Gigasol: Cybersecurity Policy Assignment #2

Agenda

Company Profile – Gigasol

Background Information

Your Role

Tasks

Notes

Glossary

2

Recent economic changes have led to a three-way merger between organizations controlled by the same investment group to form Gigasol.

Gigasol – Profile

Blogosoft is a small software startup with 45 employees.

Supervar is a value-added reseller of IT hardware and software with 600 employees.

WearItTech is a boutique electronics manufacturer specializing in wearable devices. They have 300 employees.

3

Blogosoft was founded in Silicon Valley in 2006.

The company has a very “laid back” culture, and management believes in a hands-off approach.

As such, policies have not been changed since the initial employee handbook was created.

The CEO of the company is worried that too many policies hamper creativity and create an unpleasant work environment.

Blogosoft

4

Supervar started in a garage in 1998 and has since grown to over 600 employees located throughout the United States and Canada.

Supervar focuses on value-added services for major software and hardware vendors.

It currently has a cybersecurity policy outlining expectations of employee conduct and protection of their e-commerce site.

Supervar

5

WearItTech was founded in 2010.

As a boutique electronics manufacturer, it maintains only a small webpage with contact information.

Schematics and other specifications are sent via email.

No cybersecurity policy exists.

WearItTech

6

The new company, Gigasol, has been formed from the merger.

The executive teams of all three companies have taken roles within the new organization, with the CEO of Blogosoft becoming the CEO of Gigasol.

The new CEO wants to maintain the culture of his software startup, but take advantage of the capabilities and channels of the other companies.

The CIO, formerly of Supervar, is concerned that the lack of policy will result in inconsistent use and protection of information assets. He believes that a new set of policies should be created.

Gigasol

7

Role

Newly hired as the Director of Cybersecurity

Scenario

Your first assignment is to reconcile the cybersecurity policies of the three organizations into a new overarching policy for all Gigasol employees and operations.

The CEO has expressed concern that formalizing cybersecurity policy will negatively impact the organization.

The CIO does believe that formalizing policies should be a directive from upper management to ensure the proper use and protection of information assets.

Your Role and the Scenario

8

Gigasol is still in the process of combining operations. Multiple sites are being consolidated in various cities. The organizational structure of the company has been solidified at the highest levels, but the rank and file workers still report to the original organizational structure. This has resulted in friction between different departments as policies have not been uniformly implemented.

CURRENT ISSUES

9

Regardless of its size or degree of detail, the information security policy needs a clearly defined scope. This involves:

• The enterprise’s definition of information security

• The responsibilities associated with information security

• The vision for information security, accompanied by appropriate goals, metrics, and rationale of how the vision is supported by the information security culture and awareness

• Explanation of how the information security policy aligns with other high-level policies

• Elaboration on specific information security topics such as data management, information risk assessment, and compliance with legal, regulatory and contractual obligations

CURRENT ISSUES

10

In 2010, three leading global information security organisations—ISACA, ISF and International Information System Security Certification Consortium [(ISC)2]—joined forces to develop 12 independent, non-proprietary principles that will help information security professionals add value to their organisations by successfully supporting the business and promoting good information security practices. These principles are structured in support of three tasks:

COBIT 5

Source: ISACA, COBIT® 5 for Information Security, USA, 2012, p. 29

11

1. Support the business:

• Focus on the business to ensure that information security is integrated into essential business activities.

• Deliver quality and value to stakeholders to ensure that information security delivers value and meets business requirements.

• Comply with relevant legal and regulatory requirements to ensure that statutory obligations are met, stakeholder expectations are managed, and civil or criminal penalties are avoided.

• Provide timely and accurate information on information security performance to support business requirements and manage information risk.

• Evaluate current and future information threats to analyse and assess emerging information security threats so that informed, timely action to mitigate risk can be taken.

• Promote continuous improvement in information security to reduce costs, improve efficiency and effectiveness, and promote a culture of continuous improvement in information security.

COBIT 5

12

2. Defend the business:

• Adopt a risk-based approach to ensure that risk is treated in a consistent and effective manner.

• Protect classified information to prevent disclosure to unauthorised individuals.

• Concentrate on critical business applications to prioritise scarce information security resources by protecting the business applications in which a security incident would have the greatest business impact.

