients to evaluate, monitor and treat the relevant risks within their business units.

O. Regulatory compliance

a. PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards formed in 2004 by Visa, MasterCard, Discover Financial Services, JCB International and American Express. Governed by the Payment Card Industry Security Standards Council (PCI SSC), the compliance scheme aims to secure credit and debit card transactions against data theft and fraud.

The PCI SSC has outlined 12 requirements for handling cardholder data and maintaining a secure network.

Centropy’s approach towards PCI-DSS compliance support is:
- Assess
- Remediate
- Report

Centropy has assisted clients with the identification and remediation of gaps identified. This includes the development and formalisation of various documentation and associated artefacts. Centropy provides guidance and assistance in the development of the documents and artefacts by (a) providing a template/shell based on Centropy’s experience, and (b) checking the completed draft document/artefact.

Centropy provides support in consolidating and unifying the existing PCI DSS documentation set with the documents to be developed during the remediation phase. Depending on the PCI DSS level, Centropy provides support in updating the SAQ and consolidating all the artefacts (e.g. policies, procedures, standards, checklists, etc.).

b. CPS 234

CPS 234 is a mandatory information security regulation issued by the Australian Prudential Regulation Authority (APRA), which commenced on 1 July 2019. This regulation aims to assist APRA-regulated entities in uplifting their information security capabilities in order to withstand the current cyber landscape and provide quality services to their end customers.

Key requirements listed within CPS 234:
1. Information Security Capability
2. Policy Framework
3. Information Asset Identification and Classification
4. Implementation of Controls
5. Incident Management
6. Testing Control Effectiveness
7. Internal Audit
8. APRA Notification

The Centropy team provides services to assess the security controls addressing the CPS 234 requirements and to devise a strategy and procedures to meet the control requirements.

P. Policies and Procedures

The Centropy team has assisted client organisations to develop and socialise a variety of policies and procedures related to IT Governance, Cyber Security, Business Continuity and Disaster Recovery. The Centropy team assesses and develops relevant policies and procedures that outline best practices which the client business units can follow.

Q. Risk assessments

Centropy has assessed and helped develop appropriate IT risk management controls for many Government agencies and state-owned organisations. During our assessment, we determine whether:

  • IT risk management is in line with your organisation’s Enterprise Risk Management (ERM) frameworks and aligned to the relevant IT risk appetite and IT risk tolerance levels when making risk-aware decisions.
  • Principles and processes for IT Risk Evaluation, covering risk identification, risk analysis and measurement, risk ranking, risk mitigation and risk monitoring, have been established.
  • Principles and processes for IT Risk Response, covering risk articulation, triage, risk treatment and risk reporting, have been established and are in operation.

R. ISO 22301-based IT DR and Business Continuity

Centropy has decades of experience in performing Business Impact Assessments for various NSW government agencies and helping them uplift their business continuity management processes in the following manner:

• Develop an annual review program:
Develop a rolling annual review program to ensure Business Impact Analyses (BIAs) and Business Continuity Plans (BCPs) are reviewed, maintained and tested. Develop a checklist to facilitate review by Corporate Governance (including guidance for reviewing outsourced functions), which will also assist with reporting to management. Develop review reporting templates that can be provided to business units to facilitate required actions. Feed the results back into a framework for continuous improvement of the BCM.

• BCP Training:
Deliver face-to-face training, eLearning modules and slides for Business Continuity Coordinators (BCCs) that includes an overview of Departmental requirements per policies and procedures, as well as the roles and responsibilities of the Business Continuity team.

• Monitoring and Reporting:
Develop reports to support management, Executives, and Audit and Risk Committees that suggest metrics to enable an assessment of whether BCM objectives have been met.

• IT Disaster Scenario testing:
Perform tabletop or live scenario-based testing of the predetermined business impacts and their BCM activities to ensure planned recovery options will work effectively and efficiently, with minimal risk and impact to the business.

S. Controls testing

Centropy performs audits of IT functions against an IT assurance control framework aligned with COBIT-based controls. This covers:

  • general IT controls,
  • identity and access controls,
  • privileged rights review,
  • user access monitoring and auditing,
  • change management controls,
  • software development controls,
  • incident and problem management controls,
  • business continuity and disaster recovery controls.

Our reviews assess the maturity and effectiveness of controls deployed by our client organisations.

Copyright © 2020 centropy. All rights reserved.