Governance, Risk and Compliance (GRC) is a concept used to describe methods for ensuring that organizations meet their goals and comply with regulatory requirements in a reliable way, while addressing uncertainty and risk.
Within the GRC Business Area, Secana offers:
- Business management support in order to ensure that organizations meet the requirements for compliance with already existing laws, regulations and standards.
- Analysis of existing requirements and goals in order to develop a holistic and measurable requirements profile, validated by already existing regulations.
- Assistance in complex procurement processes, where laws and regulations may pose challenges for organizations.
- System and Contract Inventories as a tool to map which personal data are being processed and for what purpose, and to keep track of already existing agreements. The service includes an IT agreement mapping in order to provide recommendations and action proposals which:
  - ensure that business needs correspond to already existing agreements;
  - reduce business risks;
  - lower costs;
  - ensure the contract’s and subsequently the organization’s credibility.
- Consulting services related to Systematic Risk Management, which is primarily based on ISO 31000.
- Advice and support to organizations regarding laws and regulations, including:
  - the General Data Protection Regulation (GDPR);
  - the Directive on Security of Network and Information Systems (NIS Directive) and related Swedish legislation;
  - the Protective Security Act.
- Audits and maturity assessments in accordance with the relevant internal and external requirements.
Continuity and Crisis Management are becoming increasingly important parts of both private and public organizations’ security management. Secana has extensive experience in analyzing the specific needs and conditions of respective organizations, and tailoring long-term solutions. A long-term, structured and balanced risk perspective contributes to a robust business management which includes the consideration of business risks in the decision-making process.
Continuity Management aims at helping organizations achieve resilience regarding their most critical deliveries and functions. In simple terms, Continuity Management could be described as a systematic process of identifying an organization’s most critical functions and implementing the necessary measures so as to enable it to cope with turbulence.
Including the Continuity factor in the business process helps organizations get better at managing the loss of their operational capability, or part of it, with minimal cost to their critical functions and deliveries. Secana supports organizations in this effort. Our point of departure is always a combination of our long-standing experience, applicable ISO standards (primarily ISO 22301 for continuity management) and state-of-the-art research, in order to provide optimal support.
Incident and Crisis Management
Incident and Crisis Management includes different phases: prevention, preparation, response, as well as the restoration process after the crisis. Incident and crisis management capability is important for all types of organizations, in order for them to live up to specific requirements and responsibilities and to minimize the risk of damage to their economy and business in the event of an incident or a crisis. An organization with well-established crisis management processes has a higher chance of handling a potential crisis without critical losses.
Secana supports both private and public organizations in every phase of this process. We work with a long-term, holistic perspective in order to enhance the organization’s crisis preparedness, but can also offer support for individual parts of the crisis management process. We carry out exercises, which are an effective way to increase an organization’s ability to act quickly during a crisis, to evaluate plans, to train staff or to perform capacity analyses of crisis organizations.
In the business area of Continuity, Incident and Crisis Management, Secana offers the following services:
- Support in identifying critical activities and developing a strategy
- Risk Analysis and Impact Assessment
- Development of a Continuity Plan
- Disruption Plans
- Methods for Management and Monitoring
- Audit, testing, and exercises
Crisis Planning and Development of a Crisis Management Organization
- Support in developing a long-term crisis management organization
- Strategic guidance and consulting services
- Development of policies and plans
- Support in developing organizational structures and roles
- Development of routines for training and competence development
- Support in developing a warning system
Secana’s incident management support includes guidance in developing an organisation’s incident management capacity in accordance with ISO 27000 and/or ITIL. Examples are the development of methods for incident management and incident reporting, the processing of personal data (privacy) during incident management, and the set-up of a CSOC (Cyber Security Operations Centre) or the provision of a CSOC as a service.
