IT Risk & Compliance Services

We help Australian organisations reduce uncertainty with comprehensive IT-focussed governance, risk, and compliance (GRC) solutions

INFORMATION SECURITY COMPLIANCE

Threats evolve.
So should your defences.

We have entered an age of accelerating risk.

A single click can destroy a business, and the attack surface has never been greater.

The surge in technology has created major opportunities for cybercriminals, with over $5 trillion/year expected to be lost to data breaches and malicious attacks. Millions of organisations are vulnerable, few of which have adaptive security in place.

We provide expert information security compliance solutions, constantly evolving to keep your organisation protected, compliant, and ready for anything.

How we protect you

Security Assurance Services

We design, implement, operate and assess information security controls to meet your business and legal requirements.

Our services span the stages Maturity, Assess, Defend and Manage:

  • Baseline Assessments
    • Cyber Maturity
    • Cyber Insurance Requirements
    • ACSC Essential 8
  • Privacy and Data Protection
    • Data Classification and Compliance Assessment
    • Privacy Impact Assessment
    • Data Breach Readiness
  • Technical Assessments
    • Cloud Security and Compliance
    • Implementation Assessment
    • Design Consulting and Assessment
    • Architecture Design and Assessment
  • Cyber Training Services
    • Cyber Security Training Programs
    • Cyber Security Awareness
  • Compliance Assessment and Management
    • Policy / Procedure / Standard Development
    • Internal / External Audit and Audit Advisory Services (assistance with audits)
    • Gap Analysis
    • Threat and Risk Assessment
    • Compliance Program Management
    • ISO 27001 / CPS-234 / PCI / ISM / IS-18 Compliance Assessment and Management
  • Business Advisory Services
    • Board Advisory Services
    • Virtual CIO / CISSO
  • Specialty Services
    • IRAP Assessment
    • Forensic Investigation
    • Incident Management

Baseline Assessments

Cover off the minimum requirements to protect your organisation from cyber security threats.

ACSC Essential 8

Our team will assess your organisation against the Essential 8 strategies to help you understand how your organisation aligns. This provides a clear path forward for strengthening your cyber resilience.

Typically a 5-day, fixed-price engagement, our Essential 8 assessment is designed for small and medium-sized organisations that either:

  • have no specific compliance requirements; or
  • provide services to government organisations.

If your organisation has more in-depth security requirements, we recommend a Cyber Maturity Assessment (see below; this includes an Essential 8 Assessment), or, if you have stringent compliance requirements, we recommend our Compliance Gap Analysis or Compliance Program Management services.

What is the Essential 8?

The Essential 8 Strategies to Mitigate Cyber Security Incidents, developed by the Australian Cyber Security Centre, is a prioritised list of mitigation strategies to help protect your systems from a range of adversaries.

In short, the Essential 8 strategies, when implemented correctly, protect against the most common and most basic threats where end-users are most commonly the cause.

While no single mitigation strategy is guaranteed to prevent cyber security incidents, it is recommended that organisations implement these eight essential mitigation strategies as a baseline.

This makes it much harder for adversaries to compromise your systems, which can be more cost-effective in terms of time, money and effort than having to respond to a large-scale cyber security incident.

Cyber Insurance Requirements

This assessment looks at the coverage for basic cyber security requirements that a cyber insurer will be looking for, to satisfy the “due-care” clause(s).

Many organisations that have taken the insurance route (to avoid spending money on effective security controls) are now finding that the fine print in insurance agreements can include a clause along the lines of “due care”, that is invoked to deny insurance payouts when:

  • claims are being made; and
  • little or no effort has been put into protecting the organisation from cyber threats.

If you fail to proactively protect yourself and continually claim on insurance, your insurance premiums will continue to rise.

Cyber Maturity

A cyber maturity assessment identifies and quantifies the state of your organisation’s cyber security program, and can answer the following questions:

  • What are our cyber weaknesses?
  • Where should we prioritise investments in our cyber program?
  • Where should I start with a cyber security program?

It can also:

  • Help build a stronger security culture
  • Provide ongoing metrics to identify progress over time

The assessment covers domains across Business activities and Architecture, with the optional addition of Cloud Compliance. These domains are aligned to ASIC cyber-resilience best practices, and encompass the Australian recommendations for minimum controls included in the ACSC Essential 8.

