Security Improvement Program
- Security Strategy and Advisory
- Project / Program Management
- Security Business Analysis
- Security Architecture
- Security Policy Development
- Change & Communications Management
Security Improvement Program (SIP)
For a number of years, this essential service has run a Security Improvement Program that has lacked direction and outcomes relevant to the core business goals and acceptable organisational risk.
Cloud9 was engaged to baseline this Program, build a strategy, define clear direction and outcomes, and develop a 2-3 year Cyber Security roadmap of activities. The strategy provided clear linkage to business goals, and mapped initiatives to key regulatory and compliance requirements, leveraging industry standard security frameworks (e.g. ASD Top 35 / PSPF / COBIT).
In the early stages of delivering this Program in 2016, the organisation faced a severe breach (the largest in Australia at the time) of its public website, which exposed customer information. This raised the priority of the Program, expanded its scope and demanded immediate remediation.
Cloud9 built a team to address all aspects of the expanded Program, and successfully executed key project streams that focussed on delivering the following:
1. Network Security and Segmentation (IDS/IPS, Bluecoat, WAF, MSS Logging, SPLUNK)
2. Internal Applications and Assets (DCS, SEP, ATP, Tenable, WAF, Privileged Access Management)
3. External Applications and Assets (WAF, CASB)
4. Data Management and Classification (DLP, ICT, Endpoint Encryption)
5. Policy, Process and Governance (ASD Top 35 / PSPF / COBIT, Vendor Security Assessments, Cyber Security Roadmap, Cyber Security Training, Table Top exercises, Playbooks, Risk management process, Patching (Monthly/Quarterly/Automation), GRC)
- Competing priorities from the Privacy Commissioner, Board, Finance and Risk Advisory Board, CEO, CIO and external auditors (PwC / EY)
- Lack of strategic direction, ownership and outcomes
- Immature processes and internal expertise
- Limited capability in Enterprise and Solution Architectures
- Delivering a large Program of work within constricting imposed timelines.
Cloud9 worked with the Blood Service to:
- Set a clear strategic direction for the Security Improvement Program (SIP)
- Work with all levels of key senior stakeholders to manage competing priorities
- Execute the delivery of the entire Program scope under all project streams
- Elicit business and technical requirements with stakeholders and document end to end outcomes and governance
- Build sustainable architecture standards and patterns
- Consolidate and streamline vendor technologies to ensure maximum value is achieved
- Develop security policies and standards
- Manage the Change & Communications strategy.
Cloud9 worked with our client to achieve the following:
- All 163 remediation outcomes were delivered on time and on budget (equating to 1 item delivered every 2 days for 18 months straight)
- The Privacy Commissioner, Board, Finance and Risk Advisory Board, CEO and CIO are all aligned to the management and direction of the Cyber Security Roadmap
- Internal teams have now been trained and have the tools and skillset to better manage potential cyber security events
- All ongoing Programs and projects are now aligned to the security governance procedures created under the Security Improvement Program.
NB: At the time of writing, this Program continues under normal PMO methodologies aligned to the Cyber Security Roadmap.