Virtual CISO - Case Study #1

Cellular Communications Provider in Merger & Acquisition

Industry:  Telecommunications

Location: Toronto, Ontario, Canada

Size:  700 employees

Reason: Mergers and Acquisitions

Effort: First 30 days full time.  Next 60 days 3 days per week.  Remainder of contract was flexible depending on tasks required.  Minimum 1 day per week, typically 2 days per week.

The Story:

This company was a well established small regional player in the Mobile Cellular Communications industry.  After a considerable period of growth and stability, one of the larger Canadian Broadcast and ISP companies put in an offer to acqure this mobile company.  As part of the acquisition, the new parent required that a full Cyber Security Assessment be conducted, and that defiencies be remediated prior to hand-off.

In addition, the acquiring company required proof of Sarbanes Oxley compliance, and provided the tools and guidance *they* used to acheive this.

In partnership with a large Canadian Channel Partner, TeamCISO accepted the challenge, and spent 18 months preparing the Mobile Cellular company's Cyber Security program to comply with the requirements of the new parent company.

The First 30 days:

This contract took the form of an initial ISO27002 maturity assessment, interviews with the relevent subject matter experts in IT, HR, Legal, Privacy, Corporate Communications, the lines of business, as well as reviews of existing documentation.

• After this assessment was completed, a roadmap for remediation was developed .

The Next 60 days:

• Penetration tests were scheduled to assess the security controls protecting the Internet facing assets.
• Network vulnerability scans we conducted across all network segments - IT, OT, and Wireless.
• Asset inventories of both Data and Network Connected devices were conducted and validated.
• The SOX assessment was initiated.
• The existing Security Policies, standards, procecures, guidelines, etc were compared against those of the new parent company as well as Industry best practice, and updated where reasonable.

Beyond the 90 days:

• we updated the Change Management, Incident Management, and Breach Management processes and integrated them with the parent.
• We conducted quarterly Maturity assessments to track progress.
• We implemented log management and a SIEM, and integrated the infrastructure security logs
• We installed and configured privileged access management
• We implemented 2 factor authentication
• We conducted both static and dynamic application assessments
• We adopted the parent's  Security Awareness program

After almost 18 months of effort, we successfully handed the Cyber Security reins over to the parent.

Benefit to Client:  

• The Client did not have aCyber Security team on staff (there *was* a firewall admin)
• No need to find a "temporary CISO" at $200k plus annually
• We project managed the entire program from assessment to handoff
• We provided weekly, monthly. quarterly progress reports
• We provided monthly and quarterly Security Metrics reporting
• One-stop-shop.   We brought resources to the table for each phase including
  • Policy framework development
  • Penetration testing & vulnerability assessments
  • SOX assessment
  • SIEM development/implementation
  • Privileged Access Implementation

More Case Studies in this Series:

Case Study #2 - Fintech Service Provider requires Interim CISO

Case Study #3 - Software Startup requires Governance on a Budget

Case Study #4 - Wealth Management Company with Poor MSSP Contract

Case Study #5 -Small Family Law Firm concerned about Privacy Breaches