Dated: 11-11-2024

Ch02. Case Study of Enterprise - Medium Sized Organization

Organizational Characteristics

  • Location: Lahore
  • 350 total staff (group)
  • 15+ IT staff
  • 25 servers
  • 1 main DC, 1 DR site, 1 backup site
  • IT service business in media industry

Organizational Culture

  • Medium-sized, profitable IT business
  • Good internal culture (several employees have been with the organization for 10 years)
  • Organization lacks processes
  • Teams have execution discipline
  • Senior resources are experienced

IT Setup

  • Windows 2010/2012 and Linux server OS
  • Oracle & MS-SQL databases
  • ASP.net 4.x applications (total 15)
  • Windows 8/10 desktops (300+)
  • 1 Cisco ASA firewall in DC; MikroTik routers as edge routers
  • Asterisk voice server for call center (10 seats, 6-8 lines)
  • 1 DR site (offshore) and 1 backup site (PK)
  • Panda AV, Active Directory, unlicensed Windows
  • MDaemon as email server, migrating to MS Exchange

Security Posture

  • Completely absent
  • No hardening done
  • No vulnerability management
  • No security management or governance
  • No policy or staff dedicated for security
  • No prior management commitment

Security Requirements

  • Security incident: leakage of competitive data to a third party by an internal employee
  • License renewal due from the regulator; demonstrating security commitment is imperative

Driving Change?

  • Executive management concerned about information security & security culture
  • CEO approaches security consulting company
  • Consultant advises project for security transformation

Security Transformation Project

  • Project initiation: 15 days
  • Layer 1: security hardening of IT assets (3 months)
  • Layer 2: vulnerability management (1 month)
  • Layer 3: security engineering (4 months)
  • Layer 4: governance & ISO certification (3 months)

Conclusion

  • Senior resources in the organization were committed
  • Demonstrating security commitment was essential for the organization's survival
  • ISO 27001:2013 (ISMS) serves as a credible credential for customers and the regulator