Scenario:
You’ve been appointed as a security professional to head a team responsible for evaluating the current security measures of a chosen company. Your objective is to recommend enhancements and create a thorough information security program in accordance with ISO 27001 standards. Choose one of the five company types provided below and tailor your analysis and improvement proposals to the specific characteristics, business domain, and unique requirements of the selected company.
Company A: Tech Startup Expansion. The company is expanding rapidly, and with more data and users, there are concerns about data breaches and intellectual property theft.
CompanyB: Healthcare Provider with sensitive patient information. The organization needs to comply with strict healthcare data regulations and ensure the security and privacy of patient records.
**Company C: **Financial Institution handling sensitive financial data. The company has faced recent cyber threats, and there’s a need to enhance security measures to protect client financial information.
Company D: A large e-commerce platform with vast customer data. The company faces constant cyber threats, and there’s a need to strengthen security to ensure customer trust and prevent data breaches.
**Company E: **An international consulting firm with confidential client information. The company deals with diverse clients worldwide, and there’s a need to create a robust security program to safeguard client confidentiality.
Assumptions:
You may assume the following about the current security posture of the selected company above:
There is a lack of emphasis on cybersecurity, a lack of a comprehensive security program in the selected company.
For each option, assess the company’s assets and its existing IT infrastructure as outlined below to identify potential vulnerabilities and areas that require immediate attention.
Company assets may include:
a. Intellectual Property (IP): Company has developed several proprietary software products and holds valuable source code, algorithms, and trade secrets, valued at $5 million.
b. Customer Data: The company stores personally identifiable information (PII), purchase histories, and contact details, valued at $2 million.
c. Financial data, and confidential business information of its clients. This data is vital to the company’s operations and requires adequate protection with an estimated value of $1 million.
d. Hardware Assets: Company possesses a range of hardware assets, including desktop computers, laptops, servers, networking devices (routers, switches), and peripherals with a combined value of $10 million.
e. Software Assets: The company uses various licensed software applications, including development tools, project management software, collaboration tools, and productivity suites, valued at $2 million.
f. Raw Materials: The company holds a stock of raw materials, including metals, plastics, and electronic components, valued at $3 million. g. Finished Products: Completed machinery awaiting shipment or installation, with an estimated value of $6 million.
Existing Infrastructure: assume each company invested in technologies and IT infrastructure that serves the company’s operational needs. However, it lacks proper security controls and policies. The IT infrastructure may include:
Network Infrastructure: A wired and wireless network that interconnects all office devices.
a. Internet Connectivity: The company has a high-speed internet connection to facilitate communication and online services.
b. Servers and Storage:
I. Application Servers: Multiple servers running critical software applications, including web servers, database servers, and version control systems.
II. File Servers: Centralized storage for documents, software code, and other important files shared among employees.
End-User Devices: Standard desktop systems running Windows operating system, Laptops for remote work and business travel, A mix of company-issued and personally-owned smartphones and tablets used for business purposes.
Current Security Measures:
a.** Firewall:** A basic firewall is in place to filter incoming and outgoing network traffic.
b. Antivirus Software: Each desktop and laptop have a basic antivirus solution installed.
c. Virtual Private Network (VPN): No company-wide VPN is implemented, leaving remote connections less secure.
d. Authentication: The company uses simple username and password authentication for various systems.
e. Data Backup and Recovery: Data backups are performed irregularly on external hard drives stored on-site. No off-site backup strategy is currently in place.
f. Access Control: The company uses simple username and password authentication for various systems. User accounts are created for each employee, but the password complexity and expiration policies are not enforced. Access rights to various resources are loosely defined and not regularly reviewed.
g. Incident Response and Monitoring: Limited logging and monitoring capabilities exist, with no central system for aggregating and analyzing logs. No formal plan is in place to guide the company’s response to security incidents.
h. Encryption and KPI: There is no system wide use of encryption in company communications or exchange of company emails.
Project Requirements:
You are tasked to build a security program for the selected company that includes the following elements/components. Perform the following tasks with respect to the selected company:
Initial Security Analysis: Perform a thorough analysis of the selected company current security infrastructure, policies, strategies, and procedures. Identify at least three weaknesses, vulnerabilities, and potential risks. Evaluate the existing security controls and their effectiveness. Evaluate the effectiveness of current security controls and strategies (e.g., cryptographic algorithms), if they exist. Make sure to include administrative/physical/logical controls in your analysis.
Risk Assessment: Perform a risk assessment statistical technique to prioritize security threats based on their potential impact and likelihood. Develop a risk management plan that outlines strategies for mitigating identified risks.
Improvement Suggestions: Based on the analysis, propose specific improvements and recommendations for addressing identified vulnerabilities. Prioritize suggested improvements based on risk severity and potential impact. Consider both technical and non-technical aspects of security.
Technology Recommendations: Suggest specific security technologies and tools that can enhance the organization’s defense mechanisms. Justify your recommendations based on the identified threats and vulnerabilities. Investigate 2 new security tools that you recommend the company use to enhance its security posture. You need to demonstrate how to use each tool by providing screenshots explaining how each tool is used.
Information Security Program Development: Develop an Information Security Program tailored to the selected company needs. Include policies, procedures, and guidelines for data protection, access control, incident response, and more. The program shall address the following components:
a. Policy and Procedure Development: Create comprehensive security policies and procedures tailored to the organization’s needs. Minimum requirements is to develop a system-specific p[policy and issue-specific policy that also include guidelines for data protection, access controls, incident response, and employee training.
b. Training and Awareness Program: Develop a training and awareness program for employees to ensure they understand and adhere to the new security measures. Consider the following as components of SETA (Social Engineering attacks, Phishing Attacks, Web Safety).
c. Monitoring and Incident Response Plan: Design a robust monitoring system for detecting and responding to security incidents promptly. Develop an incident response plan outlining the steps to be taken in case of a security breach like (data theft, DDoS attack, and Natural disaster).
d. GRC and Laws/Regulations: Devise how GRC and data protection laws in UAE can be used to support company program compliance with ISO 27001 and data protection laws of UAE.
6. Implementation Plan: Create a phased implementation plan for deploying proposed improvements and the information security program. Include timelines, resource requirements, and responsibilities for each phase.
**7. Continuous Improvement for the program: **Explain how the Plan-DO-Check-Act cycle can be used to continuously improve the security program of the company.
8. Peer feedback and constructive criticism. Highlight the key challenges faced and solutions implemented.
References in APA style
Deliverables:
Students will deliver the following:
Primary resource: A full PDF report that addresses the above requirements (use this template: https://docs.google.com/document/d/1NLQJ1VJC-sRB9l91L14L4d24-pxf-Wne/edit).
Secondary Resource: Additional Appendices as needed (source code, excel sheets, description of any security tools you have used, what is it used for, and how to use it along with screenshots from each tool to demonstrate it).
Academic Integrity /disclaimer:
Group must confirm that the work submitted for the assignment is entirely their own and no use for artificial intelligence (AI) tools or any other unauthorized means to generate answers or complete any part of this assignment. Any violation of academic honesty policies may result in disciplinary action, including but not limited to, a failing grade for the assignment or the entire course.
Project Key Assessment Criteria:
The project will mainly be assessed along the below elements:
Thoroughness of the initial security analysis.
Effectiveness and feasibility of improvement suggestions.
Completeness and relevance of the information security program.
Clarity and practicality of the implementation plan.
Creativity and engagement in the training and awareness program.
Thoughtfulness in the monitoring and incident response plan.
Compliance with ISO 27001 standard
Compliance with laws and regulations as mandated by UAE official bodies for data protection
Policy and Procedure Development.
