ENGAGEMENT
The Security organization for a large financial institution was concerned about its readiness for the forthcoming updated FTC Safeguards regulations. DayBlink Consulting led and managed an FTC Safeguards assessment to help the client evaluate its compliance against the Rule elements and controls. DayBlink Consulting was responsible for gathering information via stakeholder interviews and systems analysis, identifying gap areas, and synthesizing results into a roadmap, formal documentation, and PowerBI data visualizations. Most importantly, DayBlink Consulting assisted with remediating the gaps.
PROBLEM
The Cyber organization was informed that, in roughly 18 months, newly updated requirements (‘Safeguards’) with greater regulatory rigidity would be enforced by the FTC. These updated controls enhanced and extended what was currently required. In addition to an updated control set, the client requested interpretation of several control requirements to ensure agreed-upon definitions. The control set was vague and lacked specific markers for the organization to follow. As a result, DayBlink Consulting served as the support system to ensure comprehensive coverage. The client also required a third party to fairly evaluate the people, processes and technologies under the scope of coverage, identify the gaps and develop a remediation roadmap prior to the enforcement of the regulation. This included not only DayBlink Consulting’s view on the coverage and gaps but also that of third-party legal counsel, which was facilitated by DayBlink.
SOLUTION
DayBlink conducted a controls assessment. The team interviewed over 50 stakeholders, reviewed over 60 policy and standard documents, and inspected key systems and data connections. Each stakeholder review covered the employee’s area of expertise as it related to the FTC Safeguards, including documentation, personnel, key processes, existing identified gaps and more. From the discovery and analysis phase, DayBlink articulated and prioritized the gaps, presented them to security and company leadership as well as the security review board, and ensured appropriate representation of those gaps to the FTC through collaboration with outside legal counsel.
Once finalized, DayBlink developed an 18-month roadmap for remediation and created a set of PowerBI dashboards and tracking documents to ensure that ownership and remediation of the compliance gaps remained on track. DayBlink additionally supported the development of a budget to align on the cost of remediating each of the activities, ranging from must-be-completed-for-compliance to nice-to-have security posture. As the assessment and planning phase concluded, DayBlink Consulting was asked to continue the engagement to manage the remediation program across the technology organization and assist with closing and remediating the gaps. This included ensuring that the timeline and budget across all 15 workstreams of remediation remained on track.
RESULT
Over the course of the six-week assessment, DayBlink identified 108 remediation opportunities across a range of priorities, including both technology and process issues. DayBlink worked with leaders across the organization to ensure their understanding of the relevant remediation findings and their responsibilities, and managed the completion of the activities for over a year beyond the initial assessment. The results of the assessment and the tracking of gap completion were reported monthly by DayBlink across the organization. DayBlink enabled the attestation of compliance within the FTC’s deadline.