Conducting a Comprehensive Security Audit

September 29, 2017

Challenge

Our client, a presentation design firm based in Seattle, Washington, received an information security compliance request from one of their biggest enterprise customers. The request had to be fulfilled and attested to by a certified third party, and compliance was a condition of continuing to do business with that customer.

The request was twofold: implement the security controls and processes that were not yet in place, and identify the existing controls and processes that were in place but not yet documented. Being a smaller organization, our client did not have the internal resources to support either effort in a way that would pass a third-party certification audit.

Approach

Kalles Group (KG) was brought in to prepare the client for the compliance audit. KG began by reviewing documentation and information that would help define the boundaries of where sensitive data is generated, how it is processed and transmitted to and from the client, and how and where it is stored.

To obtain a comprehensive view of the current state, KG then conducted the necessary interviews and gap analysis on the client’s IT infrastructure, IT systems, security policy implementations, business workflows and requirements, as well as the physical location of the client.

KG’s analysis identified the missing security controls and processes and accounted for the controls and processes that existed but were undocumented. An implementation roadmap, including a plan of action and recommendations, was then provided to the client.

Solution

The roadmap was executed, the missing controls and processes were implemented, and a final project summary was issued to the client. Additionally, the KG team remained available to provide post-delivery support following the third-party audit.

Results

The client successfully passed the certification requirements. In addition, they increased their overall corporate security controls, improved overall processes, upgraded their remote access VPN, added a new MDM solution, and ended up with a more useful set of audit-ready security documentation. Most importantly, our client can continue business operations with their largest enterprise client.