Using Cyber Security Review in a Data Analytics Organization


Cyber Security Review (CSR) Case Study

30 June 2022

Case Study: At a Glance

Challenges:

  • Impending acquisition
  • Limited internal resources
  • Limited cyber security capability
  • Presentation to acquiring company

Results:

  • Current Maturity: 2.20
  • Target Maturity: 3.20
  • Key Remediation Items:
    • Employ ISM role
    • Implement MDR Service
    • Develop & Test incident response capability

Services Rendered:

  • Cyber Security Review (CSR)

Situation

The client, a Data Analytics organization in Australia with global satellite offices, was going through a potential acquisition by its largest shareholder and key customer. The acquisition required an independent review of the client's cyber security posture against an internally-recognized standard/framework and a roadmap to prioritize remediation, both of which would be presented to the acquiring company. The client had limited resources to conduct the engagement internally but believed a review would provide a stronger case to both boards.

Task

NCC Group conducted a Cyber Security Review (CSR) for the client against the NIST Cyber Security Framework (CSF) to determine the maturity level of its cyber security controls. As the client's trusted security advisor prior to this engagement, NCC Group understood the client's business operations and was better equipped to deliver a CSR.

Action Items

  • Interviewed 15 stakeholders and reviewed 41 pieces of evidence

  • Established context by understanding the client's business, operating model, security system, and the marketplace

  • Registered core assets and co-developed a list of threat sources and business impacts

  • Performed NIST CSF-driven maturity-based controls assessments to capture the function and the coverage of control architectures

  • Defined the current state of security measures and identified gaps in controls 

  • Documented the most likely risk scenarios and evaluated how organizational capabilities prevent the realization of cyber risk

  • Communicated priorities for remediation to drive security investment and how remediation will impact maturity indices

Results

  • Client was assessed at a cyber security maturity level of 2.20 as per the CMMI

  • NCC Group was asked to repeat the engagement on an annual basis

  • Assessed maturity was lower than the client's desired target rating of 3.20

  • NCC Group presented the output and the following three key remediation activities to both boards

    • Employ an Information Security Manager (ISM)

    • Implement a Managed Detection and Response (MDR) service

    • Develop incident response playbooks
