CPower Energy Management - Employee Security & Access

Background

Since its formation in 2014, CPower has experienced continual growth both in their client base and in the internal resources needed to support the new clients. In response to that growth, CPower desired to formalize and document their security policies and processes to ensure standard best practices are followed by all users and compliance with audit requirements is met. Additionally, documented policies would simplify the ability to provide consistent, accurate content for use in RFP responses.

Approach

The project’s main objective was to document the current-state IT security policies and procedures, and to identify and address policy and process gaps. The primary deliverables for this effort included the creation and documentation of needed policies and processes, so that users have a “go-to” information source approved by CPower management. The project scope included:
  • Develop initial project plan and timeline
  • Create an inventory of systems and policies to address (in-scope, key systems, owners, etc.)
  • Determine gaps in existing processes and policies and prioritize needs with CPower management
  • Document policies and processes and develop new policies as needed
  • Review with key stakeholders and provide PDF and Word versions of final approved content

Results

To create the deliverables, Navigator:
  • Researched RFP responses and other documentation, and interviewed key stakeholders (both internal and third-party provider resources) to determine existing information and to identify gaps in policy and process
  • Identified and prioritized in-scope systems and policies with CPower management
  • Identified two different target audiences needing policy and process information, including content needed for users of CPower technology and content needed for RFP responses
  • Developed 13 documents:
    1. Security and Acceptable Use Policy
    2. Access Control Policy
    3. Application Support Policy
    4. Business Continuity and Disaster Recovery
    5. Change Management Policy
    6. CPower Application Security Policy
    7. Data Center Operations
    8. Data Security Policy
    9. IT Roles
    10. Malware Defense Policy
    11. Monitoring and Logging Policy
    12. Network Security Policy
    13. Software Development Policy

The resulting documents supplied approximately 80% of the information requested in subsequent RFPs. An Independent Auditor’s review of the Acceptable Use Policy stated that “the policy looks great! It covers all aspects of backup procedures, access security, BYOD and change management as well as data segregation. These are the key areas we are concerned with from the IT audit perspective. I feel this will remediate the prior year recommendation of lack of documentation of significant procedures.”

The project was completed two weeks early and under budget by 20%.