Security Review Service

Whether your systems have been developed in-house, by a third party, or are externally hosted, it's good to have confidence in their security. 2T Security offers a comprehensive security review service for organizations looking for independent assurance of their processes and architecture.

Our review processes are tailored to your needs. Whether you are looking for an in-depth technical review of software and hardware infrastructure, or a critical eye being cast over the business process definitions, we can help. Reviewing the development and operational processes that have been used is often a part of our scope as well. We have performed reviews across a wide variety of projects and clients, up to and including large-scale 'red team' exercises seeking to identify specific exploitable vulnerabilities in a workshop format.

We can help at any stage of the project lifecycle:

2T Security review process diagram

Our approach

The initial scoping for the work is used to ensure that we have a clear understanding of your system and the objectives behind the review. We then create a written proposal for the work, setting out a clear scope and timeframe. This gives you confidence in what will be delivered.

The process for the main phase of work will depend on the nature of the review. Where your system has extensive documentation, we are able to carry out the review off-site. Other reviews have involved a mixture of off-site reading and on-site interviews and workshops to build up a full picture of the system. Any significant issues found during this phase will be notified to you verbally, to give you as much advance notice as possible.

The report

The report is written after the main phase of the review. A draft will be submitted to you so that you can ensure that it provides sufficient detail, and you have the chance to comment before it is finalized. A typical report will start with an executive summary of the issues found, followed by a section that sets the context of the report in more detail. Positive points identified by the review are listed; this is important as otherwise such a report can seem unduly negative to management readers who are not closely involved. The main part of the report then identifies the issues, describes why they are of concern in business language, and provides recommendations for fixing them. This section usually splits into sub-sections covering different themes, such as processes, technology, and project assurance. Each issue is rated for its severity.

Our staff

All of our staff involved in reviews have extensive backgrounds in information security assurance and security architecture. They are certified under the UK Government's NCSC Cyber Professional (CCP) scheme at Senior or Lead level. Some also hold other relevant certifications, such as CISSP. They also hold UK Government security clearances. They are experts in their fields of security, technology, and information assurance, but also speak in business language, rather than hiding behind technical jargon. We can work with every level of your organization.