Governance, Risk and Compliance (GRC) is a concept used to describe methods for ensuring that organizations meet their goals and comply with regulatory requirements in a reliable way, while addressing uncertainty and risk.
Within the GRC Business Area, Secana offers:
- Business management support in order to ensure that organizations meet the requirements for compliance with already existing laws, regulations and standards
- Analysis of existing requirements and goals in order to develop a holistic and measurable requirements profile, validated by already existing regulations
- Assistance in complex procurement processes, where laws and regulations may pose challenges for organizations
- System and Contract Inventories as a tool to map which personal data are being processed and for what purpose, and to keep track of already existing agreements. The service includes an IT agreement mapping in order to provide recommendations and action proposals which:
  - ensure that business needs correspond to already existing agreements
  - reduce business risks
  - lower costs
  - ensure the contract’s and subsequently the organization’s credibility
- Consulting services related to Systematic Risk Management, which is primarily based on ISO 31000.
- Advice and support to organizations regarding laws and regulations, including:
  - the General Data Protection Regulation (GDPR)
  - the Directive on Security of Network and Information Systems (NIS Directive) and related Swedish legislation
  - the Protective Security Act
- Audits and maturity assessments in accordance with the relevant internal and external requirements
Continuity and Crisis Management are becoming increasingly important parts of both private and public organizations’ security management. Secana has extensive experience in analyzing the specific needs and conditions of each organization and tailoring long-term solutions. A long-term, structured and balanced risk perspective contributes to robust business management, in which business risks are considered as part of the decision-making process.
Continuity Management aims at helping organizations achieve resilience regarding their most critical deliveries and functions. In simple terms, Continuity Management can be described as a systematic process of identifying an organization’s most critical functions and implementing the measures necessary to enable it to cope with disruptions.
Including the continuity factor in the business process helps organizations get better at managing the loss of their operational capability, or part of it, at minimal cost to their critical functions and deliveries. Secana supports organizations in this effort. Our point of departure is always a combination of our long-standing experience, applicable ISO standards (primarily ISO 22301 for continuity management) and state-of-the-art research, in order to provide optimal support.
Incident and Crisis Management
Incident and Crisis Management includes different phases: prevention, preparation, response, and a recovery process after the crisis. Incident and crisis management capabilities are important for all types of organizations, in order for them to live up to specific requirements and responsibilities and to minimize the risk of financial and business damage in the event of an incident or a crisis. An organization with well-established crisis management processes has a higher chance of handling a potential crisis without critical losses.
Secana supports both private and public organizations in every phase of this process. We work from a long-term, holistic perspective in order to enhance the organization’s crisis preparedness, but can also offer support for individual parts of the crisis management process. We carry out exercises, which are an effective way to increase an organization’s ability to act quickly during a crisis, evaluate plans, train staff, or perform capacity analyses of crisis organizations.
In the business area of Continuity, Incident and Crisis Management, Secana offers the following services:
- Support in identifying critical activities and developing a strategy
- Risk Analysis and Impact Assessment
- Development of a Continuity Plan
- Disruption Plans
- Methods for Management and Monitoring
- Audit, testing, and exercises
Crisis Planning and Development of a Crisis Management Organization
- Support in developing a long-term crisis management organization
- Strategic guidance and consulting services
- Development of policies and plans
- Support in developing organizational structures and roles
- Development of routines for training and competence development
- Support in developing a warning system
- Guidance in developing an organisation’s incident management capacity in accordance with ISO 27000 and/or ITIL
- Development of methods for incident management, incident reporting, processing of personal data during incident management/privacy
- Set up of a CSOC (Cyber Security Operations Centre) or the provision of a CSOC as a service
Crisis Management Exercises
- Plan, conduct and evaluate exercises
- Wide range of tailor-made exercises with varying levels and scope, depending on the respective organization’s requirements, capabilities and goals
- Games, seminars/workshops, tabletop exercises, Red-Blue team and full-scale simulation exercises
In response to the changes in the international arena, Sweden has resumed its total defence planning. Authorities, regions, municipalities, companies and organisations need to plan and prepare for their role in the total defence.
