Technology Advisory

The main goal of this range of services is to analyze the client’s requirements and assess their goals in order to direct the most appropriate strategic improvement plans.

• Hybrid & Multi-cloud Readiness Assessment: A service involving analysis of the organizational structure, operations and technologies used by the client; its goal is to assess the organizational and procedural effort and the technological impacts of a potential migration to a multi-cloud environment. The assessment is constructed through a series of elements which allow an in-depth multi-dimensional analysis to be performed on the current level of preparedness for migration.

• Multi-cloud Impact Analysis: Mapping of the dependencies between the existing technologies, the business processes and the services in order to define the extent to which the corporate processes can be ported to the cloud with an appropriate level of confidentiality, integrity, availability and resilience. The activity is performed through a series of methodological steps which, by inputting the existing organizational, procedural and technological elements, allow the drafting of a developmental multi-cloud adoption roadmap towards an optimized model in line with the client’s actual requirements.

• Multi-cloud cost comparison (ROI and TCO): Assessment and comparison of the costs of different developmental digital transformation scenarios. Comparison between on-premises digital transformation projects and multi-cloud scenarios. Standard indices are compared, such as the return achievable in relation to the amount of the initial investment (ROI), or the projected costs borne for the purchase, commissioning, use and decommissioning of a service (TCO).

• Cybersecurity Assessment: Analysis and assessment of the client’s cybersecurity management system. Verification of technological, organizational and procedural elements, both in on-prem and multi-cloud environments. Definition of a strategic plan to reach appropriate levels of maturity in the management of the client’s security, taking into account their business sector.

• Compliance Assessment: Analysis and assessment of the client’s compliance management system. Verification of technological, organizational and procedural elements, both in on-prem and multi-cloud environments. Definition of a strategic plan to attain appropriate levels of client compliance in relation to the applicable laws, regulations and/or standards (e.g.: GDPR).

• Internal SOC and/or Incident Handling Process Assessment: Analysis and assessment of the client’s Security Operations Center, or more specifically of their cybersecurity incident management system. Verification of technological, organizational and procedural elements. Definition of a strategic plan to increase the level of maturity of the SOC and to optimize the client’s security incident management system, taking into account their sector and the applicable regulations (e.g.: data breaches, GDPR).

• Integrated Risk Analysis: Application of the integrated risk analysis methodology supplied by Lutech, or the client’s proprietary version, for identification, analysis and support in the assessment of risks relating to information security (ref. ISO 27001), quality (ref. ISO 9001), workplace health and safety (ref. ISO 45001) and the environment (ref. ISO 14001).

• Business Impact Analysis: An activity which falls under the scope of business continuity and application of corporate recovery or continuity strategies. BIA allows an assessment of the losses (qualitative and quantitative) to an organization’s business following a prolonged interruption to their essential services. It therefore represents the main input to the management of corporate operational continuity for the definition of a composite strategy (people, process, technology) which is able to optimize costs and minimize losses, identifying the best technological solution in line with the express requirements of the business.

• IoT and/or Industrial Security Assessment: Analysis and assessment of the security management system applied to Internet Of Things scenarios or relating to the client’s industrial systems. Verification of technological, organizational and procedural elements. Definition of a strategic plan to reach appropriate levels of maturity in the management of the client’s security and compliance (e.g. NIS) in IoT and OT environments.

• Supply Chain Contract Assessment: Analysis and assessment of the client’s IT supply contracts. Checks on the organizational, procedural and supervisory elements of existing contracts or those under negotiation with cloud service providers, outsourcers or suppliers of facility and application management services. Definition of a strategic plan for optimization of the organization and processes to plug any gaps found during the analysis.

• Cyber attack simulations: Ethical Hacking or white-hat activities with the goal of checking the level of security of systems, applications and entire on-prem and multi-cloud infrastructures, even in vertical environments such as IoT platforms and industrial networks. These activities allow the identification of potential vulnerabilities within the perimeter of analysis which could be exploited by malicious, or black-hat, hackers to compromise the confidentiality and integrity of information or the availability of strategic assets. The main goal is to define a strategic plan to fix any vulnerabilities identified (patching, hardening, upgrading) in order to achieve sufficient levels of security and protection.

The goals of these categories of advisory services are the identification, design and implementation of organizational and procedural solutions which are effective and useful in terms of attaining the client’s security and compliance goals. They also include support, supervision and procedural completion of governance for the technological solutions.

