Our Client was a Fortune 10 health insurer concerned about the potential for damage from intruder exfiltration of sensitive data (Personally Identifiable Information and Protected Health Information) or from trusted-user malfeasance. Their objective was to protect their customers and members from intruders and from internal and external exploitation of security holes.
Their original mission: protect data across 75,000 databases.
We worked with their program management staff to frame the project scope, delivery, monitoring policies and standards, and to create the technical and project management work team to integrate and implement the security plan. As the Chinese proverb says: “the journey of a 1,000 miles begins with a single step.” We had seen many projects fail due to unrealistic expectations, so we worked with the team to set appropriate first-year expectations.
We helped the Client select IBM Guardium as the most appropriate software for data access monitoring. Once the software was selected, we were then able to guide the Client in budgeting and scheduling, as well as coordinating across all of their stakeholder support groups: DBAs, systems administrators, procurement, security and so forth.
Defining the plan and policies required facilitation across varied administrative and bureaucratic procedures and processes, which differed across database and operating platform types: one set of standards for Oracle on UNIX, another for SQL Server on Windows, and yet another for MySQL, mainframe DB2 and so on.
Our program management team defined appropriate monitoring metrics to report upwards on project progress and ROI. Through weekly program meetings, we reviewed issues and risks, devising appropriate response strategies to maintain forward progress according to plan.
At the conclusion of the first year of the program, active preventive monitoring, integrated with the company SIEM and SOC, covered 6,500 databases, the largest first-year deployment for this technology. Our program exceeded company objectives and received a five-star rating, the only security program to do so. The Client sponsor was quoted as saying: “We could not have accomplished this without you.”