Three Separate Assignments:
Assignment # 1: Aligning Security with Business Objectives
The security policy of an organization is not a one-size-fits-all solution; it varies with the organization. As you begin your exploration of information assurance and risk management, consider how organizations in different countries, and even different states, are distinct, with their own structures, culture, and dynamics, as well as unique security-related regulations. Some of this may be due to the nature of the organization, its size, and its business use cases, that is, the situations in which a technique may be used profitably. Other concerns can be attributed to the laws, regulations, and industry standards of its location. Even organizations doing business on the Internet may face additional regulations when doing business in another country or state.
To prepare for this Assignment, assume the role of a consultant working for a bank in your home country that is expanding its online banking to mobile devices. At the same time, it will be opening its first branch office in another country. Choose the location of the new office and use the Internet as well as the Learning Resources in this Week to research regulations and industry standards relevant to the new location. Also research the privacy laws (including Internet privacy regulations) that apply to both locations. Examples could be the Gramm-Leach-Bliley Act (financial services regulation in the United States) or the California Breach Notification Law, applicable to United States scenarios. You will need to refer to Brotby, Layered Security and An Introduction to ISO 27001, ISO 27002 … ISO 27008 in addition to other reading resources.
Write a 5- to 7-page paper explaining how to align the security policy of the organization with its business objectives, keeping in mind the regulations, privacy laws, and industry standards you have identified. Clearly state any assumptions, and provide citations for reputable sources used in your research.
Cover the following points:
Explain how the regulations, privacy-related laws, and industry standards you identified apply to this scenario.
Identify concerns you feel the bank will need to focus on because of expanding its online banking to mobile devices and opening its international branch office. Identify three areas where you will need to apply security controls to manage the risk involved in the scenario.
For each of these three areas, develop a key goal indicator (KGI) as explained in the textbook.
For each KGI, indicate the security controls (these involve policies, processes, and tools) that will need to be developed and applied.
Justify how the key goal indicators and the security controls you have chosen align with business objectives and enable business processes.
Explain how industry standards and best practices are beneficial to implementing security policies that are aligned with business objectives.
Required Readings
Brotby, K. (2009). Information security governance: A practical development and implementation approach. Hoboken, NJ: Wiley.
Appendix B: Cultural Worldviews
In this appendix you are introduced to the cognitive orientations of people belonging to different cultures. You will investigate the manner in which a culture perceives and expresses its relation to the existing world.
Chapter 1, Governance Overview: How Do We Do It? What Do We Get Out of It?
In this chapter you are introduced to the concept of governance in general as well as information security governance. You will explore different aspects of information security governance, including definitions, outcomes, and value of information.
Chapter 2, Why Governance?
In this chapter you are introduced to the benefits of information security governance to an organization. You will examine the different ways information security governance helps an organization.
Chapter 3, Legal and Regulatory Requirements
In this chapter you are introduced to the legal and regulatory requirements of information security governance. You will explore the different elements of information security governance that an organization needs to deal with as well as the compliance levels.
Chapter 6, Information Security Outcomes
In this chapter you are introduced to the six desired outcomes of an effective information security program. You will investigate each of the six outcomes and how they help define information security governance objectives.
Chapter 7, Security Governance Objectives
o Section 7.4 ISO/IEC 27001/27002
o Section 7.5 Other Approaches
In these sections you are introduced to the different standards and codes of practice that serve to provide different approaches to security governance. You are also introduced to a comprehensive set of actions that are required for security governance and can serve as a detailed basis for determining the desired state as well as objectives.
Cole, G. A. (2010). Table of laws and regulations: Consumer protection law and more. Columbia, SC: Compliance Risk Management Consulting.
Cole, G. (2010, February 27). Table of laws and regulations: Consumer protection law and more. Retrieved from http://www.bankersonline.com/tools/gac_lawsandregs.pdf. Used by permission of Gale Askins Cole.
