Financial Information Security Case Study

About Michelle

Group 183

Michelle is a CSO of an internationally recognized financial services company.

She started the year with several initiatives aimed at addressing risks of concern.

Acquisitions and consolidations (with associated outsourcing) have dominated her team’s time to date.

The risks haven’t gone away… and now she has some new ones. She needs help.

Information Security Concern

Michelle is worried. She’s a bit worried about the risks she knows about. She’s very worried about the risks that she’s less sure about – especially those associated with the recent acquisition of a Private Equity firm and the outsourcing of their investor communications. Adding insult to injury, Internal Audit is on its way and the key system on their internal audit plan is one she had intended to assess and “clean up” this year. Her current challenges include:

✔ Understanding the magnitude of the risk around her firm’s database infrastructure. FTC Red Flag, Mass Law, and looming SEC legislation on data breaches coupled with Ponemon’s high price tag make getting her arms around database security practices a priority.

✔ Assessing the Information Security posture of the Private Equity firm in advance of fully collapsing the infrastructure.

✔ Extending their Third Party Risk Management program to include Information Security/Compliance to simplify the process of validating security/compliance prior to entering into an agreement. Integral to the effort is establishing the mechanisms to validate the security posture on an ongoing basis (an audit finding the previous year).

Information Security Approach

Michelle contacted us after seeing a PPS principal speak at the FBI’s International Conference on Cyber Security. PPS helped Michelle and her team explore the various approaches to addressing these issues, and pinpoint the right combination of activities to meet their specific requirements.

Michelle and her team decided to:

✔ Conduct a Database Security Assessment that included Database Discovery, Configuration Assessment, Vulnerability Assessment, System Audit review, and Privileged User Management review. The focus of the engagement was to determine if all databases of note were in the asset database, which databases contained Personally Identifiable Information, the extent to which encryption/scrubbing was being used, and whether the way applications consumed data presented a risk. The engagement also ensured that privileged user access was restricted to the maximum extent possible, and logged/monitored in accordance with good practices.

✔ Conduct a security assessment that included a credentialed network vulnerability assessment/penetration test against the infrastructure of the new Private Equity firm. By using a credentialed vulnerability assessment, risks associated with the configuration of the operating system and the applications installed (e.g., unpatched versions of Adobe or Office) could also be ascertained. An application vulnerability assessment and penetration test of a key client-facing application was also conducted.

✔ Develop a Vendor Risk Management program for Information Security/Compliance. The approach they chose aligned with ISO-27001 Risk Management concepts, in that the program calls for each contract to define the key risks that need to be addressed by the vendor’s Information Security Management System (as opposed to the controls that should be in place). Further, the contracts specify the vendor’s responsibility to provide key attestation on an ongoing basis to demonstrate contract compliance.

✔ Conduct a “quick”  Application Security Assessment in advance of Internal Audit’s visit. This, coupled with the Database Security Assessment, allowed Michelle and her team to work with the application team to address all major deficiencies in the application prior to the audit.

We continue to work with Michelle as an extension to her team to ensure that key security and compliance initiatives stay on track – no matter what operational issues crop up that consume her core team’s bandwidth. Next up: Gauge their overall Security Posture via a BITS Shared Assessment.

You might say that their “Information Security forecast looks bullish”!