Total defence is a concept that refers to the strategy required to prepare Sweden for war, and encompasses all societal activities that need to be conducted at the highest level of preparedness. Total defence consists of both military activities (military defence) and civilian activities (civil defence). Both pillars need to be coordinated in order to build a resilient society.
Secana has expertise and experience in crisis and continuity management, protective security and information security. We combine this capacity to support organisations in overall total defence planning. Together we can develop the total defence planning in a way that also strengthens the organisation’s day-to-day operations.
Secana supports organisations in total defence planning by providing the following services:
- Support in total defence competence development
- Support in identifying activities that are part of the Total defence
- Support in identifying organizational dependencies
- Support in conducting risk and vulnerability analyses from a total defence perspective
- Development of continuity management processes that correspond to the total defence requirements
- Design and implementation of the necessary cooperation within total defence planning
- Support in setting requirements for contractors within total defence planning
Secana can also help organisations understand the hybrid threat – what it is and how it can affect operations. Together we can make use of this knowledge to strengthen your business resilience.
Information and Cyber Security refers to the prevention of damage to, unauthorized use of, and unauthorized access to electronic information and communication systems (IS/IT, ICT). Illegal disclosure of information and breaches of communication systems can have devastating consequences. The integrity of, and access to, information can be compromised, and organizations can suffer extensive disruptions as a result. Even a nation’s capacity can be affected in the event of an extensive disruption of critical societal functions or damage to critical infrastructure.
Within the Information and Cyber Security Business Area, Secana supports its clients in the implementation of solutions that correspond to their specific requirements and line of business. Our services include the following:
- Risk and vulnerability analysis in information and cyber security
- Development of models for monitoring, as well as for crisis management in cyber security
- Strengthening of collaborations in a world of increasingly integrated private and public sectors
- Targeted and specific training courses and other awareness-raising and competence development efforts for employees and managers
- Implementation of an information security management system (ISMS) – see offer below
- Security Operations Center (SOC) – see offer below
- Establishment of key roles for the organization, e.g. Data Protection Officer (DSO/DPO) and Chief Information Security Officer (CISO).
An Information Security Management System provides guidance to organizations on how they should manage their information security processes. Secana consists of experienced advisors with competence in information security and management systems (based on the SS-ISO/IEC 27000 standard), in accordance with the regulations on information security for government authorities and municipalities (MSBFS 2016:1, 2016:4, 2016:5, 2016:7).
Depending on the client’s needs, Secana can assist with:
- Project management and arrangements for the implementation of an information security management system
- Mapping and documentation of existing information security processes
- Establishing processes for information security
- Production of policy documents, guidelines and instructions for information security
As part of supporting organizations in their cyber security efforts, as well as in the event of ongoing cyber security incidents, Secana offers a SOC service that is adapted to the organization’s needs.
The service can include:
- Implementation of tools for in-house SOC activities
- Implementation and monitoring of IT environment
- Analysis and management of suspected and occurring incidents
- Support concerning the reporting of incidents in accordance with applicable laws and regulations
- Support concerning reporting to the organization’s management
- Support concerning reporting to other relevant actors
The service is based on tools developed by Secana’s partner Cybereason (for more information see www.cybereason.com).
The Business Area of Systematic Security Management incorporates services that serve as vital components for an organization that wishes to further develop its security management processes.
Our experience in supporting clients with protective security and the protection of critical infrastructure demonstrates that we have developed working methods to help our clients build an effective protection system in a cost-effective manner, as part of a long-term sustainable security process.
The common denominator within this business area is that we work to protect businesses with high-level security requirements. Apart from protective security, Systematic Security Management is of crucial importance in order to ensure compliance with the requirements of other regulations (such as the GDPR, NIS directive, ISO standards, etc.).
Our clients are aware of the need to work systematically with security issues as they possess assets worthy of protection, which are critical for their business or need to be protected with respect to other stakeholders (e.g. hazardous substances).