Below is a representation of what our cyber maturity assessment covers:

Business

Identifies the degree to which your organisation is managing cyber security from a people and process perspective

Architecture

Identifies the degree to which your organisation’s technology and controls are designed and implemented.

Cloud Compliance
(optional)

Identifies the degree to which the organisation is securely managing its use of cloud services

Business
  • Strategy and Governance
  • Risk Management and Threat Assessment
  • Collaboration and Information Sharing
  • Awareness
  • Response and Recovery

Architecture
  • Asset Management
  • Networking and Technical Architecture Design
  • Protective Measures and Controls (ACSC Essential 8)
  • Detection Systems and Processes

Cloud Compliance (optional)
  • Secure Cloud Design and Structure
  • Information Classification and Control
  • Protective Measures and Controls
  • Access and Identity Management

A cyber maturity assessment is recommended for organisations that are concerned about cyber security but do not yet know where to invest time, effort, and money to improve.

It is also beneficial for organisations that want to track improvement over a period of time and validate whether recent changes have succeeded in improving cyber program maturity.

While the assessment is applicable to all industries, it can be tailored to consider specific industry frameworks.

Privacy and Data Protection

Meet the privacy requirements imposed by lawmakers in Australia and around the world.

Data Breach Readiness

Understand your readiness to respond to data breaches, and get advice and solutions to improve your preparedness.

Under the Notifiable Data Breach (NDB) scheme, if your organisation is aware that there are reasonable grounds to believe that there has been an ‘eligible data breach’, you must notify the Office of the Australian Information Commissioner and affected individuals.

Our four-stage service places your organisation in the best possible position in the event of a data breach occurring.

  1. Putting data breaches, and the Australian Privacy Act, in perspective for your organisation: examining the specific areas where the Act applies to you
  2. Preparing a data breach response plan, to facilitate a rapid response that incorporates your legal obligations
  3. Training your organisation to respond to data breaches, with basic training for critical staff covering each step from containment to review
  4. Training for responding to NDBs. This final stage trains critical staff on the requirements of the NDB scheme and how to respond in these scenarios. The training covers the mandatory data breach reporting obligations, as well as the requirements for assessing suspected breaches.

Privacy Impact Assessment

Put a selected business activity through a systematic assessment to understand the impact that the activity might have on the privacy of individuals.

This assessment also sets out the mitigation strategies for managing, minimising or eliminating identified impacts.

For Australian Privacy Principle (APP) entities (organisations with an annual turnover of $3 million or more), this forms an essential component in the protection of privacy — and a key part of your overall risk management and planning process.

Completing this assessment will enable you to:

  • describe the flow of personal information
  • assess the possible impact on an individual's privacy
  • identify options for avoiding, minimising or mitigating negative privacy impacts
  • ensure all privacy requirements are met

Data Classification and Compliance Assessment

Understand where sensitive data lives, who has access to it, and, importantly, who needs that access.

This enables your team to pursue a state of least-privileged access, which can drastically reduce the risk associated with a data security incident and maintain that status over time.

Why is this important? Security breaches can result in significant monetary loss, especially when companies haven’t taken measures to protect valuable data. In many organisations, files and folders are shared unnecessarily with hundreds or even thousands of employees.

Very often, users have access to far more data than they need to perform their jobs. This leaves sensitive data overly exposed to outside attackers and malicious insiders since credentials for a single account can provide access to a trove of unsecured information, ranging from business plans to employee and customer data.

We help you get a clear picture of access requirements, opening a clear path forward for securing your data, whilst minimising disruption to your legal, business, and security teams.

Technical Assessments

Maximise peace of mind with expert input for security architecture, design and implementation.

  • confirm that best practices and security standards are adhered to
  • identify potential security risks
  • identify gaps or undocumented components
  • ensure business case and functional requirements are met

Architecture Design and Assessment

Achieve a holistic view of the technical security risks across your organisational environment.

This service highlights potential areas of risk and provides technical consultation to remediate identified risks.

