Cyber Security

Security Assessments for Financial Services Organisations

Written by SysGroup Marketing

With over 15 years of consulting experience, SysGroup can measure your company's security posture and advise on the best cybersecurity strategy to future-proof your business.

We can assess and validate the security across all aspects of your organisation, including NIST, PCI-DSS and Cyber Essentials compliance.


As cybersecurity continues to mature and remains at the top of everyone's mind, a natural shift has occurred from focusing on meeting regulatory compliance mandates to involving the business and reducing the risks associated with its valuable assets.

Blocking every threat would be nice, but is cost-prohibitive (not to mention nearly impossible). Instead, organisations are responsible for allocating resources to reduce areas of cyber-risk within their defined tolerance levels. This is where the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) excels.

The NIST CSF was first published in 2014 under the Presidential Executive Order of 'Improving Critical Infrastructure Cybersecurity', which called for a standardised security framework. Existing frameworks like NIST 800-53 and ISO 27001 provided specific controls and processes, whilst the creation of NIST CSF offered a more digestible and flexible cybersecurity framework, allowing all adopters to see their security program from a more strategic, business-centric view.

A NIST CSF assessment is not an audit, but rather an engagement to drive business value by identifying risks. In heavily regulated industries, it may be a requirement to perform a risk assessment each year; however, in lesser or unregulated industries, it is recommended to get an assessment every two years due to the continual evolution of threats.


A typical SysGroup NIST CSF assessment follows three steps:

  1. Interviews and workshops with relevant subject matter experts and control owners.
  2. Review of documentation (policies, standards and procedures) and evidence of controls in place.
  3. Report on the detailed findings, risks and recommended remediation steps, uncovering control weaknesses or gaps in the current cybersecurity program.

It's important to work with an independent assessor who has seen how the controls are applied across different industries and similar organisations. An experienced assessor can give organisations assistance on how the framework should be successfully applied, offer valuable insight into the level of maturity compared to others, provide risk mitigation techniques, and incorporate 'hot topics' during the risk assessment, ensuring the organisation is well protected.

Leveraging a professional brings many benefits for an organisation, including:

  • Uncover control weaknesses and hidden/unknown risks. Interviews include discussions on how and where systems are connected and protected, which can often uncover unknown risks. This is likely to happen when operational and security departments function as silos and/or don't have formal and centralised processes.
  • Identify areas where additional resources would help reduce risk. Risk reduction is fundamental, and NIST CSF assessments are valuable for identifying the key areas for investment of human, technology and financial resources.
  • Realign cybersecurity priorities based on independent perspectives. It's easy for decision makers to ignore internal voices, but harder to do so with an unbiased independent assessment.
  • Address questions from executive management. An assessment provides an impartial answer to "are we covering all major transformation security risks?" and boosts executive confidence in the program.

If you choose to collaborate with an assessor, remember to always be transparent. Sharing all weaknesses enables the assessor to provide better guidance, which may also provide a platform for obtaining additional support or resources from management to address the areas of risk.


A PCI DSS risk assessment is a formal process that companies use to identify threats and vulnerabilities that could have a negative effect on the security of payment card data.

According to requirement 12.2 of the Payment Card Industry Data Security Standard (PCI DSS), any organisation that processes or handles payment cards must implement a risk assessment process that is performed at least annually and when there are significant changes to the environment.

The risk assessment process must identify critical assets, threats and vulnerabilities, and the effect they may have on the cardholder data environment. The risk assessment should result in a formal, documented analysis of risk.

Merchants have been required to conduct risk assessments since the PCI DSS standard was first released in December 2004. The PCI DSS standard cites OCTAVE, ISO 27005 and the National Institute of Standards and Technology (NIST) Special Publication 800-30 as examples of risk assessment methodologies. However, the PCI DSS standard doesn't dictate the process that companies should use to conduct their risk assessments.

The PCI DSS risk assessment offers organisations guidance to help them identify, analyse, document and manage the information security risks that may affect their cardholder data.

Organisations can identify these vulnerabilities using vulnerability assessment reports, penetration testing reports, and technical security audits. The PCI DSS risk assessment also provides companies with remediation strategies so they can implement risk management strategies to mitigate these vulnerabilities.

Conducting a risk assessment helps provide direction on what vulnerabilities a company should address first.

According to the PCI DSS risk assessment requirements, an organisation must:

  • Conduct a risk assessment once a year or anytime it makes significant changes to the cardholder environment.
  • Perform a thorough risk assessment before it outsources any portion of its cardholder data environment to a third party. The business also has to consider the effect outsourcing could have on the organisation and the credit/debit card information.
  • Identify any vulnerabilities and threats both to its primary and secondary critical assets.
  • Document the outcome of the PCI risk assessment, identifying all the risks during the risk assessment.
  • Have a proper risk mitigation or treatment plan to deal with any case of emergency.
  • Protect its critical assets from any threats that could surface in the future.
  • Identify weaknesses and correct vulnerabilities in a timely manner to reduce the likelihood that a vulnerability will be exploited.
  • Cover all payment channels in the risk assessment, including all the critical assets that can directly or indirectly impact the security of the cardholder data environment.

SysGroup consultants have extensive knowledge working in the financial services industry and have conducted numerous PCI DSS risk assessments.


Cyber Essentials

The Government worked with the Information Assurance for Small and Medium Enterprises (IASME) consortium and the Information Security Forum (ISF) to develop Cyber Essentials, a set of basic technical controls to help organisations protect themselves against common online security threats.

The full scheme, launched on 5th June 2014, enables organisations to gain one of two Cyber Essentials badges. It is backed by industry including the Federation of Small Businesses, the CBI, and a number of insurance organisations which are offering incentives for businesses.

Cyber Essentials is suitable for all organisations, of any size, in any sector.

From 1st October 2014, Government requires all suppliers bidding for contracts involving the handling of certain sensitive and personal information to be certified against the Cyber Essentials scheme.

SysGroup can assess your organisation against the Cyber Essentials Framework, and certify that your business meets the UK Government's baseline standard.

