https://thompsoninfosec.com/case-studies/ Recent content in Case Studies on Thompson InfoSec Hugo -- gohugo.io en © 2026 Jonathan Thompson Sat, 28 Mar 2026 00:00:00 +0000 https://thompsoninfosec.com/case-studies/google-workspace-security-assessment/ Sat, 28 Mar 2026 00:00:00 +0000 https://thompsoninfosec.com/case-studies/google-workspace-security-assessment/ <div style="display: grid; grid-template-columns: repeat(auto-fit, minmax(150px, 1fr)); gap: 1rem 2rem; padding: 1.5rem 1.75rem; margin: 1.5rem 0; background: rgba(34, 211, 238, 0.04); border-top: 3px solid #22d3ee; border-radius: 0.5rem;"> <div> <div style="color: #22d3ee; font-size: 0.7rem; font-weight: 700; letter-spacing: 0.12em; text-transform: uppercase; margin-bottom: 0.25rem;">Industry</div> <div style="font-size: 0.95rem; font-weight: 500;">Public Technology Company</div> </div> <div> <div style="color: #22d3ee; font-size: 0.7rem; font-weight: 700; letter-spacing: 0.12em; text-transform: uppercase; margin-bottom: 0.25rem;">Scope</div> <div style="font-size: 0.95rem; font-weight: 500;">89 CIS controls + extended checklist</div> </div> <div> <div style="color: #22d3ee; font-size: 0.7rem; font-weight: 700; letter-spacing: 0.12em; text-transform: uppercase; margin-bottom: 0.25rem;">Framework</div> <div style="font-size: 0.95rem; font-weight: 500;">CIS Google Workspace Foundations</div> </div> </div> <div style="margin: 0 0 2.5rem; padding: 1.25rem 1.75rem; background: linear-gradient(160deg, #0a1628 0%, #1b2d4f 50%, #1e3a5f 100%); border-radius: 0.5rem;"> <div style="color: #22d3ee; font-size: 0.7rem; font-weight: 700; letter-spacing: 0.12em; text-transform: uppercase; margin-bottom: 0.5rem;">The Outcome</div> <div style="color: #ffffff; font-size: 1.0625rem; line-height: 1.55;">33 prioritized findings (5 critical, 11 high, 17 medium) with a tiered remediation roadmap covering OAuth hygiene, admin sprawl, DMARC enforcement, and AI controls.</div> </div> <h2 class="relative group">The Challenge <div id="the-challenge" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#the-challenge" aria-label="Anchor">#</a> </span> </h2> <p>A publicly traded technology company had never had an independent security review of its Google Workspace environment. The tenant had grown organically: administrators were added as needed, third-party applications were connected without formal approval, and configuration decisions were made reactively rather than against a security baseline. The company needed a clear picture of its exposure and a prioritized path to remediation.</p> https://thompsoninfosec.com/case-studies/iso-27001-certification/ Wed, 25 Mar 2026 00:00:00 +0000 https://thompsoninfosec.com/case-studies/iso-27001-certification/ <div style="display: grid; grid-template-columns: repeat(auto-fit, minmax(150px, 1fr)); gap: 1rem 2rem; padding: 1.5rem 1.75rem; margin: 1.5rem 0; background: rgba(34, 211, 238, 0.04); border-top: 3px solid #22d3ee; border-radius: 0.5rem;"> <div> <div style="color: #22d3ee; font-size: 0.7rem; font-weight: 700; letter-spacing: 0.12em; text-transform: uppercase; margin-bottom: 0.25rem;">Industry</div> <div style="font-size: 0.95rem; font-weight: 500;">Regulated Technology</div> </div> <div> <div style="color: #22d3ee; font-size: 0.7rem; font-weight: 700; letter-spacing: 0.12em; text-transform: uppercase; margin-bottom: 0.25rem;">Engagement</div> <div style="font-size: 0.95rem; font-weight: 500;">6 months</div> </div> <div> <div style="color: #22d3ee; font-size: 0.7rem; font-weight: 700; letter-spacing: 0.12em; text-transform: uppercase; margin-bottom: 0.25rem;">Frameworks</div> <div style="font-size: 