This service can be of value:

  • in the early stages of implementing a new security architecture: we work as an extension of your project management team, assisting with planning and design
  • after a new security architecture has been put in place
  • following a merger or acquisition: determining where technical risks may be present in the consolidation of, or interoperability between, the organisations and their systems

Design Consulting and Assessment

A thorough, independent review of a proposed design and implementation plan, early in the project life cycle.

Find out whether a plan introduces new risks, falls short of your security and compliance standards, or even fails to meet your objectives.

You will get a report with a summary of findings, along with detailed recommendations on technical or policy controls to reduce risk.

This service is useful when:

  • you are seeking tenders or proposals for a project, and you need a review of, and input into, the proposal or design
  • the team designing and implementing an existing project has not seen your internal security policy

Implementation Assessment

Validate whether the implementation matches the design you requested and approved.

Too often, organisations are left with an implementation which does not match the brief, and discover only when it is too late.

We examine the delivered result and strictly compare it to the signed-off design.

Where any variations exist, we check that they are fit for purpose, do not introduce previously unexpected risk to the business, and are catalogued within the as-built documentation.

This provides certainty that what you requested is what you have received.

Cloud Security and Compliance

Secure your cloud environment with a clear understanding of security risks and misconfigurations.

We review your Microsoft Azure, Amazon AWS, or Google Cloud Platform infrastructure, identify risks, and provide recommendations on best practices and areas for improvement.

This provides reassurance in your cloud security posture.

This service is most valuable if your organisation:

  • Uses cloud for business-critical data or services;
  • Has a ‘cloud-first’ policy; or
  • Is looking to move identity and access management primarily to the cloud, or is already using the cloud for identity and access management (using systems such as Azure AD).

Cyber Training Services

Assess and prepare your first line of defence

Cyber Security Awareness Assessment & Training

Understand your current level of awareness, and prepare staff, providing them with the tools to prevent phishing and social engineering-based attacks.

Kindness and trust are often abused as an easy way for attackers to gain access to confidential information and systems — and one of the key ways to reduce the likelihood and impact of a successful attack is to carry out a staff awareness and training program.

Each of the items listed below can be provided individually or as part of an entire cyber security awareness program.

Holistic Awareness Program

Targeted Training

Equip your staff with key background information on cyber security in the workplace

Supporting Content

Maintain continuous awareness with reinforced training messages and information.

Real-time Feedback

Improve awareness over time with advanced exercises, monitoring, and support.

Targeted Training
  • Organisational Training Modules
  • Role-specific Training Modules
  • Social Engineering Training
  • Boardroom Training
  • In-person Training Sessions

Supporting Content
  • Awareness Posters
  • Supporting Materials (coasters, business cards etc)
  • One-off Seminars
  • Cyber Security Articles

Real-time Feedback
  • USB Drop Tests
  • Phishing Tests
  • System Warnings

Cyber Security Training Programs

More information coming soon. Please speak to our team for more detail in the interim.

Compliance Assessment and Management

Implement compliance programs with impact, built into your organisational operations.

Each of the following services may be performed separately or considered as a part of a broader compliance management program.

Compliance Program Management

Take charge of your compliance program by outsourcing management to our risk specialists.

To eliminate administrative complexity, we:

  • catalogue compliance and audit requirements
  • monitor risk status
  • manage a calendar with key dates and alerts
  • maintain a database of involved persons
  • audit regularly to maintain assurance
  • report effectively, increasing transparency

We can manage complete compliance programs including those listed below.

Which standards apply to your industry?

This is by no means a comprehensive set of available standards or their applicability; it is a good starting point to understand the available standards. Contact us to discuss specific requirements.

A list of common standards is below.

