Information Security Case Study
Nishant had informally "inherited" the role of CSO, but was too busy with operations to give it the due diligence it required.
Responding to customer information security questionnaires and audits was consuming an ever-growing share of his time. He needed help.
Information Security Concern
Nishant was worried that the level of attestation his clients demanded was increasing each year, and that his company might start losing customers if it couldn't do a better job. His challenges included:
- Providing evidence to current and prospective clients that the new colocated data center and web application were secured in a manner consistent with prevailing good practice.
- Understanding the information security and compliance obligations his company needed to meet. Nishant was uncertain of the security and compliance requirements "buried" in the "drawer full" of contracts the company had signed. The company's lawyer had also been hesitant to formally define their obligations under PCI DSS, HIPAA, the FTC Red Flags Rule, the Massachusetts data security law, and other regulations to which they might be subject.
- Determining the approach to attestation that would actually improve their security posture, simplify the process, reduce the time spent on it, and satisfy their customer base.
Information Security Approach
Nishant contacted us after receiving a recommendation from another member of his "technology networking group". Pivot Point Security worked with Nishant and his team to analyze various approaches, and helped them arrive at the right combination of activities for their specific requirements.
Nishant and his team decided to:
- Conduct a security assessment consisting of an external network vulnerability assessment/penetration test, an internal credentialed network vulnerability assessment/penetration test, and an application vulnerability assessment of the key client-facing application. This gave the client base "near term", point-in-time evidence that the application and the infrastructure supporting it were secure. They also conducted a network architecture assessment, including a firewall configuration and rule-base review, to ensure appropriate levels of segregation and to validate that the customer-specific infrastructure rules had been implemented correctly.
- Conduct an ISO 27002 gap assessment of the control environment. The gap assessment output was "mapped" to the five distinct compliance requirements identified by the contract review, which let Nishant view his gaps by law/regulation and/or by customer. We then helped them develop a prioritized road map to drive gap closure.
- Consider various frameworks (e.g., COBIT, ISO 27001, ISO 27002, HITRUST, ITIL) and attestation approaches (e.g., ISO 27001 certification, SSAE 16, Cybertrust) to information security and compliance. ISO 27001 was chosen because of the increasing number of references to it in contracts and new RFPs. Having a proven "cookbook" for information security, and the ability to leverage the certification in marketing, was also important to Nishant.
- Execute an ISO 27001 pre-certification effort including scoping, risk assessment and risk treatment planning, generating a Statement of Applicability, and driving gap closure (policies, procedures, and standards). The effort resulted in a successful ISO 27001 certification within nine months.
We continue to work with Nishant and his team, providing ongoing ISO 27001 internal audit services and subject matter expertise on demand to supplement his staff.
You might say that their information security "references" make them highly employable!