Establish Information Security Management System


Client: Trusted Client

Categories: Security Enhancement, Bank/Finance

Completed: March 30, 2015

Project Budget: $150,000

Project length: 3 months

Project Details

BACKGROUND


An organization within the FMI (financial monetary institutes) industry needed an overview of its governance across the entity, including dependencies upon other organisations inside and outside the organization. The existing information security system was dated, and there was a need for a more modern one that could also be measured against the ISO 27000 standards and enable ISO certification of their ISMS (information security management system).


To get there, they needed to understand information security risks based on their likelihood of compromise and consequence, and to have a selection of controls that, at a minimum, covered:

   - Preventative, detective and reactive controls across the physical, personnel and technical security functions
   - Network security and malware prevention
   - Configuration of hardware, software, databases and information systems
   - Monitoring and alert services
   - Removable media management
   - Home and mobile working policies
   - New policies managing user privileges
   - User education and awareness
   - Proactive consideration of new technologies, newly identified vulnerabilities and emerging threats

CHALLENGE


The organization needed an overview of its governance across the entity, including dependencies upon other organisations. To get there, they needed to:

  • Understand information security risks based on likelihood of compromise and consequence
  • Have a selection of controls mixing awareness, preventative, detective and reactive controls across the physical, personnel and technical security functions, covering network security, malware prevention, configuration of information systems, monitoring, removable media, and home and mobile working
  • Manage user privileges, provide user education and awareness, and proactively consider new technologies, newly identified vulnerabilities and emerging threats



SOLUTION


As a start, the security policies and technical controls that needed to be in force during the term of the agreement were captured. In addition, a technical baseline was documented per system at the OS, sub-system, database and application level; all security controls were recorded in the ISMS technical specifications as a baseline of the IT security controls in place at the time the Service Provider was to take control of the managed systems and environments. Additionally, the Vulnerability Assessment (VA) of the IT infrastructure covered:

  • System vulnerability scans of servers, sub-systems and databases
  • Network and firewall vulnerability scans and rule reviews
  • 51 branch office network scans
  • Storage vulnerability scans
  • TCP/IP port vulnerability scans
  • External public IP vulnerability scans
  • Anti-virus and malware assessment
  • Patch management assessment at the operating system level
  • User ID management assessment
  • CCTV camera server configuration
  • HSM (Hardware Security Module)
  • BIOS and firmware of various systems
  • The organization's website
  • All ATMs
  • Print servers and file servers

RESULT


The Security Work Stream Program contribution included:

- An Information Security Controls (ISMS) document describing the contractually agreed responsibilities and reflecting the Client's security policies, including documentation of the Client's technical security baseline for each OS, sub-system, database and application as of its initial state (fingerprint).

- A Security Policy assessment report in which the Client's current security policies were compared against the ISO 27001 standard.

- All vulnerability scanning (VA) results, assessed against the Nessus industry tool's settings and results, then processed through the ISMS threat assessment and gap analysis to identify and rank threats and to recommend how to mitigate those identified.

- An Executive Summary Report of the Client's security posture, delivered and presented to the Client's CISO and CIO.

- As a final deliverable, a short-term project plan drafted for steady-state (BAU) remediation and implementation of mitigating controls for all identified threats.