  • IS-18
  • AU-ISM
  • PSPF
  • APRA CPS-234
  • TGA Cyber Security Guide for Industry
  • AESCSF
  • ASIC Cyber Resilience Good Practice
  • PCI-DSS
  • NIST Guide to Industrial Control Systems (ICS) Security (NIST.SP.800-82)
  • ISA/IEC62443
  • Critical Infrastructure (TISN)
  • ETSI TS 103 645 Cyber Security for Consumer IoT
  • ACSC – Cloud Computing Security for Service Providers and Tenants
  • CSA – Cloud Controls Matrix
  • NIST Guide to Security and Privacy Controls (NIST.SP.800-53)
  • ACSC – Strategies to Mitigate Cyber Security Incidents (inc. Essential 8)
  • General Data Protection Regulation (GDPR)
  • Privacy, Notifiable Data Breach
  • ISO27000 Series – Information Security Management System
  • ISO31000 – Risk Management
  • COBIT – IT Governance
  • TOGAF / SABSA – Enterprise and Security Architecture

Here are some of the standards that can apply to the mining industry:

  • NIST Guide to Industrial Control Systems (ICS) Security (NIST.SP.800-82)
  • ISA/IEC62443
  • ETSI TS 103 645 Cyber Security for Consumer IoT
  • ACSC – Cloud Computing Security for Service Providers and Tenants
  • CSA – Cloud Controls Matrix
  • NIST Guide to Security and Privacy Controls (NIST.SP.800-53)
  • ACSC – Strategies to Mitigate Cyber Security Incidents (inc. Essential 8)
  • General Data Protection Regulation (GDPR)
  • Privacy, Notifiable Data Breach
  • ISO27000 Series – Information Security Management System
  • ISO31000 – Risk Management
  • COBIT – IT Governance
  • TOGAF / SABSA – Enterprise and Security Architecture

Here are some of the standards that can apply to the energy industry:

  • AESCSF
  • NIST Guide to Industrial Control Systems (ICS) Security (NIST.SP.800-82)
  • ISA/IEC62443
  • Critical Infrastructure (TISN)
  • ETSI TS 103 645 Cyber Security for Consumer IoT
  • ACSC – Cloud Computing Security for Service Providers and Tenants
  • CSA – Cloud Controls Matrix
  • NIST Guide to Security and Privacy Controls (NIST.SP.800-53)
  • ACSC – Strategies to Mitigate Cyber Security Incidents (inc. Essential 8)
  • General Data Protection Regulation (GDPR)
  • Privacy, Notifiable Data Breach
  • ISO27000 Series – Information Security Management System
  • ISO31000 – Risk Management
  • COBIT – IT Governance
  • TOGAF / SABSA – Enterprise and Security Architecture

Here are some of the standards that can apply to the water industry:

  • NIST Guide to Industrial Control Systems (ICS) Security (NIST.SP.800-82)
  • ISA/IEC62443
  • Critical Infrastructure (TISN)
  • ETSI TS 103 645 Cyber Security for Consumer IoT
  • ACSC – Cloud Computing Security for Service Providers and Tenants
  • CSA – Cloud Controls Matrix
  • NIST Guide to Security and Privacy Controls (NIST.SP.800-53)
  • ACSC – Strategies to Mitigate Cyber Security Incidents (inc. Essential 8)
  • General Data Protection Regulation (GDPR)
  • Privacy, Notifiable Data Breach
  • ISO27000 Series – Information Security Management System
  • ISO31000 – Risk Management
  • COBIT – IT Governance
  • TOGAF / SABSA – Enterprise and Security Architecture

Here are some of the standards that can apply to the transport industry:

  • NIST Guide to Industrial Control Systems (ICS) Security (NIST.SP.800-82)
  • ISA/IEC62443
  • Critical Infrastructure (TISN)
  • ETSI TS 103 645 Cyber Security for Consumer IoT
  • ACSC – Cloud Computing Security for Service Providers and Tenants
  • CSA – Cloud Controls Matrix
  • NIST Guide to Security and Privacy Controls (NIST.SP.800-53)
  • ACSC – Strategies to Mitigate Cyber Security Incidents (inc. Essential 8)
  • General Data Protection Regulation (GDPR)
  • Privacy, Notifiable Data Breach
  • ISO27000 Series – Information Security Management System
  • ISO31000 – Risk Management
  • COBIT – IT Governance
  • TOGAF / SABSA – Enterprise and Security Architecture

Here are some of the standards that can apply to the health industry:

