i-Assess / i-Decide
i-confidential’s i-Assess approach rapidly reviews an organisation using a library of industry standard controls that we have prioritised against the latest cyber threats. Each review is tailored to the client, prioritising the controls based on their organisation’s operating environment.
This client is a multinational organisation selling insurance and pension products who needed to understand their information security risks and determine the cost and priority of addressing them.
Below is an example of where we have utilised the i-Assess and i-Decide components of i-Deliver to accurately assess a client. We identified the control weaknesses, highlighted the risks, and provided the prioritised, costed control improvement activities to enable the client to rapidly address its control gaps.
Using i-Assess, i-confidential conducted an onsite review to probe the client's control position and provide a comprehensive picture. The review spanned the entire enterprise, from application and infrastructure estates through to business operations. i-Assess provided instant, easy-to-understand management information (MI) for executive audiences by illustrating the results using a simple traffic light system (red, amber, green) to highlight the state of a control.
Based on the i-Assess output, we then used our i-Decide methodology to create a three-year prioritised and costed security improvement programme (SIP) to transform our client's cyber security posture. Within the SIP, we mapped the risk reduction outcomes of each activity to show how the risk would reduce over time and how much this would cost for each risk.
Sample ‘Graphic Equaliser’ diagram:
Our approach determined the information security risk position for the client’s material cyber risks. 82 required controls were reviewed and 10 risk areas identified, including 40 unique weaknesses. The SIP provided a transparent cost vs. risk view of the required improvements, showing the year-on-year risk reduction that would be achieved by the programme. This enabled the Head of Security to recommend to the executive the best level of investment and the right improvements to make based on the organisation’s appetite for the different cyber risks. The approach also gave the risk committee and auditors confidence that the investment proposal was built on a sound and logical foundation.
Identified control gaps and security risks
Created a detailed Security Investment Programme of work
Created ‘Graphic Equaliser’ to demonstrate a 3 year spend to reach target risk position