Case study: Safaricom
Organization: Safaricom Limited
Industry sector: Telecommunications service provider (13 million customers)
Head Office: Nairobi, Kenya
Safaricom sees sound management of risk as a vital enabler for delivering innovative services that customers can rely on, and was one of the first Kenyan companies to set up a dedicated Risk Management function.
Its risk team made an early decision to automate risk activities so as to reduce reliance on manual processes and stretched security specialists, whilst increasing the accuracy and validity of risk management activity; and to focus on the security of company and subscriber data. To these ends, with the aid of an external consultant team led by Jason Finlayson of Security Risk Solutions Ltd, Safaricom:
- established a Corporate Information Security Office
- established an Information Security Management System (ISMS) in line with the ISO27002 Code of Practice for Information Security Management
- conducted an extensive comparative evaluation of automated tools that would assist internal risk management
- selected Citicus ONE to support the information risk management cycle, which is the nucleus of an ISMS
- conducted a pilot implementation, assisted by Citicus Limited, for its most critical systems from mid-2007 to mid-2008
- rolled out a full implementation in 2008-9, based on the successful pilot.
Anthony Gacanja, manager of Safaricom's Corporate Information Security Office, comments:
"The use of external consultants experienced in a wide range of companies/industries in the risk arena enabled Safaricom to leverage global industry trends as well as local information risk concerns. Identifying Security Risk Solutions Ltd as a local provider with international experience was a key enabler to quick adoption of risk management practices, and the use of Citicus ONE facilitated the ISMS implementation through its measurable and repeatable information risk management process. Since 2007, Citicus Limited has continued providing support and training, which has added immensely to entrenching risk awareness within Safaricom."
Safaricom is currently focusing on implementing a full incident reporting and monitoring process using Citicus ONE and is looking to extend its use of Citicus ONE into other areas of risk.