Reaping the Harvest of Good IT Governance

When Agrokor Group needed a way to help it enforce the vulnerability and risk management processes associated with ISMS, and prepare for future regulatory mandates, it turned to Qualys.

Its clear business vision and diligently applied strategy, over the course of 30 years, has helped Zagreb, Croatia-based Agrokor Group grow from a small, family-owned flower sales business to one of the largest retailers and providers of food and agriculture — including mineral water, meat, ice cream, and wine — in its region. In fact, the Agrokor Group is the largest privately-held company in Croatia and one of the leading regional companies, with consolidated total revenues of more than HRK 27.67 billion in 2008 and more than 38000 employees.

Today, Agrokor intends to build on that growth with steady expansion in the region, including the acquisition of a number of successful businesses: Ledo Čitluk, Sarajevski kiseljak, Velpro Sarajevo, Frikom, Dijamant, Idea, Ledo Hungary, and Fonyodi. And a crucial part of Agrokor’s continued growth and success depends on the health of its business-technology systems, including its mission-critical enterprise resource management systems, databases, underlying infrastructure, and thousands of desktops, hundred of servers, applications, routers, and switches, an more than 15 mid-range systems. “We are a large company with a vast IT infrastructure spread throughout the region,” says Ivo Pejakovic, chief information security officer at Agrokor Group. Some 350 full-time IT professionals currently manage Agrokor’s infrastructure.

Considering its growth and rapid expansion through acquisition, sound IT governance was crucial for continued success and to maintain an adequate level of security. That meant formalizing and bringing structure to its vulnerability and risk management program. Previously, the company’s security and IT teams had been employing ad hoc vulnerability management and patch deployment. “We wanted to build a systematic process for assessing and remedying vulnerabilities and misconfigurations,” says Pejakovic. Some of those processes would come through the implementation of an Information Security Management System (ISMS) based on ISO/IEC 27001. An ISMS provides organizations the roadmap necessary to manage information security. But to stay effective, ISMS processes need to become part of the day-to-day operations and built into the workflow of an organization.

To help enforce the vulnerability management processes associated with ISMS, Agrokor turned to Qualys. “In the beginning, we started with a pilot program that covered various portions of our infrastructure, such as externally facing systems, internal networks, and servers,” says Pejakovic. “The goal was to see how well Qualys dealt with different aspects of our infrastructure. After familiarizing ourselves with Qualys, we decided to cover all of our systems that are within the scope of our ISMS with Qualys.”

Today, Qualys provides Agrokor a powerful way to protect networks and applications within, and beyond, the scope of its ISMS implementation throughout the entire vulnerability management life cycle, including asset discovery, asset prioritization, vulnerability assessment and analysis, remediation, and fix verification.

As a direct result of Qualys’ Web-based, on-demand architecture, there are no additional operational or administrative burdens for Agrokor’s team to contend with. Once deployed, all system maintenance, vulnerability signature updates, and software enhancements are provided directly from Qualys’ Secure Operations Center. “This SaaS model makes Qualys very easy to manage and maintain,” Pejakovic says.

Additionally, Qualys’ centralized management and ability to delegate access to assessment reports and allow various groups to conduct independent scans of their own network segments has made it possible for Agrokor to federate many aspects of its vulnerability management process. “We now have a centralized vulnerability platform that is used by different members of the Agrokor Group so they can manage the infrastructure for which they are responsible. This allows us to bring consistency to our vulnerability management program,” Pejakovic says. “This simplifies vulnerability management control across our various business units and companies, and reduces operational costs,” he adds.

By turning to Qualys, Agrokor achieved the centralized vulnerability platform it sought to reduce risk and help implement ISMS. Building on that success, Agrokor will continue to expand the segments of its infrastructure it evaluates using Qualys, such as preparing pending regulatory mandates. “Some parts of our infrastructure may be subject to PCI DSS certification, and because Qualys is an approved scanning vendor, we will use Qualys in the process of achieving (and later maintaining) PCI DSS compliance,” he explains.

How Qualys Vulnerability Management Has Helped Agrokor Increase Security

• Provides clear visibility into what vulnerabilities may be present within the company’s infrastructure.
• Permits Agrokor to define specific levels of security that must be attained for various segments of the company’s systems.
• Agrokor now can systematically organize and prioritize security remediation activities.
• Detailed reporting helps speed vulnerability remediation and provides continuous vulnerability management status trending and progress reports.