Challenge
All IT security audits in the Bank were handled in a big, well-known corporate GRC system. But every time a new cybersecurity standard was published, retuning the process frequently ran into issues on the GRC side.
The lack of convenient user tools for managing the requirements of different standards, and especially of overlapping ones, meant the team lost a lot of time on duplicated work whenever users had to run a new audit campaign against a particular standard.
Defensys technologies
The initial process of dealing with a huge number of requirements relied on spreadsheets, with all the drawbacks of that approach. One of the main requirements on the customer’s side was to have most of the standards they must comply with available and structured out of the box. After a series of meetings and a PoC project, Defensys SGRC was chosen as the core solution for the Bank’s cybersecurity requirements management system.
Implementation
As the first step, Defensys SGRC had to be integrated with the Bank’s GRC solution. As a result, the whole asset structure, including all relations between assets and their additional fields, was imported.
The numerous requirements from the full list of standards relevant to the Bank were mapped into a single controls framework. Thereby, all involved employees from different departments (not only cybersecurity) are responsible for assessing these controls.
Based on particular criteria, Defensys SGRC automatically fetches the Bank’s assets (both technical and business), so every asset has a complete list of controls to be assessed by the dedicated people on a customized schedule. This way the user automatically receives a notification, logs into the System and instantly sees all the controls to be assessed and tasks to be performed.
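The two mechanisms described above, a single controls framework that absorbs overlapping requirements from several standards and criteria-based assignment of controls to assets, are illustrated by the following added example. It is not Defensys code; the standards, requirement texts, control IDs and criteria are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Requirement:
    standard: str   # constructed standard label, e.g. "Std-A"
    ref: str
    text: str

@dataclass
class Control:
    control_id: str
    title: str
    criteria: dict[str, set[str]]   # asset attribute -> values the control applies to
    requirements: set[Requirement] = field(default_factory=set)

@dataclass(frozen=True)
class Asset:
    name: str
    kind: str          # "technical" or "business"
    asset_type: str
    criticality: str

# Constructed sample: two standards with overlapping wording, plus one requirement nobody mapped.
REQS = [
    Requirement("Std-A", "A.1", "Passwords expire at least every 90 days"),
    Requirement("Std-B", "B.7", "Credential rotation policy enforced"),
    Requirement("Std-A", "A.4", "Audit logs retained for 1 year"),
    Requirement("Std-B", "B.2", "Security event logs kept for 12 months"),
    Requirement("Std-B", "B.9", "Business process owner reviews access quarterly"),
    Requirement("Std-A", "A.9", "Vendor contracts reviewed annually"),
]
MAPPING = {  # control id -> (title, asset criteria, requirement refs it satisfies)
    "CTL-01": ("Credential lifecycle", {"kind": {"technical"}}, ["A.1", "B.7"]),
    "CTL-02": ("Log retention", {"kind": {"technical"}, "criticality": {"high"}}, ["A.4", "B.2"]),
    "CTL-03": ("Access review", {"kind": {"business"}}, ["B.9"]),
}

def build_framework(reqs, mapping):
    """One control per entry; a ref absent from reqs raises KeyError so mapping errors are loud."""
    by_ref = {r.ref: r for r in reqs}
    framework = {}
    for cid, (title, criteria, refs) in mapping.items():
        ctl = Control(cid, title, criteria)
        ctl.requirements.update(by_ref[ref] for ref in refs)
        framework[cid] = ctl
    return framework

def controls_for_asset(framework, asset):
    """A control applies when every one of its criteria matches the asset's attribute."""
    return sorted(cid for cid, ctl in framework.items()
                  if all(getattr(asset, attr) in allowed for attr, allowed in ctl.criteria.items()))

def standards_covered(framework, control_id):
    """Which standards one assessment of this control satisfies (the de-duplication benefit)."""
    return sorted({r.standard for r in framework[control_id].requirements})

def unmapped_requirements(reqs, framework):
    """Requirements no control covers: a coverage gap an auditor must close before a campaign."""
    mapped = {r for ctl in framework.values() for r in ctl.requirements}
    return sorted(r.ref for r in reqs if r not in mapped)
```

Assessing CTL-01 once on a technical asset produces evidence for both Std-A A.1 and Std-B B.7, while the unmapped check surfaces A.9 as not yet covered by any control.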
When dealing with a control, the user can upload all the necessary documents as proof of compliance or non-compliance with the assessed control.
For the team’s convenience, there is a built-in team chat for each control. Besides, the user can check which requirements from different standards relate to a particular control. Users can also track the history of all assessments right in the card of a particular control.
Results
Now Defensys SGRC is used not only by the 11 cybersecurity specialists of the Bank, but also by IT administrators and business owners.
After adding and structuring all the information, and by using the Defensys SGRC report builder, employees can create the needed reports on the compliance status of all critical assets.
As the next step of the project, implementation of the Bank’s risk management framework in the SGRC is planned.