Security Controls Review
Defined Control Requirements Enable Targeted Security Investment
By i-confidential Staff
In an ever-evolving threat landscape, organisations can struggle to ensure they have effective cyber security controls in place, both to mitigate the risks they face and to protect key information assets from compromise.
It was on this basis that a global financial services client asked i-confidential to conduct a review of its security position. It wanted to use the results to establish a programme to address the most significant gaps.
Our Control Framework was used to assess the client’s cyber security controls. Aligned to NIST and ISO 27001, it contains 800 low-level control statements written in practical and understandable terms. It is built on the experience of working with large financial services organisations for many years.
In this case, the control assessment encompassed the entire organisation, including the application and infrastructure estates. The client’s risk and investment appetite was also considered.
With the assessment complete, we then provided a detailed cost and benefit analysis for a series of recommended activities to address the highlighted gaps. This was then structured into a three-year security improvement programme (SIP). For each of the 80 security improvement projects within the SIP, we defined the detailed security control requirements.
A further output from the review was a risk position statement. This detailed the significant gaps discovered by mapping the individual control requirements to a set of top-level cyber security risks that we defined for the client. We then summarised the required improvements and costs to move from the current state to an acceptable risk position, showing which control requirements would be met over time.
The review identified 60 weaknesses across 10 risk areas. The SIP provided a straightforward cost-versus-risk view of the required improvements, showing the progressive risk reduction that would be achieved.
The client’s Head of Cyber Security was able to recommend to the executive the right level of targeted investments to make, based on a clear statement of the control requirements that needed to be met.
The level of detail we provided for the new control requirements gave confidence to the Risk Committee and auditors that the investment proposal was built on a sound foundation. The organisation benefited from the definition of an improved set of cyber security risks that could be easily embedded into their operational risk framework and first-line assurance processes.