The Client’s Situation
An international research institute with offices in over 30 countries was becoming increasingly concerned about cybersecurity and wanted to strengthen its approach to safeguarding organizational data, information, and knowledge.
The organization had a robust research data management program in place, with multi-million-dollar, multi-year research projects underway, funded by high-profile agencies and donors including USAID, the European Commission, and the Bill & Melinda Gates Foundation. Although most of the data generated through these projects will eventually be made openly accessible, principal investigators (PIs) and other leaders throughout the organization were unsure whether they were following security best practices for collecting, transmitting, and storing data and information in the period before the data is published and publicly shared.
Multiple cybersecurity incidents coincided with the heightened concern regarding research data management and information security. Incidents ranged from account compromises to defaced websites, and understandably alarmed the organization’s Board.
The stress and strain of these events, along with urging by the head of the organization's IT unit, led the internal audit unit to initiate an information security assessment. The FireOak team was brought in to conduct this assessment and develop an actionable three-year plan.
A New Perspective & New Insights
We conducted a multi-pronged assessment using a number of techniques and tools to get a comprehensive view of the organization's information security landscape. Since the organization had not adopted a particular security framework, we took a risk-based approach informed by threat intelligence and real-world attack trends rather than auditing against a specific framework.
We began with a holistic vulnerability assessment, examining the internal network and external perimeter, cloud services, websites, the wireless network, and endpoint protection within the organization's offices in several countries. The assessment was specifically designed to evaluate how staff members work in the real world. Many of this organization's staff members are often traveling, in the field, or in other locations where they are not protected behind a corporate firewall. As a result, we designed and carried out several tests to examine how systems and laptops performed in hostile environments, that is, on untrusted networks outside the corporate perimeter.
Likewise, the assessment was designed to evaluate the organization’s overall information security program — the controls, processes, and governance that comprise the organization’s holistic approach to protecting its systems, data, and information; detecting security incidents; and responding to incidents when they occur. We also examined and assessed configurations of key systems, policies, official procedures, log files, and the technical practices as reported by key stakeholders.
Additionally, we facilitated focus groups, tabletop exercises, and interviews with staff to learn first-hand about their security practices and past incidents. We used these interactions to uncover issues and concerns, assess overall awareness, and understand how information security work is handled and prioritized. Since information security is not strictly an IT problem, we took an inclusive approach across the organization, including Finance, Communications, website managers, and PIs responsible for research projects in addition to the IT team.
Through these conversations, we developed a clear understanding of self-reported behaviors and practices. We then compared these against documented policies and procedures, findings from the technical assessment, and industry best practices to identify gaps between what staff believed they were doing, what policy required, and what the systems actually showed.
A Unique Approach, Transformative Results
Shortly after starting the technical evaluation, our team uncovered some critical security flaws involving partner-managed services. We shared these findings and our concerns right away so the organization could begin working with its service provider on remediation long before the engagement was complete. This type of open and frequent communication with our clients is indicative of our working style: whenever we discover a critical finding, we are quick to touch base with our client rather than holding it for the final report.
A key part of our approach is to work closely with an organization's IT team and build a lasting relationship with them. It can be difficult to build trust in these types of engagements, but it is essential to fully assess security operations. It is critical for the tech staff to see us as partners and allies who are there to help, rather than as auditors trying to find fault with how they do their work. At various points in the engagement, we were on-site to update project sponsors, present findings, answer questions, and discuss issues as they arose. Findings from the assessment were presented in a comprehensive report that included practical, prioritized recommendations and a three-year plan for moving forward. The report was written for business leaders, not the IT staff. In-depth technical details useful for IT were included as a separate section of the report, and supplementary data from the technical evaluations was shared in machine-readable, usable formats so the IT team could track and work through the findings directly.
Our overarching recommendation was to establish a formal information security program. To jump-start its development, we recommended a security framework suited to this organization's unique needs, drafted critical information governance policies, and provided a blueprint for change management. Some culture changes will be critical over the long run, so we also provided tactics for shifting the mindset away from the idea that security is purely a technology problem.
“Security is everyone’s responsibility.”
Like many non-profits, this organization was extremely budget-conscious, and there was limited funding earmarked specifically for information security. Throughout our recommendations, we emphasized getting the most out of the security and infrastructure devices they already owned rather than buying new equipment.
Having a strong information security program does not hinge on having best-of-breed equipment, the newest or most expensive firewall, or other cost-prohibitive gear. Much of security comes down to people (roles and responsibilities, accountability), governance (policies), formal operating procedures, and embedding data and information security into the organizational culture. Technical controls certainly play a big part in this equation, but strong controls can often be put in place using the technology and devices an organization already has, properly configured and consistently maintained.