Assess
Cyber risks
Understanding an organisation’s cyber risk begins with an assessment of its existing and proposed risk management posture, delivered through the services described below. The deliverables are clear risk management reports for leadership and key stakeholders, with recommendations for improvement.
Key services include:
Independent Cyber Risk Review / Audit: This is typically the first stage of a CAP engagement for SME organisations. The service is designed to provide immediate insight into an organisation’s cyber weaknesses, both organisational and technical. Organisations that undertake these reviews demonstrate that they treat cyber risk as one of the top business risks to their organisation: they investigate the potential impacts and act upon the recommendations for risk mitigation. The review considers the following:
IT & IT security organisation structure
Cyber risk profile
IT security strategy
IT security management
Infrastructure & applications
Policies & processes including incident preparedness & response
Resiliency / survivability
3rd party service providers
User awareness
Remediation strategy
Cyber security and incident leadership
Meetings with key staff and service providers provide further detail for the assessment. A report is then submitted and presented to the customer, including an operational maturity assessment, a cyber risk register, a capabilities gap analysis and recommendations for improvement.
Existing cyber risk management “snapshots”: These services are intended for organisations with an established cyber risk management approach and provide leadership with an independent view of their organisation’s current approach, its issues and any areas of concern. On commencement, a customer engagement team is agreed and asked to provide some or all of the following:
Cyber risk governance framework and its role within risk culture
IT and IT security infrastructure including 3rd party service providers
Risk registers, business continuity and crisis management plans
Results of vulnerability assessments and penetration tests
Cyber incident response plan and test results
Meetings with key staff and service providers provide further detail for the assessment. A report is then submitted and presented to the customer, including an operational maturity assessment, a gap analysis and recommendations for improvement.
3rd party service provider and merger/acquisition target assessments: The detail of a 3rd party’s cyber risk management strategy is often unclear to the organisations using or considering its services. This matters especially for cyber incident response, where the provider’s readiness directly affects the customer’s own. The CAP builds a matrix of 3rd party service providers based on an assessment of their cyber risk management operational maturity, highlighting issues and providing recommendations for ratification and/or improvement of the engagement structure.
A similar methodology can be applied to partnership and merger & acquisition prospects, providing leadership with insight into cyber resilience and suitability for further engagement.
Detailed assessments and testing: Should the information provided be insufficient for a definitive assessment to be given to leadership, a gap analysis determines what further information should be obtained. Focused assessments of particular risk areas are then performed by the CAP or with assessment partners. Based on the critical IT infrastructure identified and its associated risk exposure, the CAP looks in detail at technology assets, governance, policies and procedures to provide a jargon-free assessment of the security of the applications and infrastructure, and places the findings in the cyber risk register.
Incident readiness assessments: Every organisation must be prepared for a cyber incident. Many have some form of incident response strategy and plan in place, but these have often proven insufficient when an incident actually occurs. Preparation is key. In many cases an organisation’s existing crisis and business continuity management frameworks have not evolved to cover the increasing risk of cyber incidents. These engagements are designed to close those gaps and give the organisation clear steps towards an effective incident response strategy.