PrivSec are your security specialists. We provide a wide range of services to meet your needs, including short consulting engagements, web application penetration testing to full audits and certifications. Our wide range of expertise and experiences allow us to provide you a well rounded, full service security review.
Governance, Risk and Compliance
While a risk assessment can highlight what risks may be present in your service, an audit helps quantify that risk and highlights areas for improvement. We develop a thorough audit plan before working with you and your third parties to ensure that everyone is well prepared. Our consultants then assess the effectiveness of controls and not just their presence, to ensure you are aware of the real security and privacy posture of the service in question.
Annual Assurance Reviews
An annual operational security review highlights the effectiveness of key security controls for the services you provide. These key controls include but are not limited to logging and alerting, BCP, DR and access management. This can be used to provide assurance to service consumers to show you are appropriately maintaining the security of your solution between certifications.
Consultancy and Advice
Our team are experts in their fields, and can provide you with bespoke security consultancy and advice as needed. We can assist in the development of security and privacy policies as well as assisting in the development of your security function.
Security Risk Assessments
We work with you and the organisation to highlight the security risks associated with your products and services. Our approach includes running business context and technical context workshops to ensure we're identifying the key risks that you care about. Our process aligns with AS/NZS ISO 31000:2009 and ISO/IEC 27005:2011 risk management standards.
ISO27001 and PCI DSS Alignment
ISO27001 and PCI DSS can seem like daunting standards to conform to, but are often required depending on the environments you are operating in. Our consultants are experienced in aligning organisations with these standards and assisting in the development of related policies and artifacts to help you meet the standards. Members of our staff have completed ISO27001 lead auditor training, and hold the PCIP qualification.
PrivSec Consulting can assist our clients in uplifting their organisations' security posture to advance their Protective Security Requirements (PSR) maturity.
Privacy Impact Assessments
From privacy threshold assessments through to detailed privacy impact assessments, we can assist you with analysing and assessing privacy risks for individuals arising from the processing of their data.
Security Risk Management Plans
Audits often highlight a number of issues requiring remediation, and risks requiring appropriate management. PrivSec can assist you in developing a Security Risk Management Plan (SRMP) that aligns with NZ government expectations, and ensures that you are appropriately managing the security of your service.
With an increase of project delivery using agile delivery methods, releasing project features to production in regular, quick sprints, it is important to ensure appropriate due diligence is provided over these changes. While traditional assurance delivery methods can be conducted for these releases, PrivSec have been working with our clients to deliver assurance in a fit for purpose, incremental manner. Reach out to find out more about how we can integrate within your Program Increment (PI) planning.
Security & Privacy Design Reviews
Incorporating security and privacy design principles early on in the development of a new system or service saves both time and money down the road, reducing costs of rework and delaying go-live dates. We can review your design documentation and attend workshops to help align your services with best practice.
Firewall Rule set Reviews
Reviewing firewall rule sets to ensure that appropriate rules are in place. This includes ensuring that only appropriate services are allowed, sources and destinations are appropriately defined, verifying if unused rules are present, reviewing segmentation applied and validating if any rules are overly permissive.
Secure Code Reviews
Secure code review can be conducted independently or in conjunction with penetration testing. Code review helps identify vulnerabilities in the application by verifying proper security and logical controls are present, work as intended and are implemented in the correct places.
Configuration reviews follow good practice guides surrounding the applicable products, as well as ensuring that the service meets the security requirements of your organisation. Validating key security controls such as encryption, backup and access management are well configured for the service are key components of configuration reviews.
Cloud Security Reviews
As the usage of cloud services become the status quo, it is important that you are aware of the related security and privacy implications of these services. We can highlight the risks of using these services, as well as conduct reviews of your cloud service implementations.
We can review hosts within your environment against industry good practice and benchmarks to highlight any deficiencies or areas for improvement. A host review includes but isn't limited to reviewing operating system and application patch levels, endpoint protection configuration, access permissions, policies applied, logging policies enabled, firewall and network configurations.
Reviewing your databases to verify that it has been well configured, and doesn't expose itself or the data within it to unauthorised parties. Our database reviews review your database against good practice and industry benchmarks and includes reviewing software versions, what users are present, what permissions are assigned, what policies are in place, what logging is enabled, and whether encryption is applied.
Web Application Penetration Testing
Our team can conduct penetration testing against your web applications to simulate real world attacks to give confidence of their security posture.
Our testers leverage industry best practice methodologies including the Open Web Application Security Project (OWASP) Testing Guide and Open Source Security Testing Methodology Manual (OSSTM).
Testing can be conducted as black-box, white-box or grey-box depending on your requirements.
Mobile Application Penetration Testing
Mobile Application penetration testing reviews a mobile application (iPhone or Android) against real world attack scenarios to highlight if vulnerabilities are present.
Testing follows the OWASP Mobile Application Security Testing Guide (MASTG).
PrivSec Consulting can conduct internal or external vulnerability assessments against your services to identify if known vulnerabilities are present using industry standard tooling.
Vulnerability reports are reviewed by consultants to extract relevant findings, and validate any false positive findings where relevant and presented in an easy to consume report for our customers.
We're here to help you
We can tailor our services to ensure you end up with the outcomes you require. Being a boutique consulting firm allows us to be agile, and meet our customers needs while retaining our core goals of simple, pragmatic security and privacy.