Creating Controls & Standards
Creating Controls to Drive Security Understanding and Lower Risk
By i-confidential Staff
A major UK life and pensions company engaged i-confidential to improve its cyber security capability. It had fallen well behind its peers, with security controls that no longer offered appropriate protection.
The organisation lacked a control framework that addressed current cyber security threats, so it could not readily identify control gaps or verify that its existing controls were operating effectively. Its security standards were correspondingly weak, because there were no sufficiently well-defined controls on which to base them.
Our approach to helping the client was based on our proprietary Control Framework. Aligned to NIST and ISO 27001, it contains 800 low-level control statements written in practical and understandable terms. It is built on the experience of working with large financial services organisations for many years.
Our team of experienced practitioners understood the client’s challenges and knew how to work with internal stakeholders to gain the support and buy-in required. At the outset, this meant establishing what the client wanted to achieve in terms of its risk appetite. Once consensus had been reached, work began on translating the desired outcomes into the new control framework. Our team also worked with control owners to identify gaps in the client’s control environment.
Our Control Framework was used to help the client create one of its own. We aligned our control areas to existing risk definitions within the organisation’s operational risk framework. This exercise included determining the boundaries between Cyber and other policy-owning areas, including IT, Supplier Management, and HR. We also provided a ‘translation’ of our generic terms to reflect those of the client.
We syndicated the new control definitions with the control owners and other stakeholders. We then created c. 30 new cyber security standards and procedures documents based on the accepted and understood controls.
Building on the foundation of our Control Framework, we rapidly provided the client with its own version, which defined its requirements for cyber security and was fully aligned to industry standards. This gave it the capability to understand the security requirements for all of its processes and, in turn, to improve existing controls through better standards and assurance.
Crucially, the client was also able to understand where it had major control gaps so it could invest in the improvements required to achieve its risk appetite.