Saturday, 19 May 2012
Regulatory ISMS procedures & risk assessment
- Project Name
- Regulatory ISMS procedures & risk assessment
- Client
- Leading mobile telecommunications provider
- Country
- South-eastern Europe
- Dates
- 2010–2011
- Project description
- Our customer’s main objective was to further strengthen compliance with the specific national regulatory framework and to further comply with ISO 27001 requirements. CRI assisted this provider of international telecommunications wholesale services in: maintaining a secure operating environment and the integrity of its data; protecting itself against accidental or intentional disclosure of information; reducing the costs associated with security-related problems and compliance breaches; and protecting its brand and reputation. The scope of the project covered the business operations of the provider and took into account the IT user population, the telecommunications and business community, key business processes, and key supporting infrastructure, including the information systems environment and the international service provision network environment. The challenges were to: identify all regulatory requirements and measure their impact; work within a heterogeneous technology environment; translate regulatory requirements into technology requirements; present risk assessment results in business terms; associate risks with revenue generation; and relate business processes to their supporting technical infrastructure.
- Solution
- During the implementation phases of the project, CRI Consultants developed a quality plan and prepared the framework for the implementation of the project. All required information was collected, including information on the control measures in place for addressing legal and regulatory requirements. CRI Consultants then performed a gap analysis to identify gaps in, and requirements for, the security procedures. Based on the gap analysis and ISO 27001, they developed all necessary security procedures to address the requirements and assisted the customer with implementing them. Furthermore, CRI Consultants examined the business-organisational, operational and technical levels for information security weaknesses that an attacker could exploit. Finally, a suitable network architecture design focusing on security aspects was proposed, and internal and external (black-box) penetration testing was performed.