CASE STUDY

Creating formalized cyber security documentation & enhancing security posture

Miles IT helps a municipal organization clearly define its cyber security policies and programs while adding enhancements to fulfill regulatory requirements.

MEET THE CLIENT

Municipal organization

The client is a municipal water company providing citizens with access to the water resources they need for daily living.
With several small locations, the organization has one centralized location as its infrastructure hub.

PRIMARY CHALLENGE

Properly documenting & formalizing proof of security controls

The client was already one of our Miles Assurance Plan customers, so when their regulatory body requested information security program documentation, they reached out to us for assistance.

Mandated Information Security Program

The client’s regulatory entity mandated that they create and share an information security program to protect their assets from cyber security threats.

Assistance with Formalizing Documentation

Though the client had a strong security posture, their documentation was not well-defined; they needed a cohesive strategy to integrate their numerous controls.

Unique Controls & Services Relationship

The organization’s staff and technical controls are not directly tied to its service delivery, which made it harder to identify which security protections were actually necessary.

OUR PROVEN PROCESS

From initial assessment to final implementation

Our team, led by our Director of Compliance & Risk Management and a Compliance Analyst, began by performing a risk assessment to provide a complete snapshot of the client’s actual highest-risk threats, compared against the client’s previous assumptions. From there, we focused on improving & formalizing documentation and making enhancements to security controls.

  • Organization-Based Risk Assessment

    Our risk assessment is based on NIST SP 800-30 (the guide for conducting risk assessments) and SP 800-37 (the Risk Management Framework). We used this to objectively score threats with input from the client while leveraging our own experience scoring these threats. In addition, we completed a sensitive information flow mapping diagram to understand how sensitive information moves between users and systems.

  • Documentation Drafts

    We drafted the client’s documentation based on their existing materials and our findings from the risk assessment.

  • Documentation Review & Control Consultation

    We reviewed the documentation with the client and presented recommendations for strategies to improve control activities and strengthen security posture.

  • Documentation Finalization

    We made necessary revisions and prepared the policies for implementation.

  • Documentation Adoption

    The client formally adopted the documentation as part of their organizational processes and shared the policies with their staff and regulatory entity.

  • Follow-Up As Needed

    As additional questions came to light beyond the initial scope of work, the client reached out for help with required updates.

OUR STRATEGY

Clear & comprehensive security policies

We created transparent, in-depth processes & programs to formally document the client’s controls and guide their responses & activities.

Information Security Program

This document covers acceptable use policies, data handling, permissions, user privileges, and much more, so that all end users follow a single, understandable framework.

Senior Management Information Security Policies

We created a separate policy for senior management to directly record decisions solely related to their roles.

Cyber Security Incident Response Process

To ensure the client recognized the necessary steps to take in the event of a breach or attack, our team developed an in-depth incident response plan.

Change Management Process

The client can easily navigate organizational changes, including technology shifts or employee departures, with our clearly defined procedures and best practices.

Vendor Management Procedures

With a transparent process for evaluating vendors and their policies, the organization increases overall security and data protection.

Business Continuity Plan

Our team created a comprehensive business continuity plan, so the client can quickly return to normal business operations in the event of a disaster.

Risk Register

We prepared a comprehensive document that records the identified risks to the organization, along with each risk’s priority level and recommendations for resolution.

THE RESULTS

Defined security procedures & enhanced protection

The client was able to share formalized security documentation with their regulatory body and gain approval to continue operations.

Formalization of Control Activities

The client’s security processes are now fully documented and commensurate with the mandate from their regulatory entity.

Improved Threat Intelligence

Though they initially sought help with documentation, the client also increased risk readiness and enhanced security control activities based on our recommendations.

Forward-Thinking Security Mindset

The client understands how to formalize controls before implementing them to ensure documentation matches actual procedures.

MOVING FORWARD

Staying up-to-date in a changing threat landscape

With our guidance, the client has a strong understanding of how to handle future documentation changes. They can also reach out to us for additional assistance should any need arise.

With risks constantly evolving, strong cyber security is crucial to ensure continual protection from threats.