Creating a mature cyber posture through security and compliance uplift
ADVANCED TELECOMMUNICATIONS & SPACE
Our client, in the advanced telecommunications and space industry, had been operating within another research organisation’s ICT environment and was now seeking to create their own resources with a key focus on a ‘secure from the start’ mentality.
Chamonix was engaged to facilitate the environment creation and transition, which has now progressed to a security and compliance uplift to align with organisational goals. We took a staged approach, with initial security being applied, followed by additional security layered over the top to meet desired security and compliance objectives.
This is an organisation that operates with a core internal employee base along with integrated external staff and collaboration with other public/private organisations to achieve business objectives. This means that employees operate under varied ICT conditions, such as device and/or application platform, and device management capabilities.
Our client is unique in that the organisation exists solely to securely collaborate with external parties.
Collaboration with other research centres and multi-national organisations worldwide is vital to our client’s business model, which presented the challenge of needing to be ‘secure-anywhere’, also referred to as a zero-trust security model.
The board were aiming to achieve DISP (Defence Industry Security Program) accreditation with a view to establishing a security baseline to the Essential Eight.
The Chamonix team created, migrated, and continues to support the ICT environment, having undertaken the technical planning, implementation, transition, as well as the subsequent security uplift.
As part of the solution, we recommended the M365 E3 + E5 Security licensing to meet the zero-trust and collaborative properties required to facilitate the needs of our client. This allowed for a managed fleet of Windows corporate devices that were secure from the start of implementation, which in turn minimised inevitable organisational cultural change down the track.
The Chamonix team was able to meet the security and compliance objectives of our client while minimising cost by exclusively utilising SaaS platforms, which meant that there was no infrastructure overhead (application or server). This also included the hardening of macOS devices to meet the same security and compliance objectives as Windows endpoints (where possible). All security policy controls were enforced (and can be reported on) via the Intune platform.
- Application control – Maturity level 3
- Patch applications – Maturity level 3
- Configure Microsoft Office macro settings – Maturity level 3
- User application hardening – Maturity level 3
- Restrict administrative privileges – Maturity level 3
- Patch Operating Systems – Maturity level 3
- Multi-factor authentication – Maturity level 2 (mobile app one-time password tokens for standard accounts accepted as a risk by the business; maturity level 3 compliant physical tokens have been implemented for all privileged accounts)
- Daily backups – Maturity level 3
Security controls applied to managed workstations were staged appropriately, keeping impact to business-as-usual to a minimum. Due to the remote workforce capabilities of the platforms and tooling applied, productivity suite use, collaboration, and audio-video conferencing capabilities were mirrored for users when required to work from home during the COVID-19 pandemic.
An uplift in security and compliance meant that this organisation could confidently demonstrate a transition to a mature cyber posture to its external collaborators.