Information Security Compliance
The customer is a utility company required an independent assessment of its current Process Control Domain (OT) security standard and procedures including the current security operating model against relevant standards including but not limited to:
- ISO 27001
- IEC 62443
- SANS Top 20 critical controls
The primary objective of the project was to perform an independent risk based audit to assess OT security governance, security processes and procedures, security configuration controls implementation in the systems being used and the physical area of where these controls are implemented and propose an improvement. A strategy comprising a design of a new or improved controls that comply with ISA 62334, relevant standards and ensure robust and resilient operation.
The result of this audit discovered weaknesses/gaps with respect to security best practices and standards in OT security governance including policies and procedures; weaknesses in security configuration controls in operating systems, network devices, and the system that are being used; business continuity management; and physical security of the control areas. The audit team followed the ISACA’s IS Audit and Assurance Standards; Professional Practices Framework for IS Audit/Assurance.
EGCD team also proposed a strategy for:
- Organization Governance.
- OT network architecture design.
- Legacy System.
- Knowledge management.
- Training and knowledge transfer.
In addition to the audit and recommendation, we also ensured that all processes, procedures and tools which were created during the audit repeatable utilized and knowledge was transferred to relevant teams. A wider and systematic knowledge transfer process was created for all staff.