
Case Study: The Impact of Turnover on Security and Availability

  • Ralph Labarta
  • Apr 23, 2024

A client recently experienced the departure of their CIO along with members of the IT staff. The management team raised concerns about the continuity of IT operations, knowing the process of recruiting, hiring and ramp-up of new resources would take time.


The management team had a general understanding of various IT challenges but did not have a clear grasp of the risks present. Our team quickly developed a streamlined approach to achieve the following objectives:


  • Understand the IT operating environment and the relationship to critical business processes.

  • Identify risks to system availability, security and processing integrity.

  • Capture knowledge from departing resources.

  • Identify interim steps to mitigate risk.

  • Set the stage for transition to new resources.


Our approach leveraged the SOC 2 framework to document and confirm what controls existed, their effectiveness, and what gaps would be created by the departure of key individuals.


The effort identified various risks and provided management with key information, highlighted as follows:


  • Clarification of CIO Role - The "CIO" role was redefined to a more tactical role that matched the observed IT environment.

  • Identification of Security and Availability Risks - Risks were identified and prioritized based on SOC 2 criteria, interviews, vulnerability scans, and other observed practices. Risks and potential mitigations were highlighted along with transition risks.

  • Transition Documentation - Transition documents, roles and responsibilities, project lists, vendor lists, etc. were reviewed and organized for reference by management and incoming staff.

  • IT Strategy - A high-level IT strategy was developed with recommendations for efficiency improvements.


While the overall assessment of the IT environment was positive, key risks were present that could be exacerbated by the departure of key personnel. As in many environments, monitoring, logging and alerting functions were present, but the absence of personnel could result in process breakdowns. A lack of cross-training and/or use of outsourced resources limits the ability of interim solutions to address the risks. As an interim solution, the client is engaging with vendor partners to fill gaps based on a prioritized list of risks resulting from our engagement.
















© 2024 Techmar, LLC
