Challenge
A Fortune 100 FSI faced intense regulatory scrutiny during their migration to the Cloud. The client engaged Infinitive to perform a comprehensive gap assessment of its critical technology processes, identify and remediate weaknesses in its control environment, and work with cross-functional teams across the enterprise to develop implementation plans with feasible timelines.
Solution
Infinitive used a cross-referenced, blended framework consisting of industry standards and best practices to evaluate risks and controls for 25 processes, identify and validate issues, and address deficiencies in its portfolio of controls. Our team engaged with associates at all levels of the organization to drive cross-functional collaboration, address risk management imperatives, strengthen governance and monitoring, and establish action plans to remediate gaps in operational processes and oversight. Specifically:
- Leveraged industry standard frameworks (NIST 800-53, NIST CSF, FFIEC) and Cloud-related standards (FedRAMP) to complete a deep-dive evaluation of 25+ processes.
- Developed, implemented, and managed a controls inventory for the Bank’s cloud operating environment to track and report on the lifecycle of gaps from identification through closure.
- Designed and developed control implementation plans to address operational gaps in the bank’s identity and access management (IAM) program.
Outcome
Infinitive strengthened the control environment for the FSI’s enterprise services while reducing its exposure to significant regulatory penalties and reputational damage. In particular:
- Facilitated enterprise-wide remediation efforts across enterprise tech programs and organizations (e.g. Tech Risk, Audit, Cyber).
- Drove the closure of more than 300 gaps across several technology ‘towers,’ such as identity and access management (IAM), cloud governance, IT asset management, and endpoint management.
- Authored and helped operationalize 111 new controls, revised more than ~200 existing controls, and provided updates to 30+ policies, standards, and procedures.
Published September 28, 2022
