Demystifying your Cyber Security Issues.

We tailor our services to your needs to solve your cyber security problems.

At EHJ & SJ Consultancy Ltd we eat, sleep and breathe IT security!

Our range of flexible cyber security solutions includes supporting security within ICT migration programmes, undertaking reviews of your existing ICT infrastructure, cloud-based risk assessments, performing security testing and guiding your organization in achieving cyber maturity. We also provide services to implement and operate security DevOps.

We aim to demystify your cybersecurity issues by providing support, knowledge and practical hands-on assistance. We provide clients with a 360-degree security viewpoint and proactively encourage them to "shift to the left". This simple methodology ensures that robust security protocols are implemented from the start of any project, a critical step required to reduce risk and identify vulnerabilities.

Our services are delivered by experienced industry consultants with over 30 years of combined expertise in delivering security services to support IT, Critical Infrastructure and software development. Our personal and inclusive approach allows us to integrate effectively with both onsite teams and third-party suppliers.

State-of-the-art project management tools support our inclusive project management process and allow us to respond promptly to changes in scope while maintaining full visibility across any given project.

Simply put we love what we do!

What We Do

We provide professional cybersecurity services and products to help secure your infrastructure, systems and data.

Security Architecture Services

We offer complete security architecture as a service to clients wishing to know whether their infrastructure is securely designed and where it is at risk from potential security attacks. Our Security Architecture service can be used to identify security weaknesses during the development of your design, or to undertake a detailed review of your existing infrastructure, be it cloud, on-premises systems or software application systems. We also design and implement security governance procedures, using security controls designed to ensure your systems and business are compliant. We examine the security technology, tooling and operational processes designed to prevent attacks, and we advise on, devise and implement solutions to address any gaps we identify.

Security Testing & Management Services

Security test management is the complete end-to-end management of security testing services, designed to put you at ease when it comes to vulnerability scanning or penetration testing. We have partnered with CREST-certified penetration test companies that provide the best in penetration testing. We collaborate with our clients to ensure we understand the scope and the infrastructure requiring testing, and then arrange testing either with our in-house ethical hackers or, where required, with an independent certified penetration tester. We also provide continuous web and network infrastructure vulnerability testing using our cloud-based platform, giving you continuous scanning and reporting. Our systems integrate with a wide range of vulnerability management systems so that managing vulnerabilities and patches is seamless.

Audit, Risk & Compliance

Obtaining an inventory, or understanding what assets an organization possesses, is often tricky, complex and hard to manage as part of a standard business-as-usual lifecycle. EHJ & SJ Consultancy is an experienced consultancy working with multiple organizations to determine the best way to assess and audit them against ISO 27001, Center for Internet Security, Cloud Security Alliance, Cyber Essentials, ISA-62443 and PCI-DSS. We perform gap analysis reviews of security governance procedures and work to ensure organizations adopt governance, risk and compliance processes to manage security risks. We provide solutions to address the gaps, ensuring you can achieve compliance.

Security DevOps

Building security into the Software Development Lifecycle (SDLC) is pivotal to ensuring vulnerabilities are mitigated from day zero, and establishing a secure development lifecycle can save organizations significant cost. We have tried and tested cost-effective approaches to building, consulting on and implementing a security-based development lifecycle. Whether you are looking to deploy infrastructure as code or to build and deploy software for websites, microservices and mobile applications, we can provide the necessary support to embed security into your SDLC. We offer a consultancy service that guides your organization towards a fully secure development process by implementing a robust SecDevOps approach, creating pipelines that incorporate the best security testing from concept to production.

Resource Augmentation

Whether you require short-term capability to support a technical security programme or need to build a team of highly qualified technical resources, we can draw on our large pool of candidates, both internal staff and associates, to offer short- to long-term support in acquiring security and technical resources. What makes us unique is our solid understanding of the constraints faced by clients who need support from technical individuals but don't necessarily know what an excellent candidate fit looks like. Our team comprises security and solution architects and consultants, and can be leveraged to identify ideal candidates who possess the right technical and people skills.

Security eLearning & Phishing Awareness

EHJ & SJ Consultancy brings you a phishing and awareness platform designed to improve and measure the 'human security' element of your organization. Our phishing platform supports improvements in your overall cyber maturity and resilience to cyber threats through:

  • Coordinated, automated phishing campaigns
  • Security awareness training, wherever you need it
  • A single pane of glass for analyzing your organization's risk and the improvements across your staff
  • Cyber awareness made simple for you and your users
  • Policy compliance: store your corporate policies and manage them
  • Detailed but straightforward reporting, with data provided in real time
  • Easy user synchronization through Active Directory and Google integration
  • A real-time breach monitor providing cyber threat information

Public Sector Frameworks

We supply to the following Public Sector Frameworks.

