Cyber Programme Wrestles with Tough Investment Decisions
“A key customer success factor was our engagement with the business.”
One of our insurance clients sought a partner to address a lack of business impact assessments (BIAs) for their systems. Without accurate and up-to-date BIAs, their cyber security transformation programme was struggling to determine the investment required to secure their highest-risk applications.
This fundamental gap also impacted the effectiveness of their active operational controls. They were unable to prioritise tactical activities based on the criticality of the information.
We delivered a BIA standards document that defined the requirements, roles and responsibilities, and BIA scoring approach for the organisation. We also delivered a SharePoint BIA repository with data capture forms. This enabled system owners to complete these, along with an associated process description.
The forms delivered a BIA scoring mechanism that provided the application owners with guidance on how to determine impacts using the organisation’s CIA risk framework. It then calculated the overall BIA score based on this. Additionally, we assisted each business department to complete their BIAs.
The Approach
The Problem
The Outcome
A key customer success factor was our engagement with the business. We liaised with IT security and key business partners to orientate them in the process. This gave application owners the confidence to operate the process themselves. It also mitigated the risk of a lack of ownership, as business accountability was clear from the outset.
i-confidential’s solution enabled the client organisation to create BIAs for all their business applications through a clearly defined process, with a repository for maintenance purposes. The resulting BIA scores were agreed by both the risk and audit teams, as they were completely aligned to the organisation’s risk impact ratings. The organisation was then confident that the BIA scores could be used to prioritise remediation. It could also determine the level of controls required, associated with the risk of compromise.