Course Project – Organizational Security
l Security Management Plan
As a consultant with the Secure Inc. consulting firm, you have been asked to create a high-level information security management plan to be presented to the senior management of your latest client. The objectives of this project are to incorporate the assignments that you have been completing throughout the course into a high-level information security management plan. The paper should include a cover sheet, table of contents, executive summary, and properly cited references. You are welcome to select one of the sample organizations or your own selection as the basis for the development of your Organizational Security Management Plan.
Two sample organizations have been provided for you. Their descriptions follow:
Individual Project Option
If you do not choose Happy Health Systems or Mega-Corp, as an alternative you may choose an organization of your own to use for the course project. The organization must be comparable in size and complexity to one of the two sample organizations.
You must develop background information for your alternative organization comparable to that provided for the sample organizations. You will submit this background information to your instructor for approval. If using an existing organization, ensure that identifiers are altered to prevent revealing the identity or proprietary information about the organization.
If approved by your instructor, your individualized organization will be graded using the same scoring guide used to grade the standard course project.
To successfully complete this project, you will be expected to:
- Develop physical security recommendations for an organization.
- Develop recommendations for how biometrics can be used for authentication.
- Develop recommendations for implementation of a security awareness program for an organization.
- Review the security life cycle and configuration management.
- Identify the role of privacy and other regulations in organizations.
- Write recommendations for security awareness training for an organization.
To achieve a successful project experience and outcome, you are expected to meet the following requirements.
- Written communication:Text is free of errors that detract from the overall message.
- Parts of a paper:
- Title Page or Cover Sheet.
- Table of Contents.
- Executive Summary.
- Reference Page.
- Length of paper:No page length requirements. The plan will dictate the number of pages required to convey your design.
- List of references: A list of properly-cited references, including books, Web sites, articles, and other resources.
- APA formatting:Resources and citations are formatted according to the APA style and formatting guidelines
- Font:Arial, 10-point.
Unit 1 – Security Plan
Using one of the sample organizations or one of similar size and scope, create the Information Security Management Plan document and address the following:
- Describe what steps or phases you will follow to complete the plan.
- Identify the roles that will participate in the organizational security management planning.
- Identify the key components of what you will include in the organizational security management plan.
- Describe the chain of command or decision-making process that you will use to vet components of the organizational security management plan.
Unit 2 – Securing Events and Emergencies
Using the sample organization you have chosen for your project, write a short paper that addresses the following:
- Describe existing resources and procedures that support disaster recovery and business continuity planning.
- Identify the roles that will participate in the work of developing disaster recovery and business continuity planning.
- Describe the risks to organizational security management that can result from a failure to engage in disaster recovery and business continuity planning.
- Identify the steps to create an effective contingency plan.
Unit 3 – Security Policy and User Awareness Training
The primary way in which security policies fail is in not communicating and ensuring that staff know and follow the policy. Write a short paper that addresses the following:
- Describe the existing information security policies within the selected organization.
- Describe what policies you will develop as part of a plan for organizational security.
- Identify the steps you recommend relative to educating users about these policies.
- Identify the steps you recommend relative to ongoing information security policy awareness among all users.
Unit 4 – Management Model
The selection of a security model and best practices creates the foundation for effective secure operating system architecture. Write a short paper that addresses the following:
- Identify the security models that are most commonly used by the industry of your project organization.
- Describe briefly the benefits that the organization can experience through adoption of these particular security models.
- Describe the challenges to the organization through adoption of these particular security models.
- Select a particular security model to recommend and provide support for why this model is the optimal tool for the organization.
Unit 5 – Physical Security Risk Assessment
Using the framework of the security model that you selected in the last unit conduct a risk assessment and set of recommendations specific to the physical security issues that would impact organizational security:
- Identify how the security model addresses physical security risk assessment.
- Identify any specific physical security issues identified that are characteristic of the project organization.
- Identify what organizational roles will be assigned responsibility for conducting a physical security risk of information assets.
- Describe the communication strategy for ensuring all risks are identified and all stakeholders are included in the process.
Unit 6 – Recommendations for Managing Risk
Using the information that you gathered during the physical security risk assessment in the last unit, create a set of recommendations specific to mitigating any physical security issues identified that would impact organizational security:
- Quantify the specific risks to physical security of information assets that you discovered during the risk assessment.
- Identify potential controls that can be used to mitigate those risks.
- Identify specific controls that will be recommended as optimal for the particular environment of the project organization.
- Identify the roles within the organization that will be involved with mitigating physical security risks.
Unit 7 – Controls and Protective Mechanisms
Use the information that you gathered from the resources specific to implementing preventative controls that will impact the organizational security management plan. Write a short paper that addresses the following:
- Identify the role of biometric controls in providing both physical and logical access.
- Identify the role of tokens, smart or dumb cards, human escorts, and any other alternative appropriate for physical and logical access.
- Identify the roles within the organization that will be involved in decision-making about appropriate preventative controls.
- Describe how the organization will measure the effectiveness of these controls as part of the overall organizational security management plan.
Unit 8 – Privacy Considerations
Insider risk to information assets resulting from hiring practices and proper separation of duties and oversight are important components of an organizational security plan. Write a short paper and address the following:
- Identify hiring procedures that the organization can implement that will reduce the risk of insider threat to information assets.
- Identify information security related roles that will support the concept of separation of duties and proper oversight.
- Create an organizational chart that defines the reporting relationships of all of those security related roles.
- Describe the procedures and practices that will best balance the work of information security with the personal privacy rights of the user.
Unit 9 – Organizational Security Compliance
There is an increasing number of laws and regulations managing how organizations manage their information assets. Write a short paper and address the following:
- Identify existing laws and regulations that impact organizational information security procedures and practices.
- Identify some of the ethical issues surrounding application of organizational security.
- Develop recommendations for how the organization can ensure compliance with these existing laws and regulations.
- Identify the role of ethics in auditing and monitoring as components of an effective organizational security management plan.
- Privacy Considerations (3-4 pages Assignment)
Insider risk to information assets can sometimes require striking a balance between security and employee privacy and civil rights, both of which are important components of an organizational security plan. Write a short paper and address the following:
- Identify ways in which information security activities can impact employee privacy and civil rights.
- Describe the potential risk to an organization resulting from employee use of social media and other modern communication channels.
- Describe the potential risk to an organization resulting from employee use of personally owned devices such as smart phones and tablets.
- Evaluate the procedures and practices that will best balance the work of information security with the personal privacy rights of the user.
When complete, submit your document in the assignment area.
Housekeeping Access (1-page Discussion)
For this discussion, imagine this scenario:
In your role as information security specialist for a small urban hospital, your phone rings at 3:00 a.m. one morning and on the other end is a frantic night IT support person who claims that there has been a catastrophic failure of applications and medical devices that has brought the institution to its knees. You rouse yourself from your bed and head in to investigate and quickly discover that the source of the problem is that the power cord to a critical piece of networking equipment has been unplugged. You are able to restore operations; however, due to the lack of surveillance and monitoring equipment, you are unable to determine how the cord came to be disconnected. IT support staff claim that housekeeping staff were vacuuming in that vicinity and suspect that a housekeeper unplugged the power cord to make room for the vacuum.
Discuss what you suggest be done to mitigate the potential that such an incident would occur in the future. Include what controls you would recommend so that in the event such an incident were to happen again, it would be possible to determine what the circumstances were around these failures. Finally, discuss how you would approach notification of those who might be subject to the controls that you choose to implement and what some of the potential legal issues are that could impact those choices.