Information Security Program Development

Facing Modern Challenges

  • Developed a formalized ISP to address modern security challenges and align with industry best practices

Clarify Current State

  • Used ISO, NIST, and GDPR standards to evaluate current security practices and identify weaknesses and opportunities to grow

Multi-Divisional Communication

  • Developed audience-specific awareness training to deliver communications supporting 11 security control programs

Challenge

A specialized firm serving regulated utilities did not have a formal information security program (ISP). Existing legacy program documentation did not adequately address high-priority security policy topics (e.g., information security, data retention, physical security, third-party risk, data privacy, patch management, network monitoring).

Process

  • Interviewed key stakeholders to understand existing legacy documentation, client-specific security concerns, and critical assets and significant risks associated with the ISP
  • Evaluated the client’s current security practices against best practices and international and national control standards (e.g., ISO, NIST, GDPR)
  • Conducted workshops with key stakeholders to identify security requirements and guidelines that the organization actively performs today or needs to perform immediately
  • Created an ISP containing 11 security control programs that reflect identified security requirements and guidelines
  • Backlogged aspirational security requirements to be incorporated into future iterations of the ISP
  • Developed audience-specific awareness training to inform employees of new policies, programs, and responsibilities
  • Developed executive communications to inform leadership of changes to the ISP
  • Designed a governance and oversight process to manage changes and approvals to the ISP

Result

  • A formalized information security policy with associated security control programs specific to the organization
  • A program implementation plan that eased program rollout and improved information security awareness
