Cybersecurity · CESCE: Risk analysis as a common denominator
Our project at CESCE represents a real example that demonstrates the effectiveness of our "Integrated IT Security and Compliance Management Model" under a common axis: risk analysis and management.
At CESCE, we deploy our global IT Security and Compliance strategy
A paradigmatic project in which we managed to combine the synergies and common aspects of the ISO 27001 standard with the applicable security regulation (the National Security Scheme) and privacy regulation (the General Data Protection Regulation). From the design phase to the final audit, through the entire implementation and monitoring process, the project has been successfully completed, achieving ISO 27001 certification of CESCE's Information Security Management System (ISMS).
Taking security risk analysis as one of the axes common to the different regulations, we applied the internationally recognized MAGERIT methodology together with the PILAR tool. By approaching the risk analysis and management process from this multi-standard perspective, we obtained a single roadmap for carrying out security and privacy initiatives, achieving maximum efficiency.
CESCE (Compañía Española de Seguros de Crédito a la Exportación) is one of the most important commercial risk management firms in Spain, present in 9 countries. It heads a group of companies that offers integral solutions for commercial credit management in parts of Europe and Latin America. It is the 4th group in the world and the 2nd in Spain in terms of credit and surety insurance.
CESCE is also the Spanish Export Credit Agency (ECA) that manages export credit insurance on behalf of the State in Spain.
Precisely because of its nature as a state-owned company, CESCE must pay special attention to its Information Security obligations by implementing a system based on the code of practice defined in the UNE-ISO/IEC 27001 standard.
Multiple needs with a common denominator
CESCE identified the need to cover 3 basic axes to bring the processes and security management of its Information Systems into line with current regulations:
- Design, implementation and certification of the Information Security Management System (ISMS), according to the UNE-ISO/IEC 27001 standard. A key requirement is to obtain such certification in the current year (2018).
- Risk analysis and improvement of internal processes to reduce the level of risk in the treatment and use of information.
- Compliance with the regulations in force in Spain: the General Data Protection Regulation (GDPR) and the National Security Scheme (ENS).
We therefore approached this project using our integrated Security and Compliance approach, starting from risk analysis.
We tell you about this experience at CNIS 2018
GRC platform for the integral management of IT and information security processes. It provides support for regulatory compliance and established standards: GDPR, ENS and ISMS (based on ISO 27001), as well as ITIL and ISO 20000 in the area of service management. Integration with PILAR and LUCIA.
The pace set by the digital age requires organizations not only to defend the perimeter and avoid vulnerabilities, but also to deploy a cybersecurity strategy with a 360º approach, covering not only the technological domain but also the physical, organizational and legal ones.