Client Requirement and Business Drivers
The client had recently experienced three security incidents, and was aware of the need to gain greater control over its information security company-wide. In the past, there had been some isolated initiatives (such as security awareness training for staff), but the client now saw the need for a more integrated and systematic approach. The need to address security provision was under active consideration at board level. However, there was still insufficient awareness of the concepts of information assets and ownership of information.
The client’s IT set-up took the form of a headquarters IT function, with semi-autonomous satellite IT facilities at locations across the world. This architecture made for a challenging information security environment, particularly with respect to rolling out new coordinated security initiatives across the organisation as a whole.
Recognising the importance of the right specialist expertise, together with the need for objectivity and independence, Commissum was engaged to meet the strategic, business and technical security-related objectives of the project within tight timescales set by the business.
The client had two main initial requirements:
- The immediate issue, related to the most serious incident, was the need for an Active Directory review to assess the security of the Active Directory set-up and suggest areas for improvement.
- A broader issue was the need for an information security gap analysis. This was seen as the best way to assess the client’s current security status, and it would also provide the ideal first step in a full security programme.