Zoro
Zoro is a wholesale maintenance, repair and operations (MRO) distributor that markets exclusively to small and medium-sized business customers. The company has a simple mission: make it easy for customers to find, buy, and get everything they need. Zoro sells over 12,000,000 product SKUs from thousands of trusted brands, including tools, industrial equipment, business supplies, and more. It is recognized for carrying the hard-to-find MRO products, tools, and equipment customers need to support their facility, warehouse, or any other type of business.
Services Provided
ScaleSec provided security advisory services to Zoro regarding adopting and implementing NIST CSF. These services included documenting the current security controls within AWS and assigning a CSF profile tier. ScaleSec worked with Zoro to determine a target CSF profile tier and created recommendations to achieve the target tier.
ScaleSec is assisting Zoro in implementing these recommendations, including increasing logging and monitoring, hardening, encryption, IAM, and other security controls.
Engagement Outcomes
- Zoro now has a full NIST CSF profile documented
- Zoro has a roadmap to increase its NIST CSF scores to reduce risk
- ScaleSec assisted Zoro with implementing many improved controls
Background
Zoro approached ScaleSec for assistance with its internal governance framework. Zoro decided to use the NIST Cybersecurity Framework (CSF) as its primary framework. This is a good framework for companies to start with, as its controls map readily to other frameworks such as NIST 800-53, PCI DSS, ISO 27001, and SOC 2. ScaleSec has expertise with NIST CSF and worked with Zoro to plan the implementation of controls to advance its CSF profile.
One Team of Subject Matter Experts to Advise and Remediate (Project Approach)
ScaleSec reviewed the information security posture of Zoro's entire AWS deployment, including computing, networking, storage, identity, and disaster recovery. The posture was mapped to NIST CSF controls, and recommendations for improving each control were documented.
ScaleSec performed or guided remediation work on the following AWS technologies:
- AWS EC2
  - Hardening, Patching, and File Integrity Monitoring
- AWS Marketplace
  - AMIs
- AWS VPC
  - Security Groups and Access Controls
- AWS IAM
  - SSO integration, Users and Roles
- AWS RDS
  - Encryption and Disaster Recovery
- AWS S3
  - Encryption and Access Control
The Value of a Trusted Partner and Ongoing Relationship
Working with the right partner is essential to the success of any NIST CSF implementation. Donna Mains, Senior Director of Technology Operations at Zoro, said ScaleSec was a great choice. ScaleSec and Zoro have collaborated on multiple cloud security and compliance initiatives for over a year.
Results
Zoro has adopted the NIST CSF governance framework and is on a path to raise its current profile to a tier that meets its desired risk profile. Each completed recommendation further reduces security risk as Zoro advances its security-first approach to information technology.
An Ongoing Partnership is Solidified
ScaleSec brought a solid team of cloud security and project management specialists. They involved us enough to keep us on schedule with security efforts and daily work. We always knew where we were in the process, what was needed from us to keep progressing, and our expectations of when each task would be completed. We have found a true and ongoing partnership in security and compliance with ScaleSec.
– Donna Mains, Senior Director of Technology Operations, Zoro