Diligent Case Studies Defense Contractor Closes GRC Gaps and Gains Executive Visibility Into Risk Exposure

Edit This Case Study Record

	Defense Contractor Closes GRC Gaps and Gains Executive Visibility Into Risk Exposure Diligent

Defense Contractor Closes GRC Gaps and Gains Executive Visibility Into Risk Exposure

Diligent

Technology Category	Application Infrastructure & Middleware - API Integration & Management Cybersecurity & Privacy - Cloud Security
Applicable Industries	National Security & Defense
Applicable Functions	Business Operation
Use Cases	Cybersecurity Regulatory Compliance Monitoring
Services	Cloud Planning, Design & Implementation Services Cybersecurity Services
Challenge	Despite their track record of success in delivering end-to-end solutions for collecting, processing and understanding sensor data, a leading defense contractor had significant gaps in several key areas related to governance, risk and compliance (GRC). They had resorted to leveraging a manual spreadsheet process for risk assessments, which made it nearly impossible to scale coverage and to report on assessment results. The lack of automated reporting capability made it difficult for leadership to get a true picture of the status of risks being tracked, and the vulnerability management team had no mechanism to drive accountability and timely remediation of problems. They also had difficulty demonstrating how their GRC strategy incorporated into required policies, procedures and controls. Additionally, as a government contractor, they had a number of federal mandates and standards to meet—including NIST 800-171. Read More
About Customer	The customer is a leading defense contractor that specializes in delivering end-to-end solutions for collecting, processing, and understanding sensor data. They have a successful track record and are known for their comprehensive solutions. However, they were facing significant challenges in the areas of governance, risk, and compliance (GRC). The company had resorted to using manual spreadsheet processes for risk assessments, which was not scalable and made reporting on assessment results difficult. The lack of automated reporting made it hard for the company's leadership to get a clear picture of the status of risks being tracked. The vulnerability management team also lacked a mechanism to drive accountability and timely remediation of problems. As a government contractor, the company had to meet several federal mandates and standards, including NIST 800-171. Read More
Solution	The organization turned to Diligent for help reaching two primary goals: standardizing their business processes, and gaining greater executive-level visibility into areas of risk exposure. The solution needed to be cloud-based, meet strict GovCloud security requirements, and provide the flexibility and the diversity needed to manage various functional work processes with consolidated views of risk information. To meet these goals, they implemented HighBond solutions, including IT Risk Management and Threat and Vulnerability Management. The organization used the harmonized content to create a common control framework. This allowed them to sync upstream policies and procedures with downstream risk assessment and other monitoring activities. They automated NIST 800- 171 assessments using IT Risk Management’s flexible records-based assessment question library. By using the out-of-the-box integration with Tenable Security Center, the organization increased management visibility into open vulnerabilities and enabled timelier remediation by IT personnel. HighBond’s flexible data model helped the organization ensure a legal basis within all of the organization’s policies, procedures, standards, controls, and assessment activities. Read More Log in to view content
Contents

Technology Category

Application Infrastructure & Middleware - API Integration & Management

Cybersecurity & Privacy - Cloud Security

Applicable Industries

National Security & Defense

Applicable Functions

Business Operation

Use Cases

Cybersecurity

Regulatory Compliance Monitoring

Services

Cloud Planning, Design & Implementation Services

Cybersecurity Services

Challenge

Despite their track record of success in delivering end-to-end solutions for collecting, processing and understanding sensor data, a leading defense contractor had significant gaps in several key areas related to governance, risk and compliance (GRC). They had resorted to leveraging a manual spreadsheet process for risk assessments, which made it nearly impossible to scale coverage and to report on assessment results. The lack of automated reporting capability made it difficult for leadership to get a true picture of the status of risks being tracked, and the vulnerability management team had no mechanism to drive accountability and timely remediation of problems. They also had difficulty demonstrating how their GRC strategy incorporated into required policies, procedures and controls. Additionally, as a government contractor, they had a number of federal mandates and standards to meet—including NIST 800-171.

About Customer

The customer is a leading defense contractor that specializes in delivering end-to-end solutions for collecting, processing, and understanding sensor data. They have a successful track record and are known for their comprehensive solutions. However, they were facing significant challenges in the areas of governance, risk, and compliance (GRC). The company had resorted to using manual spreadsheet processes for risk assessments, which was not scalable and made reporting on assessment results difficult. The lack of automated reporting made it hard for the company's leadership to get a clear picture of the status of risks being tracked. The vulnerability management team also lacked a mechanism to drive accountability and timely remediation of problems. As a government contractor, the company had to meet several federal mandates and standards, including NIST 800-171.

Solution

The organization turned to Diligent for help reaching two primary goals: standardizing their business processes, and gaining greater executive-level visibility into areas of risk exposure. The solution needed to be cloud-based, meet strict GovCloud security requirements, and provide the flexibility and the diversity needed to manage various functional work processes with consolidated views of risk information. To meet these goals, they implemented HighBond solutions, including IT Risk Management and Threat and Vulnerability Management. The organization used the harmonized content to create a common control framework. This allowed them to sync upstream policies and procedures with downstream risk assessment and other monitoring activities. They automated NIST 800- 171 assessments using IT Risk Management’s flexible records-based assessment question library. By using the out-of-the-box integration with Tenable Security Center, the organization increased management visibility into open vulnerabilities and enabled timelier remediation by IT personnel. HighBond’s flexible data model helped the organization ensure a legal basis within all of the organization’s policies, procedures, standards, controls, and assessment activities.

Impact #1	The organization now has a centralized framework that eliminates process redundancies, removes legal and control coverage guesswork, aligns teams to a better work quality, satisfies audit requirements, and accommodates easy onboarding of future regulatory initiatives without the need for process reengineering.
Impact #2	They also gained an automated risk assessment methodology that satisfies audit requirements, aligns with an industry-leading common control framework, and enables risk teams to more easily analyze risk exposure and identify systemic control improvements.
Impact #3	The security team has a system of accountability in place that enables them to track the aging of vulnerabilities and remediation against service-level targets.

Impact #1

The organization now has a centralized framework that eliminates process redundancies, removes legal and control coverage guesswork, aligns teams to a better work quality, satisfies audit requirements, and accommodates easy onboarding of future regulatory initiatives without the need for process reengineering.

Impact #2

They also gained an automated risk assessment methodology that satisfies audit requirements, aligns with an industry-leading common control framework, and enables risk teams to more easily analyze risk exposure and identify systemic control improvements.

Impact #3

The security team has a system of accountability in place that enables them to track the aging of vulnerabilities and remediation against service-level targets.

Download PDF Version

Overview

Defense Contractor Closes GRC Gaps and Gains Executive Visibility Into Risk Exposure

Operational Impact