Our client is an executive agency for a government department which operates within a highly regulated area and must consider a wide range of requirements, particularly those stemming from the CAF, NIS2 and UK/EU GDPR.
The Challenge
Given the range of these requirements, our client sought assistance with supplier and project assurance. The role of project assurance is to ensure any new system or platform is assured before go-live and to gather confidence that security controls are operating as intended to protect the system.
The Solution
We refreshed our client’s approach to supplier and project assurance to align to the aforementioned legal/regulatory requirements and to ensure new systems comply with these requirements. The assurance process has been designed to ensure all evidence is in place to demonstrate compliance before go-live. For example, whether a thorough Data Protection Impact Assessment (DPIA) has been completed, issues are remediated following penetration testing, and multi-factor authentication (MFA) is in place for remote access.
The Results
Supplier assurance activities have been significantly improved to ensure our client is taking a pragmatic, risk-based approach, whilst still analysing evidence thoroughly and identifying issues against regulatory/legal requirements.
Issues identified through our assurance processes are managed through a new risk management model that Bridewell has implemented to align with the corporate risk management framework, which aids communication with senior stakeholders and other interested parties.
Bridewell has also developed a range of policies for our client, covering areas such as assurance and risk management. Bridewell has additionally offered a range of recommendations on existing policy development as part of the assurance work (e.g., include the requirement to conduct risk assessments as part of the 'design' stage of a project within the risk management policy).
Finally, Bridewell is responsible for the day-to-day management of two junior civil servants working within our client’s organisation, which involves maintaining development plans aligned to the UK Cyber Security Council’s career framework. The members of staff have greatly improved their knowledge and understanding of assurance since Bridewell began supporting the team, and have received praise from the cyber security leadership team.