Create a comparison about the differences in policies and procedures that would result from Project Options #1, #2, and #3, regardless of which option you selected.

September 15, 2020

Create a comparison about the differences in policies and procedures that would result from Project Options #1, #2, and #3, regardless of which option you selected. (HINT: this is where you discuss how the differences in size, complexity, and industry sector of organizations will impact the strategies, policies, and procedures that are developed.)

Project Option #1 (Small Business)

Financial Services company, privately owned (LLP), providing brokerage services for investments and loans, with a primary office in San Diego (Kearny Mesa) and three field offices (in Vista, Poway, and El Cajon)

Small Business – 40 employees in total; 1 Branch Manager and 6 staff at each field office, and the Management Team, an Office Manager, and 15 staff at the main office

Management team consists of the Owner/CEO, CFO, and COO; they contract with third parties for all IT services, which are managed by the COO; they have no internal IT staff and no cybersecurity staff

Company’s Mission: To provide the best brokerage services for our customers, with high rates of return and lowest fees

The company has a Business Plan which includes a Risk Management Plan (not a separate plan); there is an Operations Strategy, which includes a section on the use of information technology systems; there is an Emergency Management Plan, which includes disaster recovery and business continuity for the staff and physical facilities and equipment; the CFO maintains a set of procedures for compliance with federal laws and regulations; there are no other formal policies or procedures

They use PCs running Windows 10; an office application suite runs locally on each PC; shared financial applications run from cloud-based services; email is provided through cloud-based services with the capability to send digitally signed, encrypted messages; shared file storage is provided through cloud-based services, with the ability to encrypt files or entire folders/directories; they have a secure Fax machine in each office

Your role (individual or team): you report to the COO, who knows you have at least some training or education in cybersecurity, so he has tasked you with developing a high-level Information Security Strategy, along with creating a prioritized list of potential InfoSec policies and procedures that you believe are needed for the company to be more secure, and you are to create a draft version of the highest priority policy

You will be presenting all of this information to the Management Team, the Office Manager, and three Branch Managers

Project Option #2 (Medium-sized Business)

Transportation/Delivery Company, privately owned (LLC), providing transportation and delivery of products and merchandise from retail and wholesale businesses to customers and other businesses in six states in the southwestern USA; with its primary office in Las Vegas, NV, and branch offices in Ontario, CA, Sacramento, CA, Salt Lake City, UT, Denver, CO, Phoenix, AZ, and Albuquerque, NM

Medium-sized business – 1,700 employees total; includes 650 drivers, 780 stock workers (load/unload trucks), and 170 office or administrative staff split among the locations

Management Team consists of the President/CEO, COO, CFO, CIO, and six Regional Vice Presidents (one for each branch); they have an internal IT department with 23 staff, which includes 5 positions who have dual roles as System Administrators and Cybersecurity Analysts (one of them is a senior position who supervises the other four) – these 5 are located in Las Vegas; however, there are three IT staff at each branch location

Company’s Mission: To transport and deliver a wide variety of products safely and on time, meeting all customer expectations.

The company has a Business Plan, Risk Management Plan (separate), Business Operations Strategy; several operational policies and procedures related to receiving, packaging, loading, and transporting products; driver and vehicle safety policies; each branch location has its own Emergency Management Plan; there are two or three information security policies which are 5 years old or more, related to customer privacy and protecting customer data, along with a general policy on user accounts and system access

The company primarily used PCs running Windows 7 and Windows 8.1; a standard office application suite runs locally on each PC; the IT staff have several devices running Linux for network and security monitoring; business applications and the company website are managed by the IT staff and hosted on their own servers, located in two data centers, one in Nevada and the other in Texas (for redundancy); the Management Team have the ability to encrypt their email messages and attachments; all employees can encrypt files stored locally on their PC or on network file servers (using Microsoft BitLocker)

Your Role (individual or team): you are the senior SysAdmin/Cyber Analyst (with a team of four others); you report to the CIO, who has tasked you with developing a high-level Information Security Strategy, along with creating a prioritized list of potential InfoSec policies and procedures that you believe are needed for the company to be more secure, including replacement of the current outdated policies, and you are to create a draft version of the highest priority policy

You will be presenting all of this information to the Management Team; some will be attending remotely via a web conference session

Project Option #3 (Large Organization)

Technology Manufacturing Company, employee-owned (stock options), providing electronic components used in computers, digital audio/video equipment, navigation systems, and other consumer and commercial digital equipment; they do not sell directly to consumers, they sell to large-scale manufacturers and value-added resellers that incorporate the components into end-user products; they have manufacturing facilities in San Diego, CA, San Jose, CA, San Antonio, TX, Atlanta, GA, St. Louis, MO, and Boulder, CO, with administrative offices in San Diego, CA, Austin, TX, and Denver, CO

Large business – 15,250 employees total; there are 5 operating divisions – Research & Development, Marketing & Sales, Engineering, Manufacturing, and Administration (which includes management, IT, human resources, information security, accounting, and legal); staff is spread out at all of the locations, with slightly higher counts in San Jose, San Antonio, and San Diego; the IT department provides all technology support and has 5 supervisors and 120 staff under the CIO; the information security department monitors the networks, workstations, and servers, manages any computer emergency incident response, and has 3 supervisors and 30 staff under the CISO

Executive Management consists of the President/CEO, COO, CFO, CIO, CISO, Internal Legal Counsel, and the Senior Vice President for each division; there is a Board of Directors composed of 16 elected employee/owners representing each division and location

Company Mission: To make reliable electronic components of the highest quality and to provide excellent customer service

The company has a full range of business governance documents that are reviewed on a regular basis – Business Plan, Risk Management Plan (separate), Business Operations Strategy (related to the products they develop), Technology Strategy (related to the office and manufacturing systems), Emergency Management Plan, including both Disaster Recovery and Business Continuity which cover emergency operations for all divisions and critical job functions, as well as how to protect and recover data stored on their computer systems; there are several operating policies and procedures for ensuring protection of company intellectual property (trade secrets) and what to do if corporate espionage is suspected; there are a series of Information Technology policies related to what types of hardware and software are to be purchased and used for different job functions, general asset management procedures, and a Change Management Policy with formal Change Review Board; there is a multi-purpose Information Security Policy which covers Identity & Access Management (i.e., User IDs and passwords, and there is strict access control to sensitive or confidential information), Acceptable Use Policy (i.e., don’t use company computers for personal business and don’t surf inappropriate web sites), and a Security Incident Response Plan; most of the InfoSec policies are at least 2 years old, but not more than 5 years old

The company primarily used PCs running Windows 8.1 and Windows 10 with a standard office application suite running locally on each PC; the Research & Development, Engineering, and Manufacturing divisions use Unix-based drafting and design workstations, as well as Unix-based systems that automate the manufacturing processes; the IT and information security departments have several devices running Linux; business applications (including email) and the company website are managed by the IT staff and they are all hosted through Cloud services; all employees can encrypt email and file attachments, as well as files saved on their local PC or in the shared Cloud services storage areas; the company monitors (data logs and video surveillance) and tracks physical access into facilities and interior rooms, as well as tracking computer system access

Your Role (individual or team): You are one of the three information security supervisors, reporting to the CISO, who has tasked you with reviewing the current sets of security policy documents, providing a new Information Security Strategy statement, creating a prioritized list of InfoSec policies, including replacing or updating any current policies, providing some procedures for the top priority policies, and a draft of the highest priority policy

You will be presenting this information to the CISO, CIO, COO, Legal Counsel, and three of the division VPs