New Governance Model Drives Security-Risk Decision Making
“We identified several risks and presented them so they could easily be understood by the security forum.”
A specialist software development client had previously asked i-confidential to deliver a security assessment, which was completed successfully. It then wanted to conduct a further review at a more granular level. In particular, it wanted to understand the specific level of risk being run by each of its client-facing services.
The client came back to us to carry out this work due to the high-quality output we had previously provided.
Our Security Health Check provides a comprehensive review of security controls. In this case, however, we used a refined set of controls to examine the client’s security at an individual service level.
In addition, we helped establish a security forum to debate next steps for any identified risks, which could either be accepted or assigned mitigating actions. This form of governance should be an important part of any organisation’s risk management approach. It allows the risks to be discussed with risk owners and for any challenge to be heard.
Depending on the appropriate next steps, the forum can track progress and discuss escalation if needed. Part of this process was setting expectations about what was achievable in the timescales required. All too often, unrealistic timeframes are set for organisations which lack the necessary resources to meet them. The forum ensures that priority is assigned in a pragmatic fashion.
Having assessed each of the services, we identified several significant threats in our findings. These were prioritised to focus the effort on the highest risks first. As part of the governance we implemented, if a risk could not be accepted or mitigated, it was escalated to the board. This gave the organisation’s most senior stakeholders the appropriate visibility of such unresolved threats.
During our second round of security assessments for this client, we successfully focused on its individual client-facing services. We identified several risks and presented them so they could easily be understood by the security forum. This provided an opportunity to take appropriate action. Some of the more critical risks were mitigated to bring them within organisational tolerances.
We also helped the Information Security Officer to address other issues, such as establishing baseline standards, utilising security frameworks, and understanding and resolving process gaps.