CBEST Remediation Plan Review - UK Building Society

Client Challenge

Following a recent series of intelligence-led penetration tests, the client had devised a remediation plan which was to be reported to the regulator. Working with the 2nd line risk function, TORI was tasked with conducting an independent review of the plan to:

  • Identify any gaps in remediation activities
  • Draw out dependencies and risks associated with the plan
  • Advise as to whether plan objectives are achievable within target timescales and known constraints
  • Comment on the security implications of key decisions

What we did

  • Conducted extensive interviews with key stakeholders and all action owners
  • Reviewed the security architecture, policies and standards
  • Analysed the attack vectors employed in the exercise and the technical findings of the penetration testers
  • Performed a gap analysis on the remediation plan against the penetration test findings

Outcomes & Results

  • Delivered a line-by-line assessment of the efficacy of the control designs and implementation plans for each vulnerability
  • Identified vulnerability details discussed in the pen test report commentary that were not covered in the summary findings and as such had no associated remediation activities planned

Recommendations to improve remediation outcomes, including:

  • Improved governance
  • Definition of a critical path
  • Allowance in planning for a period of post-delivery optimisation
  • Identification of the key activities that would deliver the greatest mitigation of risk