CSIA485WK3Disc.txt

Before you begin, read: https://www.blackstratus.com/best-practices-cybersecurity-compliance-audits/

Our class focuses on integrating several aspects of cybersecurity, information security, and information assurance. Part of an overall integrated approach to achieving a comprehensive information assurance program is compliance management. As you are aware, there are a number of government regulations that affect both the public and private sectors.

Your organization is a financial services firm that has a decentralized management structure, including the management of IT resources. Each regional division has its own IT support organization, which reports to the region's Vice President. The Board of Directors has decided that the division IT support can remain as is, but wants the CEO to establish a centralized IT security management program under a Chief Information Security Officer (CISO). The CISO will be responsible for ensuring that policies, procedures, and best practices are in place to implement and operate this program; he or she will have budgetary authority and staff support.

You are being considered as one of the internal candidates for the CISO position. As part of the vetting process, you have been asked to prepare a position paper for the CEO and division VPs in which you provide background information about implementing an IT Security / cybersecurity compliance management program. They have specifically asked you to make a recommendation regarding the use of compliance management tools. You can and should address additional best practices for IT security / cybersecurity compliance management.

Your 5-7 paragraph position paper must answer the following questions (at a minimum). (You will need to write clearly and concisely to fit all required information into this restricted length.)

1. What approach should the organization take in developing the IT Security Management program? (What standards or frameworks should be used?)
2. What laws and regulations must be addressed by the IT Security Management Program in a financial services firm?
3. What are the best practices that should be put into place to ensure compliance with these laws and regulations? (Hint: auditing compliance should be one of your top choices for "best practices.")
4. Would you recommend that the organization invest in and use a compliance management tool? If so, which one, and how would you justify the expense? Should this tool be for Governance, Risk, and Compliance (GRC), or specialized for IT security compliance, or ??? (See https://www.esecurityplanet.com/products/top-grc-vendors.html for some ideas / lists of vendors.) If not, explain why (in detail).

Post your position paper as a reply to this topic. Remember to cite your sources and place your reference list at the end of your posting.