PBL 2: Problem Statement: SME Security Governance

Version 3: 17th September 2015

Scenario

Leading Edge Removals is an SME, based in Skelmersdale. The company

provides professional, high quality services to and from the UK to
international destinations. Founded as a family business in 1954, it has
many years of experience in the moving industry. It has grown from a local
and regional removals company and recently has started international
removals. A regional office is planned to be opened in Bristol. Both sites will
offer a household storage facility. The company is ambitious and sees
opportunities to expand, especially in the storage business (e.g. company
archive and self-storage) and international removals.
The company currently employs approximately 50 staff. The management
team does not fully appreciate Information Security risks or measures
needed to control them, and they are seen as a burden. The company has
limited financial and technical resources and the most important thing, for
them, is their need must fit their revenue.
You are the newly appointed IT manager, in your previous job you worked in
a large company, initially as a network administrator but subsequently you
moved to Information Assurance, and had responsibility for internal security
audits, based on ISO27001:2013.
Your job description includes references to IT security and ensuring levels
of service availability, but in your day-to day work in the company you notice
that no serious consideration has been given to ownership of information
and data, or access rights. Furthermore, the IT infrastructure has developed
piecemeal with several servers of various ages running different systems (eg
Accounts system, Moveware logistics system, Domain controller for user
authentication). There have been some system failures recently, both
hardware and software which have caused some significant delays and lost
work time. Some users have also succumbed to phishing emails and have
downloaded viruses. Security Culture certainly isnt a phrase that youd use
to describe the situation. You are surprised to find that email is not hosted by
the ISP, but is on a server running MS Exchange in the LAN, rather than
DMZ.
There are no company policies relating to information security, acceptable
use etc. In addition, to this, your discussions with the MD shows that he has
little understanding of information security governance as a process and his
view of threats is limited to viruses, fire and server failure. He also gives the
very strong impression that he considers it all your responsibility.
You wonder if you should have taken the job, but its a bit too late for that,
so you decide you need to take the initiative before you get landed with a
career-limiting security incident. Youre familiar with ISO27001, but youre
not sure if thats overkill for this company- particularly the costs involved.
Youve also heard of the UK Governments Cyber Essentials programme and
10 steps to Cyber Security guidance from CESG which might be relevant.
You also went to a recent Northern Chapter meeting of ISACA meeting where
the Business Model for Information Security (BMIS) which you vaguely
remember and might be relevant given the MDs attitude to security and the
need for ROI.
1

Your Task Stage 1

Analyse the scenario:

Identify aspects of it that you do not understand and need to research

before moving forward Learning Goals. (Now)

Research Learning goals individually and produce short research

handouts (Between now and next session).

Share your learning and create and deliver a presentation which

discusses the following: (Next session)
1. What is Information Security Governance & why it is important
2. What are the major security risks? Categorise High, Medium,
Low
3. An outline plan of action to improve the security of this company.
( Much of the discussion should focus on governance and security
culture, with brief discussion on technical solutions)
4. What further information do you need from the company in order
to propose a way forward?

Your Task Stage 2: Implementing the plan

Using the additional information, youve obtained from the company,

together with your research you should now consider the detailed actions
that need to be taken to increase security,
1. There are two deliverables:
a. A plan for influencing the board (actions/supporting information
needed/ presentation)
b. An assessment of the key features of ISO27001 and Cyber
Essentials and their suitability for this company.
c. A detailed proposal for securing the company assets and
developing a security culture. It should identify key assets, risk,
controls, (particularly data governance) and ROSI.

Resources

Alnatheer, M., Chan, T. & Nelson, K. (2012) Understanding And Measuring

Information Security Culture. Proceedings of the Pacific Asia Conference on
Information Systems
Bojanc,R., Borka J. (2008) An economic modelling approach to information
security risk management. International Journal of Information
Management.28, 413422
Brecht, M & Nowey, RT. (2012) A Closer Look at Information Security Costs,
http://weis2012.econinfosec.org/papers/Brecht_WEIS2012.pdf [Last
accessed 29-May-2015]
British Standards ISO 27001 Overview: http://emea.bsiglobal.com/InformationSecurity/index.xalter [Last accessed 22-Sep-2014]
HM Government (2015) Small businesses: what you need to know about
cyber security: DBIS.
ISACA, 2013. CISM Review Manual. Rolling Meadows: ISACA.
ISO 22301:2012 Societal security -- Business continuity management
systems --- Requirements
ISO/IEC 27001:2013 Information technology Security techniques
Information security management systems Requirements

ISO/IEC 27002:2013 Information technology Security techniques Code

of practice for information security controls
ISO/IEC 27035:2011 Information technology Security techniques
Information security incident management
Melek,A. (2014) Cybersecurity: engaging with the board, ISACA
Posthumus, S., & Von Solms, R. (2004). A framework for the governance of
information security. Computers & Security, 23(8), pp. 638-646. [Online].
Available from:
http://www.sciencedirect.com/science/article/pii/S0167404804002639,
[Accessed on 11/03/2015]
Sonnenreich,W. Albanese,J. and Stout,B. (2006) Return on Security
Investment (ROSI) A Practical Quantitative Model, Journal of Research and
Practice in Information Technology, 38, 1,
Stuntz,J. (2014) A Review of Return on Investment for Cybersecurity ,
McDonough School of Business
Von Solms, R., Thomson, K. L., & Maninjwa, M. (2011). Information security
governance control through comprehensive policy architectures. In
Information Security South Africa (ISSA), (pp. 1-6). IEEE. [Online]. Available
from: http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6027522,
[Accessed on 11/03/2015]