Information Security Consulting
Reduce risk without slowing your teams.
Every organization has different risks, constraints, and priorities. We help you identify the gaps that matter most, then build the controls and processes that keep work moving safely.
Services Provided
Application Security Review
For any Web-based software-as-a-service (SaaS) company, the security of customer information is dependent on the security of the code processing that information. A secure software development lifecycle (SDLC) is critical to application security, as it provides a measure of due diligence for a company to show that developers are writing secure software.
Cloud Security Review
A company's use of Amazon Web Services (AWS, or the Cloud) enables it to move fast and not worry about the scaling activities (data, processing power, etc.) that plague companies using on-premises environments. That said, AWS can only provide security up to a point. Under its Shared Responsibility Model, AWS ensures the security of the underlying Cloud services, but the configuration and maintenance of the applications using those services is the customer's responsibility. Various Cloud services are connected in a distributed manner and, if not architected carefully, can lead to unexpected downtime, costs, and compliance requirements.
Incident Response Review
The purpose of this review is to ensure that the company and its personnel can respond quickly and effectively during security incidents. These incidents are separate from outages of an application (often also called incidents), which may or may not have been caused by a security event. A security incident is any type of security event that has broken policy or law. These incidents must be handled in a specific, detailed manner to ensure that any insurance claims are valid or company liability is minimized.
Operational Security Review
A cornerstone of security in any organization is not how software is written, nor where software is deployed (the infrastructure); it is how humans are organized around best practices in Information Security. Humans are, by far, the weakest link in any secure system, but they are essential to an organization's success. Operational Security is the process of putting controls in place that ensure humans, be they employees or contractors, are performing a duty of care with respect to the organization's assets (which include both employee and customer data). Without organizational security, technical controls applied to software or infrastructure will fail to last.
Supply Chain Security Review
No company creates its own products and services for everything it needs. There is always an element of outsourcing these tasks to another company. Some companies have over 200 vendors supplying products and services. Yet supply chain security is one of the most overlooked pieces of the information security puzzle. Whether it is the financial software you buy or the third-party libraries used by developers when creating your Web application, the security of these products is paramount.
Security Awareness Training
The largest measure of a security program's success is how aware each employee is of their responsibility to protect data. Policies and controls will not be as effective if employees do not understand their purpose, and employees may often simply work around these security measures. Effective awareness training involves both general security and job-specific training.
Pricing
We are always up-front and transparent with our fees to save you time and money.
Hourly Rate
$225
The services listed on this page operate on a standard hourly rate. As every company has slightly different needs, estimates become increasingly difficult and fixed price contracts are untenable. Pricing is thus allotted in buckets of time. However, a more detailed scope of work may be created upon request.
Rates can vary based on a variety of situations and special requests. These can include urgency, complexity of the system, longevity of the contract, daily or weekly rates, and so on.
Invoices are produced monthly; payment is NET-30. A 15% deposit is due upon contract signing. Taxes may apply as required by law.
All prices are listed in Canadian dollars.