Crisis Management Exercises
- Planning, conduct and evaluation of exercises
- Wide range of tailor-made exercises with varying levels and scope, depending on the respective organization’s requirements, capabilities and goals
- Games, seminars/workshops, tabletop exercises, Red-Blue team and full-scale simulation exercises
In response to the changes in the international arena, Sweden has resumed its total defence planning. Authorities, regions, municipalities, companies and organisations need to plan and prepare for their role in total defence.
Total defence is a concept that refers to the strategy required to prepare Sweden for war, and encompasses all societal activities, which need to be conducted at the highest level of preparedness. Total defence consists of both military (military defence) and civilian activities (civil defence). Both pillars need to be coordinated in order to build a resilient society.
Secana has expertise and experience in crisis and continuity management, protective security and information security. We combine this capacity to support you in your overall defence planning. Together we can develop your total defence planning in a way that can also strengthen your organisation’s day-to-day operation.
Secana is there to support you and your organisation in its total defence planning by providing the following services:
- Support in total defence competence development;
- Support in identifying activities that are part of total defence;
- Support in identifying organizational dependencies;
- Support in conducting risk and vulnerability analyses from a total defence perspective;
- Development of continuity management processes that correspond to the total defence requirements;
- Design and implementation of the necessary cooperation within total defence planning;
- Support in setting requirements for contractors within total defence planning.
Secana can also help you understand the hybrid threat – what it is and how it can affect your operation. Together we can make use of this knowledge to strengthen your business resilience.
Information and Cyber Security refers to the prevention of damage to, unauthorized use of, and unauthorized access to electronic information and communication systems (IS/IT, ICT). Illegal disclosure of information and breaches of communication systems can have devastating consequences: the integrity of, and access to, information can be compromised, which means that organizations can be the victims of extensive disruptions. Even a nation’s capacity can be affected in the event of an extensive disruption of critical societal functions or damage to critical infrastructure.
Within the Information and Cyber Security Business Area, Secana supports its clients in the implementation of solutions that correspond to their specific requirements and line of business. Our services include the following:
- Conduct of risk and vulnerability analysis in information and cyber security
- Development of models for monitoring and crisis management in cyber security
- Strengthening of collaboration in a world of increasingly integrated private and public sectors
- Delivery of targeted and specific training courses and other awareness-raising and competence development efforts for employees and managers
- Implementation of information security management system – see offer below
- Security Operations Center (SOC) – see offer below
- Establishment of key roles for the organization, e.g. Data Protection Officer (DSO/DPO) and Chief Information Security Officer (CISO).
An Information Security Management System provides guidance to organizations on how they should manage their information security processes. Secana consists of experienced advisors with competence in information security and management systems (based on the SS-ISO/IEC 27000 standard), working in accordance with the regulations on authorities’ and municipalities’ information security (MSBFS 2016:1, 2016:4, 2016:5 and 2016:7).
Depending on the client’s needs, Secana can assist with:
- Project management and arrangements for the implementation of the information security management system
- Mapping and documentation of existing information security processes
- Establishment of processes for information security
- Production of policy documents, guidelines and instructions for information security
As part of supporting organizations in their cyber security efforts, as well as in the event of ongoing cyber security incidents, Secana offers a SOC service that is adapted to the organization’s needs.
The service can include:
- Implementation of tools for in-house SOC activities
- Implementation and monitoring of IT environment
- Analysis and management of suspected and occurring incidents
- Support concerning the reporting of incidents in accordance with applicable laws and regulations
- Support concerning reporting to the organization’s management
- Support concerning reporting to other relevant actors
The service is based on tools developed by Secana’s partner Cybereason (for more information, see www.cybereason.com).
The Business Area of Systematic Security Management incorporates services that serve as vital components for an organization that wishes to further develop its security management processes.
Our experience in supporting clients with protective security and the protection of critical infrastructure demonstrates that we have developed working methods to help our clients build an effective protection system in a cost-effective manner, as part of a long-term sustainable security process.
The common denominator within this business area is that we work to protect businesses with high-level security requirements. Apart from protective security, Systematic Security Management is of crucial importance in order to ensure compliance with the requirements of other regulations (such as the GDPR, NIS directive, ISO standards, etc.).