National Conference of State Legislatures. (2012). State security breach notification laws. Retrieved from http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
World Bank. (n.d.). Global banking law database. Retrieved June 19, 2012, from http://www.gbld.org/
Assignment #2: Risk Management Planning and Stakeholders' Roles
Information security governance requires involvement from stakeholders throughout the organization. Executives, business owners, technical experts, and legal experts assess, plan, and execute information security governance in the organization. To deal efficiently with information security governance, you will have to understand how it fits within the overall organizational structure.
To prepare for this Assignment, assume the role of computer security team leader in an organization that needs to mitigate a risk. You have been asked to design and test a process for assessing and mitigating risk in the organization but, before you do, you need to make sure you have the right people on your team.
Next, describe a particular type of risk that you think the organization is facing or may face in the near future. The risk should involve either the use of a new technology or a new administrative process.
You have complete authority to form your own team and identify any resources you would need to perform your job.
For this Assignment, write a 4- to 6-page paper aligning the security team with the overall organizational structure and outlining the responsibilities of the different stakeholders. Respond to the following in your paper:
What is the risk that you identified?
What are the skill sets you need on the team?
How would you determine whether a prospective team member possesses the required skill sets?
What critical items would you need to consider while forming the team, and why?
How does the information security function of your team fit into the larger organizational structure?
What are the roles and responsibilities (relevant to the risk management process) of the stakeholders who need to be involved in the entire process?
Clearly state any other assumptions you make for this scenario.
Required Readings
Brotby, K. (2009). Information security governance: A practical development and implementation approach. Hoboken, NJ: Wiley.
Chapter 1, Governance Overview: How Do We Do It? What Do We Get Out of It?
o Section 1.6, Six Outcomes of Effective Security Governance
In this section you will examine the important outcomes that information security governance should be able to achieve.
Chapter 4, Roles and Responsibilities
In this chapter you are introduced to the different roles and responsibilities required at different levels of an organization to ensure efficient information security governance.
Chapter 7, Security Governance Objectives
o Section 7.1, Security Architecture
o Section 7.2, CobiT
o Section 7.3, Capability Maturity Model
In these sections you are introduced to security architecture; CobiT, a well-developed, comprehensive framework providing both an approach and a methodology for defining the objectives of IT security governance; and the Capability Maturity Model, a process improvement approach based on a process model.
Snedaker, S. (2006). Syngress IT security project management handbook. Rockland, MA: Syngress.
Note: Retrieved from the Walden Library databases.
Chapter 3, Organizing the IT Security Project
In this chapter you are introduced to the common methods used for information technology project plans. You will explore the identification of IT security project teams and IT security project stakeholders and the definition of IT security project requirements, objectives, and processes.
Chapter 5, Forming the IT Security Project Team
In this chapter you explore the aspects of forming a security project team for an information technology project. You will investigate the methods used to identify IT security project team requirements, roles, and responsibilities; the competencies required from team members; and methods for organizing information technology project plans. You will explore how to identify IT security project teams as well as IT security project stakeholders.
Assignment #3: Incorporating Security Into IT Processes
Security in an organization does not reside in a silo; it is affected by other processes and vice versa. Therefore, security should be integrated into the overall IT process to make it effective.
You have already investigated the functionality and capabilities of identity and access management tools. The process for creating and removing supplier IDs should be incorporated into an identity and access management tool.
To prepare for this Assignment, refer to the case study Developing a Monthly Vulnerability Scanning Process from the media Selection and Evaluation of IT Solutions. This case study will provide you with an example of how to incorporate a security feature into the overall IT process.
For this Assignment, provide a 3- to 5-page report describing a process that incorporates security for managing supplier credentials into an identity and access management tool. Be sure to do the following in your report:
Develop a numbered outline with the steps in a workflow.
Identify the teams involved in this process, and explain the steps each team performs.
Explain shortcomings in the process that you may need to overcome.
Required Readings
Brotby, K. (2009). Information security governance: A practical development and implementation approach. Hoboken, NJ: Wiley.
Chapter 8, Risk Management Objectives
o Section 8.3.1, Recovery Time Objectives
In this section you are introduced to recovery time objectives. You will explore the organizational considerations for determining such objectives.