
Security Assessments for Financial Services Organisations

With over 15 years of consulting experience, we measure your company’s security posture and advise on the best cyber security strategy to future-proof your business.

We can assess and validate the security across all aspects of your organisation, including NIST, PCI-DSS and Cyber Essentials compliance.


NIST

As cyber security continues to mature and remains at the top of everyone’s mind, a natural shift has occurred from focusing on meeting regulatory compliance mandates to involving the business and reducing the risks associated with its valuable assets.

Blocking every threat would be nice, but is cost-prohibitive (not to mention nearly impossible). Instead, organisations are responsible for allocating resources to reduce areas of cyber risk within their defined tolerance levels. This is where the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) excels.

The NIST CSF was first published in 2014 under the Presidential Executive Order ‘Improving Critical Infrastructure Cybersecurity’, which called for a standardised security framework. Existing frameworks like NIST 800-53 and ISO 27001 provided specific controls and processes, whilst the creation of the NIST CSF offered a more digestible and flexible cybersecurity framework, allowing all adopters to see their security programme from a more strategic, business-centric view.

A NIST CSF assessment is not an audit, but rather an engagement to drive business value by identifying risks. In heavily regulated industries, it may be a requirement to perform a risk assessment each year. However, in less regulated or unregulated industries, it is recommended to get an assessment every two years due to the continual evolution of threats.

A typical SysGroup NIST CSF assessment follows three steps:

  1. Interviews and workshops with relevant subject matter experts and control owners.
  2. Review of documentation (policies, standards and procedures) and evidence of controls in place.
  3. Report on the detailed findings, risks and recommended steps to remediation.

It’s important to work with an independent assessor who has seen how the controls are applied across different industries and similar organisations. An experienced assessor can give organisations assistance on how the framework should be successfully applied, offer valuable insight into the level of maturity compared to others, provide risk mitigation techniques, and incorporate ‘hot topics’ during the risk assessment ensuring the organisation is well protected.

Leveraging a professional brings many benefits for an organisation, including:

If you choose to collaborate with an assessor, remember to always be transparent. Sharing all weaknesses enables the assessor to provide better guidance, which may also provide a platform for obtaining additional support or resources from management to address the areas of risk.

PCI-DSS

A PCI-DSS risk assessment is a formal process that companies use to identify threats and vulnerabilities that could have a negative effect on the security of payment card data.

According to requirement 12.2 of the Payment Card Industry Data Security Standard (PCI DSS), any organisation that processes or handles payment cards must implement a risk assessment process that is performed at least annually and when there are significant changes to the environment.

The risk assessment process must identify critical assets, threats, and vulnerabilities, and the effect they may have on the cardholder data environment. The risk assessment should result in formal, documented analysis of risk.

Merchants have been required to conduct risk assessments since the PCI DSS was first released in December 2004. The PCI DSS cites OCTAVE, ISO 27005, and the National Institute of Standards and Technology (NIST) Special Publication 800-30 as examples of risk assessment methodologies. However, the PCI DSS doesn’t dictate the process that companies should use to conduct their risk assessments.

The PCI DSS risk assessment offers organisations guidance to help them identify, analyse, document and manage the information security risks that may affect their cardholder data.

Organisations can identify these vulnerabilities using vulnerability assessment reports, penetration testing reports, and technical security audits. The PCI DSS risk assessment also provides companies with remediation strategies so they can implement risk management strategies to mitigate those vulnerabilities.

Conducting a risk assessment helps provide direction on what vulnerabilities a company should address first.

According to the PCI DSS risk assessment, an organisation must:

SysGroup consultants have extensive knowledge working in the financial services industry and have conducted a number of PCI DSS risk assessments.

Cyber Essentials

The Government worked with the Information Assurance for Small and Medium Enterprises (IASME) consortium and the Information Security Forum (ISF) to develop Cyber Essentials, a set of basic technical controls to help organisations protect themselves against common online security threats.

The full scheme, launched on 5 June 2014, enables organisations to gain one of two Cyber Essentials badges. It is backed by industry, including the Federation of Small Businesses, the CBI and a number of insurance organisations which are offering incentives for businesses.

Cyber Essentials is suitable for all organisations, of any size, in any sector.

The Government requires all suppliers bidding for contracts involving the handling of sensitive and personal information to be certified against the Cyber Essentials scheme.