
ISO 27001 Certification

Financial Services Organization - Credit Card and Banking

This case study involves a leading Financial Services company located in the Midwest. The parent organization contains one of the leading Credit Card issuers, with over 3 million customers and a growth rate of 8%. The Financial Services organization has over 3000 employees in 23 locations. The Banking side has been rated #1 in its category by the American Banking Association for four years running.

The Information Security function was structured so that the Networking and Information Security groups were managed by the same individual, and the majority of the technical Information Security functions were provided by the networking group. Staffing consisted of approximately 45 people in the Information Technology department. Back-end operations, including transactional activity and customer service websites, are outsourced to third parties on both the Credit Card and Bank sides.

The Information Security Officer was searching for a methodology by which to develop, implement, and manage the Information Security Program. Various standards and references were examined, including ISO standards, FFIEC, COBIT, business requirements, and other sources.

Objectives

As a growing organization, the objective was to create an Information Security program that was defined, measured, and flexible. It needed to be integrated with the corporate culture and enterprise risk methodologies. Achieving ISO 27001 certification was an objective intended to show industry leadership among financial institutions. At the time of the certification, no other financial services company had achieved certification to ISO 27001.

Needs

The program also needed to address the following needs:

  • Accelerate program maturity while maintaining flexibility
  • Build the Information Security Program based on ISO 27002
  • Enhance compliance with laws and regulation
  • Improve communication with internal and external parties
  • Provide proof of activities and management
  • Create a structure for growth
  • Empower span of control and accountability

All these needs had to be addressed without adding additional employees.

Actions Taken

Upon examination of the potential methodologies, it was determined that the ISO 27002 Information Security Code of Practice provided the best fit for the Financial Services Organization. By leveraging ISO 27002, it was possible to build a flexible, business-friendly and risk-based Information Security Program. Because ISO 27002 is the only internationally accepted Information Security standard, it brought immediate credibility to the foundation of the effort.

The Financial Institution decided to engage an expert third party, HotSkills, Inc. This decision was based on the unparalleled experience of the HotSkills staff and their proven ability to provide certifiable solutions. The HotSkills Principal Consultant assigned to the task had previously worked through several successful certification efforts, including one with the Federal Regulatory body responsible for oversight of the Financial Institution.

The first major step involved a program assessment. This assessment reviewed which program elements were in place and rated their maturity level on a scale of one to five, based on the CMM model developed by Carnegie Mellon University. Completion of the assessment resulted in the production of an "Information Security Roadmap." It was determined that six major control gaps existed, but that processes and documentation existed for the remaining areas. These existing processes and documentation were found to need revision and "repackaging" in order to fully develop and implement an Information Security Management System (ISMS).

The second major step involved the design and development of the actual ISMS. Program elements and requirements were identified, defined, organized, and documented. A "framework" was developed, which included an Information Security Charter, Standards, and requirements. The Financial Services Institution's Information Security Policy was examined, and revised. This revision empowered the ISMS, and provided the appropriate span of control to the Information Security Officer.

The third major step was the implementation of the ISMS. The methodology used to develop the ISMS produced an Information Security Program designed to support certification of the organization's primary data center while having impact throughout the entire organization. Because of the critical steps involved, including the participation of key stakeholders during the process, implementation was achieved with no major issues.

Certification was the fourth and last of the major steps undertaken. It was determined that the scope of registration/certification would be centered on the primary data center for the Financial Services organization. This data center contained the mission-critical applications used to attract, retain, and service their customers. A well-defined Domain Definition was created, and a Risk Assessment was performed against the domain. Using a risk management approach consistent with the culture of the organization, an effective measure of risks was obtained. These were categorized into Raw Risk, Treated Risk, Accepted Risk, and Residual Risk.

A registrar was selected, and the Certification Audit was scheduled. HotSkills was retained to serve as an Ombudsman during the actual Certification Audit.

Results

In just over 12 months, working with HotSkills, the Financial Institution had a fully developed information security program, and was able to obtain ISO 27001 certification.

In addition to the direct benefit to the Financial Institution, many other areas of the business were able to derive benefit.

How the needs were met:

Accelerate program maturity while maintaining flexibility

The program was able to show maturity through a documented program, proof of activities, and their implementation into the Financial Institution's environment.

Build the Information Security Program based on ISO 27002

The Information Security Management System was built upon the concepts of ISO 27001. Control Objectives were derived from ISO 27002, GLBA, PCI DSS, FCRA, as well as other legal, regulatory, and business requirements.

Enhance compliance with laws and regulation

Through the structure of the ISMS, it was possible to show how legal and regulatory requirements were met. Mapping documents, specific to the Financial Institution's ISMS, were created for GLBA and PCI DSS. These documents were very important when dealing with external auditors, reducing the required preparation time and ensuring consistent communication.

Improve communication with internal and external parties

The ISMS helped improve communication with internal and external parties in several ways. Clearly defined communication channels and responsibilities allowed for timely communication when and where required. Third-party requirements were derived from the ISMS and were available for inclusion in contracts and for measurement of service providers. The structure of the ISMS also allowed the "how do we do this?" or "what are we doing about this?" questions to be answered very easily.

Provide proof of activities and management

By documenting program requirements and tracking activities, it was possible to develop an accurate system of measurements that reflected the management of the Information Security Program. This proof was shown through the creation of records, communication to required or involved parties, and continuous improvement.

Create a structure for growth

By creating an Information Security Program (as defined by the ISMS), it was possible to identify the services that were provided to the organization. The ISMS, while formal, was flexible enough to allow for the addition of new components, or the revision of existing components, very rapidly. This allowed new initiatives from the Financial Institution to be identified, analyzed, and incorporated in a short period of time, consistent with the existing program.

Empower span of control and accountability

Through the development of the ISMS and the revision of the Information Security Policy, it was possible to empower the ISMS. This empowerment ensured that span of control was appropriate to each layer of the organization. Executive Management and the Board of Directors maintain organizational and strategic control, and the Information Security Officer maintains tactical and operational control. Change can be effected rapidly when needed, and oversight exists and is informed.

Certification

The results of the Certification Audit were outstanding, with ZERO non-conformities, major or minor. The process of developing and implementing the ISMS was critical to this level of success.