Home > Case studies

Case Study

Compliance program implementation according to the CIS Benchmarks

Power BI technical lead validating data
Industry
  • Insurance
  • Major French multinational company

Challenge

Implementation of a compliance program according to the CIS Benchmarks framework – from the Center for Internet Security (CIS) – for 17 subsidiaries of an insurance sector client, and development of a monitoring strategy aligned with the various TAIR, SAF, and other monitoring frameworks used by the group:

  • Implementation of controls across 18 domains, including: Access Control, Endpoint Protection (EDR / SEP), Web & e-mail gateway, Firewall, Network, HIPS (Host-based Intrusion Prevention System) & HIDS (Host-based Intrusion Detection System), Mobile, Workstation, Servers, Web Servers, Virtualization, Patching, Database, Cryptography, Public Cloud, Collaboration, Active Directory (AD), and Mainframe.
  • Live monitoring via Power BI for 114 KPIs.
  • Challenge the data reported by Power BI and validate its accuracy and quality.
  • Define the scope of application for each subsidiary and the specific features of their tools not covered by the program in order to define the manual reporting to be created with the subsidiary.
  • Establish quarterly monitoring committees with the subsidiary and the group to share scores and to monitor remediation efforts for corrective action in the event of non-compliance (minimum score: 95.4%).
  • Respond to audits and share progress with other SAF or TAIR teams through security committee meetings.

Solution

  • Work with the group’s technical team to create, test and correct technical baselines. 
  • Implement KPI indicators, design and deploy a centralized dashboard for monitoring compliance scores.
  • Implement a Power BI dashboard to enable automatic data upload from systems not covered by the program, and implement a SharePoint system for evidence management in the case of manual reporting. 
  • Respond proactively to the group's feedback each quarter by providing subsidiaries with accurate data on their compliance status and proposing preventive measures in collaboration with the dedicated teams. 

Methodology

RUN.

Technologies

  • Power BI
  • EDR
  • SEP 
  • Bitsight
  • ProofPoint
  • Vulnerability Qualys
  • VulScan 
  • Horus
  • SIEM (Security Information and Event Management)
  • SOC (Security Operations Center)
  • Cisco
  • Palo Alto

Timeline and resources

Major milestones each quarter: 

  • Compliance program team: 2 resources.
  • Client team: 2 offshore resources and a Power BI technical lead.
  • Functional and strategic team: 7 cybersecurity consultant leads covering the scope of the 17 subsidiaries.
  • Remediation team: Transformation & RUN team: 30 resources depending on the expertise.

Results and customer experience

With this project, the client achieved:

  • Strengthening of security posture.
  • Standardization of practices.
  • Performance management and key topics organization.
  • Efficiency in execution by improving the organization of tasks, establishing effective project management, and anticipating feedback and audits.
  • Collaborative and cross-functional approach between teams, making progress measurable across each of the 114 KPIs, standardizing practices to simplify monitoring, and optimizing security management across all 17 subsidiaries.