CASE STUDY
Creating formalized cyber security documentation & enhancing security posture
Miles IT helps a municipal organization clearly define its cyber security policies and programs while adding enhancements to fulfill regulatory requirements.
MEET THE CLIENT
Municipal organization
The client is a municipal water company providing citizens with access to the water resources they need for daily living.
With several small locations, the organization has one centralized location as its infrastructure hub.
PRIMARY CHALLENGE
Properly documenting & formalizing proof of security controls
The client was already one of our Miles Assurance Plan customers, so when their regulatory body requested information security program documentation, they reached out to us for assistance.
Mandated Information Security Program
The client’s regulatory entity mandated that they create and share an information security program to protect their assets from cyber security threats.
Assistance with Formalizing Documentation
Though the client had a strong security posture, their documentation was not well-defined; they needed a cohesive strategy to integrate their numerous controls.
Unique Controls & Services Relationship
The organization’s staff and controls are not directly related to their service delivery, which made it more challenging to clarify necessary security protections.
OUR PROVEN PROCESS
From initial assessment to final implementation
Our team, led by our Director of Compliance & Risk Management and a Compliance Analyst, began by performing a risk assessment to provide a complete snapshot of the client’s actual highest-risk threats compared to their previous assumptions. From there, we focused on improving and formalizing documentation and making enhancements to security controls.
Organization-Based Risk Assessment
Our risk assessment is based on the NIST 800-30/800-37 Risk Management Framework. We used this framework to objectively score threats, combining input from the client with our own experience scoring such threats. In addition, we completed a sensitive information flow mapping diagram to understand how sensitive information interacts with users and systems.
Documentation Drafts
We drafted the client’s documentation based on their existing materials and our findings from the risk assessment.
Documentation Review & Control Consultation
We reviewed the documentation with the client and presented recommendations for strategies to improve control activities and strengthen security posture.
Documentation Finalization
We made the necessary revisions and prepared the policies for implementation.
Documentation Adoption
The client formally adopted the documentation as part of their organizational processes and shared the policies with their staff and regulatory entity.
Follow-Up As Needed
As additional questions came to light beyond the initial scope of work, the client reached out for help with the required updates.
OUR STRATEGY
Clear & comprehensive security policies
We created transparent, in-depth processes & programs to formally document the client’s controls and guide their responses & activities.
Information Security Program
This document includes information regarding use policies, data handling, permissions, user privileges, and much more, so all end users follow an understandable framework.
Senior Management Information Security Policies
We created a separate policy for senior management to directly record decisions solely related to their roles.
Cyber Security Incident Response Process
To ensure the client recognized the necessary steps to take in the event of a breach or attack, our team developed an in-depth incident response plan.
Change Management Process
The client can easily navigate organizational changes, including technology shifts or employee departures, with our clearly defined procedures and best practices.
Vendor Management Procedures
With a transparent process for evaluating vendors and their policies, the organization increases overall security and data protection.
Business Continuity Plan
Our team created a comprehensive business continuity plan, so the client can quickly return to normal business operations in the event of a disaster.
Risk Register
We prepared a comprehensive document that includes information regarding all possible risks to the organization, along with their priority level and recommendations for resolution.
THE RESULTS
Defined security procedures & enhanced protection
The client was able to share formalized security documentation with their regulatory body and gain approval to continue operations.
Formalization of Control Activities
The client’s security processes are now fully documented and commensurate with the mandate from their regulatory entity.
Improved Threat Intelligence
Though they initially sought help with documentation, the client also increased risk readiness and enhanced security control activities based on our recommendations.
Forward-Thinking Security Mindset
The client understands how to formalize controls before implementing them to ensure documentation matches actual procedures.
MOVING FORWARD
Staying up-to-date in a changing threat landscape
With our guidance, the client has a strong understanding of how to handle future documentation changes. They can also reach out to us for additional assistance should any need arise.
With risks constantly evolving, strong cyber security is crucial to ensure continual protection from threats.