Governance, Risk and Compliance - Case Studies

Case study of setting up a risk management and governance framework

Technology risk assessment, including monitoring of security solutions, for a leading US-based life sciences organization

Issues faced:

A leading US-based life sciences organization required multi-shift support for a strategic view of its IT risks, including identification of risks arising from user access, network access, insecure IT system configurations (servers, firewalls, etc.) and applications, and new product development and deployment, as well as database monitoring and computer forensics support.

Solutions provided:

Deloitte assisted the organization in decision making by providing a single strategic view of IT risks emanating from illegitimate user access and user profiles, network access, vulnerabilities in IT systems (including servers, databases, and network devices), and applications, using its IT GRC platform. We advised on security operations center (SOC) strategy and roadmap, on computer forensics to protect IP and copyrighted information, and on database activity monitoring.

Impact delivered:

With Deloitte’s assistance, the organization had a single view of IT risks in its IT GRC platform that could be integrated with ERM processes for decision making. The organization's security architecture also improved due to regular network assessments and remediation tracking, and the risk arising from user access and profiles was reduced, including across its extended ecosystem. Operationalizing multiple shifts extended coverage to the organization's offices across the globe, and a clear SOC implementation roadmap was set up.

Security benchmarking and development of security strategy and transformation roadmap for a leading global LPO organization with data centers in India, UK, US, and Australia

Issues faced:

A global LPO organization with data centers in India, UK, US, and Australia required a detailed assessment of its technology infrastructure, identity and access management strategy, data lifecycle management, and vulnerability management to address the risks that its assets were exposed to. The absence of an enterprise security strategy was leading to repeated audit observations, risks from unknown threats, and a lack of direction for uplifting the organization’s security position. Its security budget was also misaligned due to the lack of direction, planning, and roadmap (including short-term, mid-term, and long-term projects). In addition, the absence of a vulnerability management solution and process exposed the organization to various security risks.

Solutions provided:

Deloitte carried out a benchmarking study of the organization's technology infrastructure, Software Development Lifecycle processes for various types of applications, data lifecycle management, policies, and processes. We identified the gaps and deviations from the established benchmarks, devised a security strategy and roadmap, including the business case for each project, and prioritized the projects for implementation.

Impact delivered:

With Deloitte’s assistance, the organization developed a clear vision of its security position and a roadmap for its improvement, with a complete business case for each project and the timelines, budget, and resources required for its implementation. The strategy we devised documented the key projects that the organization needed to take up for better stakeholder confidence and also provided a more focused approach to the organization’s information security.

Standardization and rollout of information security and privacy framework for a telecom service provider providing remote management services

Issues faced:

A telecom service provider faced a challenge in complying with the security and privacy requirements of its clients and of the locations from which it operated. The provider also had no standardized information security and privacy control framework across its global delivery centers. It had a broad range of regulatory and contractual requirements based on clients and local regulatory needs, in addition to global requirements.

Solutions provided:

Deloitte assisted the organization in identifying legal, regulatory, and contractual information security requirements. We conducted a current state assessment to identify gaps and assisted in mitigating the gaps identified. We also provided a single view of the compliance requirements, the gaps in the system, and the multiple audits by regulators, clients, and internal teams, along with reporting on compliance risk management to different internal stakeholders.

Impact delivered:

With Deloitte's assistance, the organization achieved an Integrated Compliance and Risk Management (ICRM) framework, which put in place a process to “Test Once and Satisfy Many Requirements”. We also provided the organization with a comprehensive list of laws and regulations related to information security, business continuity, and privacy. In addition, devising a dashboard for reporting to management, clients, and regulators on key KPIs and SLAs helped the organization streamline its governance mechanism.

