<?xml version="1.0"?><rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title><![CDATA[CASE STUDIES - GSM Consulting Pty Ltd]]></title><link>http://www.gsmit.com.au/</link><description><![CDATA[]]></description><language>en-us</language><pubDate>Sun, 05 Sep 2010 12:19:12 -1000</pubDate><lastBuildDate>Sun, 05 Sep 2010 12:19:12 -1000</lastBuildDate><webMaster>sfrench@gsmit.com.au</webMaster><item><title>How a transport company saved $90k on a technology solution by defining business requirements first </title><link>http://www.gsmit.com.au/case-studies/how-a-transport-company-saved-90k-on-a-technology-solution-by-defining-business-requirements-first/</link><description>How defining the Information security business requirements before implementing technology saved a national transport company approx $90K. Client&apos;s Challenge A national transport services and...</description><content:encoded>&lt;p class=&quot;size11&quot;&gt;&lt;strong class=&quot;size11&quot;&gt;How defining the Information security business requirements before implementing technology saved a national transport company approx $90K.&lt;/strong&gt;&lt;/p&gt;
&lt;p class=&quot;size11&quot;&gt;&lt;span class=&quot;size11&quot; style=&quot;text-decoration: underline;&quot;&gt;Client&apos;s Challenge&lt;/span&gt;&lt;/p&gt;
&lt;p class=&quot;size11&quot;&gt;A national transport services and manufacturing company was in the midst of acquiring an interstate competitor. Because the company being acquired had old and unreliable systems, it was decided that remote access into a crucial application would have to be provided for all of the acquired company&apos;s external customers, partners and employees in order to provide a higher level of service and win additional government transport service contracts within that state. Upgrading the network was not an option due to application and hardware age.&lt;br /&gt;Internally, disagreements existed between the CFO and IT Manager regarding the solution presented and associated costs, as well as between the MDs of each division regarding access into centralized services and whether this would open up additional security issues. With the varying degrees of disagreement and the acquisition pending, the CEO sought expert independent analysis and advice.&lt;/p&gt;
&lt;p class=&quot;size11&quot;&gt;The challenge was to provide the business with the necessary remote access service and provide key recommendations in relation to solutions that the key stakeholders would agree were cost-effective and provided the required levels of protection.&lt;/p&gt;
&lt;p class=&quot;size11&quot;&gt;&lt;span style=&quot;text-decoration: underline;&quot;&gt;&lt;span class=&quot;size11&quot;&gt;GSMiT&apos;s Advisory Solution&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p class=&quot;size11&quot;&gt;GSMiT was retained to help the company define how to perform an Information Security Review in relation to this particular crucial application, define gaps and make recommendations with regard to mitigating the risk to an acceptable level.&lt;br /&gt;After an initial pre-analysis meeting with all Business and IT stakeholders, the scope of the project was limited, to begin with, to this single application. Stakeholders were defined, expectations recorded and information required from the client prior to the first workshop was identified.&lt;/p&gt;
&lt;p class=&quot;size11&quot;&gt;&lt;span class=&quot;size11&quot;&gt;GSMiT&apos;s initial workshop and interviews were conducted with the Senior Business stakeholders of the crucial application. We led and facilitated a workshop to ascertain regulatory and organizational information requirements, rate the sensitivity of information against key impact criteria, and gain an understanding of the current access environment (Who, When, How, Media used, Storage). This was then compiled into a report for the stakeholders to verify and validate as the correct interpretation of their requirements, and of how they had rated information in relation to Confidentiality, Integrity, Accountability, and Availability.&lt;/span&gt;&lt;/p&gt;
&lt;p class=&quot;size11&quot;&gt;&lt;span class=&quot;size11&quot;&gt;GSMiT then proceeded to hold individual interviews with the key IT Stakeholders, which enabled identification of current and proposed controls from a holistic perspective. Once all had been identified, we facilitated a workshop with all IT stakeholders and rated these controls for strength and effectiveness, providing a neutral and unbiased perspective on how efficient they really are. Using the information gained from both of the previous stages, GSMiT then matched the controls to the information ratings provided by the business, which identified existing gaps, and made recommendations to close these gaps. A comprehensive report was prepared and presented to the Business Stakeholders. It set out, in a very clear and easy-to-understand format, the information considered crucial, the ratings assigned to it, the access environment, the access controls and their effectiveness, the existing gaps, and recommendations to minimise these gaps to acceptable levels.&lt;/span&gt;&lt;/p&gt;
&lt;p class=&quot;size11&quot;&gt;&lt;span class=&quot;size11&quot; style=&quot;text-decoration: underline;&quot;&gt;Impact On Client&apos;s Business&lt;/span&gt;&lt;/p&gt;
&lt;p class=&quot;size11&quot;&gt;As a result of the work we performed, the company resolved the disagreements between the various divisions and colleagues within the company. By identifying the business requirements and all associated analysis components in relation to the application information, holistic controls could be matched effectively to mitigate the risk to acceptable levels. This particular company shaved approximately $90k off the initial cost of the technology solution that was originally presented for 1200 users. The technology was still installed for a smaller number of users (approx 300) accessing data which could not be sufficiently protected by current controls. The existing controls utilised by the organization, with additional configuration and management recommendations, would provide the required protection for the remainder of the users.&lt;/p&gt;
