Security Information

Information Security Blueprint

A major Montreal company entrusted us with a mandate that involved developing a structured approach to information security. We were required to define a target as well as establish appropriate measures and controls to ensure informational assets, which are critical to IT, were effectively secured. We also had to plan short- and medium-term actions and projects.

In general, developing an information security blueprint is justified by:

  • the need to have a structured approach to information security investments and interventions;
  • the need to establish control measures that are consistent with best practices as well as the legal and regulatory framework;
  • business needs.


Our experts had to consider several details to accomplish this project. First, Information and Communication Technology (ICT), including:

  • operation and communication infrastructure;
  • software products;
  • internal applications and systems;
  • operation and IT management processes and procedures.


They also had to consider the legal and regulatory aspect, that is to say, laws and regulations, as well as policies and guidelines. Furthermore, they had to pay particular attention to individuals (employees and non-employees) and the company’s organization while bearing in mind obligations related to their roles and responsibilities.

We developed a four-step plan that consisted of:

  • analyzing the situation and requirements;
  • establishing a target;
  • analyzing the context;
  • establishing the action plan.

Our challenges

This mandate presented many challenges. The most significant ones included:

  • establishing IT Information Security management;
  • defining the security strategy, determining priorities, identifying investments and describing security roles and responsibilities within the organization;
  • supporting the IT vice-president’s actions, means and action plan for securing the organization’s informational assets.


Larochelle’s added value

The secured projects produced tangible benefits at three levels.

Business

The gradual application of the internationally recognized information security standard ISO 27002; increased protection for the company’s critical assets; measures and controls that produce the evidence required for compliance with laws and regulations; and a risk management process to support actions and decision-making.

IT perimeters

Increased security in terms of perimeter access to infrastructures and critical systems as well as increased protection of data and informational assets.

Organization

A structured approach towards information security initiatives and projects, a preventative and proactive approach to information security management, a corporate policy for information security, increased skills and knowledge as well as an overall vision of information security requirements and challenges.


Implementing control and compliance mechanisms

This project involved analyzing an audit report as well as proposing strategies and methods to our client that would close gaps in control and compliance mechanisms. The project was accomplished after management approval.

Our client gave this project top priority. After the certified audit report was filed, gaps were discovered in Bill C-198’s (SOX Compliance/52-109) regulatory compliance. Therefore, IT management had to establish control and compliance mechanisms required by law. Not complying could result in criminal proceedings.

After our experts analyzed the assessment file and controls already in place, they established an action plan. For each gap, they presented an adequate control and procedures implementation strategy. They also identified the type of testing required for compliance, taking into account the source of information and stakeholders. Finally, our specialists planned the project required to close the gaps.

During implementation, we put corrective mechanisms in place and coordinated the testing processes. We established the level of documentation that Bill C-198 requires, namely traceability. Furthermore, results were measured in order to present the evidence required for compliance. We also developed a communication plan for those affected by the tests’ recurring activities.

We accompanied IT management in implementing corrective mechanisms. In order to avoid any future non-conformities, we established a short- and medium-term plan for projects and preventive activities. In addition, we supported our clients in presenting results to senior management.

We presented our project to various certified auditors. They recognized that the control and compliance mechanisms required by the law had been implemented and that our client met compliance regulations.

Our challenges

This was mostly a business challenge: we had to ensure that the company’s financial data met the regulatory compliance requirements of Bill C-198 (SOX Compliance/52-109).

Larochelle’s added value

We had all the expertise required for this type of mandate. Our specialists implemented control mechanisms and reviewed all quality, testing and delivery procedures for all the company’s financial functions.