We work to a large extent with organizations of importance for Sweden’s security, organizations in need of protection against terrorism, and critical infrastructure operators. These are organizations that fall within the scope of the Protective Security Act or other regulations, and are thus subject to numerous requirements regarding how the protection of the organization should be designed. Our specialty is helping customers implement working methods that ensure compliance with existing regulations while at the same time adapting to the organization’s special needs and conditions.
Our work is mainly preventive, which means that we assist our clients in developing security functions that ensure their long-term protection. We constantly strive to help our clients conduct systematic, efficient and cost-effective security management. It is our mission to share with you our knowledge of how systematic security and protective security management can be organized and coordinated to foster synergies and add value to the client’s organization and its overall business objectives.
Typical assignments within the business area of Systematic Security Management include:
- Method and Processes Development
- Security and protective security analyses and development of security plans
- Development of an effective security management and governance system
- Mentoring and competence support for security and protective security managers
- Establishment of goals for security management
- Follow up on security management based on established goals
- Evaluation of the effects of an organization’s security management
- Development of supporting policy documents
- Establishment of functions for security requirements in procurement
- Workshops, training and lectures (see our training offerings)
In recent years, the emergence of a new threat landscape has caused turbulence in societal security functions and has revealed deficiencies in civil defence. The future is characterized by great uncertainty. The development of Sweden’s future resilience and defence capabilities demands new concepts, new methods and processes, and specialised competence. Research and innovation (R&D) is one of the most powerful ways to handle uncertainty and benefit from the opportunities created by new methodological and scientific breakthroughs.
In Sweden’s new concept of total defence, enhanced cyber security is a vital component. Hybrid threats and influence operations pose a serious threat to national security. An increasing number of organizations are affected, which brings to the fore an urgent need for research and innovation in, among other areas, cyber security.
Secana has extensive experience in supporting private and public organizations, both nationally and internationally, in the areas of risk management, continuity management, incident and crisis management, research and innovation and cyber security. We build strong ties with the scientific community through the development of cooperation with HEIs, research institutes and international research networks. We are a competent partner and a long-term contractor within research and innovation that supports the customer’s participation in consortia and other partnerships.
Within the Business Area of Research and Innovation, Secana offers:
- Planning, management and implementation of Research and Innovation at group level
- Monitoring, competence development and quality assurance in R&D
- Consulting services and methodology support with applications for calls from research financiers as well as for concept and capacity development
- Participation in standardization processes within cyber/total defence and societal security
- Reports and analyses based on scientific methods
- Scientific expertise in crisis management, organization and information security, with working experience in programmes within Vinnova, the EU, the EDA, and the European Defence Fund
- Competence support and mentoring to management teams and research managers
- Workshops, seminars, courses and lectures (see our training offerings)
Due to our solid knowledge and experience base, Secana can also offer operational analysis support (OA support) to authorities in the areas of cyber defence, hybrid threats, risk management, management and collaboration (LoS), international relations, crisis management capacity, and Human-Technology-Organization (MTO).
Secana offers training sessions, lectures and courses within all of our Business Areas:
- Governance, Risk and Compliance (GRC)
- Continuity, Incident and Crisis Management
- Information and Cyber Security
- Systematic Security Management
- Research and Innovation (R&I)
We offer fixed courses as well as uniquely developed solutions based on our clients’ needs and prerequisites. Contact us for more information about our training offers and tailor-made possibilities.
but also develops uniquely adapted solutions based on the client’s requirements. We offer courses within GRC, Information and cyber security, Systematic Security Management and Research and Innovation. Our current courses are presented below.
Secana also offers exercise activities within each respective area, with a focus on continuity, incident and crisis management. Exercises can be used to:
- Validate policies, plans, processes, training, equipment and agreements among organizations
- Train staff and assign them specific roles and responsibilities
- Improve coordination and communication between organizations
- Identify weaknesses, improve organizational skills, and identify opportunities for improvement
We assist organisations with planning, performing and evaluating exercises. Our knowledge covers a wide range of exercise types – from discussion-based to operational exercises, seminars, workshops, and theoretical and practical exercises (in accordance with ISO 22398).