
Design and implement Cybersecurity program
Date: April 2023
Innovate Loan Servicing, Fort Worth, TX
Date: Sept 2021 - June 2022
Role: VP, Information Technology/CISO
Project type: Cybersecurity program design and implementation
From-scratch design and build of the people, processes and tools needed to deliver a cybersecurity program. The company had already had 2 cybersecurity-related events in the 2.5 years before I started.
Summary of environment when I started:
Firewalls: SonicWall systems, but an MSSP that had been terminated 18 months before my arrival still held the registration for the primary, rendering it useless to Innovate. All licensing renewals went through the primary and had expired, so it was offline. The secondary had no active licensing and was basically a router.
VPN: Again, two SonicWall appliances, but both were End-of-Life with known security vulnerabilities; there were step-by-step instructions online for how to compromise the devices.
Account management: No deprovisioning or account review processes. There were 400+ active user accounts with fewer than 60 active employees.
Privileged access: All users had full admin rights on all desktops. Multiple non-admin users had admin-level access to the VPN software, and a former MSSP that had been terminated still had admin-level access to edge systems.
Encryption: Despite holding both PII and PCI data, there was no encryption of data at rest, and in most cases data in transit was unencrypted as well.
External access: Only one application, the loan origination application, was hosted in the cloud, but it had a direct connection to the on-premises Loan Management system. The "firewall" had been opened on the ports required for database- and application-level communication, but the rules were NOT restricted to an IP whitelist and were open to the world on those ports.
Document and data access: Over 70% of the company, not just IT staff, had unrestricted access to core applications, the file server and the Document Management system. No attempt at role-based access had been made to secure data.
DR/BCP: There were documented BCP and DR plans, but they were inaccurate and had never been tested. In fact, the backup site had never been set up, and there were no active data backup or offline storage activities in place.
End User Training: There was no mandatory cybersecurity awareness training in place, despite it being required of financial services companies.
End User Compute: No standardization; 90% of systems were still on Windows 7, which had reached End-of-Life before my arrival. The remote work plan was to send all users home with a 13" Chromebook; users would all log in with the same Google account and then Remote Desktop to their workstations at their onsite desks. This prevented the dialer used for call center activities from transmitting audio to their Chromebooks, so they would dial into the call center software from their personal cell phones and access sensitive customer and client data.
Processes and Policies: Most were undocumented; those that were documented were incomplete or inaccurate.
Post-project status:
Firewalls: First, regained ownership and licensing of the primary and activated it to prevent future data loss risks. Then replaced it with a next-generation firewall and implemented vendor best-practice rules and controls.
VPN: Implemented an MFA/SSO solution and integrated it with the VPN; controlled access to only IT admin-level resources.
Privileged Access: Implemented user provisioning, deprovisioning and access review policies and procedures; reduced active user accounts to only those required.
Encryption: Created a data encryption policy and procedures and established secure encryption methods for data at all levels (in transit and at rest).
External Access: Applied IP whitelisting policies to all applications and forced access through secured and controlled channels.
Document and Data Access: Designed and implemented role-based security policies, access requests with management-level approvals, and policy controls restricting access to the minimum needed to do the job.
DR/BCP: Complete review and overhaul of the DR/BCP configuration. Aligned with the corporate cloud-first technology strategy and implemented data backups based on source points and vendor best practices. Implemented bi-annual testing and reviews, documented results and reported them to the CIO and board.
End User Training: Implemented cybersecurity awareness training company-wide, with required monthly online training and testing, plus scheduled test phishing emails to track user awareness and report results to IT leadership.
End User Compute: Deployed brand-new laptops enrolled in Azure Intune for image control and policy provisioning/enforcement. Automated patch management, removed privileged access from users, enforced MFA compliance, antivirus installation and scans, password policy enforcement and other critical security configurations.
Processes and Policies: Complete review of all IT policies and procedures. Created or corrected every policy to align with the cybersecurity strategy. Centralized policy storage, communicated policies to all users, enforced user review/acceptance and integrated policy reviews into the onboarding process.
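The account review process described above (the 400+ accounts against fewer than 60 employees, and the terminated MSSP that still held admin access) comes down to a reconciliation that can be scripted. The example below is added here and is not Innovate's tooling; the directory export, HR roster and admin group are constructed sample data, and the 90-day stale-logon threshold is an assumed policy value.

```python
"""Periodic account review: reconcile directory accounts against the HR roster."""
from datetime import date, timedelta

# Constructed sample data (not from any real environment).
HR_ACTIVE = {"asmith", "bjones", "cwu"}   # employees HR lists as active
IT_ADMIN_GROUP = {"cwu"}                   # accounts approved for admin rights
REVIEW_DATE = date(2022, 6, 1)             # date the review is run

DIRECTORY_EXPORT = [
    # (username, enabled, has_admin_rights, last_logon)
    ("asmith",   True,  False, date(2022, 5, 30)),
    ("bjones",   True,  True,  date(2022, 5, 29)),  # admin without approval
    ("cwu",      True,  True,  date(2022, 5, 31)),
    ("dlee",     True,  False, date(2021, 1, 4)),   # left, never deprovisioned
    ("svc-mssp", True,  True,  date(2020, 11, 2)),  # former MSSP, still admin
    ("tmp-old",  False, False, date(2019, 3, 1)),   # already disabled
]


def review_accounts(directory, hr_active, admin_group, today, stale_days=90):
    """Return enabled accounts grouped by finding type (assumed 90-day policy)."""
    findings = {"orphaned": [], "unapproved_admin": [], "stale": []}
    for user, enabled, is_admin, last_logon in directory:
        if not enabled:
            continue                      # disabled accounts need no action
        if user not in hr_active:         # no matching active employee
            findings["orphaned"].append(user)
        if is_admin and user not in admin_group:
            findings["unapproved_admin"].append(user)
        if today - last_logon > timedelta(days=stale_days):
            findings["stale"].append(user)
    return findings


def disable_candidates(findings):
    """Orphaned or stale accounts are the deprovisioning work list."""
    return sorted(set(findings["orphaned"]) | set(findings["stale"]))


def account_ratio(directory, hr_active):
    """Enabled accounts per active employee; anything well above 1.0 is a red flag."""
    enabled = sum(1 for _, on, _, _ in directory if on)
    return round(enabled / len(hr_active), 2)


if __name__ == "__main__":
    result = review_accounts(DIRECTORY_EXPORT, HR_ACTIVE, IT_ADMIN_GROUP, REVIEW_DATE)
    print("findings:", result)
    print("disable:", disable_candidates(result))
    print("accounts per employee:", account_ratio(DIRECTORY_EXPORT, HR_ACTIVE))
```

In practice the directory list comes from an AD or Entra export and the roster from HR, and the review output is what gets signed off by management before accounts are disabled.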