Our client is a large organisation within Australia’s Health Industry. Health and personal information is a critical asset for health providers, so there is an ongoing focus on having sustainable information security controls that protect and safeguard the privacy and accuracy of that information. With ongoing business growth and new technology opportunities, getting information security right is vital, and getting it wrong could put an organisation on the front page of the newspaper. When it comes to security, it’s all about managing risk.
To gain confidence that controls were in place to protect sensitive and private information, our client required an information security review to determine how well information was being protected across the organisation. The resulting review identified security shortfalls and the remediation actions required to reduce security risk.
Terra Firma came on board to lead the information security review. Applying the proven Linus Secure methodology and our security expertise, we took the client through a data discovery process while reviewing their business exposure.
We began with a Data Sensitivity Analysis, using an agreed risk matrix and working with representatives from every area of the organisation to identify all categories of data held. We then assessed, against the risk matrix, the impact of each data category being exposed to people who should not see it (confidentiality), being incorrect (integrity), and being changed without a record of when it was last changed (accountability). The result was a defined sensitivity level for each data category in each area.
Next, we performed a Controls Review of the organisation’s current business and technology environment. We interviewed key organisation representatives and gathered information on where the data was stored and how it moved around the organisation. For each place where data was stored, used or moved, we reviewed the layers of controls protecting the data, ensuring its integrity and monitoring accountability.
These findings formed the basis of our Information Security Gap Analysis, performed for each data category by assessing the effectiveness of the control layers against that category’s sensitivity level. This exercise produced the gap analysis findings and a heat map identifying data security shortfalls, where they occurred and the criticality of each.
The final stage of the review was the production of a set of Security Control Recommendations and a Roadmap to address each shortfall identified in the gap analysis. Terra Firma provided expert advice on the relevant security controls, including the remediation steps and a plan and roadmap for how they could be implemented.
Through this process our client’s concerns about information security gaps were validated, and risk awareness within the organisation was raised. The client became better informed about the type and level of sensitive data actually held and the treatment strategies best suited to managing the risk exposure. The Business and IT teams were also provided with a report to use as the basis for seeking funding to implement both interim and long-term solutions that mitigate their business and technology risks.
Our client was very happy with the result and the clear set of recommendations provided, and Terra Firma has subsequently been engaged to deliver some elements of the recommended roadmap.