New Assessment Framework Meets Regulatory Expectations
“Using our approach, the client could test every instance of the given control on every asset recorded against the CBP.”
In 2018, the UK Prudential Regulation Authority (PRA) highlighted the need for a greater focus on operational resilience.
In response, our financial services client mobilised its Operational Resilience Programme. One objective was to improve the control assessments that ensured the cyber resilience of Critical Business Processes (CBPs).
The client’s existing assessments did not measure all aspects of a control’s effectiveness. In addition, they only looked at a subset of the IT assets supporting the CBPs being assessed, making it difficult to determine true cyber resilience status.
Using our Security Metrics offering, we delivered a new Cyber Assessment Framework, focusing on the controls that would have the greatest resilience impact on CBPs. For example, it prioritised privileged access management controls on the servers and databases supporting a CBP over more generic cyber controls, such as user data leakage protection.
We defined the three metric types needed to accurately measure each control: control coverage, control output result, and control remediation performance. A simple status threshold was then defined for each metric. These were set with a low tolerance to reflect the potentially severe impact if a CBP component was compromised due to a weak control.
Using the new metrics, we then assessed each control. First, we extracted the entire IT asset inventory supporting each CBP for the relevant control from ServiceNow. We compared these against the outputs from the control platforms themselves. This gave us a control metric result for every single asset instance supporting the CBP.
Individual metric results were recorded in ServiceNow against control objectives for each asset instance. These were then rolled up to deliver a ServiceNow dashboard with multiple cyber resilience views.
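A worked illustration of the three metric types and the low-tolerance RAG roll-up described above. This is an added example, not the client's or ServiceNow's own logic; the asset names, control platform records, SLA and threshold values are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data (not from the engagement): the inventory of assets
# recorded against one CBP, and what the privileged access management (PAM)
# control platform reports for each asset it knows about.
CBP_ASSETS = {"srv-01", "srv-02", "srv-03", "db-01", "db-02"}

# Platform record per asset: (control_passed, days_to_remediate_open_finding).
# days is None when no finding was raised. An asset missing from this dict
# supports the CBP according to the inventory but is not covered by the control.
PAM_PLATFORM = {
    "srv-01": (True, None),
    "srv-02": (False, 3),
    "srv-03": (False, 20),
    "db-01": (True, None),
    # db-02 is absent: a coverage gap the old sampled tests could easily miss
}
REMEDIATION_SLA_DAYS = 7  # assumed SLA

# Low-tolerance thresholds (assumed values): a single uncovered or failing
# asset in a CBP is enough to take the control out of Green.
def rag(fraction: float, green_at: float = 1.0, amber_at: float = 0.95) -> str:
    if fraction >= green_at:
        return "GREEN"
    if fraction >= amber_at:
        return "AMBER"
    return "RED"

@dataclass
class ControlMetrics:
    coverage: float       # assets seen by the platform / assets in CBP inventory
    output_result: float  # assets passing the control / assets covered
    remediation: float    # findings fixed within SLA / findings raised

def assess_control(assets, platform, sla_days) -> ControlMetrics:
    covered = [a for a in assets if a in platform]
    coverage = len(covered) / len(assets)
    passed = [a for a in covered if platform[a][0]]
    output_result = len(passed) / len(covered) if covered else 0.0
    findings = [platform[a][1] for a in covered if platform[a][1] is not None]
    in_sla = [d for d in findings if d <= sla_days]
    remediation = len(in_sla) / len(findings) if findings else 1.0
    return ControlMetrics(coverage, output_result, remediation)

def rollup(m: ControlMetrics) -> str:
    # The worst of the three RAGs wins, so a coverage gap cannot be hidden
    # behind a good output result on the assets the platform happens to see.
    order = {"RED": 0, "AMBER": 1, "GREEN": 2}
    return min((rag(m.coverage), rag(m.output_result), rag(m.remediation)), key=order.get)
```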
Previous control tests were limited to small samples of asset instances. They could only infer control effectiveness for the 6,000 servers and 40,000 privileged IT accounts involved in supporting the CBPs, rather than accurately measure them.
Using our approach, the client could test every instance of the given control on every asset recorded against the CBP. The assessments were comprehensive because they measured control coverage and remediation performance, rather than just the control output results.
Assessments were more focused because the metric RAG (Red/Amber/Green) thresholds were aligned to the narrower appetite for CBP control failures. They also concentrated on the cyber controls most relevant to operational resilience - a key requirement of the PRA.
The new output was more useful to stakeholders. Control owners were given an ‘operational resilience RAG’ for their controls, and CBP business owners were able to see the cyber status of their specific CBP.
The Chief Security Officer (CSO) was given an overall ‘Cyber Resilience Score’ based on the roll-up of underlying metrics results. Leveraging ServiceNow Asset Management and ServiceNow GRC dashboarding functionality automated the process and improved accuracy. The organisation used this to compare Cyber with its other key operational resilience scores for IT, People, Supplier Management, and Property.
These improvements provided a step change in our client’s ability to identify and measure cyber resilience control weaknesses, enabling it to meet regulatory expectations.