Overview
Katoni had been assisting the OES with ongoing cyber compliance services when a request by the Competent Authority to resubmit their Cyber Assessment Framework was received. Katoni worked with the OES to identify the key stakeholders that would be needed to deliver the resubmission, and facilitated a workshop to have the CAF updated accurately and efficiently.
The Challenge
The OES was working within a tight timeframe. They had both an imminent inspection under the NIS Regs by the Regulator and the CAF resubmission, and needed to get input from multiple stakeholders who normally sat within different parts of the business, while leaving enough time to communicate the results to other relevant stakeholders.
The Result
The CAF Workshop was held over two half-day sessions, which not only benefited the individuals involved in their ability to manage workload but also allowed those in attendance space to decompress and evaluate after the first session.
The workshop allowed each CAF Principle and Indicator of Good Practice to be reviewed and the purpose behind them to be explained in the context of that organisation. Evidence of compliance was found which would not have otherwise been considered. Conversely, Principles which were initially thought by the OES to be further in their development were found to contain gaps.
The benefit of experience allowed advice to be given in real time on ways to address and/or minimise these gaps quickly and effectively (in the absence of a reliable Risk Assessment) creating a more robust cyber resilience profile.
This experience also helped to identify trends throughout the CAF, highlighting to the OES where it might be best to place priority and resource when developing their Improvement Plan and implementing prioritised remediation. Policies and Procedures with evidentiary value were identified and discussed, including where improvements could be made to address IGPs not yet achieved.
The Benefits
The engagement delivered the following key benefits:
• A completed and up-to-date CAF, in which they had confidence.
• A day of communication between internal stakeholders that otherwise may not have interacted effectively, opening future lines of communication, and increasing confidence in lines already there.
• Recommendations of simple improvements to the Cyber Security Management System.
• Identification of detail required for the Improvement Plan, laying the foundation for prioritised remediation to achieve an adequate level of cyber security and resilience.
• Reduced risk of fines imposed under the NIS Regulations.
• Reduced potential need for further regulatory scrutiny.