Technology by itself cannot fully address an organization’s information security needs. The proper organizational structure, coupled with practical and actionable governance, is necessary. Depending on an organization’s specific requirements, activities may include creating and staffing a Chief Information Security Officer (CISO) organization or Cyber Security Incident Response Team (CSIRT), drafting information security policies and standards, allocating security responsibilities across different organizational groups, and providing executive information security awareness training.
A major electric power utility with operations in China, Hong Kong, India and Australia engaged Parenty Consulting to develop a cyber incident response program to address all company operations. Of key importance was ensuring a consistent and effective response across a corporation that transcends both geographical and national boundaries. Additionally, this program had to go beyond traditional corporate IT incident response to address SCADA issues related to their electricity production and transmission facilities. We developed a program that drew on international standards and leveraged their existing organizational structure and physical emergency management framework.