Security Controls Assessment and Implementation
ScottMadden engineered a cybersecurity framework implementation following a merger of two large U.S. energy companies.
Organizational Alignment
- Aligned customer expectations, industry norms, and core business requirements
Operational Efficiency
- NIST Cybersecurity Framework and C2M2 maturity indicators adapted and applied for a simple control framework
Modernized Systems
- Streamlined, harmonized, and modernized more than 800 archaic security controls into 25 enterprise-wide policies
Challenge
Two large U.S. energy companies merged and needed to standardize their security controls across the newly consolidated enterprise. This framework implementation required simplifying the security controls for a broader footprint with clear ownership and accountability as a key target objective.
Process
- Established a simple control framework using the NIST Cybersecurity Framework augmented with maturity indicators from the Cybersecurity Capability Maturity Model (C2M2)
- Identified owners for each control area and key control performers from all business units
- Assessed organization’s maturity of control performance through surveys and interviews
- Identified key gaps in control performance and recommended remediations
- Conducted security controls workshop for control owners and established peer groups to define future state of security controls
- Collaborated with enterprise leadership to support consolidated future state controls
- Implemented periodic control assessment process to ensure regular performance and gap analysis
Result
- The new cybersecurity framework implementation harmonized and modernized more than 800 archaic security controls into 25 enterprise-wide policies
Related Insights
Information Security Program Development
Case Study
ScottMadden developed, documented, and supported the implementation of a multidivisional information security program for a specialized utility service provider.
Data Privacy Program Development
Case Study
ScottMadden developed a program to protect mission-critical data and comply with federal and international regulations.
Cybersecurity Risk-Based Business Plan
Case Study
ScottMadden supported the preparation and planning of a cybersecurity framework and effectively communicated with multiple stakeholder groups the benefits the business could expect to see.
Let’s Work Together
We don’t solve problems with canned methodologies; we help you solve the right problem in the right way. Our experience ensures that the solution works for you.