IT Service Review
Having been responsible for the Change Management Programme at Reed Smith leading up to 3E’s successful implementation in May 2015, I now offer the benefit of that experience as a half day Change Management workshop designed to brief internal teams on key areas of change to look out for and manage.
Duration - 1 day
Format - Interactive presentation
The one-day workshop will be held on your premises for as many of your team as is relevant to you and, while the agenda is entirely flexible, I recommend the following sessions:
Change Advisory Team
A discussion around the setting up of a CAT. This should include stakeholders, Senior Management and (often forgotten) end user representation. Ideally an independent consultant should participate, as they will not be affected by internal politics and, with a foot in neither camp, will be able to challenge both internal management and the solution vendor in equal measure.
A discussion around the important subject of understanding current practices.
Hold meetings with representatives of all areas of the business before any project plan is announced. Explain the change coming and listen to the immediate reaction.
Be clear as to the areas of the business likely to be impacted and how this may differ. In the example of a global accounting system rollout the impact on the end user is very different to that of the back office Accounts team.
Probably the most important and yet most difficult component of the change management strategy. Clear and frequent communication is essential but the challenge is how. E-mail is typically used as the primary communication tool but has a remarkably low impact. This is a key area for creative thinking as to what will have most effect in the business and I have seen everything from posters on water coolers to 'theme' days in the staff restaurant to software branded cookies delivered to desks. Get staff involved. Create supportive Change Ambassadors that act as evangelists and become a critical part of the communication strategy.
You are introducing change for a reason. It may be to improve efficiency, reduce cost, replace something that doesn't work, enable access to information or introduce new ways to win business. Whatever the reason focus on the positive and include promotional messages in all communications.
With any legacy system it should be relatively easy to identify frustrations and pain points. Use these as 'we've listened to you' points in communications and describe how the new system will make life better.
Touch Point Focus
However large the project or system there may only be a small number of areas or functions that impact the end user. It is important to focus on these and where possible consider a phased approach to these changes. Is it practical for example to leave the existing reporting or time recording function in place until the core system has bedded down?
System V Process
Many firms see the introduction of a new software system as an opportunity to introduce new processes and practices. The thinking is based on taking immediate advantage of new functions/tools and getting as much change out of the way as possible. This can be a very risky strategy. It is often the process change that gives users the most pain and the new system will likely unfairly take the blame. Worse still, key metrics such as system performance will be very difficult to ascertain when users are struggling with the process change. If practical, consider separating system and process change into two defined phases of the project.
Help users adapt to change by updating all relevant firm training, documentation and references to the new system. This might include the on-boarding process, marketing materials, the firm's mission statement on the website or even the performance review process.
Post rollout support is critical. Most firms have well embedded support processes that typically involve a form of help-desk usually run by IT. Do not assume that the existing arrangement will adequately cope with the change. Floor walking, catch up training and access to SMEs (subject matter experts) should all be considered.
Total cost of Change Management Presentation is £800 + VAT
84% of data breaches are caused by staff error (PwC 2014). Know that your business critical data is safe.
Information Security Best Practice and Certification
Information, particularly personal client information, is increasingly becoming recognised as a business critical asset, forming the backbone of your organisation, and driving growth.
Despite the importance of this information, the applied security is often overlooked, resulting in the vast majority of security breaches actually coming from within the organisation - a result of poor policy, procedures, staff training and their awareness of security risks.
Many organisations are exploring the benefits of certifying to ISO 27001 as a means of letting your clients and business partners know that you take their information security seriously.
However, following considerable research it has been found that whilst ISO 27001 is an excellent standard it is expensive, time consuming and fairly complex to implement, particularly for small and medium sized businesses. Comments on the rising cost of ISO 27001 certification can be found in this excellent article by PivotPoint security.
The ProSec2 framework was put together by a number of Senior law firm IT Directors following increasing demand from clients for best practice assurances. The new IS accreditation, ProSec2 is designed to be a 'lite' approach and potential alternative to ISO 27001.
Where ISO 27001 focuses on having a management system and controls in place, the ethos behind ProSec2 is education. We believe that a well-informed business that understands, operates and communicates IS best practices internally will benefit from improved processes, enhanced customer relations and ultimately an increase in business.
The UK government are now offering Security Consultancy grants of up to £5000 for small businesses.
The ProSec2 Framework
The ProSec2 framework is built on 5 best practice principles. Each principle has an associated objective and requirement. As part of the package we provide 10 fully editable IS Policy Templates for your use should you need them.
By completing the assessment and achieving accreditation you will be informing your clients that your business is following best practice in these key areas.
ProSec2 is a straightforward and affordable 4 stage process to accreditation and the ProSec2 standard will give your clients the comfort that a best practice framework is in place. In addition once accredited, your business is more than half way to ISO if you wish to carry on.
