. : Identify
A top banking institution was having difficulty with scoping and delivering their data security program. There was a gap in information between the front office, the security personnel, and the technology delivery organization.
. : Engage
We worked with technology and associated risk leadership to more clearly define the goals and objectives for the program. We ran workshops with both leadership and staff to understand not only the strategic direction but also the real world obstacles associated with current technology design and delivery.
. : Frame
We created a system approach for identifying business processes and associated technology implementations. We produced an inventory of those elements as well as identified targets of opportunity ranked by risk. The artifacts were used to justify a renewed effort around data security that included data classification, handling, and labeling policies and procedures and mechanisms for mapping these elements into systems of record. By integrating the data security objectives into the change and release processes, we were able to create systems of record that could be queried to identify where sensitive data was being processed, stored, or transmitted across the organization. We also were able to integrate system security requirements into the change and release processes to better manage the overall security posture and risks overall.
. : Solve
We executed workshops to collect the necessary information to design and deliver the solution. We then assisted the organization in producing policy and process documents, special BPMN diagrams depicting data handling, as well as advice to training providers. Our staff is CISSP trained and PCI-P certified, so we also were able to frame the deliverables in terms of both security and compliance.