Compliance Automation

Client Profile
A national and a global leader in communications.

Challenges
Processing credit card transactions stores and transmits an extensive amount of private consumer data, which has led to numerous laws protecting vulnerable consumers. Implementing an IT-compliant Governance, Risk and Compliance (GRC) program had become a time-consuming challenge for the client as a result of continual audits by regulatory bodies charged with enforcing these consumer protection laws. Preparation and consistency are an important part of positive audit performance, and it was clear that greater automation, visibility, transparency and report generation capabilities were necessities to streamline the auditing process.

CBI quickly identified two challenges that would impede the client’s goal of implementing a GRC program: software integration and implementation. With a system that is responsible for massive amounts of data, the logistics were the main hurdle. From importing the client’s current database assets with minimum risk to effectively scanning the systems for configurations to assess and ensure security, streamlining the client’s systems and processes presented a complicated obstacle.

Solution
After analyzing the client goals, as well as the challenges and variables involved in meeting those goals, CBI determined that the Symantec Control Compliance Suite (CCS) was the ideal solution to streamline data-gathering and compliance processes. CCS automates all necessary processes, from information gathering and dashboard functionality to executive presentations and advanced reporting capabilities.

To remedy the implementation concerns and minimize the scanning load on the client’s existing systems, CBI transformed a non-technical portion of CCS into a questionnaire distributed to users via a Web form. Any security information gathered from the questionnaire would be compiled into a central evidence database, a mechanism that is compliant with auditor demands and satisfies all relevant regulatory standards. Because CCS can identify where the company might be at risk, the client would be able to remediate those issues before the auditors even arrive. Once that powerful and flexible new infrastructure is in place, the client would have the ability to produce an auditor-requested report with a few simple clicks of a mouse.

Results
The CBI solution of implementing CCS into the company’s infrastructure produced seamless functionality, complete with automated data collection, coordination and reporting. This increased efficiency and accuracy ensured compliance with all applicable regulatory framework obligations, including Sarbanes-Oxley (SOX) and the Payment Card Industry Data Security Standard (PCI DSS). The CCS solution performs ongoing risk assessments and, if vulnerabilities are detected, evaluates possible resolutions, ensuring that the client will earn exemplary risk ratings from auditors scoring on the Common Vulnerability Scoring System (CVSS).

CBI trained and educated company personnel, enabling the client to independently operate CCS on an ongoing basis and confirming a future of sustainable compliance. The CBI integrated solution maximizes the value of the collected data from both a compliance and a risk assessment point of view. Because the system automatically weights data and assets on a risk scale with a focus on compliance, the client receives data that applies specifically to their policies and to relevant regulations and audit frameworks around the world.

Just one week after CBI began the project, an on-site project manager stated: “I know in my heart that we have the right guy here.”