Maturing an Information Security Management Program


Challenge

Our client, a leading fashion specialty retailer with locations across the United States and Canada, lacked a formal risk management approach, and risk assessments were not being delivered fast enough. The Security and Compliance Team, which provides security consulting services and risk assessments for all of our client’s technologies, was tasked with developing and maturing a formal information security management program. Kalles Group consultants were brought in to assist with the analysis and development of this program.

Approach

Kalles Group consultants began by analyzing and documenting current processes and identifying any key performance indicators (KPIs) that might already exist. In addition, Kalles Group consultants used the NIST 800-37 Risk Management Framework to provide guidance to the team. Kalles Group also advised the client to consider implementing a KPI for completing risk assessments in under 90 days.

Kalles Group also performed a gap analysis of the existing risk management program against the NIST 800-53 framework and provided prioritized recommendations the team could consider to improve the maturity of the organization.

Solution

In the first six months, the team developed a repeatable, lightweight risk assessment methodology called the business-adjusted risk assessment (BAR). The BAR gave the team a repeatable method for assessing applications and prioritizing them from a business perspective. Adoption was organic, and the BAR was introduced in a way that was palatable to our client’s culture. In addition, all existing service requests for assessments were analyzed, and baseline metrics for how long risk assessment tickets had been open were documented. The team worked to determine how they could utilize the BAR to go faster while simultaneously providing guidance on what controls the requestors needed to implement to be more secure.

Finally, the 90 Day KPI was developed, implemented, and operationalized, and teams began using this new measure to help keep incoming risk assessment projects on schedule.


Results

Momentum built, and the metrics produced out of the BAR (Risk-Based Scoring) caught the attention of the leadership team as a vehicle to communicate how the service was performing. Analyzing risk assessment methods and the number of outstanding tickets uncovered a simple hygiene problem (lack of attention to closing out tickets) and also the need to evaluate a risk management tool backed by a relational database to house all of the risk assessments.

Monthly metrics were produced for both the BAR risk scores and each tool’s priority to the business alongside its risk score. Items above a certain risk score were called out on a heat map for further discussion with leadership.

The new ‘Risk Assessment 90 Day’ KPI was used to demonstrate the volume of work coming in and the assessment duration. With a focus on the new KPI, ‘time to close a request’ metrics greatly improved.

In summary, Kalles Group consultants helped our client implement new strategies, methodologies, and metrics for performing risk assessments and greatly improved the operations of the Security and Compliance team.