0.95rem; font-weight: 500;">ISO 27001, SOC 2, HIPAA, HITRUST</div> </div> </div> <div style="margin: 0 0 2.5rem; padding: 1.25rem 1.75rem; background: linear-gradient(160deg, #0a1628 0%, #1b2d4f 50%, #1e3a5f 100%); border-radius: 0.5rem;"> <div style="color: #22d3ee; font-size: 0.7rem; font-weight: 700; letter-spacing: 0.12em; text-transform: uppercase; margin-bottom: 0.5rem;">The Outcome</div> <div style="color: #ffffff; font-size: 1.0625rem; line-height: 1.55;">First-try ISO 27001 pass with zero major nonconformities. SOC 2 and HIPAA completed on the same timeline. Policy library consolidated from 45 to 25.</div> </div> <h2 class="relative group">The Challenge <div id="the-challenge" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#the-challenge" aria-label="Anchor">#</a> </span> </h2> <p>A regulated technology company found itself without dedicated GRC staff, six months before a scheduled ISO 27001 certification audit. The ISMS had fallen into disarray: governance meetings had gone dormant, policies had proliferated without coherence, evidence collection processes had broken down, and several required technical controls were either missing or incomplete.</p> https://thompsoninfosec.com/case-studies/network-security-assessment/ Tue, 24 Mar 2026 00:00:00 +0000 https://thompsoninfosec.com/case-studies/network-security-assessment/ <div style="display: grid; grid-template-columns: repeat(auto-fit, minmax(150px, 1fr)); gap: 1rem 2rem; padding: 1.5rem 1.75rem; margin: 1.5rem 0; background: rgba(34, 211, 238, 0.04); border-top: 3px solid #22d3ee; border-radius: 0.5rem;"> <div> <div style="color: #22d3ee; font-size: 0.7rem; font-weight: 700; letter-spacing: 0.12em; text-transform: uppercase; margin-bottom: 0.25rem;">Industry</div> <div style="font-size: 0.95rem; font-weight: 500;">Regulated Technology</div> </div> <div> <div style="color: #22d3ee; font-size: 0.7rem; font-weight: 700; letter-spacing: 0.12em; text-transform: uppercase; margin-bottom: 0.25rem;">Scope</div> <div style="font-size: 0.95rem; font-weight: 500;">3 continents · multi-site firewalls · colo + AWS</div> </div> <div> <div style="color: #22d3ee; font-size: 0.7rem; font-weight: 700; letter-spacing: 0.12em; text-transform: uppercase; margin-bottom: 0.25rem;">Drivers</div> <div style="font-size: 0.95rem; font-weight: 500;">First independent network review · upcoming compliance</div> </div> </div> <div style="margin: 0 0 2.5rem; padding: 1.25rem 1.75rem; background: linear-gradient(160deg, #0a1628 0%, #1b2d4f 50%, #1e3a5f 100%); border-radius: 0.5rem;"> <div style="color: #22d3ee; font-size: 0.7rem; font-weight: 700; letter-spacing: 0.12em; text-transform: uppercase; margin-bottom: 0.5rem;">The Outcome</div> <div style="color: #ffffff; font-size: 1.0625rem; line-height: 1.55;">First unified view of network security risk across all environments. Top two findings actionable within days. Full 6-month remediation roadmap aligned to operational capacity.</div> </div> <h2 class="relative group">The Challenge <div id="the-challenge" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#the-challenge" aria-label="Anchor">#</a> </span> </h2> <p>A regulated technology company with operations across three continents had grown its network infrastructure organically over several years. The environment included next-generation firewalls at several office locations, a colocation data center, and an AWS account supporting cloud-hosted security appliances and remote analyst access. The company had no recent independent review of its network security posture and needed an assessment ahead of upcoming compliance requirements.</p>