Corden Pharma Adopts CIS Controls as their Framework
Corden Pharma, a Global Contract Development Manufacturing Organization, adopts the CIS Controls as their Framework.
The organization with cGMP compliant facilities across the globe serves other companies in the pharmaceutical industry on a contract basis to provide comprehensive services from drug development through manufacturing. We spoke to John Nord, Manager of IT and Business Systems who stated, “We are trying to meet the different security requirements for 20-30 customers. We needed a more standardized security program for our company to be able to provide to our customers. The CIS Controls fit that need.”
Implementing the Controls
The organization was using NIST along with several other frameworks. “In 2015, I came across the CIS Controls and fell in love with the CIS Controls spreadsheet. We adopted the CIS Controls as our framework going forward,” explained Mr. Nord. He said the team went through the spreadsheet and identified which systems met various controls and where they did not have a requirement met. They vetted solutions based on the CIS Control description and implemented those solutions. The organization went live with their security program in June 2016. The rollout went very well and he noted that customers are happy. One customer’s feedback indicated Corden Pharma is one of the top five companies they work with and they were impressed with the small/mid-sized IT shop having such a program in place.
“In 2015, I came across the CIS Controls and fell in love with the CIS Controls spreadsheet. We adopted the CIS Controls as our framework going forward.”
- John Nord, Manager of IT and Business Systems
Mr. Nord said that implementing the CIS Controls can be overwhelming at first. But he also said the CIS Controls are not as daunting as the NIST framework or similar frameworks. The CIS Controls provide a lot of detail to find the right solution to meet the multiple areas of the CIS Controls. For Mr. Nord, “The biggest challenge was finding the right solution for our company so we can adhere to the particular section of each CIS Control.”
Tools and Risk Assessments
Corden Pharma uses multiple tools for management of images, patches, inventory as well as software deployment, AV threat detection, firewalls, etc. to make sure they are meeting all of those areas. Risk assessments were performed for areas where automated tools were not available to determine the importance to meet based on their threat vectors and threat tolerance.
Mr. Nord explained, “I think Cobit 5 is great for a non-technology implementation here at Corden Pharma. It's great from a framework perspective, but one reason I use the CIS Controls is because it actually is where the rubber meets the road. You can have actionable items at the end and not just a bunch of documentation for committees and unenforceable policies. The CIS Controls meets the needs of companies and that is why I used them and will continue to use them in the future.”
In our discussion, we learned that some of the CIS Controls were quite complex and beyond the organization’s needs and were excluded from the program. Mr. Nord stated, “Some CIS Controls do not quite fit that are above what we were trying to accomplish with this program. A Red Team penetration testing is still being worked on for internal implementation and the first penetration test will take place later in 2017”.
Management Buy-In and Commitment to Data Security
The organization has a 2-page introduction to their IT security program and part of that spells out the use of the CIS Controls and how they use that to take data security seriously.
Corden Pharma is audited all the time by their customers. As a contracting manufacturing organization, the FDA, DEA, and others on their customer list visit on a regular basis.
About John Nord
John Nord is Manager of IT and Business Systems at Corden Pharma. He holds a Master’s Degree in Information Systems Security from Colorado Technical University along with a BS in Computer Information Systems from Strayer University. He holds numerous industry certifications and is a member of a number of technology groups. He has developed partnerships with leading technology companies, has developed assessment tools, and designed compliance frameworks around Cobit5, NIST and the CIS Control models.