Governance, Risk Management and Compliance

In this domain, SBS covers multiples tasks from developing information security programs to guidance on implementations for frameworks, from assessing the proper implementations of controls to developing and writing policies, and from standards and procedures to developing security hardening processes. These are customized according to various industry-recognized standards or according to bank internal frameworks and policies.

SBS delivers its services in accordance to Standards and Frameworks like ISO2700, 1CIS Framework, NIST 800-30, SWIFT CSCF, and SWIFT SIPSOF; Risk Methodologies like ISACA Risk IT/Cobit 5 for Risk and ISO 27005; IT Governance like Cobit 5/Cobit 2019.

Services Offered:

Information Security Program Development

An information security program comprises a set of practices that are implemented to protect the confidentiality, integrity and availability of data and IT assets. This is achieved by defining proper interaction between people, processes, and technology within a framework of optimized strategic planning. Developing an information security program comes from the need to organize diverse activities in a properly planned manner in order to avoid wasting time, effort and resources that can be due to overlapping of security activities, or due to the inability to cover all aspects of information security.

Steps to develop an enterprise information security program:
  • Create/adapt policies, standards, procedures, and guidelines
  • Design architecture including PPT
  • Identify and classify assets
  • Define risk management methodology
  • Define emergency and incident response plans
  • Perform security awareness and training sessions
  • Define and manage change management procedure and software development lifecycle operations
  • Manage third parties
  • Schedule Security Assessments and Audits
  • Define metrics

Gap Assessment

A gap assessment – in a framework context – is a process that intends to identify the gap of an organization’s conduct by comparing it against the defined controls of a standard framework like SWIFT CSCF, COBIT, PCI-DSS, ISO, etc. This process is meant to highlight the status of the organization and assess the gap between the framework and what is already implemented. Moreover, this exercise is meant to identify technology requirements and process changes needed to close the gap and become compliant with the chosen standard framework.

Gap assessment is conducted through an interview-based exercise to check if the technical team has implemented the framework requirements. The outcome is a report that specifies the domains of deviation and the scope.


Risk Assessment

Risk assessment is an exercise that comprises of a set of data collection activities which help evaluate the vulnerabilities versus the threat actor in order to study the likelihood of occurrence and the impact of the risk. It is meant to minimize the impact of risks on an organization. This is generally done through risk mitigation, risk transfer or risk acceptance.

Eventually, the purpose is to ensure that the chosen security controls are apt to protect against the risks that the organization might face. Moreover, it allows a better understanding of the types of risks which, in turn, play major role in building a better defensive plan for the future.

Our risk assessment exercise includes the following:
  • Establish the context of the organization by:
    • Identifying assets
    • Identifying threats and risks
    • Determining the rates of occurrence
    • Determining the extent of losses if befallen
  • Assist build a risk response plan including:
    • Accept or tolerate risk
    • Assign or transfer risk
    • Avoid risk
    • Reduce or mitigate risk
    • Reject or ignore risk