Blog: Consultancy advice
ASSURE Case Study: Two
The engagement
The purpose of this exercise was to validate the clients’ baseline security assessment against NIS and the CAF and prepare them for the CAA Assure audit against NIS and CAF. There were 24 systems for the client and 9 third party systems.
The client had carried out some initial testing and reviews upfront and also. systems that we had to look at. They initially rated themselves as a baseline and then used our expertise to validate or interrogate further. We agreed with around 80% of the self-assessed ratings and around 20% where we found that there were risks that weren’t acknowledged, or there wasn’t a full enough picture of the effectiveness of controls
How we do what we do
As we have in-house aviation security experts including current pilots, we teamed up to ensure that our advice was industry-specific and appropriate.
Together, we carried out detail-level auditing (Objective B and C) and the governance and risk management (Objective A), plus SOC and IR elements (Objective B) found details alongside us doing Objective A and B (the SOC and IR elements).
Working from high level compliance and bottom up from technical detail is an approach that PTP regularly deploy on larger client engagements.
Although we were there mainly for auditing and to deliver an assessment, extra value came from our considerable wider IT experience. For example, showing how to set up systems like Splunk (SOC/SIEM) to ensure that one derived maximum value from the system.
Common language
As we know the language of aviation, it made for a smoother, more collaborative and dynamic exercise. It enabled us to work faster as we did not waste time getting ‘up to speed’ with industry jargon and nuances. We also identified potential issues that may not have been picked up without that deep aviation sector understanding.
We made recommendations to prioritise remediation, then discussed and negotiated with the client over the best routes to get compliant. Our focus was on making sure risks were managed in the most effective way, so that the client had a true picture of where to prioritise their efforts. This was really important in a pandemic where finances had to be allocated very carefully.
Specific examples
We found issues with an incident management, specifically not learning lessons about root cause. Further, a legacy system needed upgrading as it simply did not do what was required. We helped explain to the board how this could become a much larger problem in the near future and was worth investing in resolving now.
We also uncovered issues with the SIEM. Firstly it wasn’t monitoring the things that the organisation believed it was monitoring. Further, more importantly no-one was reviewing the reporting. To help fix this we first gathered evidence of the issue and then communicated this to the client. We did it in a way that helped them to understand the risk that this presented to their cyber security, rather than merely pointing out the failure.
Client’s right to reply
We then gave the client an opportunity to challenge that evidence. This is a small but important step. It helps everyone, so long as the client isn’t compromising security. It means that any challenge to our evidence and recommendations has to be demonstrably aligned with the clients’ overall documented & agreed approach to risk.
This approach helped the various operating companies and wider group board build better communications and develop a solid two-way understanding. By clarifying the audit trail we ensured the group board had a better view of the risks across their group companies
Interpreting the CAF
We communicated and liaised with the CAA to confirm the interpretations of the CAF. This was so that even though the reporting didn’t mesh perfectly with the required output, the CAA could see that it was in the spirit of what was required. By taking an holistic view we overcame difficult barriers and provided something that the CAA was happy to work with.
An example of this are IR runbooks, with CAF asking if they had runbooks for scenario testing, and are they used. We helped demonstrate that they were feeding into the runbooks they had when they did their IR exercises, so the CAF was met.
Key recommendations for clients looking to embark on similar projects
Treat the CAF as a moment in time. It’s not a gap analysis or a corrective tool, so answer the questions as in real-time, not with assumptions about the future.