The Client
Qwemtsín Health Society is a health facility in Kamloops, Canada, providing innovative, high-quality medical and dental care services to three First Nations communities in British Columbia. Since 1996, they have been offering a wide range of health programs, services and education.
Project Summary
Secure Shield manages the overall cybersecurity program on an ongoing basis, auditing the physical, administrative, and application aspects, all onsite. They also monitor internal and external networks for threats.
The Challenge
What challenges were you trying to address with Secure Shield?
I wanted to beef up the security at the organization. However, cybersecurity fell mostly in line with the folks that are doing operations, but I wanted to do more. I suggested making an investment there late last year but wasn’t able to justify a security team in-house. I wanted to look at a vendor that would provide that service for us long term.
The Solution
What was the scope of their involvement?
Our engagement with Secure Shield ensures that we have adequate security as well as protection for the future. They took over the different security programs that we had in terms of physical controls, administrative controls, applications, and networks — both internal and external. We use them for the entire program as a way to help us safeguard ourselves from intruders.
The way it works is that a couple of these controls or phases are mostly one-off type engagements, although we want these more frequently. Part of the program that we have with them is that we expect them to come back, for example, to do a physical control every couple of years and then administrative controls annually. Both audits have been onsite, and that’s why I wanted to pick a local provider.
When they did the physical control, they spent the whole day here walking around the perimeters and checking the other tenants in our building to make sure that we are properly and adequately defended. The idea was to find a couple of weak points that we quickly addressed internally. There are a few more we continue to do which is good.
The administrative controls relate to HR policies, beta test policies, and so forth. We just got that report back, and even then they came and visited us both times before they produced a report. We are now in the process of digesting that report and determining which action items we want to take on.
When it comes to network and applications, we have them do controls every couple of months or so. We could outsource the program in terms of one-off events, which we want to do more frequently than we have in the past. However, they’re not monitoring our network per se, but rather looking after us from a security perspective on an ongoing basis.
“Since our industry is so highly regulated, we wanted to be sure our security was performing as well as it possibly could. We are subject to customer audits, and Secure Shield helped us strengthen our policies and operating procedures to frame us in the best light with our clients. There is a lot of depth to their background in information security and physical security. They know how to provide full coverage and give good suggestions to eliminate gaps.”
The Results
Could you share any evidence that would demonstrate the productivity, quality of work, or the impact of the engagement?
We have done the physical controls and just concluded the administrative controls. We’ve gotten the reports back from them and taken some action based on their feedback. We are taking on additional things at our own pace according to what we can afford. They knew that security is one of the aspects that I wanted to do better in, but I also have to be realistic about the plate that we have. As long as we’re making progress and getting good feedback, we should be happy.
They gave us a timetable of when to expect the reports as well. They asked us when we wanted the work and how the pace should be so that we don’t have to take on too much at the same time. So far, they’ve been right along with us in terms of our pace.
How did Secure Shield perform from a project management standpoint?
We communicated by email, phone, and in person. For example, there was an incident where we wanted to get some advice from them a couple of months ago, and that was done through video. Most of the time, we do try to make it something more formal and have one-on-one meetings. When they came by recently to give us the audit reports for the administrative controls, we had them give our employees a seminar on how to better protect ourselves and how they can help us protect our data assets. I asked them to do it. It’s one of those add-ons that they do for free.
What did you find most impressive about Secure Shield?
What’s most impressive for me is the intimate relationship that we have with them. Obviously, security is a serious issue. We wanted our vendor to take the matters of security seriously but at the same time be pragmatic about implementing the solutions that best fit our needs. More importantly, we needed to have the framework to go about doing it, and they did. For every control that they audited, we got a score. Based on that score, we easily communicate with the rest of the company where we are at and how we can best improve the score over time. It’s not like something we have to do right away but yet something that we continue to work on in a multiyear fashion.