Comprehensive Security Assessment Drives Cyber Maturity For a Leading Cancer Research Organization

THE CUSTOMER

The EORTC operates in a highly regulated sector where clinical trial data is collected in large quantities. Even though this data is anonymised and complies with the strictest data protection standards, no organisation can be fully immune to cybersecurity threats today. As a rule, organizations are imposed with significant fines for failing to fulfil their data protection obligations for all sensitive and personal data protected under the EU-wide GDPR. Given the cutting-edge therapies, treatments, and drugs the EORTC is also involved in trialling and developing, IP flowing through its IT systems, it can potentially be a prime target for threat actors. These could be financially motivated cyber-criminals or even nation-state operatives looking to gain an advantage.

Other cyber-risks might stem from the large ecosystem of third-party partners the EORTC works with, including clinicians/doctors, hospitals, researchers, and pharmaceutical companies, among others. These collectively could represent a significant supply chain risk.

Advantio offered EORTC its initial Cybersecurity Maturity Assessment free of charge (an in-kind contribution).

“Our team, mainly working on compliance with clinical trials regulations, had the opportunity to see how the Cybersecurity Maturity Assessment by Advantio tackles similar concepts in the field of cyber-security. Good Clinical Practices share many common goals and techniques with IT security best practices. The risk-based approach is certainly one of them.”

– Pascal Ruyskart
Head of the EORTC Information Technology department

ADVANTIO’S SOLUTION

The Cybersecurity Maturity Assessment by Advantio is a framework for assessing security posture which allows organizations to make strategic risk-based decisions about where to target their investments. It focuses on internal policies, external standards, and compliance.

Advantio's holistic methodology focuses on IT and cybersecurity business functions, enabling organizations to:

• Understand their security posture via a qualitative maturity assessment, combining process maturity, risk assessment, and project management
• Reduce operational risk by putting in place effective controls for security, privacy, business continuity, governance, and compliance
• Deliver value through a more efficient assignment of resources and budget management, improved visibility into the value delivered by risk management, and engaging the business in risk-based decisions

Advantio was engaged to perform its assessment on EORTC’s IT department. This was done in two separate stages, between July and August 2019. First, an onsite assessment rated the maturity of the EORTC’s processes and related adoption. Next, a black box penetration test was performed on its external web-facing applications.

THE BENEFITS

Thanks to a comprehensive Cybersecurity Maturity Assessment, Advantio was able to provide the EORTC with a full maturity assessment report and maturity score. This gave the customer a good sense of potential security gaps. An implementation plan with timelines and costings provided more information on how the EORTC could go about putting these changes into practice.

In the end, the EORTC was able to gain invaluable awareness of the potential level of cyber risk facing the organization. With this visibility and a concrete action plan, it was able to take practical steps to further improve its cybersecurity operations and build more rigorous defences against commodity attacks. The organization is now more resilient from a security posture perspective than it was pre-assessment.