Client: A division of the United Nations
Title: Information Security Governance Implementation
Product / Service: Consultancy and training
Background: Red Island Consulting was contracted to establish a Global Information Security Improvement Program and to develop a Global Information Security Management System suited to the client's unique operating and regulatory environment.
This entailed establishing the management responsibilities and processes needed for the client to comply with ISO/IEC 27001:2005. It also involved defining and documenting the methodology that local information security managers would use to implement regional Information Security Management Systems, each of which had to support the Global Information Security Management System.
Red Island was responsible for defining the management structure that would enable the client to identify the information assets of its 10 international offices. Red Island established a risk assessment and treatment process for both centralised and decentralised information systems, and developed IT and end-user information security policies. It also established a Global Information Security Incident reporting and management process, which ensured that incidents reported at a local level, but with potential impact on the wider user base, were identified, tracked and managed.
Red Island Consulting was most recently engaged by this client to provide specialist information security consultancy to assist in creating and deploying their information security awareness programme. Two key objectives were to gauge staff awareness of the organisation's information security policies and procedures, and to gain insight into current practices, culture and staff perceptions of information security.
The Objective: To establish, deploy and monitor a best practice information security management system.
The Solution: Working closely with the CISO and information security stakeholders, Red Island defined an information governance structure that could be implemented at their Geneva Head Office and at their 10 key regional sites.
- Risk assessment was conducted via a series of face-to-face interviews with staff from a cross section of departments and seniority within the Geneva location;
- Controls to mitigate risk to an acceptable level were presented to and agreed by the client;
- A series of processes were established so that the organisation could monitor the effectiveness of, and adherence to, the controls;
- We developed an online awareness survey that was deployed to all Geneva staff;
- Red Island then conducted a detailed analysis of the data collected and documented the key observations and findings; and
- We provided recommendations for a full detailed strategic information security awareness programme.