Security Programme Implementation - National Engineering Group
commissum managed the implementation of a phased programme that addressed short-term critical security issues, implemented medium-term organisational and technology “fixes”, and established a long-term roadmap for ISO27001 compliance.
Client
commissum's client is a major UK national engineering group.
Client Requirement and Business Drivers
The company had seen strong growth over the previous ten years, achieved through a combination of acquisition and organic expansion. The board was aware that it had reached a stage where the group held a substantial information asset base known to be critical to the business, but the extent of that asset base was unknown and largely undocumented, and its potential exposure and the impact of a compromise on the business were not fully understood. In discussion with commissum, it was identified that a formal, phased security assurance programme was the most effective way to address this issue, while also enabling the board to move forward with confidence into the next phase of the group’s expansion.
The main business drivers were:
Enabling
- correct identification of information assets, their criticality to the business and the risks to them allows investment in security to be more accurately targeted and more effective
- a number of potentially profitable initiatives involving technology investment could be approved after months of delay, as a result of the confidence instilled by a better understanding of the company’s information risk environment
- savings were made through rationalisation of technologies across the businesses within the group
Risk Reduction
- quick wins were achieved through identification and closure of several potentially high-risk vulnerabilities in the client’s Internet-facing infrastructure
- a phased programme of security measures, including testing and lockdown of key elements of the internal infrastructure, tightening of security policies and key internal processes, and the introduction of security awareness training, delivered rapid risk reduction through layered security in the short to medium term
- a longer-term, comprehensive roadmap to achieve compliance with ISO27001 was drawn up so that the initial momentum is maintained through controlled maturation and evolution of the security management system and infrastructure
commissum Services Provided
- security healthcheck including asset identification and valuation, risk assessment and gap analysis;
- external penetration testing of the client’s security perimeter;
- analysis and lockdown of key elements of the infrastructure identified as critical during the healthcheck;
- review and update of the security policy and key associated company processes;
- quick-fix updates and longer-term revision of the client’s business continuity measures; and
- assistance to the newly appointed security manager in drawing up a detailed security roadmap for ISO27001 compliance, with mentoring on achieving board-level buy-in and implementation.