Company: Software Development Firm, Australia
Key Drivers: A small software development firm needed to enhance its cybersecurity posture to comply with industry regulations and protect customer data. It therefore engaged CGI to prepare a cybersecurity strategy aligned with NIST CSF 2.0.
Approach:
- Initial Assessment: Conducted a comprehensive security assessment, including risk analysis, vulnerability scanning, and a review of existing policies.
- Strategy Development: Developed a tailored cybersecurity strategy focusing on data protection, incident response, and alignment with NIST CSF 2.0.
- Stakeholder Engagement: Engaged with key stakeholders through workshops to align the security strategy with business objectives and risk appetite.
Engagement Model:
- Collaborative Workshops: Worked closely with the client’s IT and compliance teams through a series of workshops to ensure alignment.
- Continuous Feedback Loop: Maintained a continuous feedback loop with stakeholders to refine the strategy based on evolving requirements and feedback.
Proposed Schedule:
- Week 1-2: Initial Assessment and Data Collection.
- Week 3-4: Risk Analysis and Gap Identification.
- Week 5-6: Strategy Drafting and Stakeholder Review.
- Week 7: Final Strategy Presentation and Approval.
- Week 8-12: Implementation Roadmap Development and Handover.
Outcome:
Maturity Level Summary:
The assessment found that the firm was at maturity level 1 (Ad Hoc) in several areas, with specific strengths in software development but weaknesses in formalized security practices and incident response.
Key Recommendations:
- Short-Term: Implement secure coding standards, conduct security training for developers, and establish basic access controls for code repositories.
- Medium-Term: Develop and formalize an incident response plan, enhance vulnerability management processes, and improve monitoring of third-party components.
- Long-Term: Move towards automating security testing within the CI/CD pipeline and enhance data protection measures to align with client requirements.
Improvement Metrics:
Established key metrics to track progress, such as the number of vulnerabilities identified and remediated, training completion rates, and incident response effectiveness.