We are proud to support the Public Sector and can be found on the following Public sector procurement frameworks:

Sector Framework                          Framework Description
----------------------------------------  ---------------------------------------------------
G-Cloud 12                                Cyber Security Consultancy Services
Crown Commercial Services                 Cyber Security Services 3 DPS
Crown Commercial Services                 Digital Outcomes and Specialists 5 Supplier
Yorkshire Procurement Organisation (YPO)  Data Centres, Maintenance, Cloud Hosting and Security
NHS NOE CPC ICT Solutions Delivery        Professional IT Services & Consultancy Support

Case Studies

We love what we do; check out some of our latest work.

Royal Sun Alliance Digital Transformation Programme

Enterprise and Cloud Security

Travelex Cloud Migration Programme

Cloud Security & Auditing

We were asked to undertake a security assessment of Travelex's Payments Platform hosted in AWS. Our approach began with an initial gap assessment against PCI-DSS and the ISO 27002 controls to support Travelex's overall compliance needs. The Payments Platform provided foreign currency exchange rates and transfers across the globe and had high user demand, hence the need to ensure the platform's security was in line with industry best practice.

Challenge: The platform was already processing a high volume of FX transactions and the engineering team had a backlog of technical debt, so security was not at the forefront of the team's mind when we were appointed to review the security status of the payments platform.

Outcome: We performed a comprehensive review of the business processes (the development lifecycle for deploying software and infrastructure) and also inspected and tested aspects of the platform within AWS, producing a number of findings relating to compliance issues and security risks. We provided a detailed report outlining the potential financial risks to the business, together with cloud security advice to remediate our findings, so that Travelex had a clear understanding of what to improve and how to undertake those improvements to better protect their payments platform from cyber attack.

Why not read more about our case study on Cloud Security on our Blogs page.

Supporting iDMobile Build Security in Google Cloud for an OFGEM Regulated Project

Cloud Security & Compliance

Ensuring compliance with Dixons Carphone Warehouse Group (DCG) security policies, and delivering a solution that would protect financial and personal information, was a challenge for iDMobile, a telecoms company owned and managed by Dixons Carphone Warehouse. iDMobile were required to comply with OFGEM's regulation on the exchange of customer contract data during tariff exchanges between telecom providers.

Challenge: The project needed to obtain security assurance from DCG Information Security that the platform hosting the IT infrastructure, which managed data flows between several external interfaces (including DCG's) and published reports to OFGEM, was built to a high level of security.

Outcome: EHJ & SJ Consultancy's security architecture services were used to perform threat modelling of iDMobile's solution hosted in Google Cloud and to undertake a detailed analysis to identify potential security weaknesses. Collaborating with the development teams, we established mitigation controls to protect the solution deployment on Google Cloud and to ensure the integrity and confidentiality of the data being exchanged. This allowed iDMobile to obtain security assurance approval from DCG's Information Security team.

Why not read more about our case study on Cloud Security and achieving Compliance on our Blogs page.

Santander PSD2: Open Banking

Application Security and SecDevOps

Supporting a global bank here in the UK, and working with the other banks of the CMA9, EHJ & SJ Consultancy were invited to support Santander in building a security lifecycle for their new PSD2-compliant platform. We also provided support in developing a security-based solution for the complex microservice architecture that supports the bank's integration into the trusted Open Banking ecosystem.

Challenge: Working with the bank's development, architecture and IT teams, the challenge was to build security into everyone's daily objectives, including creating and supporting a full SecDevOps lifecycle for the deployment of software code. In addition, the bank faced challenges in migrating services from legacy IT to a hybrid cloud deployment, including the need for a new Public Key Infrastructure to support key signing and certificate management for the PSD2 requirement of TLS mutual authentication.

Outcome: Using our passion for driving security into a programme, we actively built and supported continuous development pipelines that incorporated the latest security testing to perform SAST/DAST testing of all software developed by the teams. We also reviewed the as-is IT and network architecture and built a solution that incorporated physical HSMs for storing cryptographic material, and worked to integrate a fully scalable and reliable internal PKI solution to support the bank's PSD2 requirements.

Why not read more about our case study on adopting Web Security Practices on our Blogs page.

Tesco Banking

Web Security

Working with Tesco on supporting their security architecture governance, we were asked by their Banking team to assist Tesco Bank's development and architecture teams in ensuring their mobile Tesco Clubcard and Banking application was secure, both in terms of the development lifecycle and the supporting backend infrastructure.

