Developing a sustainable enterprise data protection program to mitigate data liability, support regulatory compliance and serve business needs.
The client, a clinical-stage pharmaceutical company dedicated to developing potential therapies for neurodegenerative diseases, was seeking a partner to assist in developing a sustainable enterprise data protection program to mitigate data liability, support regulatory compliance and serve the needs of the business. As a result of the engagement, Triverus successfully delivered a baseline assessment to understand the client’s cyber security environment and identify gaps, a high-level program roadmap to improve the company’s data protection posture, a management model for program oversight and a foundational set of security policies and procedures.
With several promising drugs in various clinical stages, the client was experiencing a steep growth trajectory, and as a result, the company’s data environment was growing exponentially in both size and complexity. Like many organizations transitioning from clinical to commercial, this company was looking for assistance to address the Data Protection requirements associated with regulations and business operations.
As part of the discovery phase, Triverus conducted a rapid NIST cyber security assessment across five high-level functional areas containing 24 categories and 106 tactical sub-categories to determine the client’s security posture. Findings revealed that a few areas had mature capabilities and that several other areas had deficiencies, some of them significant. Risks were identified for each sub-category and prioritized as urgent, high, medium, or low. Triverus identified 36 recommendations containing 100 potential actions to mitigate these risks. A five-phase roadmap was constructed based on risk, priority, efficiency, prerequisites, and capability.
Triverus also delivered and assisted in the launch of an enterprise Data Protection Management model as a formal process to govern, administer, operationalize and continuously improve the protection of data. Formation of a Data Protection Committee (DPC) was recommended to act as a consultative resource and to provide program oversight including educating the company on the program, roles & responsibilities and policies and procedures. To enable the program, Triverus provided 22 foundational security policies and procedures for client implementation.
As a result of the Triverus team’s expertise, leadership and direction, the client has a comprehensive understanding of its data liability environment and risks, and is equipped with an actionable remediation roadmap, governance model and foundational security policies and procedures.