
Cybersecurity & Resilience

End-to-end support for defining, implementing, evaluating and improving your cybersecurity and resilience processes and controls. Our offering is organized around 6 areas: Cyber Strategy, Cyber Risk, Cyber Compliance, Cyber Operations, Resilience and Sia Cyber Institute.

Cyber Risk  

Credential 1: Risk Management – Revamping of the worldwide Key Risk Indicators (KRI) reporting

Client: US Branch of a Global Asset Manager 

Sia's Approach 

  • Analyzed the current process and recommended enhancements to the production of the quarterly dashboard
  • Built a comparison matrix of BI tools to support more accurate data analysis, and implemented Tableau dashboards
  • Implemented the new KRI reporting process by integrating a database and the BI framework
  • Developed a Web Application (.NET) in which users input their data and comments and generate the report

Sia's Added Value 

  • The project deliverables were a proposal of 3 options to enhance the production process (adding a database, a GUI or a BI tool) and a comparison matrix for the BI tool. In addition, we developed a tailor-made reporting application (.NET/DevExpress) consistent with the client's IT technologies and policies.
  • The application was developed in an agile mode, with weekly status meetings and weekly deployments so that testing could be performed correctly.
  • Sia Partners has extensive knowledge of the KRI reporting process and has been involved in several projects at the client over time.


Credential 2: IT Risk Assessment of Internet Banking Application  

Client: US Branch of a Global Bank 

Sia's Approach 

  • Assessed the risks introduced by integrating the new Internet banking system into the bank's business
  • Reviewed legal, compliance and governance issues, vendor due diligence and contractual terms, IT architecture, security and privacy controls, and the inherent risks of each functionality of the platform
  • Devised a solution to meet the new CFPB requirements under the Dodd-Frank Act

Sia's Added Value 

  • Performed the risk assessment with 13 areas in scope, ranging from internal controls/processes to integration with external applications and third parties 
  • Provided an after-action report that detailed the strengths and weaknesses of security processes around the banking application 
  • Drafted remediation plans to address security gaps found during the assessment 

Cyber Strategy

Credential 1: Treasury Department – Definition and Selection for Treasury Management, Payments, Fiduciary Accounting, and Reconciliation  

Client: Financial Services, Treasury Department, NY/Toronto 

Sia's Approach  

  • Defined the requirements and the Target Operating Model (TMS, ERP, Reconciliation, Banks, Investments) 
  • Reviewed and assessed the business and technical requirements with the key project stakeholders in order to produce a final RFP questionnaire, which included questions about the Vendor, Software, Implementation Services, Financial Information, Business & Technical Requirements 
  • Ran the RFP process, interviews and reference checks with TS and ERP vendors
  • Recommended and defined a full enterprise solution for Fiduciary Accounting and Reconciliation 

Sia's Added Value 

  • Standardized RFP questionnaire: The questionnaire developed by Sia Partners has been used for several solutions assessment projects. 
  • Third-Party Software Selection Expertise: We have successfully aided clients with sourcing new capabilities and vendors. Examples include case management tools and enhancing financial platforms such as wire payment processing. 
  • We are independent and technology-agnostic, free from provider or reseller conflicts.


Credential 2: Regulatory Affairs – NYDFS Cybersecurity Project Manager 

Client: US Branch of a Global Bank 

Sia's Approach 

  • Contributed to the preparation of all required documentation (Incident Response Plan, Business Continuity Process, Cybersecurity Program, etc.) that demonstrated compliance with NYDFS 500  
  • Developed and managed project plans and all associated documentation, managed milestones, resources, and deliverables  
  • Managed relationships with global and local stakeholders throughout the lifecycle of the project  
  • Prepared all required communication to ensure all stakeholders are always informed of decisions, system downtimes, process changes, etc.  


Sia's Added Value 

  • Assessed all of the requirements and mapped the client’s documents and artifacts.  
  • Interviewed stakeholders to augment the assessment of artifacts.  
  • Created a file folder structure to facilitate audit by the regulator.   
  • Submitted a report summarizing observations, gaps and recommendations for remediation, with prioritization.  
  • Sia’s assessment provided comfort for the client to submit its annual attestation to the NYDFS.


Cyber Compliance

Credential 1: SWIFT Customer Security Control Framework Assessment 

Client: US Branch of a Global Bank 

Sia's Approach 

  • Provided advice on the SWIFT requirements to all the US Operations of this Global Bank (4 locations)
  • Gathered information on the mandatory and advisory security controls by reviewing the existing policies, procedures, governance/organization and practices surrounding the controls, examining the evidence of the controls' implementation, and interviewing the stakeholders needed to complete the review
  • Performed a gap assessment for the US Operations against each of the control statements in the SWIFT CSCF, as well as against industry best practice
  • Created test cases and performed in-depth testing on a sample of controls to verify their implementation across all locations
  • Proposed recommendations to company management to address the identified gaps, while remaining mindful of the company's internal structure and situation

Sia's Added Value 

  • Sia Partners is a SWIFT-Approved Preferred Vendor.
  • Our IT Risk Team has significant expertise in conducting IT/Cybersecurity Audits and Risk Assessments, NYDFS Part 500 assessments, and IT Vulnerability Assessments.
  • We discovered several gaps in controls and provided the client with improvements and processes to implement.


