Group project
Information Systems Security Management 545: Security Policies, Standards and Management
Project Description: An organization has recently undergone a serious Cybersecurity breach in which
millions of customers' records were leaked or stolen. This organization has no Information Security
Management Program (ISMP), Information Security Management Framework (ISMF), Security
Governance, Policy, Standard, Baseline, Guideline or Procedure in place. Further, numerous
vulnerabilities and threats are prevalent in the organization, which is why the attacker's
Cybersecurity attack succeeded. Your group is contracted as a team of Smart Cybersecurity
Professionals that will assist this company to gradually transition from its current reactive
security stance to a proactive security stance. Note: The organization chosen for your group project must
be a genuine one. Furthermore, for this project, your tasks include the following:
1. Define roles and responsibilities for each member of your group (Senior Manager, Chief
Information Security Officer, Cyber Security Professionals, Compliance Analyst and Auditor). You
may want to include a RACI chart
2. Create a Project Charter and clearly define your project’s goals, objectives and deliverables
3. Select a real organization whose current security posture matches the description above
4. Identify the organizational structure, mission and vision of your selected organization as well as
how they conduct their business (business model)
5. Examine the security posture of the company both before and after the attack
6. Develop a complete ISMP for your selected company leveraging all steps required for the
creation of a solid ISMP as discussed in class
7. Employ a Threat Model approach (including risk assessment and analysis) that identifies the
possible or potential risks (vulnerability * threat) present in the organization
8. Design a complete ISMF for your selected organization which comprises the following
components:
o Framework Core:
Ensure to elaborate on the five functions of a Framework Core (Identify, Protect, Detect,
Respond, Recover) and how they can be applied to help strengthen your selected
organization's security posture
o Framework Tier:
Your goal is to recommend and describe how the organization can attain a MINIMUM of
Tier 3
o Framework Profile:
Create a roadmap for your selected organization that aligns with its business goals,
mission, vision and requirements and assists them to reduce risks to an acceptable level
9. Recommend a Security Governance approach that will be beneficial to your selected organization.
10. Design Strategic, Tactical, and Operational Security Plans applicable to your selected organization
11. Develop and implement the following using industry best practices / frameworks such as ISO
27000:2018, NIST, PCI DSS, ITIL, COBIT, TOGAF, etc.
o Program Policy
o Issue-specific Policy
o System-specific Policy
o Standards
o Baseline
o Guideline (Optional)
o Procedures
12. Suggest an Asset Management and Security approach that could assist your selected organization
in ensuring the confidentiality, integrity and availability of its assets
13. The experience of a Cybersecurity breach comes with some lessons learned. List about 7 things
that your organization could have done to avert or prevent the breach from occurring. Did your
selected organization learn any lessons from the breach? If yes, then list all possible lessons
learned
14. In addition to (13) above, propose preventative measures or controls to your selected
organization's management to help thwart future recurrences of such security breaches
15. Prepare a comprehensive report that covers all tasks (tasks 1 to 14) listed above
16. Prepare a 20-minute presentation detailing how your group achieved its project goals, objectives
and deliverables.