• Hybrid & Multi-Cloud Blueprint: Redefinition of the organizational and business processes in relation to a new hybrid & multi-cloud model.

• Information Security Management System (ISO/IEC 27001): Design and implementation of a holistic information security management system in line with the provisions of ISO/IEC 27001.

• Business Continuity Management System (ISO/IEC 22301): Design and implementation of a holistic business continuity management system of the client company in line with the provisions of ISO/IEC 22301.

• Information Security Policies, Strategy and Architecture: Design and formalization of the set of operating procedures, policies, standards and guidelines for the management and control of the various domains which contribute to the client’s global cybersecurity and compliance strategy.

• Risk Management Program: Definition and implementation of the corporate information risk analysis & treatment methodology in line with the provisions of the applicable international standards (ISO/IEC 31000 and ISO/IEC 27005).

• Data Governance Program: Definition and implementation of the program for the secure management of critical client data. This service involves fine tuning the entire management framework for the company’s information, where necessary supported by technology solutions able to implement discovery, classification and protection of proprietary data from risks deriving from improper or illicit removal, use or distribution.

• Enterprise Compliance Program: Analysis, definition and implementation of the management program of the entire lifecycle of the organization’s compliance with regard to IT infrastructure and information security matters. This service involves a series of methodological steps to identify the relevant standards and regulations, define the policies, map out the controls, create the reports and implement the activities required for continuous improvement of the levels of compliance.

• Privacy & Regulatory Compliance: Design and implementation of a holistic management system for the protection of personal data in line with the provisions of the European GDPR and integrated with extra-EU legislation and regulations.

• Cybersecurity Operation Program: Analysis, design and implementation of a Security Operations Center. This service involves the definition and implementation of all technological, organizational and procedural elements which, overall, allow high levels of corporate security to be achieved. This occurs through the preparation of an SOC services catalogue customized by industry and the organic implementation of a series of cybersecurity management processes able to prevent and detect advanced threats and to respond to any remote attacks.

• Asset Inventory & Information Classification: Service for the formalization of documents (operating procedures and policies), definition of processes and implementation of systems for the classification and labelling of corporate information.

• Secure build & system hardening: Service for defining the vulnerability management processes and application of security standards (e.g.: CIS, NIST) to reduce the attack cross-section of systems, databases, applications and network devices, whether these are in traditional on-prem environments or are multi-cloud hosted.

• IoT and/or Industrial Security Framework definition: design and implementation of a security framework structured over IoT or OT environments. The goal of this type of service is to create a summary of the international security guidelines and standards (CIS, NIST, ENISA) and customize them for the client’s environments. The framework, once consolidated, allows the appropriate risk analyses to be performed and the most suitable countermeasures to reduce these chosen (risk treatment).

• Cybersecurity requirements for contracts: Client security requirements analysis service, structured by industry, followed by formalization of the specific documents containing a list of cybersecurity and compliance restrictions for providers (cloud service providers, outsourcers and providers of facility or application management services). These documents are then annexed to the client’s standard documentation in their contracts with their own providers.

Advisory services offering continuous support and shadowing for those responsible for cybersecurity and data protection.

• Multi-Cloud Governance & Compliance: Monitoring of the levels of availability and security of the services, with checks and optimization of the monitoring and management processes over time to ensure they are continuously aligned with business requirements.

• Audit Services: Audits of cybersecurity and data protection practices and the processes, procedures and documentation used in the company to support management of information security and/or compliance with laws/regulations (e.g.: GDPR) or international standards (e.g.: ISO/IEC 27001). The audits are carried out in accordance with international standards (e.g. ISO/IEC 19011).

• DPO as a Service: Data Protection Officer service compliant with the provisions of European personal data protection regulations.

• CISO as a Service: Continuous support service to clients in matters relating to cybersecurity on multi-cloud and on-prem platforms. The professional assigned by the advisory team is responsible both for defining the strategy and managing security. They control the policies for assignment of responsibilities and handle staff sensitization and training. They provide opinions on risk assessment and privacy-by-design concepts. They represent the point of contact for all matters relating to the prevention and detection of and response to IT incidents. They guarantee that the client is on the right path, ensuring continuous improvement of the information security management system.

• Cybersecurity dissemination, training & awareness: Analysis, design and supply of information security and data protection courses. The courses and campaigns to increase awareness of cybersecurity matters and compliance are created specifically in relation to clients’ actual requirements.