Mondelēz International, Inc. empowers people to snack right in over 150 countries around the world, leading the future of snacking with iconic global and local brands such as Oreo, belVita, Cadbury, Milka, Toblerone, Jacob Douwe Egberts and many others, being one of the largest snack companies in the world. The company operates in more than 80 countries and employs around 80,000 in its factories, offices, research and development facilities, and distribution activities worldwide.
As Mondelēz continues to invest in digital technology and leverage insights from its data, the company needed to transform the way employees think about cyber-risk and privacy breaches. The goal was to create a holistic security documentation framework, supplemented by robust and sustainable governance, knowledge and exception management processes. It had to be tailored to address customer’s specific needs.
Why was this formalized security framework needed?
- To improve the quality of information security documents and their management.
- To ensure the necessary cybersecurity and privacy controls to stay safe and compliant.
- To improve user behaviour towards cybersecurity.
- To unify and align requirements, thus reducing effort, time, and operational costs.
- To provide controlled access to documentation for each specific audience.
BRIGHT and Mondelēz joint forces to develop security policies, standards and procedures to increase cybersecurity maturity and strengthen security controls. The project consisted of two main stages. First, the creation of Security Policies and Standards framework and documents. Second – the development and implementation of their knowledge and exception management processes.
The overall scope of the project included:
- Detailed assessment and security standards’ management process consulting;
- 12 S-level policies and 18 Security Architecture standards for the 12 established security domains;
- Security Documentation Governance process development;
- Design and implementation of a centralized Lifecycle Management process on the ServiceNow platform;
- Establishing Security Policies and Standards Catalogue in ServiceNow;
- Architecture and development of a detailed Security Exceptions Management process integrated with the Policies and Standards Catalogue.
Our team designed and implemented a governance framework and documented the security policies, architecture standards and procedures. Thus, we put the necessary cybersecurity and privacy controls in place. The Information Security Policies define the management intent and high-level requirements across different areas of IT security. The Information Security Standards link to a policy and define the specific actions, processes and system configurations needed to comply with this policy.
BRIGHT delivered a centralized and automated process lifecycle for creating and managing security policies and standards. In addition, we created a centralized platform to communicate policies and standards within the organization’s Technology Center. The Knowledge Management platform is the go-to location for all security policies, standards, procedures and how-to guides. Employees are able to easily review the policies and standards that apply to their activity.
However, together with the client’s team, we recognized that there may be urgent business needs that require a deviation from these policies, standards, and procedures. Therefore, we’ve developed an exception management process. A seamless way for these non-conformances to be documented and authorized.
The Exception Management process is a systematic approach to manage the exception requests and their lifecycle. All exceptions are tied to a standard and policy and are a part of the organization’s centralized platform.
BRIGHT’s project team actively participated in all training, awareness and educational initiatives and conducted a series of demo sessions to ensure a seamless transition. The team assisted with the creation of complete documentation for the end- and the back-end users.
Leveraging the platform’s capabilities, we delivered a personalized solution tailored to Mondelēz multi-tenant Technology Center’s needs. Each decision was aligned with all organizational towers, balancing the business requirements and other tenants’ constraints.
BRIGHT and Mondelēz established 12 security domains, covering a wide range of possible security requirements. Twelve policies and eighteen vendor related and technology agnostic standards were created. Together we improved the security framework to align it more closely with established industry standards, mitigate cybersecurity risk and ensure compliance. The framework is sustainable and ready to scale with the company and its needs.
The delivered solution:
- Increases the team’s efficiency;
- Establishes roles and responsibilities;
- Eliminates manual effort;
- Increases visibility;
- Ensures traceability of requests and their resolution.