Enhancing a compliance program
Snapshot
After experiencing a security breach, leaders at our Fortune 500 fashion retail client recognized the company needed a coordinated, centralized system for reporting security issues so they could be expedited and addressed by the right people. The organization had been managing its security issues through multiple channels and using different definitions for a Finding depending on business group.
Without a system that could efficiently and accurately manage the reporting, management, and solution of security issues, the company was at risk of experiencing a breach that would significantly threaten the business.
Challenge
The eGRC tool RSA Archer was in use to accept issue reporting, but use was limited to a small group. The company was relying on this small group of Findings handlers to unearth, enter, then resolve security issues throughout the enterprise, and leaders knew issues were being missed and going unaddressed as a result. Once Findings were entered into the system, the necessary stakeholders didn’t have the access required to provide the necessary details to resolve the problems.
Posing another significant challenge, system access for the few Findings leaders had been established in an overlay architecture – a prescriptive and limiting design developed by engineers that did not understand Archer’s ability to manage system access in a much more elegant and automatic way. This overlay architecture made a complex and time-consuming endeavor of making even the smallest changes. Archer administrators are an expensive resource, and continually re-analyzing and working around a Byzantine access method was wasting time and money.
Rather than take resources away from managing day-to-day work, the client sought an outside resource to help the company solve these security issues.
Approach
The Kalles Group partnered with the GRC Archer team to build a new solution for managing security issues. The first phase of the project would establish a single repository for reporting security risks and provide enhanced functionality and reporting capabilities for stakeholders. Providing greater visibility to a wider audience would eliminate duplicative effort. Reports and dashboarding would allow teams to better determine workloads, assignments, and the status of team members’ Findings. Issue aging and status could now be tracked in real time.
The second phase of the project would eliminate the old, limiting access architecture and leverage Archer’s built-in functionalities. This phase of the project would standardize methods and improve performance by re-architecting Archer access control to create a foundation that is easy to understand, would serve future growth, and would enable quicker and more efficient changes.
Results
Upon release, the Kalles Group had delivered an end to end solution – from design through training – that increased efficiencies, streamlined processes, and reduced workload. Now that all employees could create Findings, and all security teams had visibility into reports and Findings issues, the security team would be able to focus energy on the risks that matter. The new system offered improved performance, giving access, configuration rights, and control to a wider audience. Utilizing Archer’s built-in capabilities simplified and expedited the management of rights and permissions.
As a final step, the Kalles Group provided training to users, educating them on the system, enabling them to confidently put it to use, and ensuring employees adopt it as the new way of managing security issues.