Case Studies

Cloud Migration for Financial Institution

An institution responsible for processing, handling and reporting on a significant volume of large mortgage pools and financial data needed to evolve its security systems and simultaneously move to the cloud. This institution was also under several ongoing audits for financial compliance and security assessments to satisfy inspector general inquiries. Four different groups with overlapping and shared responsibilities across three non-federated domains operated and maintained this environment.

Considering the lack of transparency between the groups responsible for the administration, project management and security posture of this environment, several working sessions were facilitated to ensure that migration planning and the timing of audit activities were all effectively captured and tracked in a ticketing system. Several communication channels and change management boards were established to ensure that clear, effective scheduling was reflected across all four companies.

During planned maintenance windows, unapproved change procedures were observed, which provided evidence that role-based access controls needed to be enforced; doing so not only improved the security posture dramatically but also satisfied several audit findings. Planning the revocation of access and the shift of responsibility among the four entities required many objective conversations to establish our common goals and, most importantly, to assure our client that business objectives and service level agreements would be met without fail. Throughout this effort, the primary purpose of migrating the environment to the cloud did not change, but several milestones required reassessment, which became easier for our client to decide on once better communication channels had been established.

Cultural Shift for Private Company

A tax preparation company had several areas of concern revolving around the development and deployment of over 300 applications designed to parse and perform calculations on taxpayer information according to local, state and federal tax laws. Some of the most prominent challenges included unmitigated access to production environments, a multitude of anonymous accounts with administrative permissions and a lack of quality assurance and testing procedures.

In order to resolve these concerns, many workshops and candid conversations were facilitated among developers, database administrators, quality assurance staff and senior-level management to document and organize the requirements needed to deploy, test and promote each application at each phase of its respective life cycle. These actions yielded a transparent and auditable process which significantly improved the software development life cycle, incident management and security posture of the organization.

The processes that were established provided readily available information to deployment engineers, project managers and mid-level management for project planning. Senior leadership was also able to address any potential concerns about software development and information security, which helped the company meet or exceed compliance needs. This tax firm was a private entity at the beginning of this effort and is now a publicly traded company.

High Visibility Audit Response

As a pilot for the Computer Security Inspection and Compliance Program, a specialized dual command ship was selected to assess the feasibility of performing a multistage inspection of security controls against Department of Defense directives and federally mandated compliance requirements. The inspection was a coordinated effort that included collaboration among the Navy Red Team, the Navy Blue Team, the Military Sealift Command and civilian contractors. The first two phases of this inspection demonstrated that the security posture of the ship did not qualify to pass the inspection and yielded a plethora of mitigations that needed to be resolved before the final stage of the inspection.

After a review of the inspection findings, it was determined that both technical and cultural aspects of information security needed to be addressed. Several workshops and training sessions centered on industry standards helped convey the importance of maintaining awareness of the security impact of technical operations as well as of the behavioral aspects of information protection. In addition to the traditional DoD directives and manuals, the interpretation and adjudication of other applicable IT industry standards, such as those in the NIST 800 series, gave ship staff and leadership a clearer understanding of how to improve the technical and cultural aspects of information security, which led to the development of better ship operating procedures.

This exercise resulted in a successful pass rating for the final stage of the inspection and was a big win for both the Department of the Navy and the Military Sealift Command. The Computer Security Inspection and Compliance Program helped fuel a new set of standards for the Department of the Navy and has demonstrated its significance in improving the security posture of our national defense vessels.

Audit Preparation for Multiple Boundary Accreditation

The client needed to meet a Department of Defense Information Security Administration deadline for all surface warfare laboratories and platform IT environments to successfully complete the accreditation process in order to continue operating without endangering their respective missions, risking budget cuts or losing their authority to operate. This accreditation effort was also accompanied by the adoption of the Risk Management Framework (RMF), which replaced the DoD Information Assurance Certification and Accreditation Process (DIACAP) and changed the order in which security posture assessments were performed, creating a learning curve for some personnel. Considering that all 21 labs were representative of various shipboard architectures and native engineering systems, standard accreditation procedures and traditional IT auditing efforts were typically not feasible, so a customized approach had to be developed to properly document and assess the security posture of each boundary.

To carve the path forward, engineers were interviewed in multiple stages to document the native function of each peripheral and dummy device, their respective maintenance procedures, and how these devices and operating procedures would impact the security posture of their immediate ecosystem and any connected information system counterparts. Simultaneously, encouraging lab staff and their respective government representatives to proactively audit their security posture at regular intervals empowered them to establish their own self-assessment processes and prepare for future accreditation efforts with ease.

Culture Shift for a Public Entity

A federal civilian agency was prompted by the Office of Management and Budget to provide an immediate response to a FISMA audit which had Inspector General (IG) oversight. The primary challenge was that several audit findings required communication among stakeholders who were not in regular contact, as a result of office politics and disparities in accountability between various contractors and other agency personnel.

Due to the social climate of this environment and the urgency of this audit request, the best approach was to extract and consolidate each finding for classification and triage among team members. This allowed the team tasked with gathering the supporting evidence and remediation tasks for each finding to capitalize on interactions with the responsible and accountable parties with little friction or interference, which also provided opportunities to offer refresher training on procedures that encouraged communication between teams and prevented the need to rush to gather information that would otherwise be readily available.

Leveraging the need to answer to an external authority presented an opportunity for collaboration that otherwise may not have happened. As a byproduct, several individuals recognized that setting their past differences aside and working together permits better cyber hygiene and a stronger security posture for the agency overall. The efforts put into responding to this audit have had a lasting impression on the agency.