Our clients are aware of the need to work systematically on security issues, as they possess assets worthy of protection, which are critical for their business or need to be protected with respect to other stakeholders (e.g. hazardous substances).
We work to a large extent with organizations of importance for Sweden’s security, organizations in need of protection against terrorism, and critical infrastructure operators. These are organizations that fall within the scope of the Protective Security Act or other regulations, and are thus subject to numerous requirements regarding how the protection of the organization should be designed. Our specialty is to help customers implement working methods that ensure compliance with existing regulations while at the same time adapting to the organization’s special needs and conditions.
Our work is mainly preventive, which means that we assist our clients in developing security functions that ensure their long-term protection. We constantly strive to help our clients conduct systematic, efficient and cost-effective security management. It is our mission to share with you our knowledge of how systematic security and protective security management can be organized and coordinated to foster synergies and add value to the client’s organization and its overall business objectives.
Typical assignments within the business area of Systematic Security Management include:
- Method & Processes Development
- Security & protective security analyses and development of security plans
- Development of an effective management & governance security system
- Mentoring & competence support for security & protective security managers
- Establishment of goals for security management
- Follow up on security management based on established goals
- Evaluation of the effects of an organization’s security management
- Development of supporting policy documents
- Establishment of functions for security requirements in procurement
- Workshops, training and lectures (see our training offerings)
In recent years, the emergence of a new threat landscape has caused turbulence in societal security functions and has demonstrated deficiencies in civil defence. The future is characterized by great uncertainty. The development of Sweden’s future resilience and defence capabilities demands new concepts, new methods and processes, and specialised competence. Research and innovation (R&D) is one of the most powerful ways to handle uncertainty and benefit from the opportunities created through new methodological and scientific breakthroughs.
In Sweden’s new concept of total defense, enhanced cyber security is a vital component. Hybrid threats and influence operations pose a serious threat to national security. An increasing number of organizations is affected, which brings to the fore an urgent need for research and innovation in, among others, cyber security.
Secana has extensive experience in supporting private and public organizations, both nationally and internationally, in the areas of risk management, continuity management, incident and crisis management, research and innovation and cyber security. We build strong ties with the scientific community through the development of cooperation with HEIs, research institutes and international research networks. We are a competent partner and a long-term contractor within research and innovation that supports the customer’s participation in consortia and other partnerships.
Within the Business Area of Research and Innovation, Secana offers:
- Planning, management and implementation of Research and Innovation at group level
- Monitoring, competence development and quality assurance in R&D
- Consulting services and methodology support for applications for calls from research financiers as well as for concept and capacity development
- Participation in standardization processes within cyber/total defence and societal security
- Reports and analyses based on scientific methods
- Scientific expertise in crisis management, organization and information security with working experience in programs within Vinnova, EU, EDA, and the European Defense Fund
- Competence support and mentoring to management teams and research managers
- Workshops, seminars, courses and lectures (see our training offerings)
Due to its solid knowledge and experience base, Secana can also offer operational analytical support (OA support) to authorities in the areas of cyber defense, hybrid threats, risk management, management and collaboration (LoS), international relations, crisis management capacity and the Human-Technology-Organization (MTO).
Secana offers training sessions and lectures but also develops uniquely adapted solutions based on the client’s requirements. We offer courses within GRC, Information and cyber security, Systematic Security Management and Research and Innovation. Our current courses are presented below.
Secana also offers exercise activities within each respective area, with a focus on continuity, incident and crisis management. Exercises are used to validate policies, plans, processes, training, equipment and agreements among organizations; to train staff and assign them specific roles and responsibilities; to improve coordination and communication between organizations; to identify weaknesses; to improve organizational skills; and to identify opportunities for improvement. We are there to assist you with planning, performing and evaluating exercises. Our knowledge covers a wide range of exercises – from discussion-based to operational exercises, seminars, workshops, and theoretical and practical exercises (according to ISO 22398). Read more under each training and exercise offering.