Specialty Retailer Takes on Incident Management
By Darrin Morrissey
Aaron’s, a specialty retailer serving consumers through the sale and lease ownership of furniture, consumer electronics, computers, home appliances and accessories, had a problem.
Although it had a reliable process for incident gathering, the specialty retailer, which has more than 2,100 company-operated and franchised stores in the U.S. and Canada, lacked a way to manage this information in a secure manner.
The first goal of the incident management process is to restore normal service operations as quickly as possible and to minimize the impact on business operations. This ensures that the best possible levels of service quality and availability are maintained.
Aaron’s Information Assurance team housed incident information on a major vendor’s site. This created two problems. First, the site didn’t offer a workflow capability that could easily and efficiently assign tasks related to the incident.
The second issue involved security concerns. The company’s incidents included information related to HR issues, HIPAA compliance and potential IT security vulnerabilities—not the type of data a company wants accessible to just anyone.
So Aaron’s turned to the Keylight platform from LockPath, and has since found additional uses for the tool. LockPath provides solutions involving corporate governance, risk management and regulatory compliance (GRC), and information security (InfoSec).
What prompted IT decision-makers at Aaron’s to choose Keylight was how quickly the platform allowed them to establish vendor assessments and build an incident management program. Aaron’s initially purchased Incident Manager and was using the application within three weeks of installation.
"We continue to find benefits every time we try to do something new in Keylight," said Jim Moore, senior security engineer at Aaron’s.
For instance, Keylight’s Incident Manager application helped Aaron’s investigate the cause-and-effect relationship of certain incidents. Aaron’s noticed a downward trend in outside incidents. But instead of assuming that its defensive systems were working better than expected, an Aaron’s security engineer conducted a root cause analysis and discovered that the alerting services had become disabled, so incident alerts were not coming in as they normally would.
In addition, Aaron’s CIO reviews the dashboards and reports and can reinforce any policy changes that stem from risks identified by the risk validation team. According to Aaron’s, the CIO often spots trends while conducting his own review in Keylight, which he then makes a point of emphasis companywide.
“It’s really good to have someone from the executive level looking in there, getting that information and helping to get a security direction from IT at that level,” said Moore.
Aside from the impact on incident management, Aaron’s has also used the tool to streamline vendor management. By setting up a workflow, company officials were quickly able to identify vendors that had not been vetted through an assessment process; they were enlisted through a standalone process that increased security and other risks. Now all current and prospective vendors go through a formal assessment process managed through Keylight.
“Aaron’s greatly benefits from having its incident and vendor information stored in a centralized location where it can be quickly accessed by those with the proper permissions, and kept secure from personnel who don’t,” Moore said.