Commissum

Active Directory & ISO 27001/27002 Gap Analysis
Engineering & Manufacturing Company

The Client

The client is a manufacturer of specialist material for the packaging, overwrap, and labels markets. Its customers include some of the best-known global brands. It has production sites across the world, and a global sales network.

Client Requirement and Business Drivers

The client had recently experienced three security incidents, and was aware of the need to gain greater control over its information security company-wide. In the past, there had been some isolated initiatives (such as security awareness training for staff), but the client now saw the need for a more integrated and systematic approach. The need to address security provision was under active consideration at board level. However, there was still insufficient awareness of the concepts of information assets and ownership of information.

The client had two main initial requirements:

  • The immediate issue, related to the most serious incident, was the need for an Active Directory review to assess the security of the Active Directory set-up and suggest areas for improvement.
  • A broader issue was the need for an information security gap analysis. This was seen as the best way to assess the client’s current security status, and it would also provide the ideal first step in a full security programme.

The client’s IT set-up took the form of a headquarters IT function, with semi-autonomous satellite IT facilities at locations across the world. This architecture made for a challenging information security environment, particularly with respect to rolling out new coordinated security initiatives across the organisation as a whole.

Recognising the importance of the right specialist expertise, together with the need for objectivity and independence, Commissum was engaged to meet the strategic, business and technical security-related objectives of the project within tight timescales set by the business.

Services Provided

Commissum delivered three phases of work, as follows:

To begin, Commissum undertook a full review of the client’s Active Directory infrastructure, with particular focus on the Domain Controller. Aspects reviewed included password policy, generic accounts, and group policy settings. Several issues were discovered, and recommendations for urgent remedial action were made.
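The Active Directory review described above covered password policy, generic accounts and group policy settings. The script below is an added illustration of the read-only checks such a review typically starts from; it is not Commissum's own tooling and is not from the case study. It assumes the RSAT ActiveDirectory and GroupPolicy PowerShell modules are installed, that the caller has read access to the domain, and that the thresholds (14-character minimum, 90-day inactivity window) and the name patterns used to spot shared accounts are illustrative choices a reviewer would tune to the client's own policy.

```powershell
# Added example: read-only Active Directory password-policy, generic-account and GPO inventory.
# Not Commissum's tooling. Assumes RSAT ActiveDirectory + GroupPolicy modules and domain read rights.
# Thresholds and name patterns below are illustrative, not values from the case study.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$findings = New-Object System.Collections.Generic.List[string]

# 1. Default domain password policy, compared with illustrative minimum expectations.
$policy = Get-ADDefaultDomainPasswordPolicy
if ($policy.MinPasswordLength -lt 14)   { $findings.Add("MinPasswordLength is $($policy.MinPasswordLength); expected 14 or more") }
if (-not $policy.ComplexityEnabled)      { $findings.Add("Password complexity is disabled") }
if ($policy.LockoutThreshold -eq 0)      { $findings.Add("Account lockout is disabled (LockoutThreshold = 0)") }
if ($policy.ReversibleEncryptionEnabled) { $findings.Add("Reversible password encryption is enabled") }
if ($policy.PasswordHistoryCount -lt 12) { $findings.Add("PasswordHistoryCount is $($policy.PasswordHistoryCount); expected 12 or more") }

# Fine-grained password policies override the default for their targets, so the reviewer
# needs to see every policy actually in force, not just the domain default.
$fgpp = Get-ADFineGrainedPasswordPolicy -Filter *
foreach ($p in $fgpp) {
    $findings.Add("Fine-grained policy '$($p.Name)' applies to: $($p.AppliesTo -join ', ') (MinPasswordLength $($p.MinPasswordLength))")
}

# 2. Candidate generic / shared accounts. Heuristics: enabled user whose logon name matches a
# shared-use pattern, or whose password never expires, or that has no recorded owner (Manager).
# Illustrative patterns; a real review uses the client's naming standard.
$genericPatterns = @('admin', 'service', 'svc', 'test', 'temp', 'shared', 'scan', 'backup')
$inactiveBefore  = (Get-Date).AddDays(-90)

$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties Description, Manager, PasswordNeverExpires, PasswordLastSet, LastLogonDate

$genericCandidates = foreach ($u in $users) {
    $nameLooksShared = $false
    foreach ($pattern in $genericPatterns) {
        if ($u.SamAccountName -match $pattern) { $nameLooksShared = $true; break }
    }
    $stale = ($null -ne $u.LastLogonDate) -and ($u.LastLogonDate -lt $inactiveBefore)
    if ($nameLooksShared -or $u.PasswordNeverExpires -or -not $u.Manager) {
        [pscustomobject]@{
            SamAccountName       = $u.SamAccountName
            NameLooksShared      = $nameLooksShared
            PasswordNeverExpires = $u.PasswordNeverExpires
            PasswordLastSet      = $u.PasswordLastSet
            LastLogonDate        = $u.LastLogonDate
            InactiveOver90Days   = $stale
            HasOwner             = [bool]$u.Manager
            Description          = $u.Description
        }
    }
}

# 3. Group Policy inventory: which GPOs exist, whether they are enabled, and when they last changed.
# The detailed settings review is done from Get-GPOReport output, written out here for offline reading.
$gpoInventory = Get-GPO -All | Select-Object DisplayName, GpoStatus, ModificationTime, Owner
$reportPath = Join-Path $env:TEMP 'gpo-report.xml'   # placeholder output location
Get-GPOReport -All -ReportType Xml -Path $reportPath

# 4. Summarise for the report. Findings are printed; account and GPO lists go to CSV for review.
Write-Host "Password policy findings:"
$findings | ForEach-Object { Write-Host "  - $_" }
$genericCandidates | Sort-Object NameLooksShared, PasswordNeverExpires -Descending |
    Export-Csv -Path (Join-Path $env:TEMP 'generic-account-candidates.csv') -NoTypeInformation
$gpoInventory | Export-Csv -Path (Join-Path $env:TEMP 'gpo-inventory.csv') -NoTypeInformation
Write-Host "Generic-account candidates: $(@($genericCandidates).Count); GPOs: $(@($gpoInventory).Count); GPO report: $reportPath"
```

The script only reads from the directory and writes its output to local files, so it can be run by a reviewer with ordinary domain read rights before any remediation is agreed. The account heuristics produce candidates rather than verdicts: an account flagged for a shared-looking name or a non-expiring password still has to be confirmed with its owner, which is exactly the ownership question the gap analysis goes on to address.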

Commissum also carried out an Information Security gap analysis against the ISO 27001 and 27002 standards. This was an exercise in reviewing the effectiveness of the client’s existing Information Security controls and assessing their level of compliance with the standards. It involved interviews with key business and technical staff members, review of policies and procedures, identification of information assets and the lines of responsibility for them, and review of existing controls.

Finally, Commissum delivered a roadmap for implementing the recommendations made, and presented the reports to the client at a workshop.

All the work was carried out within a narrow timeframe, and was time-capped in order to avoid cost overrun. Recommendations were presented in order of priority, to facilitate the most effective use of limited resources in the implementation phase. Commissum consultants remain available for follow-up queries and further consultancy after delivery of the work.