Setting up a program management office for design and implementation of security operations center for a global automotive major

Issues faced:

A global automotive major required project management support for its Cyber Security Center setup, involving solution design and engineering, and the implementation and operation of SIEM, threat intelligence, detection, response, remediation, and forensics. It had no holistic measures in the IT environment to detect, prevent, monitor, and protect its assets against the evolving threat landscape and attack vectors. It also had no capabilities in the areas of Security Operations Center (SOC) and threat intelligence to monitor the end-to-end implementation. As a result, the organization was managing the collaboration and support from various teams for its Cyber Security Center.

Solutions provided:

Deloitte helped establish the program management office to track, measure, monitor, and report the status of the Cyber Security Center implementation. We also assisted in establishing the risk and performance indicators for the project goals. We evaluated the solution design and architecture from vendor partners and identified improvement opportunities, while developing a path to optimize Cyber Security processes. Finally, we reviewed artifacts and identified, mitigated, and reported project risks.

Impact delivered:

Deloitte's assistance helped the organization achieve an improved governance and interaction model and an enhanced service offering for internal divisions and business units. The organization also received on-time delivery of a resilient, state-of-the-art Cyber Security setup, which created preparedness for Advanced Persistent Threat (APT), campaign, and state-sponsored attacks.

Setting up vendor risk management office and governance framework for a global healthcare, consumer lifestyle and lighting client

Issues faced:

The client faced challenges owing to the lack of a vendor risk management framework to manage risk across the various vendor lifecycle phases. It had a huge vendor base without any vendor risk ranking or consolidated view of the risks it was exposed to from its vendors. Its internal stakeholders at the various phases of the vendor lifecycle followed different risk management frameworks and approaches. It also lacked a robust vendor security governance mechanism.

Solutions provided:

Deloitte assisted the client in developing a vendor information security risk management framework. We analyzed the existing vendor information and built a vendor ranking system based on various parameters, and developed a vendor risk review approach and methodology based on the vendor risk ranking, as well as a PMO and a vendor risk review plan. We conducted vendor risk reviews of critical vendors as per the plan and developed remediation strategies and plans based on the outcome of the reviews.

Impact delivered:

With Deloitte's assistance, the client achieved a well-established, holistic, and uniform vendor risk management framework applicable to all vendors and suppliers. Key risks from the vendor partners and the key focus areas of vendor risk management were identified. Risk from the vendor partners was also reduced within a stipulated period of time. The client's security posture with respect to its vendor partners improved, as did security reporting from the vendors in the form of remediation dashboards, KPIs, etc.

SOX Management Testing on IT and process controls for a leading global beverage organization

Issues faced:

A leading beverage organization in India required support for performing Sarbanes-Oxley Act of 2002 (SOX) management testing. Its decentralized environment and lack of standardization led to a risk of non-compliance, and the absence of standardized test procedures led to inconsistencies in test results. It therefore needed areas for standardization and process improvement to be identified.

Solutions provided:

Deloitte assisted the organization in performing controls testing across its various business processes and IT controls. We also assisted in reporting the SOX testing results to the global parent organization, identified Segregation of Duties (SOD) conflicts, and tested the mitigating controls in the SAP environment.

Impact delivered:

With Deloitte’s assistance, the organization achieved a single view of the various controls that were tested. It also helped the organization draft consistent messaging across its manufacturing units and regional profit centers on the evidence that needed to be produced. Moreover, the organization was provided with the areas for standardization and automation of controls.

Evaluation of SOX framework for a large UK-based global bank

Issues faced:

A large UK-based global bank was facing non-adherence to the Sarbanes-Oxley Act of 2002 (SOX) framework and Public Company Accounting Oversight Board (PCAOB) requirements. It therefore required a comprehensive SOX framework, the design of controls, and the evaluation of controls.

Solutions provided:

Deloitte assisted the organization in designing a SOX framework as well as in performing design and implementation (D&I) and operating effectiveness testing to comply with the SOX requirements.

Impact delivered:

With Deloitte's assistance, the organization achieved an enhanced controls environment, compliant with statutory requirements.