Dated: 12-11-2024
Ch02 Case Study of Enterprise - Large Sized Organization
Organizational Characteristics
- Location: Karachi
- 10,000+ total staff
- 150 IT staff
- 200 servers
- 1 main DC, 1 DR site
- Energy & distribution sector
Organizational Culture
- Large sized privatized org
- Strong internal culture
- Organization lacks process culture
- Teams have high execution discipline
- Good quality & qualification of IT resources
IT Setup
- Windows 2010/2012, Linux, AIX OS
- Oracle & MS-SQL databases
- Over 100 internal applications (SharePoint, GIS, ASP.NET)
- Windows 7/8/10 desktops (5500+)
- Asterisk voice server for voice communication
- 1 DR site (hosted)
- Licensed AV, AD, & Windows
- Complete SAP ERP suite & internal development
Security Posture
- Superficial
- No hardening done
- Weak vulnerability management
- Poor security management/governance
- Security team exists
- No management commitment (prior)
Security Requirement
- Security incident; servers hacked causing financial loss
Driving Change?
- Executive management concerned about information security & security culture
- Board drives IT to hire consultant
- Consultant convinces IT to go for security transformation
Security Transformation Project
- Project initiation: 15 days
- Layer 1: security hardening of IT assets (6 Mths)
- Layer 2: vulnerability management (VM) (1 Mth)
- Layer 3: security engineering (1 Mth)
- Layer 4: Governance & ISO cert. (5 Mths)
Conclusion
- Strong commitment of the Board & IT Director drove the implementation of the security transformation project
- ISO 27001:2013 (ISMS) achieved as a security credential