Technology Information Security Case Study
Rajeev is the Chief Technology Officer of a SaaS vendor.
The company has grown from 30 to 400 customers in less than two years.
Information Security Concern
Rajeev knows that his firm’s information security hasn’t scaled up with their customer base, and that a range of challenges need to be addressed:
- Demonstrating security/compliance with a wide variety of different standards (e.g., NERC, HIPAA, PCI, FISMA) to satisfy a growing client base.
- Finding a way to reduce the number of questionnaires that need to be filled out, and the number of third-party audits the company is subject to.
- “Cleaning up” policies, standards, and procedures, and then updating them to address the new markets they are serving.
- Improving their ability to detect and respond to incidents in a manner that is demonstrable to customers.
Information Security Approach
Pivot Point Security worked with Rajeev and his team to analyze various options, and helped them come up with the right combination of activities to meet their specific requirements.
Rajeev and his team decided to:
- Conduct an ISO 27002 Gap Assessment to gauge their current security posture and identify the gaps that require mitigation. The gap assessment was cross-mapped to the standards (e.g., FISMA, NIST, HIPAA) referenced by existing client contracts, so that all of their compliance requirements were addressed with a single control assessment.
- Conduct an Application Design Review, a Network Vulnerability Assessment, and an Application Vulnerability Assessment/Penetration Test in accordance with OWASP guidance, to ensure that the application and the system that hosts it were secured in a manner consistent with best practices. The attestation letters from these tests, combined with the results of the gap assessment, formed the basis for attestation to existing and new customers.
- Select and implement a Security Information and Event Management (SIEM) solution to monitor logs from the critical security controls in the solution, and support the SIEM by developing a Security Incident Response Plan.
We continue to work with Rajeev and his team as “on-call” SMEs (Subject Matter Experts) for SIEM operation, as well as acting as Outsourced Incident Response. Still to execute:
- Updating the System Development Lifecycle to better address security throughout the lifecycle.
- Integrating Vulnerability Assessment data with Security Event data to better contextualize security logs.
- Beginning the migration to ISO 27001 to further reduce questionnaire and client audit obligations.
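The second item above, joining vulnerability assessment data to security event data, is the one that a detection team can prototype in a few dozen lines. The script below is an added example and is not code from Pivot Point Security or from the SaaS vendor in the case study: it indexes a (constructed) vulnerability-scan export by host and port, parses (constructed) key=value SIEM log lines, and raises the priority of an event only when the attacked host is actually vulnerable on the targeted port. The log format, the finding schema, the `SCAN-*` identifiers and all sample hosts and addresses are assumptions made for illustration.

```python
"""Correlate SIEM security events with vulnerability-scan findings for the same
asset, so an alert against a host that is actually vulnerable on the targeted
port is prioritised over the same alert against a patched host.

Added example, not code from Pivot Point Security or the SaaS vendor in the
case study. The key=value log format, the finding schema and all sample data
below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class VulnFinding:
    """One row from a (constructed) vulnerability-scan export."""
    host: str
    port: int
    finding_id: str  # the scanner's own finding identifier (sample values only)
    title: str
    cvss: float


@dataclass(frozen=True)
class SecurityEvent:
    """One security event as parsed from a (constructed) key=value log line."""
    host: str
    dest_port: int
    signature: str
    src_ip: str


@dataclass
class EnrichedEvent:
    event: SecurityEvent
    matched: List[VulnFinding]
    priority: str  # "critical", "high", "medium" or "low"


def normalize_host(host: str) -> str:
    """Scanner and SIEM often disagree on case and trailing dots; unify them.
    Domain suffixes are deliberately kept to avoid cross-domain false matches."""
    return host.strip().lower().rstrip(".")


def parse_event(line: str) -> SecurityEvent:
    """Parse a 'k=v k=v ...' line. In this toy format values contain no spaces."""
    fields = dict(token.split("=", 1) for token in line.split())
    return SecurityEvent(
        host=fields["host"],
        dest_port=int(fields["dport"]),
        signature=fields["sig"],
        src_ip=fields["src"],
    )


def index_findings(findings: List[VulnFinding]) -> Dict[Tuple[str, int], List[VulnFinding]]:
    """Group findings by (normalized host, port) for O(1) lookup per event."""
    index: Dict[Tuple[str, int], List[VulnFinding]] = {}
    for finding in findings:
        index.setdefault((normalize_host(finding.host), finding.port), []).append(finding)
    return index


def priority_for(matched: List[VulnFinding]) -> str:
    """Rank by the worst CVSS score among findings on the attacked port.
    No finding on that port means the event is still logged, but as low."""
    if not matched:
        return "low"
    worst = max(finding.cvss for finding in matched)
    if worst >= 9.0:
        return "critical"
    if worst >= 7.0:
        return "high"
    return "medium"


def enrich(log_lines: List[str], findings: List[VulnFinding]) -> List[EnrichedEvent]:
    """Attach matching findings and a derived priority to every parsed event."""
    index = index_findings(findings)
    enriched: List[EnrichedEvent] = []
    for line in log_lines:
        event = parse_event(line)
        matched = index.get((normalize_host(event.host), event.dest_port), [])
        enriched.append(EnrichedEvent(event, matched, priority_for(matched)))
    return enriched


# Constructed sample data: a small scan export and three SIEM events.
SAMPLE_FINDINGS = [
    VulnFinding("web01.example.com", 443, "SCAN-0001", "Outdated web framework, remote code execution", 9.8),
    VulnFinding("web01.example.com", 22, "SCAN-0002", "Weak SSH key-exchange algorithms enabled", 5.3),
    VulnFinding("db01.example.com", 5432, "SCAN-0003", "Database accepts unencrypted connections", 6.5),
]

SAMPLE_LOG_LINES = [
    "host=WEB01.example.com. dport=443 sig=SQLi_attempt src=203.0.113.5",
    "host=web01.example.com dport=22 sig=SSH_brute_force src=198.51.100.7",
    "host=db01.example.com dport=22 sig=SSH_brute_force src=198.51.100.7",
]


if __name__ == "__main__":
    for item in enrich(SAMPLE_LOG_LINES, SAMPLE_FINDINGS):
        ids = ",".join(f.finding_id for f in item.matched) or "-"
        print(f"{item.priority:8} {item.event.host}:{item.event.dest_port} "
              f"{item.event.signature} findings={ids}")
```

Run as a script, the first event (SQL injection attempt against a host with a critical finding on port 443) comes out as `critical`, the SSH brute force against a host with only a medium finding on port 22 as `medium`, and the SSH brute force against a host whose only finding is on another port as `low`. In production the same join would be keyed on an asset identifier rather than hostname, and findings older than the scan cadence would be flagged as stale rather than trusted.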
You might say that their information security prognosis is excellent!