Implementing a Security Strategy Roadmap to Enhance Maturity and Strengthen Business Confidence

Healthcare | Security Strategy | Risk Assessment | SOC 2

Using our 10 Domains framework to deliver a new risk-based security roadmap that improved maturity and investor confidence.

Seiso engaged with MMIT, a Norstella company, to enhance its security program by developing a tailored, risk-based strategy aligned with business objectives. Through workshops, a comprehensive ISMS roadmap, targeted assessments, and robust incident response planning, Seiso helped MMIT strengthen program maturity and achieve above-average risk assessment scores.

Client Situation

Managed Markets Insight & Technology (MMIT) is a leading provider of market access data, analytics and insights for the healthcare, pharmaceutical and life sciences industries. MMIT brings transparency to pharmacy and medical benefit information, partnering with pharmacy benefit managers (PBMs), payers and pharmaceutical manufacturers from pharmacy and therapeutics (P&T) to point of care.

MMIT is part of Norstella, one of the largest global pharma intelligence solution providers uniting market-leading companies that all have a shared goal of bringing life-saving therapies to market quicker. Each organization (Citeline, Evaluate, MMIT, Panalgo, and The Dedham Group) delivers must-have answers for critical strategic and commercial decision-making.

When a former Seiso client took a new position as a security leader at MMIT in late 2020, he quickly reached out to us for help with his information security program strategy. With many initiatives competing for attention, he needed an outside perspective to help him decide what to do and in what order.


Solution and Approach

Our immediate goal was to understand his objectives and gauge how mature MMIT's security program was. That allowed us to create a simple, effective roadmap to address their security needs.

We started with a Security Strategy Workshop to quickly identify opportunities to improve MMIT's security posture. In this collaborative workshop, we used our Seiso 10 Domains℠ framework to understand MMIT's critical assets and develop a high-level mapping of their network, systems, and information flows.

From this, we were able to guide MMIT to select the best security frameworks to align with. The workshop also provided MMIT with a clear understanding of which security functions were meeting expectations and which needed attention.

This allowed us to build a Security Program Blueprint: a risk-based, prioritized ISMS roadmap to bring MMIT's security program to the desired level while making it easier to manage. Seiso used a systematic planning methodology tailored to MMIT's unique risk footprint and regulatory commitments. With this, MMIT had a solid foundation for achieving and maintaining continual audit-readiness through a continuous improvement methodology.

With the blueprint in place, we formed a project team at Seiso to implement MMIT's new security roadmap. We systematically reviewed each roadmap item and developed a plan to dive deep into the related processes and fully understand how each worked. We used methods developed at Seiso to assess risks quickly, and cataloged the results in a risk register. This allowed MMIT to prioritize the highest risks and inform management of what should happen next.


Risk Identification

  • Initial incident response processes and capabilities
  • Escalation procedures
  • Incident response reporting and communication
  • Process for lessons learned


Penetration Testing

Seiso performed an external pentest against selected assets in the MMIT environment responsible for customer-facing data transfer services and remote access portals.


Tabletop Exercise

Seiso conducted an insider-threat tabletop exercise that escalated from a ransomware event, with key stakeholders including incident response, security operations, data privacy, information security leadership and legal teams. This simulation tested Norstella's and MMIT's ability to respond to a high-impact security event that disabled physical locations in remote offices and was traced to an insider: a privacy management leader acting under extortion by a special-interest hacking group.


Annual Risk Assessments for SaaS

Seiso also supports the RJ Health division with an annual risk assessment in advance of its annual SOC 2 audit. RJ Health delivers industry-standard specialty drug information, including pricing, coding and reimbursement, to support payer and provider alignment.


Results

With a security program maturity plan aligned to business strategy, the MMIT security team was able to demonstrate to their investors a clear roadmap to manage risks and improve competitiveness. Each security initiative was now more closely tied to business outcomes, which helped their senior management better allocate resources and make long-range strategic decisions.

The new approach, enabled by Seiso's guidance and support, was comprehensive and informed risk-based decision-making across multiple time horizons.

This resulted in MMIT attaining a very favorable assessment score, higher than the average score of the other companies in their investor's portfolio. This helped cement investor confidence and improve alignment across IT, security and business departments.

Enhanced Cybersecurity Maturity and Investor Confidence

Security initiatives more closely tied to business outcomes, enabling better resource allocation and long-range decision-making.

Improved Assessment Score

Achieved higher-than-average scores compared with other companies in the investor's portfolio.

Cost Savings and Efficiency

Simplified, risk-based ISMS with easier management.