&lt;p class=&quot;size11&quot;&gt;In addition to this particular project, the CEO decided that this process was so comprehensive yet simple for all within the business to follow, that it would serve a broader purpose in assisting the development of an enterprise-wide security plan and program.&lt;/p&gt;</content:encoded><pubDate>Tue, 09 Sep 2008 00:00:00 -1000</pubDate><guid>http://www.gsmit.com.au/case-studies/how-a-transport-company-saved-90k-on-a-technology-solution-by-defining-business-requirements-first/</guid></item><item><title>Smooth transition of Information Security Management from an IT Technology basis to Business Led requirements basis</title><link>http://www.gsmit.com.au/case-studies/smooth-transition-of-information-security-management-from-an-it-technology-basis-to-business-led-requirements-basis/</link><description>How a Local Government organization implemented a simplified process which ensured communication and consensus were maintained between the Business and IT, in a time of Information Security Management ...</description><content:encoded>&lt;p&gt;&lt;strong class=&quot;size11&quot;&gt;How a Local Government organization implemented a simplified process which ensured communication and consensus were maintained between the Business and IT, in a time of Information Security Management transition.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style=&quot;text-decoration: underline;&quot;&gt;Client Challenge&lt;/span&gt;&lt;/p&gt;
&lt;p class=&quot;size11&quot;&gt;When a local government organization appointed a new Director of Corporate Services, he made the decision to align Information Security Management with the International Standards best practices. This meant moving away from decisions primarily based on technology solutions to a method where decisions were made primarily on business requirements, and changing the ownership of Information Security from I.T. to the Senior Executives. The major challenge he faced was finding a simplified methodology that gave the Senior Executives the knowledge and confidence to make business led decisions regarding Information Security without needing the technical know-how or language.&lt;br /&gt;Other challenging aspects for this client were successfully transferring ownership of Information Security from the IT Department to the Senior Business Executives of the local government organization, whilst maintaining a good level of communication and consensus between both parties. Seeking a better understanding of how to implement a methodology based on business requirements, the Director of Corporate Services turned to GSMiT for answers.&lt;/p&gt;
&lt;p class=&quot;size11&quot;&gt;&lt;span style=&quot;text-decoration: underline;&quot;&gt;GSMiT&apos;s Advisory Solution&lt;/span&gt;&lt;/p&gt;
&lt;p class=&quot;size11&quot;&gt;GSMiT Consulting focused on providing this client with an Information Security Analysis process that was repeatable, actionable, and reportable and provided a framework for strategic security planning. Using the Linus Secure methodology in our process, the GSMiT team conducted workshops and interviews separately with both the Senior Business Executives and Control Owners (IT). We initially worked with the Business Executives to identify relevant regulatory and industry standards, the information crucial to the organization from a regulatory and organizational perspective, how they would rate information if a breach of Confidentiality, Integrity, Availability or Accountability occurred, and the access into this information (how, when, who, devices, storage). This essential step was performed with the key Business stakeholders, who were then provided with summary reports of the above information for validation before we moved on to the second phase.&lt;br /&gt;Working in partnership with the Control Owners (in this case the IT Department), we identified all controls currently utilised from a holistic perspective. The strength and effectiveness of each control was discussed and decided without any product or industry bias, enabling a true representation of current and proposed controls.&lt;br /&gt;At the completion of these two phases, we then independently analysed the controls against the ratings that the Business had provided and identified gaps that existed in the protection of key information. A comprehensive final report was produced for the key Business and IT Stakeholders. This contained the key information from both the Business and IT phases, defined any current gaps, and provided mitigation recommendations from a holistic, cost-effective and vendor-independent perspective.&lt;/p&gt;
&lt;p class=&quot;size11&quot;&gt;&lt;span style=&quot;text-decoration: underline;&quot;&gt;Impact on Client&apos;s business&lt;/span&gt;&lt;/p&gt;
&lt;p class=&quot;size11&quot;&gt;As a result of our work, this client gained a strategic security framework and a process which enabled all security solutions to be based primarily on business requirements. Once the framework was completed, it was then utilised to model new application requirements and/or the effect that adding or removing controls would have on the ratings provided by the Business.&lt;br /&gt;Business and IT gained consensus on security direction and the required protection, without having to understand each other&apos;s areas of expertise. This process allowed the Business to define what was required with regard to their Organisation&apos;s information, and the Control Owners to come up with appropriate holistic solutions which matched what had been stipulated.&lt;/p&gt;</content:encoded><pubDate>Mon, 08 Sep 2008 00:00:00 -1000</pubDate><guid>http://www.gsmit.com.au/case-studies/smooth-transition-of-information-security-management-from-an-it-technology-basis-to-business-led-requirements-basis/</guid></item></channel></rss> 