Cyber Resilience Program

Case Study

Customer Challenge

A top-tier US bank was concerned that its Cyber Resilience capabilities for Response and Recoverability of its critical LOB services were insufficient to meet the increasing risks of Cyber Security exploits, considering Ransomware, Malware, Denial of Service, Software Vulnerabilities, Supply Chain Compromise, and Insider Threat scenarios. The client required a holistic view of the recovery and resilience profile of 500+ individual business applications and dial-tone technology services supporting its critical lines of business, and a repeatable set of Cyber Resiliency Assessment, Disaster Recovery Testing and Training capabilities.

How Citihub Helped

Citihub provided a small team of consultants across the US and UK with combined deep infrastructure, application architecture, DevSecOps, security architecture and enterprise risk management experience to design the applicable controls, assessment framework, data model, and execution approach. We used our Application Risk Assessment framework, combined with the bank’s Technology Control Framework, NIST 800-53, and industry Better Practices across Architecture & Operations. The result was a complete methodology for executing full-or-partial Cyber Resiliency assessments with targeted control statements, validation criteria, and evidence-driven assessments designed to minimize impact on application owners.

Cyber Resiliency assessments were run over a 6-month period, scaling to 500+ application assessments and the IT infrastructure platforms they employed. A small team of experienced assessors worked across each Line of Business, leveraging existing documentation, evidence and artifacts collected across the organizational CMDB, SDLC Tollgates (Permit to Build, Permit to Operate), ITSM, CI/CD Tools, and the bank's existing BCDR documentation and exercises. Application profiles were built in advance to provide a ‘low-touch’ assessment that avoided unnecessary disruption of application development teams, enabling a target goal of <15 minutes of each individual application owner's time.

Each assessment was data warehoused for analysis and correlation of themes, root causes, and gaps in control implementation, so that these could be visualized by senior leadership and effectively prioritized within investment constraints.

Additionally, a roadmap of improvements to existing DR exercises, tabletops and training was developed, emphasizing the modern implications and effects of Cyber Scenarios, lateral movement, and data theft.

Results

  • A repeatable framework and factory approach was built that could scale a 100+ cyber resiliency control statement assessment to 500+ critical business applications within the required timeframe
  • Analytic tooling was built that could cover evidence-driven assessments for Cyber Resiliency and be adapted to other Risk Assessments
  • Education and acceptance across Business Continuity and Disaster Recovery leadership around key enhancements needed to bridge the gap from traditional Disaster Recovery to recovery from Cyber Exploits
  • Enhancements to the existing Technology Control Framework, Architectural Standards, and Backup and Recovery strategy to accommodate improved Recoverability from Cyber attacks
  • A prioritized list of actionable gaps and recommendations across IT service provider teams and Application owners, netted against existing organizational improvement programs