  • TGA Cyber Security Guide for Industry
  • ISA/IEC62443
  • Critical Infrastructure (TISN)
  • ETSI TS 103 645 Cyber Security for Consumer IoT
  • ACSC – Cloud Computing Security for Service Providers and Tenants
  • CSA – Cloud Controls Matrix
  • NIST Guide to Security and Privacy Controls (NIST.SP.800-53)
  • ACSC – Strategies to Mitigate Cyber Security Incidents (inc. Essential 8)
  • General Data Protection Regulation (GDPR)
  • Privacy, Notifiable Data Breach
  • ISO27000 Series – Information Security Management System
  • ISO31000 – Risk Management
  • COBIT – IT Governance
  • TOGAF / SABSA – Enterprise and Security Architecture

Here are some of the standards that can apply to the financial services sector:

  • APRA CPS-234
  • ASIC Cyber Resilience Good Practice
  • PCI-DSS
  • Critical Infrastructure (TISN)
  • ETSI TS 103 645 Cyber Security for Consumer IoT
  • ACSC – Cloud Computing Security for Service Providers and Tenants
  • CSA – Cloud Controls Matrix
  • NIST Guide to Security and Privacy Controls (NIST.SP.800-53)
  • ACSC – Strategies to Mitigate Cyber Security Incidents (inc. Essential 8)
  • General Data Protection Regulation (GDPR)
  • Privacy, Notifiable Data Breach
  • ISO27000 Series – Information Security Management System
  • ISO31000 – Risk Management
  • COBIT – IT Governance
  • TOGAF / SABSA – Enterprise and Security Architecture

Here are some of the standards that can apply to the retail and commercial sector:

  • ASIC Cyber Resilience Good Practice
  • PCI-DSS
  • ETSI TS 103 645 Cyber Security for Consumer IoT
  • ACSC – Cloud Computing Security for Service Providers and Tenants
  • CSA – Cloud Controls Matrix
  • NIST Guide to Security and Privacy Controls (NIST.SP.800-53)
  • ACSC – Strategies to Mitigate Cyber Security Incidents (inc. Essential 8)
  • General Data Protection Regulation (GDPR)
  • Privacy, Notifiable Data Breach
  • ISO27000 Series – Information Security Management System
  • ISO31000 – Risk Management
  • COBIT – IT Governance
  • TOGAF / SABSA – Enterprise and Security Architecture

Here are some of the standards that can apply to the education sector:

  • PCI-DSS
  • ETSI TS 103 645 Cyber Security for Consumer IoT
  • ACSC – Cloud Computing Security for Service Providers and Tenants
  • CSA – Cloud Controls Matrix
  • NIST Guide to Security and Privacy Controls (NIST.SP.800-53)
  • ACSC – Strategies to Mitigate Cyber Security Incidents (inc. Essential 8)
  • General Data Protection Regulation (GDPR)
  • Privacy, Notifiable Data Breach
  • ISO27000 Series – Information Security Management System
  • ISO31000 – Risk Management
  • COBIT – IT Governance
  • TOGAF / SABSA – Enterprise and Security Architecture

Here are some of the standards that can apply to government entities:

  • IS-18
  • AU-ISM
  • PSPF
  • ACSC – Cloud Computing Security for Service Providers and Tenants
  • CSA – Cloud Controls Matrix
  • NIST Guide to Security and Privacy Controls (NIST.SP.800-53)
  • ACSC – Strategies to Mitigate Cyber Security Incidents (inc. Essential 8)
  • General Data Protection Regulation (GDPR)
  • Privacy, Notifiable Data Breach
  • ISO27000 Series – Information Security Management System
  • ISO31000 – Risk Management
  • COBIT – IT Governance
  • TOGAF / SABSA – Enterprise and Security Architecture

Threat and Risk Assessment

A Threat and Risk Assessment is a process which analyses the security posture of your environment for vulnerabilities, to examine potential threats associated with those vulnerabilities, and to evaluate the resulting security risks.

Conducting this assessment helps you strengthen your overall organisational security posture.

A Threat and Risk Assessment from Yell IT is a systematic methodology to:

  • Define and identify security vulnerabilities;
  • Identify potential threats associated with those vulnerabilities;
  • Evaluate the resulting security risks; and
  • Ensure that the protection mechanisms in place do meet the required objectives of your organisation in terms of integrity, availability and confidentiality.

Threats can be defined as anything that has a potential to contribute to the tampering, destruction or interruption of any service or item of value.

