A major player in the retail food service industry, this company is a leader of the fast casual dining category, with more than 280 cafes worldwide and annual revenue exceeding $300 million. The management team recently turned its attention to determining how to perform comprehensive vulnerability management given the size of their IT infrastructure. Meeting industry and regulatory compliance requirements was a top priority.
The company had become a Level One merchant, was now required to meet tougher PCI requirements, and needed expertise in getting the IT environment to an acceptable level. There were several challenges imposed by the client, including:
With over 4,000 vulnerabilities company-wide, all servers, workstations, routers, switches and printers would require remediation.
IT policy and procedures were not defined in the environment, and a culture change would be required in order to meet more stringent requirements posed by PCI.
Reports had to comply with PCI standards, yet still be disseminated in such a way that remediation could be carried out in a cohesive, expeditious manner.
A subset of the IT assets was in the field and could not be relied upon to be on the network at all times.
TBG Security Solution
The challenges posed by the project allowed TBG Security to apply TBG’s proven vulnerability management solution. We instituted an assessment methodology that met all of the requirements posed by the client by tailoring our flexible vulnerability management approach to the client’s environment, including:
Applying best-practice remediation techniques for each device based on the specific make/model/version of the device.
Hardening servers and workstations
Developing and deploying a patch management solution that allows a granular level of control for IT.
Working with IT to develop IT/Security policies and procedures, and communication strategies for the impending corporate culture shift that enabling these changes would bring.
Generating PCI reports, once all scanning has been performed, to depict the environment from an external audit perspective.
Developing custom software to monitor the environment for machines appearing on the network, allowing total coverage of the IT environment scope.
Impact on client’s business
TBG’s methodology for performing vulnerability remediation in a dynamic, diverse environment has proved a manageable approach which fits nicely into the client’s broader vulnerability and risk management initiatives. TBG Security is able to produce customized reports which meet the requirements of both internal and external consumers. By implementing this flexible approach to vulnerability management, our client now far exceeds the requirements of the PCI Standard. Commoditized scanning and management solutions, which are prevalent in the industry today, do not allow for this level of customization.