Creating Controls & Standards
Creating Controls to Drive Security Understanding and Lower Risk
By i-confidential Staff
A major UK life and pensions company engaged i-confidential to improve its cyber security capability. It had fallen well behind its peers, with security controls that no longer offered appropriate protection.
The organisation lacked a control framework that addressed the latest cyber security threats. This made it difficult to identify control gaps and verify that existing controls were operating effectively. Security standards were also weakened, as there were no sufficiently defined controls to base them on.
Our approach to helping the client was based on our deep understanding of industry-standard control frameworks, such as SOGP, NIST, and ISO. In addition, we have extensive experience of working with large financial services organisations over many years.
Our team of experienced practitioners understood the client’s challenges and knew how to work with internal stakeholders to gain the support and buy-in required. At the outset, this involved gaining an appreciation of what the client wanted to achieve in terms of its risk appetite. With a consensus achieved, work began on translating the desired outcomes to the new control framework. Our team also worked with control owners to determine gaps in the client’s control environment.
We used our knowledge and experience with the most widely used control frameworks to help the client create one of its own. Control areas were aligned to existing risk definitions within the organisation’s operational risk framework. This exercise included determining the boundaries between Cyber and other policy-owning areas, including IT, Supplier Management, and HR. We also provided a ‘translation’ of generic terms to reflect those of the client.
We syndicated the new control definitions with the control owners and other stakeholders. We then created c. 30 new cyber security standards and procedures documents based on the accepted and understood controls.
We were able to provide the client with their own control framework that defined the requirements for cyber security and was fully aligned to industry standards. This gave it the capability to understand the security requirements for all of its processes. In turn, it could improve existing controls via better standards and assurance.
Crucially, the client was also able to understand where it had major control gaps so it could invest in the improvements required to achieve its risk appetite.