Information Security Program Development
ScottMadden developed, documented, and supported the implementation of a multidivisional information security program for a specialized utility service provider.
Facing Modern Challenges
- Developed a formalized ISP to address modern security challenges and align with industry best practices
Clarify Current State
- Used ISO, NIST, and GDPR standards to evaluate current security practices and identify weaknesses and opportunities to grow
Multi-Divisional Communication
- Developed audience-specific awareness training to share communication supporting 11 security control programs
Challenge
A specialized firm serving regulated utilities sought expert guidance for comprehensive information security program development after recognizing the lack of a formal information security program (ISP). Existing legacy program documentation was insufficient to address high-priority security policy topics (e.g., information security, data retention, physical security, third-party risk, data privacy, patch management, network monitoring, etc.).
Process
- Interviewed key stakeholders to understand existing legacy documentation, client-specific security concerns, and critical assets and significant risks associated with the ISP
- Evaluated client’s current security practices against best practices and international and national control standards (e.g., ISO, NIST, GDPR)
- Conducted workshops with key stakeholders to identify security requirements and guidelines that the organization actively performs today or needs to perform immediately
- Created an ISP containing 11 security control programs that reflect identified security requirements and guidelines
- Backlogged aspirational security requirements to be incorporated into future iterations of the ISP
- Developed audience-specific awareness training to inform employees of new policies, programs, and responsibilities
- Developed executive communications to inform leadership of changes to the ISP
- Designed a governance and oversight process to manage changes and approvals to the ISP
Result
- A formalized information security policy with associated security control programs specific to the organization
- An information security program implementation plan that eased rollout and improved information security awareness
Related Insights
Achieving Security Program Alignment with the NIST Cybersecurity Framework
Case Study
ScottMadden partnered with a large energy provider to align its security program with the NIST Cybersecurity Framework (CSF).
Data Privacy Program Development
Case Study
ScottMadden developed a program to protect mission-critical data and comply with federal and international regulations.
NXT GEN® Training for High-Risk Tool Usage
Case Study
In 2019, a fall-from-elevation event at a large electric utility prompted enterprise corrective actions on tool safety.
Let’s Work Together
We don’t solve problems with canned methodologies. We help you solve the right problem in the right way. Our experience ensures that the solution works for you.