InfoSec & Risk Management

Client: Investment Services
The Director of Governance, Risk, Compliance & Security was looking for assistance in formalizing their IT Security area. He called on Savant Advisory Inc. for their expertise.

This organization had a small IT Security department, but lacked the direct leadership required to help build a strong and repeatable foundation. Savant Advisory Inc. was engaged to provide temporary leadership in this area.

The project started out with us leading a penetration test that was to begin the week we started. The organization performing the test needed the appropriate access and approvals set up before they arrived. Savant Advisory Inc. actively managed the process, solved the immediate issues that surfaced and facilitated the draft report presentation to management.

Once that was complete, the development of an Information Security Charter began in conjunction with the formulation of an Information Security Strategy that would allow the organization to plan out the expansion of the group. Further, a number of Information Security Standards were drafted and presented for approval.

A mobile application was under development by a third party, and Savant Advisory Inc. was asked to derive guidance that would allow the organization to assess the application. This was undertaken using the NIST 800-44 publication, which provides guidance to organizations on protections for Internet-facing applications. During the course of the engagement, we were asked to assess the risk of various projects that were in flight, assisting the CIO and Director of IT Security in making course corrections before implementation.

Savant Advisory Inc. derived a process that allowed the IT area to identify the risk, specific to their organization, of the various vulnerabilities that were found in the environment. After the meeting, the server manager indicated, "We need more meetings like that." When have you ever heard that before? The process was a clear success.

Finally, a project was undertaken to implement a Security Incident & Event Management System (SIEM), so that there was greater visibility into potential security events within the organization. The process took about 3 months, and the Director noted afterwards, "I've never seen one implemented that quickly before."