The client is a leading global provider of a broad spectrum of financial services. They were facing security challenges owing to a high-risk security posture caused by inadequate cloud security controls and inefficient security processes.

They engaged Infosys to conduct a cloud security control assessment and remediate a high-severity audit finding.

Infosys identified inherent risks and the false positive cases to efficiently assess the cloud security controls. We further provided a detailed report highlighting the level of risk in their current partner landscape and a remediation roadmap.

Key Challenges

  • Absence of security control assessment for third-party services involving cloud footprint, leaving the company vulnerable to potential attacks and subsequent financial fines
  • Lack of evidence to conduct the cloud control assessment leading to inaccurate reporting
  • Limited baseline data causing delay in closing the assessment process within statutory timeline

The Solution

Empowered security defenses with a secure cloud foundation

  • Analyzed the inherent risk dashboard for third-party services and identified false positives for accurate reporting
  • Identified adequate security control requirements for different third-party services based on criticality of business function and data classification
  • Identified gaps in the vendor’s response vis-à-vis available evidence to analyze deficiencies in security control requirements
  • Performed deep analysis of services lacking cloud footprint and prepared a false positive report with appropriate evidence
  • Provided guidance on vendor risk management specific procedures and templates as per client requirement helping them smoothly onboard the new cloud vendor
  • Performed detailed evaluation of data disposal for third-party services to ensure compliance with NIST standard 800-88 policies and mandates

Benefits

Elevating the cloud security posture with tailored assessment solutions

Reduced the audit severity of risks to third-party services by delivering agreed assessment within stringent timelines


Identified 37 non-adequate and 101 partially adequate security control services to help client determine the level of risk associated with third-party services


Enhanced the security assessment process by identifying 75+ false positives
