Case Study: Security Uplift and Managed SOC
Client: Large not-for-profit organisation
The organisation transformed from having no formal security governance to a fully governed, monitored environment with 24x7 SOC coverage, achieving measurable improvements in security posture and board-level visibility.
The Challenge
A large not-for-profit organisation faced significant security challenges:
- Low level of security maturity across the organisation
- Predominantly on-premise infrastructure with limited cloud adoption
- Large data sets of sensitive personally identifiable information (PII)
- No formal governance framework for managing cyber security risk
Our Approach
Using an existing maturity assessment as a baseline, Fortian established a comprehensive information security uplift program in consultation with the client. The program incorporated multiple streams:
Governance Stream
Providing foundational frameworks to manage risk and accountability:
- Security Policies & Standards – Developed an overarching information security governance framework, supported by security policies aligned with VPDSS and supporting standards
- Privacy Assessment & Information Asset Discovery – Performed discovery to identify, classify and record all information assets; developed a privacy impact assessment (PIA) framework and process
- ICT Strategic Plan – Developed a three-year strategic plan aligned with corporate strategy, outlining the future direction of ICT
- ICT Risk Management – Established a risk register with integration into the existing organisational risk framework; incorporated high-risk ICT items in the corporate risk register
- ICT Management Reporting – Developed ICT Steering Committee Terms of Reference, quarterly compliance reports, and established ongoing quarterly meetings
- Third Party Governance – Developed a third-party risk management framework; reviewed all ICT contracts for right of audit; conducted third-party assessments
Technology Stream
Delivering tactical and strategic initiatives to improve technology platforms:
- Network Access Management Controls – Implemented service account authorisation, password policies, and end-user account procedures including termination processes
- Cloud App Single Sign-On – Developed and implemented an SSO strategy across critical systems including finance, HR, payroll and learning; implemented multifactor authentication and VPN for secure remote access
- System Backups – Documented a corporate backup testing regime across all critical systems with quarterly compliance reporting
- Tactical Technical Controls – Secured insecure ports/services, upgraded remote admin access, replaced end-of-life systems, and upgraded encryption
- Incident Management – Developed a security incident management and response plan incorporating data breach reporting and improvement processes
- Endpoint Device Management – Implemented endpoint device management to protect against mobile data leakage and support secure enterprise mobility
- Security Assurance Remediation – Remediated critical and high security assurance findings
- Security Assurance – Performed independent penetration testing and established an annual testing program
Business Stream
Increasing the level of organisational security maturity:
- Business Continuity – Developed a disaster recovery plan for all information assets, including transition of file systems to cloud
- Security Training & Awareness – Incorporated security training into mandatory L&D and induction programs; identified a privacy officer role
- Physical Security – Reviewed and secured physical access to ICT infrastructure at all locations
Delivery Approach
Fortian used a hybrid, collaborative delivery approach to reduce the cost to the client:
- Commenced with the Governance (foundation) framework and controls
- Once the governance framework and management directives were defined, delivered the technical and business project streams
- For greater security visibility and assurance, rolled out Fortian's 24x7 Managed Security Operations Centre (SOC)
The Outcome
The program delivered significant information security benefits and organisational return on investment:
- Operating efficiencies through cost and time savings
- Improved visibility and accountability through governance reporting
- Capability to support future growth of the organisation
Specific outcomes included:
- Awareness of the security and threat environment – both internally and more broadly
- Ongoing improvement in security posture, matched to risk posture and threat environment
- Assurance that security is monitored and incidents are escalated by resources with appropriate security capability
- Foundational cyber security framework and associated controls defined and implemented
- Board visibility of cyber security posture through regular reporting
Why Fortian
Fortian's collaborative delivery approach and breadth of capability – spanning governance, technical implementation, and managed security operations – enabled the client to achieve a comprehensive security transformation within a single program of work, reducing complexity and cost while ensuring consistent outcomes.