As ProSec2 has a strong emphasis on education, we also believe that self policing is an important part of the accreditation and therefore our auditors only want to know that the best practices are understood and policies are active.
The straightforward and transparent audit process is carried out by a licensed, independent auditor who can award accreditation on the spot.
All ProSec2 accredited businesses may use the accreditation logo freely to promote the fact they have information security best practices in place.
The ProSec2 Package
Stage 1 - Preparation
On site preparation briefing by ProSec2 consultant
Self assessment questionnaire to assess risk and gaps in policy
Stage 2 - Implementation
Following completion of questionnaire, on site gap analysis by ProSec2 consultant of all documentation and processes. Provision of free policy pack (10 best practice IS policy templates)
Stage 3 - Review
On site review by ProSec2 consultant of all completed documentation and active policies
Certification checklist provided
Stage 4 - Audit & Certify
Onsite audit by independent auditor
Easy to understand
10 best practice IS policy templates included
Enhances client confidence & perception
Can offer competitive advantage and differentiator in contract tenders
Enhances security awareness within your organisation
Under 300 employees = £3,000
301 - 600 employees = £5,000
600+ employees = £7,500
The UK government are now offering Security Consultancy grants up to £5,000 for small businesses.
Contact us to order your ProSec2 package. We will arrange a date for your initial preparation meeting with a ProSec2 consultant.
The new European data protection regulations (GDPR) come into force in May 2018 and represent the most significant change to data privacy regulations for 20 years. With non-compliance penalties of up to 4% of global revenue, it is essential that businesses understand what's coming, the impact on systems/processes and what actions are needed to ensure compliance.
Duration - Half day
Format - Interactive presentation
Who should attend? Anyone who is or will be a member of the GDPR preparation team; stakeholders from key data processing areas (HR, Marketing, Finance, Records Management); supervisors from appropriate user teams
The 2twenty4 GDPR Strategy Workshop consists of:
Introduction to GDPR
Likely impact on current systems
Likely impact on current processes
Impact on Direct Marketing
New Data Access Request obligations
New Data Protection Officer obligations
New Breach Notification obligations
New Cloud Service Provider requirements
Developing a Compliance Action Plan
The workshop includes Data Register, Impact Assessment and Breach notification templates and will help you understand what you need to do to prepare, where the responsibilities lie within your business and the resources needed going forwards.
Understand key points of new legislation
Identify current risks and exposure
Engage key stakeholders
Maximise project success
Enhance communication to business
Produce compliance action plan
Total cost GDPR Workshop is £600 + VAT
The DPO Toolkit consists of 20 best practice templates and spreadsheets to assist with the planning and preparation for compliance and audit.
IDEAL FOR: Data Protection Officers looking for core documentation templates
Included in the toolkit:
Data Register (Excel)
Legal Processing Register (Excel)
Risk Register (Excel)
Task Assignment Schedule (Excel)
Third Party Processor Register (Excel)
GDPR Checklist (Excel)
6 Month High Level Project plan
Breach Notification Template
Incident Response Plan
Consent Process Template
Consent Withdrawal Process Template
Data Mapping Questionnaire
Data Mapping Template
SAR Process Template
Privacy Notice Policy
Privacy Notice Register
Processing Records Template
Data Transfer Process Template
Third Party Processors Policy
Third Party Processor Checklist Letter Template
Total cost of DPO Toolkit is £2,500 + VAT
The Cyber Essentials scheme has been developed by Government and industry to fulfil two functions. It provides a clear statement of the basic controls all organisations should implement to mitigate the risk from common internet based threats, within the context of the Government’s 10 Steps to Cyber Security. And through the Assurance Framework it offers a mechanism for organisations to demonstrate to customers, investors, insurers and others that they have taken these essential precautions.
Cyber Essentials offers a sound foundation of basic hygiene measures that all types of organisations can implement and potentially build upon. Government believes that implementing these measures can significantly reduce an organisation's vulnerability. However, it does not offer a silver bullet to remove all cyber security risk; for example, it is not designed to address more advanced, targeted attacks and hence organisations facing these threats will need to implement additional measures as part of their security strategy. What Cyber Essentials does do is define a focused set of controls which will provide cost-effective, basic cyber security for organisations of all sizes.
The five CE controls
1. Boundary firewalls and internet gateways - these are devices designed to prevent unauthorised access to or from private networks, but good setup of these devices either in hardware or software form is important for them to be fully effective
2. Secure configuration – ensuring that systems are configured in the most secure way for the needs of the organisation
3. Access control – ensuring only those who should have access to systems have access, and at the appropriate level
4. Malware protection – ensuring that virus and malware protection is installed and is up to date
5. Patch management – ensuring the latest supported version of applications is used and all the necessary patches supplied by the vendor have been applied
Contact us to order your Cyber Essentials package. We will arrange a date for your initial preparation meeting with a Cyber Essentials consultant.