Great job everyone on the discussion. If you enjoyed this case I have a few other things you might like:
- Verizon’s 2015 Data Breach Investigations Report
- Deloitte Cyber Security Video 1: Companies Like Yours
- Deloitte Cyber Security Video 2: Evolved
I liked how you referred back to other topics that we have considered in the past 12 weeks.
Let me take you through our view of them:
IT Administrative Controls – really lax both inside iPremier and at the ISP. I get the sense that very little is actually in control here. WoW on company equipment and company time? Poorly organized and poorly run.
IT Governance – There appears to be little knowledge or interest in IT from the executive level of the company. How can this be for a company that runs on an e-platform? Inexcusable. Certainly, there is no conscious effort to guide IT as it supports the business. Ad-hoc decision making and a culture of do what’s needed now and we’ll worry about the rest later seems to be at work here.
Enterprise Architecture, IT Strategy, Portfolio Management – There doesn’t seem to be any.
Policy – Again, if they exist, they seem to be on the shelf like the disaster recovery plans. Even the CEO acknowledged that they needed a closer look at how they did things.
IT Services and Quality – Again, there does not appear to be a disciplined look at what IT services they are using/providing. Furthermore, there is no sense of continuous improvement, or some of the Disaster Recovery plan’s problems would have been identified and fixed.
Outsourcing – They picked the ISP because they knew someone? Really?
Monitoring – Doesn’t appear that they did much beyond the basics of operating a system. But then, if you haven’t defined any IT services, how could you monitor them?
Risk – No risk culture in the organization, no risk culture in IT. I’m tempted to say that they looked at Disaster Recovery planning as a compliance issue, not as a control. They were required to have one, so someone wrote it and put it on the shelf for the auditors to see, but they never did anything with it.
All of this leads to a situation where a breach was eminently possible with a poor response guaranteed.
The whole idea of running an IT organization under control is that you have organizational discipline. This doesn’t eliminate the potential problems of a security attack or any other risk. It makes such risks much less likely to occur and it gives you a much better position from which to deal with them if they do occur. This is the point of everything you will be learning in this program.
Thu & Rich