Leading Edge Removals is an SME based in Skelmersdale. The company provides professional, high-quality removals services within the UK and to and from international destinations. Founded as a family business in 1954, it has many years of experience in the moving industry. It has grown from a local and regional removals company and has recently started international removals. A regional office is planned to open in Bristol, and both sites will offer a household storage facility. The company is ambitious and sees opportunities to expand, especially in the storage business (e.g. company archives and self-storage) and in international removals. The company currently employs approximately 50 staff. The management team does not fully appreciate information security risks or the measures needed to control them, and such measures are seen as a burden. The company has limited financial and technical resources, and the most important consideration for management is that any spending must fit within their revenue.

You are the newly appointed IT manager. In your previous job you worked in a large company, initially as a network administrator; you subsequently moved into Information Assurance, where you were responsible for internal security audits based on ISO 27001:2013. Your job description includes references to IT security and to ensuring agreed levels of service availability, but in your day-to-day work in the company you notice that no serious consideration has been given to ownership of information and data, or to access rights. Furthermore, the IT infrastructure has developed piecemeal, with several servers of various ages running different systems (e.g. the accounts system, the Moveware logistics system, and a domain controller for user authentication). There have been some recent system failures, both hardware and software, which have caused significant delays and lost work time. Some users have also succumbed to phishing emails and have downloaded viruses. "Security culture" certainly isn't a phrase you'd use to describe the situation.

You are surprised to find that email is not hosted by the ISP but on a server running MS Exchange inside the LAN rather than in a DMZ. There are no company policies relating to information security, acceptable use, etc. In addition, your discussions with the MD show that he has little understanding of information security governance as a process, and his view of threats is limited to viruses, fire and server failure. He also gives the very strong impression that he considers it all your responsibility. You wonder if you should have taken the job, but it's a bit too late for that, so you decide you need to take the initiative before you get landed with a career-limiting security incident. You're familiar with ISO 27001, but you're not sure whether it's overkill for this company, particularly given the costs involved. You've also heard of the UK Government's Cyber Essentials programme and the "10 Steps to Cyber Security" guidance from CESG, which might be relevant. You also went to a recent Northern Chapter meeting of ISACA at which the Business Model for Information Security (BMIS) was presented; you vaguely remember it, and it might be relevant given the MD's attitude to security and the need for ROI.
Your Task, Stage 1

Analyse the scenario:

1. Identify aspects of it that you do not understand and need to research before moving forward (your Learning Goals). (Now)
2. Research the Learning Goals individually and produce short research handouts. (Between now and next session)
3. Share your learning, and create and deliver a presentation which discusses the following (Next session):
   1. What is Information Security Governance, and why is it important?
   2. What are the major security risks? Categorise them as High, Medium or Low.
   3. An outline plan of action to improve the security of this company. (Much of the discussion should focus on governance and security culture, with brief discussion of technical solutions.)
   4. What further information do you need from the company in order to propose a way forward?
Your Task, Stage 2: Implementing the plan

Using the additional information you've obtained from the company, together with your research, you should now consider the detailed actions that need to be taken to increase security. The deliverables are:

a. A plan for influencing the board (actions, supporting information needed, presentation).
b. An assessment of the key features of ISO 27001 and Cyber Essentials and their suitability for this company.
c. A detailed proposal for securing the company's assets and developing a security culture. It should identify key assets, risks and controls (particularly data governance), and ROSI.
Resources

Alnatheer, M., Chan, T. & Nelson, K. (2012) Understanding and Measuring Information Security Culture. Proceedings of the Pacific Asia Conference on Information Systems.
Bojanc, R. & Borka, J. (2008) An economic modelling approach to information security risk management. International Journal of Information Management, 28, 413-422.
Brecht, M. & Nowey, RT. (2012) A Closer Look at Information Security Costs. http://weis2012.econinfosec.org/papers/Brecht_WEIS2012.pdf [Last accessed 29-May-2015]
British Standards ISO 27001 Overview: http://emea.bsiglobal.com/InformationSecurity/index.xalter [Last accessed 22-Sep-2014]
HM Government (2015) Small businesses: what you need to know about cyber security. DBIS.
ISACA (2013) CISM Review Manual. Rolling Meadows: ISACA.
ISO 22301:2012 Societal security -- Business continuity management systems -- Requirements.
ISO/IEC 27001:2013 Information technology -- Security techniques -- Information security management systems -- Requirements.
ISO/IEC 27002:2013 Information technology -- Security techniques -- Code of practice for information security controls.
ISO/IEC 27035:2011 Information technology -- Security techniques -- Information security incident management.
Melek, A. (2014) Cybersecurity: engaging with the board. ISACA.
Posthumus, S. & Von Solms, R. (2004) A framework for the governance of information security. Computers & Security, 23(8), pp. 638-646. [Online]. Available from: http://www.sciencedirect.com/science/article/pii/S0167404804002639 [Accessed on 11/03/2015]
Sonnenreich, W., Albanese, J. & Stout, B. (2006) Return on Security Investment (ROSI): A Practical Quantitative Model. Journal of Research and Practice in Information Technology, 38(1).
Stuntz, J. (2014) A Review of Return on Investment for Cybersecurity. McDonough School of Business.
Von Solms, R., Thomson, K. L. & Maninjwa, M. (2011) Information security governance control through comprehensive policy architectures. In Information Security South Africa (ISSA), pp. 1-6. IEEE. [Online]. Available from: http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6027522 [Accessed on 11/03/2015]