Blog: Consultancy advice
ASSURE Case Study: One
The client needed to meet the requirements of the Network Information Systems (NIS) CAF.
There was a target profile for the NIS CAF that the CAA had set out for the client’s systems. However, we discovered early on that this had the potential to be a transformational piece of work for the client.
By using NIS and the CAA Assure Audit we could help each client department to focus on a single view of how important cyber security was for the entire business.
A number of internal stakeholders (individuals and departments) initially thought it was a compliance check, requiring only a few cyber changes to tick the boxes.
As we reached out to the wider business to get them involved, we were able to help them see how important their part was to overall good cyber hygiene. For example, patching relies on the infrastructure team and the IT services team (in RACI terms, the CISO is accountable, but the departments are responsible for it).
Showing them just how much their part mattered to good cyber hygiene was key. It highlighted transformational challenges that were interdependent between cyber security and the entire business.
How we do what we do
We simplify, we make it risk and threat based, and we prioritise.
We started by getting them to take a framework approach, rather than just going through an audit.
Using our NIS, CAA Assure, and wider aviation experience, we broke the objectives down into deliverables. Our experience of other, different frameworks would prove to be invaluable as well.
Back then the NIS framework under CAA Assure was new and no-one had completed this before or completed the CAF returns. The more we got involved with the CAA, the more we were able to develop a shared vision of what ‘good’ completion should look like.
We broke it down to four elements matching the four objectives of the NIS CAF. We simplified these four objectives by taking a top-down, bottom-up approach.
We looked holistically across the organisation. NIS Objective A is about risk: setting out how the organisation performs against it and what its tolerances are. It requires knowing what is in place organisationally to address an incident.
Objective B is about how you are managing your controls. For this we looked at things at a system level, within the framework of organisational risk management and governance.
We grouped applications and systems together. This provided a more granular view, but in a way that identified commonalities in terms of security requirements, risks and impacts, and security controls and principles.
This enabled us to address NIS Objectives C and D, whilst creating efficiencies of scale for security remediation / implementation based on common controls. The client already had these in the main but they hadn’t completely covered common threats; we helped them understand those.
It also helped them to prioritise actions, activities and programs to address areas of security remediation / implementation.
We also did significant amounts of project management with the client, to ensure that the systems and the CAFs progressed to the necessary timescales. Our ability and experience meant we were able to communicate to the client the importance of project management in tying it all together, which was essential given the number of interdependencies across systems, risks, frameworks and infrastructure.
It’s a challenging time with the pandemic and recession and whilst this has accelerated digital transformation for many organisations, it has also made it difficult for organisations to accelerate cyber transformation at a pace to keep up.
Our softer skills and experience with culture change, collaboration, and bringing teams together are always useful. But they need to be partnered with a firm enough hand when needed, and a clear tolerance on where to draw the line, to define and police a minimum level of acceptable responsiveness.
In practical terms this means applying manageable points of pressure to departments, and supporting the security function in that, to drive change and foster the right changes in culture.
We quickly understood what the business needed, namely the strategic purpose of the project we were delivering, and adapted our approach as the project progressed. This ensured that the end deliverable was produced and also delivered the requisite strategic value.
In this case, the focus was on not only reporting but also honing the messaging of the reporting for different audiences within the client’s organisation.
This involved producing presentations, executive reporting and CAFs as well as NIS corrective action plans. The latter surpassed the requirements of the CAA Assure Auditor (the regulator) and means that as the client goes through the CAA Assure audit, they have a high level design document in the form of the corrective action plan that they can refer back to.
In summary, three key aspects of our output were:
- The client has an Executive level view in a report. This gives the execs an understanding of what the big-ticket items are that need resolving and how they are going to strategically set those objectives out.
- The client has a NIS corrective action plan, which goes beyond the CAA expectations. This sets key milestones.
- We have delivered operational level reporting through individual CAFs that sets the operating divisions up for success: they understand how they need to go about delivering those key milestones.
We also demystified and simplified needs vs benefits so that the client has a framework in future that enables them to take this approach into future transformation projects and programmes.
This was phase 1 of this transformational programme and we have now set out and agreed plans to work with the client on phase 2, which is on-going.
Key recommendations for clients looking to embark on security transformation projects
Engage early to build relationships and to scope projects and programmes in a way that builds on our experience in delivering these types of projects and programmes. We have a great deal of experience; lean on it to scope your project before you start.