Challenge: Reviewing the backend infrastructure presented some challenges, given that the bank's IT infrastructure was somewhat legacy-based and didn't necessarily support the scaling and segregation of systems needed to exchange data with the mobile application.

Outcome: We undertook a technical threat assessment of the backend IT infrastructure to identify potential security weaknesses in the end-to-end design, and provided feedback and support in hardening and improving the overall security configuration of the supporting infrastructure to reduce the threat of potential security attacks.

Why not read more about our case study on adopting Web Security Practices on our Blogs page.

Network Rail: First Deployment of Traffic Management Systems Programme

Critical Infrastructure Security Auditing & Compliance

Network Rail were deploying Traffic Management Systems (TMS) for the first time in a bid to improve railway timetabling efficiencies and upgrade legacy control systems infrastructure. With any Critical Infrastructure system, safety is paramount in the system design and development, and this extends to the domain of cyber security, where EHJ & SJ Consultancy supported the TMS Programme in evaluating the system design for security compliance. Using security frameworks such as ISO 27001 and ISA/IEC 62443, we evaluated both the core system design and the designs of two key integration suppliers. Our services ensured the overall design was secure by auditing the solution to identify security weaknesses and by providing security consultancy advice to improve the overall system security design.

The outcome of our contribution to the programme was to address the lack of security in the programme by evaluating the overall system using threat modelling to highlight security weaknesses, and then championing this message to the TMS programme director so that funding was allocated to support security improvements within the programme.

Southern TMS ITT Bid

Security Architecture Services

Supporting the train operating company Southern Rail, EHJ & SJ Consultancy provided a much-needed cyber security presence in the bidding stage of the programme, drawing on our own understanding and experience of applying cyber security to Critical Infrastructure. We reviewed the bids that Southern Rail received for the tender to upgrade their signalling infrastructure, acted as an SME in evaluating each bidder's cyber security proposal, and provided feedback on which bid best applied the principles of a secure-by-design approach.

LUL Railway Control Systems

Security Architecture

Our previous involvement with London Underground Ltd (LUL) was to create and implement a secure PLC system with system monitoring as part of the Train Describer (TD) upgrade programme on the SSL lines. We achieved this by providing a fully-fledged TD system with real-time monitoring, utilising best practices taken from the ISA/IEC 62443 standard to ensure overall compliance with LUL security standards.

We undertook the design, development and integration of a safety-critical signalling asset that was built with security in the solution from the word 'go'. Using ISA 62443 security controls, we evaluated the requirements, translated these into project deliverables and developed a design that embedded these controls, ensuring access control, system hardening and disaster recovery were built into the design so that we would achieve sign-off from the principal security assurance engineers to integrate the system into a live operational railway.

The outcome of delivering this project to London Underground was that it was the first technical control system to have taken a security-conscious approach to delivering Signalling & Control Systems, and it set the standard for future projects.

Our Clients

EHJ & SJ Consultancy has been honoured to work with these clients.

We were blown away by the sheer professionalism and technical breadth that EHJ & SJ Consultancy provided us in reviewing our Payments platform hosted in AWS. We had concerns but were never entirely sure of the security risks of going into the Cloud at pace, and EHJ & SJ Consultancy's team provided us with a comprehensive list of issues to look into and supported us in applying best practices.

Jacques Burger, CISO, Travelex Ltd

Delivering quality while under time constraints is always a pressure, but EHJ & SJ Consultancy managed to promote security as an organization-wide responsibility proactively. Happy with the relationship we have with EHJ & SJ Consultancy and would recommend them on their ability to apply Application Security and Security Architecture services.

Eduardo Martinez Barrios, Santander Payments & Industry Oversight - Open Banking

Ensuring security was taken seriously and implemented on a project with no regard for cybersecurity was attributed to EHJ & SJ Consultancy's input on the TMS program. We successfully managed to undertake a full security audit of our supplier's design to part ISO27001 and ISA 62443 and have the ability to assess the security risks posed to the overall safety profile.

Network Rail TMS Programme, Network Rail

EHJ & SJ Consultancy provided us with excellent input on how security can be built into a contract and what a security lifecycle looks like, something that has been missing for many years working on these types of Infrastructure projects.

Network Rail: Southern ITT Bid, Stanway Consulting

Contact Us

Reach out for a new project or just say hello.

Contact Info

Where to Find Us

EHJ & SJ Consultancy, The Gatehouse, Gatehouse Way, Aylesbury, HP19 8DB

Email Us At

contactus@ehjsjconsultancy.co.uk