Commissum

Security Programme Implementation
National Engineering Group



Engineering & ConstructionThe Client

Commissum’s client is a major UK national engineering group.

Client Requirement and Business Drivers

The company had seen strong growth over the previous ten years; achieved though a combination of acquisition and organic expansion. The board was aware that they had reached a stage where they had a substantial information asset base that was known to be critical to their business, but the extent of it was unknown, largely undocumented, and the potential exposure to it and impact on the business not fully understood. In discussion with Commissum, it was identified that a formal, phased security assurance programme was the most effective way to address this issue, also enabling the board to move aggressively forward with the next phase of the group’s expansion.

The main business drivers were:

Enabling

  • Correct identification of information assets, their criticality to the business and understanding of the risks would enable investment in security to be more accurately targeted and effective
  • A number of potentially profitable initiatives involving technology investment were able to be approved after months of delay as a result of confidence instilled by the better understanding of the company’s information risk environment
  • Savings were made as a result of rationalisation of technologies across businesses within the group

Risk Reduction

  • Quick wins achieved through identification and close down of several potentially high risk vulnerabilities in the client’s Internet-facing infrastructure
  • A phased programme of security measures including testing and lock down of key elements of the internal infrastructure, tightening up of security policies and key internal processes, and the introduction of security awareness training enabled rapid introduction of risk reduction through layered security in the short to medium term
  • A longer term, comprehensive roadmap to achieve compliance with ISO 27001 was drawn up to ensure that initial momentum is not lost through controlled maturation and evolution of the security management and infrastructure

Services Provided

  • Security health check including asset identification and valuation, risk assessment and gap analysis
  • External penetration testing of client’s security perimeter
  • Analysis and lockdown of key elements of the infrastructure identified as critical during health check
  • Review and update to security policy and key associated company processes
  • Quick-fix updates and longer term revision of client’s business continuity measures
  • Assisted the newly appointed security manager in drawing up a detailed security roadmap for ISO 27001 compliance, and provided mentoring for achieving board level buy-in and implementation