Information Security
For the past 30 months we have been engaged by a large financial institution in helping them establish a sound Information Security infrastructure. Early on we established a Project Management Office (PMO) to oversee this huge endeavor. The PMO was charged with implementing the proper governance, establishing the appropriate management reporting, developing an awareness campaign and coordinating the activities of the 15+ associated projects.

In addition to staffing the PMO, we also provided many of the Project Managers and support staff for the associated projects. At its peak, there were over 40 people involved in this initiative.

Some of the specific projects included in this program were:

Governance and communication - A Steering Committee was formed to provide guidance and oversight. Security Liaisons from each of the company's business units were selected to provide input to the program and serve as communication conduits. Appropriate reporting was developed for both management and program participants and a program specific web site was created.

Awareness and Training - Over 8000 employees were trained on sound information security practices. Additionally, an on-line security awareness tutorial was developed and implemented. A series of information security posters were developed and posted throughout the organization and numerous articles were written for and published in the various internal newsletters.

Policies and Procedures - The program required the development and adoption of 30+ security related policies and dozens of related processes, procedures and standards for enforcement.

Information Access Control - Part of the program involved ensuring each employee had their own network ID and password. Additionally, password word strength rules were established and implemented. A password synchronization software package was selected and implemented to enforce the password strength rules and synchronize passwords across multiple platforms and systems. Each business unit's applications and information storage were analyzed and access groups were established to control data access.

Remote Access - Over 1000 remote users were converted to a Virtual Private Network (VPN) to better secure their remote access.

Physical Access - The client had over 500 locations that contained servers and communication equipment. Each of these locations were assessed for their physical security and improvements were implemented where necessary.

Application and Third-party security - Over 100 applications and Third-party service providers were evaluated for there information security practices. In many instances, projects were established to address the findings.

Operating System upgrades - The client has approximately 1000 servers. As part of the program, patches were applied and security templates were implemented to further protect the environment and enforce security standards.

Conversion from Novell to Windows NT - The client had a mixed environment of both Novell and Windows NT that was hampering their information security efforts. A project was inititated and completed that converted 3000 users and 80 servers from Novell to Windows NT.