Threats can be split into two categories:

  • Human: e.g. hackers, theft, terrorism, accidental mistakes, malicious employees, and inadequately trained IT staff.
  • Non-human: e.g. floods, fire, plumbing, natural disasters, technical malfunctions.

Gap Analysis

Get a focused list of the actions you need to take to improve compliance against a chosen standard.

We will assess your current organisational state against a standard or compliance framework of your choice. We clearly define remediation activities needed to achieve an appropriate level of compliance, and deliver the results in a report.

This analysis quickly pinpoints “gaps” present, and can help improve your product, profitability, and business efficiency.

After we conduct the analysis, you will have precise answers to the following questions:

  • Where are we now?
  • Where do we need to be?
  • How are we going to close the gap?

Audit, and Audit Advisory Services

We can audit your organisation, or assist you to pass compliance audits.

With our breadth of experience across a range of audit scenarios, we are well prepared to help you avoid the common mistakes others make, whilst conducting (or facilitating) a smooth, detailed, and successful audit.

Policy / Procedure / Standard Development

Further information coming soon. Contact us for details.

Business Advisory Services

On-demand expertise at the executive level

Virtual CIO / CISSO

Get the specialty skills you need to draw up a strategic overview and deliver the big picture — without worrying about benefits or monthly overhead.

Yell IT offer several engagement models:

The Team Approach

Get access to a team of specialists to handle security activities around tasks such as security architecture design, security infrastructure deployment and management, vulnerability and penetration testing, and policy framework development.

The Project-Based Model

In this model, businesses opt for a project leader who works with the CIO and other internal staff members to handle multiple layers of security – the network, applications, data, identity and access management, as well as people and processes to design a security model and provide ongoing management for a stipulated period.

The Strategist

The third model is about moving to a people-centric model. Business heads and sometimes CEOs are involved, and they may task the virtual CISO with understanding the enterprise risk.

For example, the virtual CISO can conduct activities such as a top 10 risk-based study to establish how risk-prone the organisation is. The virtual CISO may also be tasked with assisting the organisation to develop and implement governance and assurance artefacts such as a security structure, implement an ISO 27001 framework, or develop a five-year security road map and risk mitigation plans.

Board Advisory Services

Contracting a virtual CISO and security team can be far more cost-effective than hiring a full-timer. They can fill in where you need it most, helping your CIO pull together your security policies, guidelines, and standards.

This could entail anything from getting to grips with the business's compliance requirements to staying on top of vendor risk assessments.

Once engaged with Yell IT, you have immediate access to all of our services offered in this space, including (but not limited to) expert knowledge in the following areas:

  • Information security leadership and guidance
  • Steering committee leadership or participation
  • Security compliance management
  • Security policy, process, and procedure development
  • Incident response and SOC services
  • Security training and awareness
  • Security assessment
  • Internal audit
  • Vulnerability assessments
  • Risk assessment

Specialty Services

To ensure that organisations can meet the requirements imposed on them by both Australian and International legislation and regulation, we offer a number of services that can be of assistance:

Incident Management

More details coming soon. Please reach out to our team for more information.

Forensic Investigation

More details coming soon. Please reach out to our team for more information.

IRAP Assessment

More information coming soon, please contact our team for more information in the interim.

Custom Assurance Services

If a specific governance or assurance activity is not called out here, we can also work with you to develop custom governance and assurance programs and activities based on your specific requirements.

Get in touch with us below, and talk to us about your requirements.

Peace of mind

Friendly, precise assurance services.

Leave it with us. Our team work day-and-night to make sure your network and security are performing optimally, whatever the weather.

When you need guaranteed response times and complete support, talk to Yell IT.

Local IT risk & compliance capability

Our specialists are 100% Brisbane based, acting as your local IT assurance partner.

Plain-speaking experts

Effective communication is critical for security, so our team keep messaging clear and precise. Crucially, this minimises confusion and protects your organisation in emergency situations.

Deep cybersecurity capability

Security is at the very core of our business. We apply extensive practical expertise, providing you with reliable and thorough solutions that help you address uncertainty with confidence.

Talk to us about your risk and compliance requirements

Other specialist cyber security services