Establishing an Integrated ISMS for the

Co-operative Banking Group

STREAM Integrated Risk Manager Risk management made simple

Richard Mayall richard.mayall@acuityrm.com

Partner, Acuity Risk Management

Mark Henry Mark.Henry@cfs.coop

IT Security Assurance Manager, The Co-operative Banking Group

Some of our Customers

Typical Customer requirements

1. Many Standards: ISO 27001 22301 9001

14001 18000 20000 PCI-DSS COBIT

GSI IAMM…

2. Variety of methodologies, assessment

schemes, risk types, KRIs, KPIs…

3. Efficient compliance and risk processes in

complex business environments

4. Dashboards, reports, exports for

internal / external auditors…

GRC Key Components

…and supporting processes

Overview

Introductions

Co-operative Banking Group : ISMS Requirements

Selection of ‘Content’ for the system

How we constructed the system

Example data collection and reporting views

Summary and questions…

Your presenters…

Richard Mayall

Supported CBG with original ISO 27001 certification, risk

assessment

Supported migration to STREAM for ISO 27001 in June 2008

Supporting current development of ISMS with CBG

Responsible within Acuity for integrated content development

projects for our Enterprise STREAM customers

Mark Henry

34yrs experience in Financial Services with last 10yrs in Security.

Manages IT Security Assurance to ensure we meet our Legal,

Regulatory and Business Requirements.

Managed the ISO 27001 re-certification for smile & Personal

Banking Internet channels since 1999 (using Stream).

Developed and implemented a 3rd Party Data Assurance Model

Revamping our Security Baseline Controls into a comprehensive

IT Security Governance Framework

The Co-operative Group

ITS Governance Framework

Key Objectives :-

Align / report against key Standards (i.e. ISO 27001 and PCI-DSS)

Benchmark against industry peers & ‘best practice’ (via. ISF Benchmark)

New IT developments built to appropriate CBG Security Standards

Certify compliance with Banking Industry Payment Schemes

(e.g. CHAPS, Faster Payments, BACS)

Validation and highlighting of areas of best practice across IT

Identification and effective risk management of all control deficiencies

regular reporting to inform risk and investment decisions

Support Co-op’s ethical stance by demonstrating good compliance and

risk management.

IT Security Control Standard Architecture

IT Security Governance Framework

Building the System

ISO 27001 COBIT PCI-DSS PCI-DSS

Reporting Lenses

‘Baseline’ ISF Controls

(Assessed)

Platform specific

technical Standards

(Assessed for each

applicable technical

environment)

Content in STREAM

Control Assessment

Control Assessment II

High-level summary reporting

Control deployment summary

Linkages for the ISO lens…

ISO 27001

Through the ISO 27001 lens…

ISO 27001

Multiple Control Standards

Drillable Risk Dashboards

Dashboards for various business views, gauges for:

Risk counts by threshold

Risks levels against appetite

Control deployment levels

Personal Workflow…

Way ahead

Gather assessments across the IT estate

Create further lenses:

PCI-DSS

COBIT

CHAPS, Faster Payments, BACS…

STREAM Servers

Benchmark

Submissions

Output data from STREAM for ISF Benchmark

submissions…

Develop interfaces to accept ‘assessment’ data feeds

from technical monitoring tools (Qualys)

Real-time Data Feeds

(Qualys)

Essential Components

Questions?

Acuity Risk Management LLP

Liberty House

222 Regent Street +44 20 7297 2086

London

W1B 5TR www.acuityrm.com

STREAM Integrated Risk Manager Risk management made simple

The Co-operative Banking Group

Miller Street

Manchester

Lancashire

M60 0AL www.co-operativebankinggroup.co.uk