Customer Solution Case Study
/ Audit Bureau Qatar Aims at International Recognition for High Level of Security
Overview
Country or Region:State of Qatar
Industry:Government—Regulatory agencies
Customer Profile
The Audit Bureau Qataris responsible for conducting independent audits of the accounts of all government departments and public sector bodies to ensure compliance with financial regulations and legislation.
Business Situation
The bureau needed a review of its security systems with the aim of becoming a regional leader in IT security by deploying a secure architecture based on a defence-in-depth security model.
Solution
Microsoft Services assigned its regional security architect for an initial audit followed by the deployment of multiple interlocking technologies working jointly with Audit Bureau Qatar experts.
Benefits
- Security is transformed in 18 months
- Bureau gains safe environment for new applications
- Partnership aims for international accreditation
- Technologies interoperate with core systems
Mahmoud Albatarni, IT Expert, President’s Office, Audit Bureau Qatar
The Audit Bureau Qatar is in charge of auditing the entire public sector, including financial institutions funded by the government. The department, which has 200 employees, wanted to become the leading audit bureau in the region for IT security, by building a more secure and reliable infrastructure. Working with Microsoft Services, the bureau underwent an initial review to resolve immediate priorities and then agreed a technology roadmap for a comprehensive security programme, deploying mainly Microsoft technologies. The products already implemented include the Active Directory service, Hyper-V virtualisation technology, and Microsoft SQL Server 2008 data management software. These technologies interoperate with the bureau’s network services and other third-party products. The organisation is now well on the way to achieving accreditation with an internationally recognised security standard.
Situation
The Audit Bureau Qatar is responsible for the independent auditing of ministries and other public sector bodies,including the country’s sovereign wealth fund, the Qatar Investment Authority. This mandate involves accounting for all government revenues and expenditure, ensuring that tenders and contracts comply with regulations, and verifying and publishing final accounts. The bureau—an active member of the International Organisation of Supreme Audit Institutions—also recommends any changes it believes necessary to accounting procedures, policies, and systems across government bodies in Qatar.
As a strong advocate for the use of IT—both for automation of in-house work and as an audit tool—the bureau wanted to build a more secure and reliable environment. Its long-term strategy is to develop and implement a scalable architecture based on a defence-in-depth security model.
Mahmoud Albatarni, IT Expert, President’s Office, Audit Bureau Qatar, says: “Data and transaction security is of paramount importance in this age of rapidly expanding commercial and government computer networks, and the emerging Internet economy in Qatar. The inherent challenges of security have become a top priority for all supreme audit institutions—Qatar is no exception.”
Microsoft security products detected 43 percent more malware and unwanted software in the Gulf states in 2008 compared to 2007, and Microsoft is strongly committed to working with customers in Qatar. Microsoft opened its Qatar-based branch in 2003 and today delivers the full range of Microsoft products and services through a team of more than 20 highly qualified people.
Robin Wright, Regional Security Architect, Microsoft Europe, Middle East, and Africa, says: “In the third quarter of 2008, the Audit Bureau Qatar invited Microsoft Services to undertake a review of the organisation’s security environment, which at the time was weak. Our initial assignment involved securing the then current Windows Server 2003 environment, but the project soon developed into a much longer term relationship.”
Solution
What is now the Audit Bureau Qatar Security Programme is a joint project between the bureau and Microsoft Services, which is committed to a technology roadmap that will soon put Qatar in the front rank of supreme audit institutions worldwide. The programme comprises a sequence of small individual deployments that encompass an enterprise security architecture, security awareness programme and presentation, and continuing work on the Active Directory security implementation. The technologies also interoperate with the bureau’s Cisco-based network services and with other third-party products.
The team deployed:
- Hyper-V. This allows the bureau to make the best use of its server hardware investments by consolidating multiple server roles as separate virtual machines running on a single physical machine. Wright says: “Without careful design, a Hyper-V implementation can leave an organisation vulnerable to security risks, but Microsoft Services ensured it went smoothly.”
- Microsoft SQL Server 2008. Microsoft technology provides rich security features to protect databases and network resources. By clustering the bureau’s database server, Microsoft Services has delivered maximum uptime and provided robust failover capabilities.
- Enterprise BitLocker. This isa full disk encryption Microsoft tool designed to protect sensitive data throughout the organisation.
- Windows Rights Management Services (RMS). Microsoft Services recommended Windows RMS to help safeguard digital information from unauthorised use.
In addition to these technologies, the bureau is using Microsoft System Center Data Protection Manager 2007, which delivers unified data protection for Windows-based servers, and personal and portable computers. Another related specialised application at the bureau is Audit Collection Services, part of Microsoft System Center Operations Manager 2007. The organisation has also invested in Microsoft Public Key Infrastructure (PKI) using Active Directory services. This provides an integrated PKI that helps users secure and exchange information with strong security and easy administration across the Internet, extranets, intranets, and applications.
In a further development, the bureau has included certificate life-cycle management featuresin the technology roadmap using Microsoft Identity Lifecycle Manager 2007. This includes smartcards from a third-party provider, business desktop deployment, Microsoft Exchange Server 2007 host filtering, and unified communications.
Benefits
Partnership with Microsoft Services has resulted in the Audit Bureau Qatar transforming its security infrastructure from weak in 2008 to becoming a leader in IT security within the Europe, Middle East, and Africa region. The organisation has deployed an interlocking suite of Microsoft security products that together meet best practice project management standards. Albatarni, on behalf of the bureau’s IT Committee,says: “The bureau previously had very simple security across all data and resources. Together with Microsoft Services, we’ve helped ensure that highly sensitive government data—both internal and external—is in a secure environment and safe from attack.”
Partnership Transforms IT Security at Audit Bureau Qatar in Just 18 Months
In 18 months the Audit Bureau Qatar Security Programme has transformed the security infrastructure of the organisation. It has also made staff aware of the importance of protecting the bureau against malware and hackers. Albatarni says: “Our commitment to the roadmap for technology is just one part of the success story. We’ve also raised awareness of the need for best practice within our team. This is an ongoing aim for the bureau.”
Audit Bureau Ready to Adopt New Technologies with Safe Environment
The transformation of the security environment means that the bureau is ready to migrate from earlier versions of the Windows operating system to Windows 7. Albatarni says: “With the peace of mind that comes from having a secure infrastructure, we are in a better position to enrich the work experience of our employees with new collaboration tools and unified communications.”
Partners Work Towards Gaining International Security Standard
Through the Audit Bureau Qatar Security Programme, the authority is seeking to achieve ISO/IEC 27001—the formal set of specifications against which organisations may seek independent certification of their information security management system. Wright says: “This will be a major step forward for us in the coming months, and it shows how far we’ve travelled in a short period of time.”
Microsoft Security Software Interoperates with Core Systems
The Microsoft security suite interoperates easily with the organisation’s core business systems and network services. Albatarni says: “While working effectively with Microsoft Services, we also use Cisco network services and HP hardware. But this hasn’t created any challenges—the Microsoft security technologies are highly interoperable, and, with Microsoft Services, we have a technical partner whose strength is to focus on what we as a customer want.”
Microsoft Server Product Portfolio
For more information about the Microsoft server product portfolio, go to: