Financial Services – Client Challenge
Our client, an ISO at a regional bank, sought SDS’ help to establish a baseline for the maturity of his information security program. The client had two key challenges:
- The ISO needed to communicate to executives and the board the current maturity of his infosec program and how he plans to act on prioritized areas of need.
- Further, the executives and board lacked a security program baseline against which to set the ISO’s management objectives, so that they could measure his effectiveness with the program and its improvements.
Our ISO client engaged SDS to conduct a program assessment and obtain a TrustMAPP license to meet these needs.
Solution to Challenge
To address these needs, SDS proposed a project that included assessment, analysis and reporting phases to gather program input, measure the program and finally, present recommendations to improve the client’s infosec program. The project leveraged SDS’ maturity measurement solution, TrustMAPP, to provide capabilities to measure, track and improve the security program.
- The assessment phase began with reviewing the client’s infosec policies to understand the documented security program. This phase continued with a survey of key subject matter experts (SMEs) across the entire infosec program. The survey was built around measuring maturity for a specific set of infosec processes based on industry best practices (such as NIST 800-53, the SANS Top 20 and FFIEC). SDS used TrustMAPP to deliver the assessment to client SMEs. This approach allowed validation and updates to be finalized in the next phase. SDS sees examining security processes, just as other client business functions review their own process performance, as a strong approach to improving infosec maturity.
- The analysis phase brought together, using TrustMAPP’s Analytics Engine, all maturity scores and the SMEs’ supporting responses. SDS reviewed and sought to align scoring for areas where results showed differing opinions on maturity.
- The reporting phase used TrustMAPP’s Report Engine and provided the client with an executive summary and a process-level dashboard displaying each process with high/medium/low maturity. Further, SDS provided greater detail behind the process maturity findings and included prioritized recommendations to raise the maturity of low-scoring processes to a client-provided maturity goal. Recommendations included resource hours and tool cost estimates to assist with planning.
Impact on the Client’s Business
This effort provided short and long-term benefits to the customer:
- Delivered a strategic roadmap, managed within the customer’s TrustMAPP instance, with a baseline and prioritized recommendations from which to improve the processes that comprise their information security program.
- Bridged the gap between operations and executive leadership, providing clarity on how the information security processes align with business objectives and how previous investments have improved the performance of the security program.
- Identified business-focused goals and assessed the program against them to enable improved oversight of the information security program. This effort leveraged TrustMAPP to allow future updates to the original baseline and to create workflows to address the findings and recommendations from the original assessment.