• Develop systems securely to build quality, cost-effective systems on which business people can rely.

COBIT 5

13

3. Promote responsible information security behaviour:

• Act in a professional and ethical manner to ensure that information security-related activities are performed in a reliable, responsible and effective manner.

• Foster an information security-positive culture to provide a positive security influence on the behaviour of end users, reduce the likelihood of security incidents occurring, and limit their potential business impact.

COBIT 5

14

Transforming Cybersecurity: Using COBIT® 5 explains cybersecurity policy as follows:

The purpose of a cybersecurity policy is to clearly and unambiguously express the goals and objectives as well as the boundaries for security management and security solutions. As such, the policy also serves to define the role and scope of cybersecurity within general information security.

COBIT 5

15

Provide a brief summary of the case.

How will you allay the CEO’s concerns about cybersecurity policy?

What should be your first steps?

Select 3 cybersecurity policies from the lists on pages 17-19 and develop separate policy documents for each policy.

How do you envision implementing the new policy?

What steps need to be taken to ensure the policies fit changing business needs?

Assignment Tasks – grading rubric on page 23

16

NOTES

Source: ISACA, Transforming Cybersecurity: Using COBIT® 5, USA, 2013, Fig. 29

17



18


19


20

Governance—Ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives. Conditions can include the cost of capital, foreign exchange rates, etc. Options can include shifting manufacturing to other locations, subcontracting portions of the enterprise to third parties, selecting a product mix from many available choices, etc.

Governance, risk management and compliance (GRC)—A business term used to group the three closely related disciplines responsible for the protection of assets and operations.

Guideline—A description of a particular way of accomplishing something that is less prescriptive than a procedure.

GLOSSARY

21

Policy—Generally, a document that records a high-level principle or course of action that has been decided on. The intended purpose is to influence and guide both present and future decision making to be in line with the philosophy, objectives and strategic plans established by the enterprise’s management teams. In addition to policy content, policies need to describe the consequences of failing to comply with the policy, the means for handling exceptions and the manner in which compliance with the policy will be checked and measured.

Procedure—A document containing a detailed description of the steps necessary to perform specific operations in conformance with applicable standards. Procedures are defined as part of processes.

GLOSSARY

22

Submission: To receive full points, the following rubric will be used for grading:

Grading rubric

Item                                                                                          Points
Submission of a professional-looking Word document that includes written responses to
all items listed on page 16. See rubric on next page for additional details (this also
includes proper punctuation, grammar, clarity of thought, sections are clearly marked,
APA 6.0 style guidelines are used properly).                                                  19
Electronic file naming convention is properly used and attached to the assignment
submission. A single naming convention to use is: INT72633_Fall 2018_Assig#2_YourName.        1
Total                                                                                         20

23

Grading rubric

Criterion: Solutions

  Superior (90-100%) – Evidence of a superior assignment may include or demonstrate: A comprehensive answer to all questions. All solutions include a clear, logical explanation or a walk-through example. A student understands the course material and assignment requirements very well.

  Acceptable (60-89%) – Evidence of an acceptable assignment may include or demonstrate: A student can answer the majority of questions. A student can answer the majority of questions directly. Most solutions include a clear, logical explanation or a walk-through example.

  Not Acceptable (0-59%) – Evidence of an unacceptable assignment may include: A student cannot answer the majority of questions. An answer that does not directly answer the question. Most solutions do NOT include a clear, logical explanation or a walk-through example.

Criterion: Quality of Writing

  Superior (90-100%) – Evidence of a superior assignment may include or demonstrate: Clear, unambiguous writing that includes proper sentence structure, idea development, paragraph development, and grammar. A thorough proofread that has eliminated all typographical errors. Adherence to APA style requirements.

  Acceptable (60-89%) – Evidence of an acceptable assignment may include or demonstrate: Relatively clear writing that includes proper sentence structure, reasonable idea and paragraph development, and few grammatical errors. Few typographical errors. Adherence to APA style requirements with only a few exceptions.

  Not Acceptable (0-59%) – Evidence of a not acceptable assignment may include or demonstrate: Unclear, poorly developed writing that lacks proper sentence structure and idea and paragraph development. Numerous grammatical errors. Numerous typographical errors. Little adherence to APA style requirements.

24