Credential 2: FedLine Security Assessment  

Client: US Branches of a Global Bank 

Sia's Approach 

  • Conducted an assessment of the client’s compliance with the FedLine Security and Control Procedures requirements at the NY, Chicago and LA branches
  • Reviewed interview responses and documents to understand the current state of capabilities for FedLine Advantage, Web, Direct and Command
  • Compared the current state to the FedLine Security and Control Procedures requirements to identify synergies and gaps
  • Defined a remediation plan to address the gaps and deficiencies identified in the assessment
  • Wrote a summary report on the client’s compliance and on the gaps identified against the controls of the Federal Reserve Banks’ FedLine security requirements

Sia's Added Value 

  • The assessment of FedLine Web, Advantage, Direct and Command identified 6 inconsistent processes across the US Branches.
  • The assessment categorized control observations as Meets the Requirement, Low, Medium or High priority. The gaps were scored on a Risk vs. Effort matrix for remediation, and each gap was accompanied by a recommendation.
  • Sia Partners’ assessment provided comfort for the client to submit its annual attestation to the Federal Reserve.

Cyber Operations

Credential 1: IT Security antivirus and scanning tool deployment project 

Client: APAC Branch of a Global Bank

Sia's Approach 

  • Managed the McAfee Advanced Threat Defender (MATD) roll-out project for the CIB IT Security team in APAC
  • Framed and deployed Nexpose (server vulnerability and compliance scanning) for the same entity
  • Ensured day-to-day project steering, e.g. preparation of project plans, bi-weekly working committee meetings, and weekly status reports for each project to the APAC IT Security PMO and all stakeholders
  • Liaised with the Global project team and ensured that each project implementation stayed in sync with Group expectations
  • Coordinated the relationship with the respective vendors for the SoW and professional services engagement

Sia's Added Value 

  • Involved legal and procurement teams to adhere to the Bank’s compliance and sourcing guidelines 


Credential 2: IT Vulnerability Penetration Testing – IT Vulnerability Scan of the Internet Banking Website

Client: US Branch of a Global Bank 

Sia's Approach 

  • Assessment – Planning, including ascertaining the level of written approval required from the vendor and identifying any required testing windows (e.g. timeframes)
  • Vulnerability Scanning – Running the Nessus automated vulnerability scanning tool to identify possible weaknesses in the application
  • Analysis and Analytics – Analyzing the scan results to identify relevant control issues, with supporting evidence
  • Reporting – Producing a report that gives full details of the issues identified, with recommendations on a prioritized basis

Sia's Added Value 

  • A globally distributed team of penetration testers, allowing for 24/7 testing coverage and off-business hours testing. 
  • Personalized technical vulnerability reports with clear impact ratings and detailed remediation guidance. 
  • Seamless integration with our other security offerings for a 360° view of cybersecurity risk.

Cyber Resilience

Credential 1: Incident Response Plan Testing 

Client: US Branch of a Global Bank 

Sia's Approach 

  • Developed exercise workshop materials based on information obtained from the client's stakeholders, in order to test and assess the client’s Incident Response Plan and capabilities.
  • Facilitated the tabletop exercise on site and managed it so that attendees remained engaged and challenged throughout.
  • Provided an objective assessment of gaps and shortfalls in plans, policies and procedures, identifying areas for improvement before a real-world incident occurs.
  • Drafted an After-Action Report capturing our assessment of current strengths and areas for growth, with concrete recommendations on how to further mature the teams.

Sia's Added Value 

  • Sia has a 3-step approach for conducting cybersecurity tabletop exercises that enables our clients to improve the quality of their incident response plan.
  • Sia uses the SANS Incident Response Lifecycle as the framework for assessing Incident Response capabilities.
  • Clients receive an After-Action Report (AAR) summarizing the exercise and its learnings. The report is drafted and reviewed with management before the final version is distributed.


Credential 2: Ransomware Attack on SAP System 

Client: US Global Agri-chemical Company 

Sia's Approach 

  • Analyzed the client’s BCR/DRP capabilities and tested the efficiency of the Cyber Incident Response Plan (CIRP).
  • Facilitated a formal tabletop exercise for the client’s U.S. and Brazil offices that tested key processes within the organization, such as Order Entry/Order Processing, Shipping, Invoicing and Accounts Receivable. Provided recommendations in the After-Action Report for mitigating and remediating the cyber risks identified during the exercise, so that the takeaways could be implemented on a global scale.

Sia's Added Value 

  • Sia developed a realistic cyberattack scenario to highlight the vulnerabilities and business continuity capabilities of the business in Brazil, including the need for clarity on how to communicate with trading partners.
  • The client realized that intercompany communications and incident response/BCP training should be enhanced.
  • The exercise highlighted the need for the business to define explicit escalation triggers and to enhance its BCP documentation.


Sia Cyber Institute

Credential 1: Cybersecurity Awareness Program – Social Engineering (Phishing, Vishing) and Training  

Client: US Branch of a Global Bank 

Sia's Approach 

  • Deployed KnowBe4 for the client branch across all users.
  • Ran a monthly phishing/vishing exercise for all Bank employees.
  • Delivered cybersecurity awareness testing, training, governance and reporting for all Bank employees.
  • Followed up with repeat offenders; clicks on phishing tests went from 30 to 3 after 2 months.

Sia's Added Value 

  • Deep expertise in social engineering techniques such as phishing and vishing.
  • Increased awareness by helping users recognize potential social engineering and impersonation attacks.