Case Studies

Develop InfoSec System

Case Study: SaaS Software Company

Problem: A rapidly growing SaaS software company had been asked by a large prospect to provide a description of the controls that were in place to protect customers’ data. While the company felt that it implemented good security practices, it had no formal program or documentation to support that.

The scope of the cloud risk assessment included:

  • Identifying all business processes related to customer data
  • Assessment of data security controls
  • Evaluation of written policies
  • Recommendations for improved security posture
  • Development of a White Paper for customers and prospects outlining the organization’s formal Data Security program

Kaliber undertook the project in the following phases:

  • A review with management of systems, hosting providers and data storage repositories
  • An assessment of the scope of customer data stored within the environment
  • A review of architecture and networks/subnets
  • Identification of third-party or service provider dependencies
  • A review of the asset inventory, system inventory and network diagrams
  • A review of any compliance regimes that the company would be subject to
  • An analysis of controls that were in place compared to those recommended by the NIST Cybersecurity Framework

Kaliber provided a set of deliverables designed both to improve the security posture of the client and to give comfort to their prospects and clients. This output included:

  • A Written Information Security Policy
  • An Incident Response Policy
  • A Disaster Recovery and Business Continuity Policy
  • Recommendations for Employee Security Awareness Training
  • Establishment of regular phishing training
  • Development of improved HR policies around background checks, onboarding, transfers and offboarding
  • Validation of secure access policies
  • Implementation of software vulnerability management and intrusion detection programs

The outcome of this project was a comprehensive road map for a formal Information Security Management System which could be clearly communicated to outside stakeholders while, at the same time, providing a program which reduced the organization’s risk and improved business outcomes.

PCI Gap Analysis

Case Study: Government Agency

Problem: As part of its PCI compliance initiatives, a large government agency was required to evaluate required PCI controls, identify missing controls, remediate deficient controls and ensure that existing controls remained effective.

The scope of the cloud risk assessment included:

  • Identifying all relevant PCI controls
  • Assessment of data security controls
  • Documentation of Briefing Notes to appropriate executives for approval
  • Recommendations for improved security posture

Kaliber undertook the gap analysis in the following phases:

  • A high-level assessment of the specific PCI DSS compliance requirements
  • An assessment of the scope of the cardholder data environment (CDE)
  • A mapping of in-scope devices and networks/subnets
  • Identification of current cardholder data processes and storage locations
  • Identification of third-party or service provider dependencies
  • A review of the data flow diagrams of the cardholder data
  • A review of the asset inventory, system inventory, network diagram and business processes
  • Identification of high risks and long lead-time elements
  • Assessment of the existing information security management system (ISMS) to determine its applicability and any additional procedures required by the PCI DSS

The outcome of this assessment was provided in a strategic roadmap describing the changes necessary to comply with the PCI DSS, together with the key risks and options for their treatment. The report provided clear direction on the next steps to achieve compliance.

IT Risk Assessment

Case Study: Non-Profit

Problem: As part of its continued participation in a health network, a Healthcare Organization was required to provide a HIPAA-based Information Technology Risk Assessment.

The scope of the risk assessment included:

  • Classification of data within the network
  • Assessment of data security controls
  • Privacy Impact Assessment of data
  • Documentation of Briefing Notes to appropriate executives for approval
  • Recommendations for improved security posture

Kaliber’s approach to the risk assessment of IT systems and Cloud services is well defined and uses a methodology based on industry best practice. The methodology is supported by recognized standards such as ISO 31000 (Risk Management), the ISO 27000 series, the NIST Cybersecurity Framework and HIPAA. These were aligned with the organization’s own risk assessment methodologies and frameworks.

Kaliber undertook the risk assessment in the following phases:

  • Project Planning – including confirmation of prerequisites
  • Data Classification and Privacy Impact Assessment – Information gathering / identification / data classification / Stakeholder interviews
  • Assessment of risks (including threat identification), selection of controls, development of draft report, consultation with stakeholders
  • Project Closure – finalization of report, walkthrough with stakeholders and preparation of briefing notes.

Kaliber prepared and released a questionnaire to stakeholders to understand the business uses of the IT systems and the data they stored. Using this information, as well as further information gathered through interviews, Kaliber undertook a Risk Analysis aligned with the applicable Risk Assessment frameworks.

The review also included a comprehensive analysis of the security controls inherent in the current environment and of related regulatory issues.

The outcome of this assessment was provided in a Report that described the data classification, key risks and options for treatment. The report gave clear direction on those risks and the options for treating them in securing data in the current environment.