Content+Cloud is becoming Advania
From 14 November 2023, Content+Cloud will be rebranded as Advania, two years after our acquisition b...
Case Study: The AA
Founded in 1905, The AA is one of Britain’s oldest motoring associations, providing vehicle insurance, breakdown cover, driving lessons and other motoring-related services. More recently, the business has expanded to include accommodation, travel and restaurant reviews.
- Service Areas Professional Services, Cyber, GRC Consultancy
- Industry Transport
- Organisation Size 150 people
- Completion date June 2022
1
Delivered in accordance with accepted security good practices
2
Independently testing application security via a third party and validated as secure
3
Successful security testing by the Google Play Store and Apple’s App Store
4
No last-minute security bugs or security fixes required delaying the release of the application
Having previously launched new services to meet present-day needs, and to enhance their already-established reputation and business model, The AA wanted to offer a modern motoring experience using cutting-edge technology.
This meant building a new platform, one which The AA envisioned as the ‘ultimate car care companion’. To successfully achieve this, The AA needed to merge governance and risk management with technological innovation, and carefully plan to ensure that any new technology met all relevant industry and government regulations from the ground up.
Challenge
With the goal of achieving further modernisation and scalability, The AA wanted to create and launch a cutting-edge mobile app, called AA-X. The app aimed to revolutionise and simplify the way motorists can review and maintain their vehicle’s health.
The app was built to collect data from vehicles and use artificial intelligence (AI) to help drivers keep everything running smoothly. If a problem was detected, the app could book the car into a garage, or schedule an AA Mobile Mechanic to attend. As well as many other functions, AA-X would allow drivers to improve their understanding of battery and engine maintenance and recognise small issues before they become costly repairs.
This innovative approach to vehicle maintenance required careful planning and design. Although the app development could be outsourced, it became clear during its creation that The AA needed to look outside for the necessary expertise in information security governance, risk, and compliance (GRC). A consultative and experienced information security resource was needed to ensure that their new platform would offer a secure and safe user experience.
The AA wanted to leverage their existing knowledge of mechanics and engineering with the newest technology available. With its their desire to process user data, The AA needed expert information security support to complete the project.
To guarantee good governance practices were applied from the ground-up, enabling them to achieve their goals, The AA sought a partner who could deliver GRC consultancy and guidance promptly and successfully.
Approach
Given its expertise in delivering information security consultancy (across discovery, advisory, implementation and assurance), Content+Cloud’s GRC Consultancy Team was selected to conduct this work. Our team had previous success in supporting The AA’s own internal Information Security Team, integrating security into business processes.
We delivered information security consultancy in alignment with The AA’s GRC requirements, which included first digesting The AA’s suite of information security policy suite and supporting documentation.
Once this was completed, this enabled our consultant to act as an extension of The AA’s Information Security function – ensuring that application development conformed to the business’ own security standards and was within its risk appetite and tolerance.
Within the advisory role, the primary aim was to help communicate and advise upon good security practices – balancing the business’ objectives with appropriate risk management to ensure the project stayed secure-by-design and default. This also supported technical security assurance, helping to build in processes where the application was subjected to vulnerability management during its development lifecycle.
We developed a structured approach to identify and articulate specific security requirements associated with the project and collaborated with key client business and technical stakeholders to support the delivery of objectives.
Content+Cloud’s consultant Raghbir joined as an extension of the InfoSec team at a time when we were under-resourced and needed an experienced security consultant. Imran Knight, Senior Information Security Consultant, Group Risk and Compliance, The AA
Solution
Deploying one of our expert GRC Consultants meant that we were able to:
- Act as The AA’s primary security advisor offering guidance and recommendations throughout the project.
- Review and analyse The AA’s security policies to ensure a comprehensive understanding of the client’s security framework.
- Relay information and guidance around good practices and regulatory requirements to the project team.
- Respond to information security-based questions raised by the project team to offer clear understanding of security implications and considerations.
- Provide structure for AA-X security requirements and communicated these to The AA’s third-party application developer.
- Co-ordinate with The AA’s wider Information Security Team on the project’s ongoing progress.
- Conduct risk assessments, develop risk mitigation strategies and implement appropriate controls to address threats and vulnerabilities.
- Assist in development of security awareness and training for stakeholders, promoting a culture of joint responsibility and emphasising the critical importance of compliance.
Outcomes
Our GRC consultant played a pivotal role in ensuring:
- Effective security governance, risk management and compliance throughout the project
- The client’s activities were aligned with industry standards and good practices
- The organisation’s overall security objectives were met
- The AA were able to include effective security-by-design in their new app
- Successful application launch on two app vendor platforms (Google Play and Apple App Store)
Ultimately, the key outcome based our GRC Consultant’s work was the release of a secure application which was verified as such through independent third-party testing.
By working closely with the delivery teams and other key stakeholders every step of the way through AA-X’s lifecycle, we established the principle of security by design which meant that no nasty security-related surprises arose in the final stages of development.
This eliminated the need for last-minute security fixes which inevitably result in delays and additional overheads – something The AA was keen to avoid.
Raghbir picked up The AA’s security policies and standards quickly and was invaluable during this period; his broad and deep knowledge of security was evident. It was the right person and the right time, and the result has been the successful launch of the MVP app with little engagement needed from the core information security team.Imran Knight, Senior Information Security Consultant, Group Risk and Compliance, The AA
The Future
Following the completion of our GRC consultancy, The AA launched AA-X on both the Google Play and Apple App Store.
Should The AA require additional support for a major release of the app or for any other consultancy, Content+Cloud’s GRC Consultancy Team will be on hand again to act as an extension to its internal information security function.
