Information security maturity audit & consultancy for CGM

At a Glance

Service

Regulatory Compliance

Industry

Team & size

9 FTE, April 2023 – September 2023

Business need:

CompuGroup Medical (CGM) wanted to make sure their application security state across all services was at a high level. This required inspecting over 200 services, so CGM were looking for an application security provider to run an extensive yet swift audit.

Result:

As a result of our application security assessment, CGM gained a helicopter view of their security posture and got a detailed plan for improving the security framework. We also helped our Client build a transparent monitoring process on top of custom real-time security tracking tools.

Key Facts

CompuGroup Medical (CGM) provides top-tier medical software for healthcare businesses worldwide. The company was actively extending their offering with more services and wanted to make sure their information security compliance was high.

So, CGM engaged our IT security consulting team to conduct a complex audit, spot improvement areas, and help with forming a security optimization plan. We developed a custom approach to the audit, safeguarding that the process fits the timeframes set by the Client.

Performed a two-stage application security assessment of 260 services, complementing those with a detailed summary of the findings and suggestions for best-practices integration
Reviewed the overall CGM’s information security management framework and delivered a set of recommendations for its advancement
Established a reliable capability for continuous monitoring of the informational security state across all CGM’s services and markets

Assessment Model

We were looking for a process and technology-agnostic methodology to assess different services (API, app, web, desktop, etc.) and cover the whole development lifecycle. Our information security consulting experts chose the OWASP SAMM, DSOMM, and ASVS standards to set tailored evaluation criteria for each service and technical security controls.

As our team needed to assess hundreds of CGM’s services, we opted for a two-stage audit, shortening the assessment time-to-value. So, we thoroughly reviewed 60 critical services that involved sensitive data and prepared questionnaires to audit the rest swiftly.

Stakeholders’ self-assessment based on the custom questionnaires and instructions provided by our experts to navigate the Client’s team during the audit
Review and analysis of self-assessment results to prioritize services and select those that require additional inspection
Personal interviews and evidence checks with stakeholders to examine the security of prioritized services more deeply
Analysis of auditing results to prepare the infosec maturity report, including improvement areas and action points for refining information security compliance management of each service

Monitoring Process

As a leading medical software company, CGM strongly focuses on information security. Thus, the final goal of the app security audit and consulting was not only to check the information security level of each service but also to optimize the entire security framework.

Therefore, our experts both conducted the audit and established the necessary tools to enhance the Client’s IT security management framework and enable CGM to ongoingly monitor the effectiveness of their infosec initiatives.

Outlined the key security metrics that showcase the infosec maturity level across all CGM services
Developed a Power BI dashboard for real-time information security monitoring, historical data investigation, and emerging security trends tracking
Built a Power App enabling stakeholders to quickly update services security state and keep the dashboard indicators relevant

Testimonials

Jochen Klein

CISO

CGM

Despite the tough timeline, Sigma Software was able to manage the project perfectly from a technical and organizational perspective. The potential for improvement identified will help us to further strengthen our security posture and protect our customers' data appropriately.

Liza Kopylova

Senior Project Manager

Sigma Software

Collaboration with CGM was a rewarding yet challenging experience. We understood that a conventional method of auditing each service using the same criteria would be expensive, inefficient, and time-consuming. So, we chose a 'smart' approach for more efficiency and value. It allowed us to boost infosec awareness, pinpoint improvement steps after each audit, and provide accurate suggestions for general enhancements.

Let us discuss how our team can contribute to your success

Related Case Studies

Medical device monitoring platform migration to cloud

Sigma Software joined a complex project that unites several vendors and BigTech providers to support Siemens Healthineers in migrating their computer tomography (CT) monitoring platform to Azure Сloud

Pharmaceutical inventory management & stock control

We built a HIPAA- and ISO-compliant inventory management and stock control solution for medical products, devices & auxiliaries as part of a large eStock system covering nationwide medical procurement

Enhanced patient recruitment system for AstraZeneca

The patient recruitment system is intended for centralized patient database management and analysis to determine the patients suitable and available for clinical studies for AstraZeneca researches. The goal of the project was to systematize and enhance the process of COPD patients’ information gathering and recruiting for studies.

Sigma Software has offices in multiple locations in Europe, Middle East, Northern and Latin America.