Managing Cyber Risks Across A Global Organization
SIGS Technology Conference, 17 May 2017
Rick Rietdijk, Nestlé
Introduction
2015 Objective:
All our local IT organizations to become "ISMS Ready" by end of 2015
Nestlé Headquarters - Vevey, Switzerland
The way our company is organized
Geographies*
• AMS
• EMENA
• AOA
*Matching IT organization - "GLOBE"
• 40+ local IT organizations – across the markets
• 6 shared services organizations – across the zones
• 12 global "business solutions" / support teams
ISMS … Looking back
2012-2013 – The start
• Build knowledge and skills
• ISO/IEC 27001:2005 standard
• Risk management methodology
• Coaches
• Start training on the ISO standard
• One ISMS implementation ISO/IEC 27001:2005 certified
2014 – Picking up the pace
• Repeatable implementation approach
• Onsite workshop, risk management methodology
• Existing operations review meetings
• Templates
• Continued training on the ISO standard
• Eight (8) new ISO/IEC 27001:2013 certifications
2015 – The challenge
• ….
The challenge
2015 GLOBE Objective: All local GLOBE and shared services organizations "ISMS ready" … by end 2015!
… Target is set to 40 × ISO/IEC 27001:2013 certifications …
Actions taken to achieve the objective
• Extend the coaching network
  • Coaches and head coaches
• Fine tune & industrialize the approach
  • Compact timelines for an implementation
  • Initial workshop to certification: 12-16 weeks!
  • "ISMS Ready Assessment" introduced
• Master planning for all locations
  • Manage resources: coaches, local ISMS owner and lead, external auditors
  • Set milestone dates: workshop, ISMS ready assessment, certification audit
• Management support
  • Progress reported at GLOBE level
GO FOR IT
…The one tool to manage them all…
• Enterprise management
• Risk management
• Policy management
• Incident management
• ISMS
Approach towards Archer implementation
• Configuration workshops – plan without coaches
• Focus on basic functionality – minimum to start managing ISMS through Archer, extend later
• Integrations – add later as required
• Define migration approach
  • Around risk assessment
  • Combination of data import and manual completion
  • Data import templates
• Leverage coaches for tool & process training
• Further screen and workflow simplifications – after pilots and coaches training
Our Archer journey
[Timeline figure, Q3 2015 through Q4 2016, showing the migrations to Archer and these milestones in order:]
• Workshops, Configuration
• Tests
• First config to prod, Training materials, Data import templates, Pilot imports
• Training pilots & coaches, Simplifications
• Security Incident Mgmt, Metrics
• Exceptions Mgmt, Global Filter, S&C Accelerator pilot
• Application Inventory, Control Library, Mgmt Dashboard
[Figure labels: "Archer training"; "Maturity of ISMS and Archer usage"; "Evolve the Archer solution"]
Key success factors
• Management support
  • Top down – alignment on objectives
  • Bottom up – ISMS implementations by local teams
• Rapid and thorough implementation approach
• Commitment
• Dedicated team
• Sustainable
• Awareness
• One repository