IT security audit
Protecting your IT system
IT security protection assessment
SSF has recognised experience in several areas of IT security:
An organisational audit assesses the maturity of the company in question in terms of IT security, based on the guidelines published by ANSSI, the French national cybersecurity agency. It also checks compliance with ISO/IEC 27001 and 27002, to which it may be useful to add further frameworks such as NIS, RGS, IGI 1300, etc. Following these assessments and checks, one or more detailed action plans are proposed to address non-compliance issues on the one hand and security requirements on the other.
In brief, an organisational audit enables the customer to confirm that the action already taken is relevant, consistent and effective within the chosen framework, and to plan further action as part of a continuous improvement process (PDCA: plan, do, check, act).
The technical audit addresses the need to understand how effective a system's security measures actually are. It is generally carried out as part of intrusion and exploitation tests. An architecture and configuration audit may be necessary before or after an intrusion test.
Intrusion and exploitation tests are generally carried out in a number of phases: discovery (searching for externally visible vulnerabilities, information published online or in the public domain, etc.), enumeration (vulnerability tests and checks), exploitation of the identified and tested vulnerabilities by intrusion attempts against the target system from both inside and outside and, finally, the production of a report for the customer, generally comprising a highly technical section of results and a second section setting out the findings in plainer terms for decision-makers.
Architecture and configuration audits are carried out in accordance with the best practices and documentation of the manufacturers or publishers, taking into account the customer's context and production and operating requirements. The audits must also meet the technical security needs arising from the customer's own operations and the security risks identified. They are conducted in conformity with international security standards.
The report produced lists all the defects and inconsistencies identified. Depending on the customer's requirements, a remediation plan and support for its implementation may be proposed.
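As an added illustration of what one check in a configuration audit looks like in practice (this is example code written for this page, not SSF's tooling), the following Python script audits an OpenSSH sshd_config against a small hardening baseline. The baseline values, the thresholds and the two sample configurations are assumptions constructed for the example; an actual audit cites the exact vendor or ANSSI recommendation it applies. It shows two points an auditor has to handle rather than grep for: a directive that is absent takes its OpenSSH default, so silence is not compliance, and OpenSSH keeps the first value it reads for a directive, so a later `PermitRootLogin no` does not override an earlier `yes`.

```python
"""Configuration-audit check for an OpenSSH sshd_config (added example, not SSF's code).

The expected values below are an assumed hardening baseline for illustration;
a real audit cites the exact vendor / ANSSI document it applies.
"""
from __future__ import annotations

from dataclasses import dataclass

# Effective defaults OpenSSH (7.x and later) applies when a directive is absent.
# An absent directive is audited at its default value, never skipped.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "strictmodes": "yes",
    "maxauthtries": "6",
}

# Assumed baseline: value each directive is expected to have.
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "strictmodes": "yes",
}
MAX_AUTH_TRIES = 4  # assumed upper bound for the example


@dataclass
class Finding:
    directive: str
    effective: str   # value actually in force
    expected: str
    explicit: bool   # False when the weak value comes from the OpenSSH default


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the effective global value of each directive (keys lowercased).

    OpenSSH uses the FIRST value it reads for a directive, so later duplicates
    are ignored here too. Everything after the first 'Match' line is conditional
    and is left out of this global check.
    """
    values: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) < 2:
            continue
        values.setdefault(key, parts[1].strip().lower())  # first occurrence wins
    return values


def audit_sshd_config(text: str) -> list[Finding]:
    """Compare the effective configuration with the baseline and list deviations."""
    configured = parse_sshd_config(text)
    findings: list[Finding] = []
    for directive, expected in EXPECTED.items():
        explicit = directive in configured
        effective = configured.get(directive, DEFAULTS[directive])
        if effective != expected:
            findings.append(Finding(directive, effective, expected, explicit))
    tries = configured.get("maxauthtries", DEFAULTS["maxauthtries"])
    if not tries.isdigit() or int(tries) > MAX_AUTH_TRIES:
        findings.append(Finding("maxauthtries", tries, f"<= {MAX_AUTH_TRIES}",
                                "maxauthtries" in configured))
    return findings


# Constructed sample: looks partly hardened, but the first PermitRootLogin wins,
# PasswordAuthentication is never set (default yes) and MaxAuthTries is too high.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
X11Forwarding yes
MaxAuthTries 10
PermitRootLogin no
Match User backup
    PasswordAuthentication no
"""

# Constructed sample: every audited directive set explicitly to the baseline value.
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
StrictModes yes
MaxAuthTries 3
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}] {len(audit_sshd_config(cfg))} finding(s)")
        for f in audit_sshd_config(cfg):
            origin = "explicit" if f.explicit else "default"
            print(f"  {f.directive}: {f.effective} ({origin}), expected {f.expected}")
```

The `explicit` flag is what distinguishes a remediation line in the report ("set the directive") from a warning about an implicit default, and the early stop at `Match` is deliberate: conditional blocks need a per-user or per-host evaluation that a global check must not silently fold in.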
Training/cyber security education/cyber vigilance
This educational approach is supported by a serious game published by one of our partners. It can be used at different levels of responsibility within the company, with a dedicated course assigned to each. It is made up of educational sequences that provide keys to understanding, set out appropriate action to take against attackers, and encourage a safer approach to the daily use of IT tools. These keys are presented in the form of a serious game adapted to each level.
Audit preparation in liaison with the customer
Location, contacts, paperwork, timetable and, where applicable, a letter of intent.
Discussions concerning the first version of the report
Report submission
In person, at the customer's request.