Risk Management
Case Study 1 - Risk Management
A local Asset Management company with a focus on REO Management requested an independent assessment of its existing IT security infrastructure as part of its overall Risk Management plan. Working with the CEO and CIO, Pratt Brown & Associates, LLC provided a well-qualified CISSP who performed a detailed risk management analysis. This analysis included an on-site visit to the client and an in-depth questionnaire designed to uncover potential risk factors, both internally and with third-party vendors. The end deliverable, a completed IT Security Risk Assessment, provided the client with an overall rating for each area, with the potential risks in each cited. Recommendations for risk mitigation were identified based on current industry standards.
In agreement with the CISSP's recommendations, the client decided to move forward with implementing an updated IT Security Infrastructure plan. Based on the assessment, Pratt Brown & Associates, LLC's CISSP worked in conjunction with the IT group to establish best-practice policies, provide equipment recommendations, mitigate physical risks, and assist and advise the IT Network group in its implementation of a modified network infrastructure rollout. The initial project requirements were completed within a 3-month timeframe.
An IT Security Risk Assessment and the resulting IT Security Infrastructure Risk Management plan should be performed on-site in conjunction with the CEO, CTO/CIO, and key IT employees. The initial assessment should include a review of both the physical and the internal infrastructure and will usually last up to 4 hours for most small to medium-sized businesses. The deliverable should include a completed review of your current practices and a Statement of Work document that clearly states options to mitigate the identified risks based on best practices and industry standards. You will need to determine your company's tolerance for each area of risk identified. A customized plan can then be implemented by internal staff or in conjunction with the consultation of a Certified Information Systems Security Professional. The success of an IT Security Infrastructure Risk Management plan hinges on the ability to implement the course of action for new or modified workflows and user roles within your existing security processes and procedures. Once identified by IT, new standards and best practices should be well communicated across groups prior to rolling them out to company employees.
Pratt Brown & Associates, LLC recommends a yearly audit by an independent CISA once a long-term IT Security Infrastructure Risk Management plan is implemented.