20 May Client Story: Reducing Information Risk in Financial Services
Client Story:
Reducing Information Risk in Financial Services
THE CHALLENGE
Our client, a leading financial services provider, wanted to reduce the amount of unnecessary sensitive information held across the organisation. The enterprise had undergone significant change after several mergers and acquisitions, and information management was no longer aligned with best practice policy and regulatory obligations.
To achieve this, they needed to understand the information they held, assess the sensitivity, review the information, and remediate in line with operational requirements.
In the light of highly publicised data breaches, and to remediate internal audit findings, the organisation engaged InfoCentric to assist.
OUR BREIF
- Scan key document repositories such as network drives, SharePoint, Teams and OneDrive, to identify files containing Personal Information.
- Categorise and rank the risk associated with each file, enabling the production of (i) quantified risk exposure report and (ii) prioritised remediation action plan.
- Develop a set of appropriate treatments to comply with obligations, such as removal of files, archival, retention or application of other controls.
- Engage with subject experts across the enterprise to review each file and offer treatment.
- Support each business stream and provide ongoing visibility of progress and risk reduction to senior leadership.
OUR APPROACH
The InfoCentric Team used our InfoSure Service comprising our unique technology, platform, processes and methodology, to help the client meet their objectives.
Working closely with internal stakeholders, the team deployed and continually refined scanners to detect files containing Personal Information. The scanners were performance oriented, able to process hundreds of millions of files throughout the engagement. The scanners were equipped with Natural Language Processing technology to ensure results were accurate and to reduce false positive findings.
The remediation activity took place in parallel with the scanning, where each SME was fully briefed with context and a set of files, supported by valuable insights on file age, location, sensitivity, and other metadata to allow for highly efficient review and treatment.
We gave the client access to reporting via dashboards, showing outstanding sensitivity risk reduction as the engagement progressed. Additionally, full auditability and decision-making logging was provided for future consideration.
KEY OUTCOMES
The numbers associated with the engagement spoke for themselves:
- Over 100m individual files were scanned.
- Approx. 10% of files were considered to have a significant amount of Personal Information and were remediated.
- Over 650 subject matter experts, across more than 180 business teams, were engaged in the review and remediation process.
In addition to the raw numbers, the team was able to provide significant business value:
- Identified significant system and process enhancement opportunities to avoid recurrence.
- Aided in the response to multiple data breach incidents, providing immediate insight regarding the potential exposure from the threat actor’s movements.
- Identified and remediated very significant unknown information assets, such as log files and customer data extracts, both recent and historic.
IN CONCLUSION
The InfoCentric Team was able to meet and exceed the key objectives of the engagement:
- Significantly reduced the amount of sensitive information (specifically PI) that was unmanaged.
- Applied controls across the enterprise to ensure sensitive information was well managed.
- Quantified, located and help mitigate risk around sensitive information that was to be retained.
- Ultimately, InfoCentric helped the client carry forward only valuable information, and leave behind the risk.