Information Security Program Development
ScottMadden developed, documented, and supported the implementation of a multidivisional information security program for a specialized utility service provider.
Facing Modern Challenges
- Developed a formalized ISP to address modern security challenges and align with industry best practices
Clarify Current State
- Used ISO, NIST, and GDPR standards to evaluate current security practices and identify weaknesses and opportunities to grow
Multi-Divisional Communication
- Developed audience-specific awareness training to share communication supporting 11 security control programs
Challenge
A specialized firm serving regulated utilities sought expert guidance for comprehensive information security program development after recognizing the lack of a formal information security program (ISP). Existing legacy program documentation was insufficient to address high-priority security policy topics (e.g., information security, data retention, physical security, third-party risk, data privacy, patch management, network monitoring, etc.).
Process
- Interviewed key stakeholders to understand existing legacy documentation, client-specific security concerns, and critical assets and significant risks associated with the ISP
- Evaluated client’s current security practices against best practices and international and national control standards (e.g., ISO, NIST, GDPR)
- Conducted workshops with key stakeholders to identify security requirements and guidelines that the organization actively performs today or needs to perform immediately
- Created an ISP containing 11 security control programs that reflect identified security requirements and guidelines
- Backlogged aspirational security requirements to be incorporated into future iterations of the ISP
- Developed audience-specific awareness training to inform employees of new policies, programs, and responsibilities
- Developed executive communications to inform leadership of changes to the ISP
- Designed a governance and oversight process to manage changes and approvals to the ISP
Result
- A formalized information security policy with associated security control programs specific to the organization
- An information security program implementation plan that eased rollout and improved information security awareness
Related Insights
Achieving Security Program Alignment with the NIST Cybersecurity Framework
Case Study
ScottMadden partnered with a large energy provider to align its security program with the NIST Cybersecurity Framework (CSF).
Data Privacy Program Development
Case Study
ScottMadden developed a program to protect mission-critical data and comply with federal and international regulations.
NXT GEN® Training for High-Risk Tool Usage
Case Study
In 2019, a fall-from-elevation event at a large electric utility prompted enterprise corrective actions on tool safety.
Let’s Work Together
We don’t solve problems with canned methodologies; we help you solve the right problem in the right way. Our experience ensures that the solution works for you.