Instructions
Your security consulting firm has been retained by an insurance company to help it develop and implement a risk reduction program for companies purchasing cybersecurity liability insurance. The next task on this multi-year contract is to develop a set of program plans for organization-level information security programs for small businesses (i.e., up to 100 employees, no more than five offices / work locations). These documents must be tailored to specific industries and, due to the high percentage of Internet-based businesses seeking cybersecurity insurance, must address state, federal, and international laws, regulations, and standards.
- To begin this assignment, your team (group) must select one industry or business type from the list below, which links out to the U.S. Small Business Administration website, http://www.sba.gov. (If you wish to use an industry or business type not in this list, you must first obtain permission from your instructor.)
- Next, read Information Security Program Background Information and Concepts (below).
- Investigate how businesses in your selected industry use information technology to do business. Research your industry, using the UMUC library and the Internet. As a starting point, use the business guides found at http://www.sba.gov/category/navigation-structure/starting-managing-business/managing-business/business-guides-industry
- As a team, complete the information security program requirements gathering and analysis exercise using the provided worksheet (below).
- Finally, each team (group) is to produce an executive-level briefing outlining the organization-level information security program plan, tailored to your chosen industry or type of business, using information from your completed worksheet. Use the outline provided below as a guide for writing your program plan briefing. Organization-level information security program plans describe/specify the required organization and management structures (people and processes), as well as the technologies used to implement required information security protections and countermeasures.
Outline: Information Security Program Plan
- Introduction
- Security Policy and Planning
- Personnel Management
- Physical Security Management
- Data Security Management
- Software Security Management
- Hardware Security Management
- Network Security Management
- Business Continuity/Disaster Recovery
- Incident Reporting and Management
Worksheet: Information Security Program Plan
Copy this table into your own Word document and fill it out.
| Security area | Responsible party/office of primary responsibility (OPR) | Policy statement | Countermeasures/risk mitigation strategy | Known vulnerabilities/risks |
|---|---|---|---|---|
| Acquisition (systems/services) | | | | |
| Asset management | | | | |
| Audit and accountability | | | | |
| Authentication and authorization | | | | |
| Business continuity | | | | |
| Compliance management | | | | |
| Configuration control | | | | |
| Data* | | | | |
| Hardware* | | | | |
| Identity management | | | | |
| Incident management | | | | |
| Maintenance procedures | | | | |
| Media protection and destruction | | | | |
| Network* | | | | |
| Operations | | | | |
| Outsourcing | | | | |
| Personnel* | | | | |
| Physical environment* | | | | |
| Planning | | | | |
| Risk assessments | | | | |
| Security policy and planning* | | | | |
| Software* | | | | |
| Training | | | | |
Security areas marked with an asterisk (*) must be addressed as a major section in your group’s information security program plan. The remaining sections should be addressed as subsections or within a subsection underneath one or more of the major sections.