Build Information Security Program for a Company

ICS 230 Final Project
**Project Title:** Build Information Security Program for a Company
**Group work:** 3 students each (random groups)
Scenario:
You’ve been appointed as a security professional to head a team responsible for
evaluating the current security measures of a chosen company. Your objective is to
recommend enhancements and create a thorough information security program in
accordance with ISO 27001 standards. Choose one of the five company types
provided below and tailor your analysis and improvement proposals to the specific
characteristics, business domain, and unique requirements of the selected company.
1. Company A: Tech Startup Expansion. The company is expanding rapidly,
and with more data and users, there are concerns about data breaches and
intellectual property theft.
2. Company B: Healthcare Provider with sensitive patient information. The
organization needs to comply with strict healthcare data regulations and
ensure the security and privacy of patient records.
3. **Company C:** Financial Institution handling sensitive financial data. The
company has faced recent cyber threats, and there’s a need to enhance
security measures to protect client financial information.
4. Company D: A large e-commerce platform with vast customer data. The
company faces constant cyber threats, and there’s a need to strengthen
security to ensure customer trust and prevent data breaches.
5. **Company E:** An international consulting firm with confidential client
information. The company deals with diverse clients worldwide, and there’s a
need to create a robust security program to safeguard client confidentiality.
Assumptions:
You may assume the following about the current security posture of the selected
company above:
1. There is a lack of emphasis on cybersecurity and no comprehensive
security program in the selected company.
2. For each option, assess the company’s assets and its existing IT
infrastructure as outlined below to identify potential vulnerabilities and areas
that require immediate attention.
3. Company assets may include:
a. Intellectual Property (IP): The company has developed several proprietary software
products and holds valuable source code, algorithms, and trade secrets, valued at
$5 million.
b. Customer Data: The company stores personally identifiable information (PII),
purchase histories, and contact details, valued at $2 million.
c. Financial data, and confidential business information of its clients. This data is vital
to the company’s operations and requires adequate protection with an estimated
value of $1 million.
d. Hardware Assets: The company possesses a range of hardware assets, including
desktop computers, laptops, servers, networking devices (routers, switches), and
peripherals with a combined value of $10 million.
e. Software Assets: The company uses various licensed software applications,
including development tools, project management software, collaboration tools, and
productivity suites, valued at $2 million.
f. Raw Materials: The company holds a stock of raw materials, including metals,
plastics, and electronic components, valued at $3 million.
g. Finished Products: Completed machinery awaiting shipment or installation, with an
estimated value of $6 million.
4. Existing Infrastructure: assume each company invested in technologies and
IT infrastructure that serves the company’s operational needs. However, it
lacks proper security controls and policies. The IT infrastructure may include:
a. Network Infrastructure: A wired and wireless network that interconnects all
office devices.
b. Internet Connectivity: The company has a high-speed internet connection to
facilitate communication and online services.
c. Servers and Storage:
I. Application Servers: Multiple servers running critical software applications,
including web servers, database servers, and version control systems.
II. File Servers: Centralized storage for documents, software code, and other
important files shared among employees.
d. End-User Devices: Standard desktop systems running the Windows operating
system; laptops for remote work and business travel; and a mix of
company-issued and personally-owned smartphones and tablets used for business
purposes.
5. Current Security Measures:
a. **Firewall:** A basic firewall is in place to filter incoming and outgoing network
traffic.
b. Antivirus Software: Each desktop and laptop has a basic antivirus solution
installed.
c. Virtual Private Network (VPN): No company-wide VPN is implemented, leaving
remote connections less secure.
d. Authentication: The company uses simple username and password
authentication for various systems.
e. Data Backup and Recovery: Data backups are performed irregularly on external
hard drives stored on-site. No off-site backup strategy is currently in place.
f. Access Control: The company uses simple username and password
authentication for various systems. User accounts are created for each employee,
but the password complexity and expiration policies are not enforced. Access rights
to various resources are loosely defined and not regularly reviewed.
g. Incident Response and Monitoring: Limited logging and monitoring capabilities
exist, with no central system for aggregating and analyzing logs. No formal plan is in
place to guide the company’s response to security incidents.
h. Encryption and PKI: There is no system-wide use of encryption in company
communications or exchange of company emails.
Project Requirements:
You are tasked to build a security program for the selected company that includes
the following elements/components. Perform the following tasks with respect to the
selected company:
1. Initial Security Analysis: Perform a thorough analysis of the selected
company’s current security infrastructure, policies, strategies, and procedures.
Identify at least three weaknesses, vulnerabilities, and potential risks.
Evaluate the existing security controls and strategies (e.g., cryptographic
algorithms), if any, and their effectiveness. Make sure to include
administrative, physical, and logical controls in your analysis.
2. Risk Assessment: Apply a statistical risk assessment technique to
prioritize security threats based on their potential impact and likelihood.
Develop a risk management plan that outlines strategies for mitigating the
identified risks.
3. Improvement Suggestions: Based on the analysis, propose specific
improvements and recommendations for addressing identified vulnerabilities.
Prioritize suggested improvements based on risk severity and potential
impact. Consider both technical and non-technical aspects of security.
4. Technology Recommendations: Suggest specific security technologies and
tools that can enhance the organization’s defense mechanisms. Justify your
recommendations based on the identified threats and vulnerabilities.
Investigate 2 new security tools that you recommend the company use to
enhance its security posture. You need to demonstrate how to use each tool
by providing screenshots explaining how each tool is used.
5. Information Security Program Development: Develop an Information
Security Program tailored to the selected company’s needs. Include policies,
procedures, and guidelines for data protection, access control, incident
response, and more. The program shall address the following components:
a. Policy and Procedure Development: Create comprehensive security policies
and procedures tailored to the organization’s needs. The minimum requirement is to
develop a system-specific policy and an issue-specific policy that also include
guidelines for data protection, access controls, incident response, and employee
training.
b. Training and Awareness Program: Develop a training and awareness program
for employees to ensure they understand and adhere to the new security measures.
Consider at least the following SETA components: social engineering attacks,
phishing attacks, and web safety.
c. Monitoring and Incident Response Plan: Design a robust monitoring system for
detecting and responding to security incidents promptly. Develop an incident
response plan outlining the steps to be taken in case of a security breach such as
data theft, a DDoS attack, or a natural disaster.
d. GRC and Laws/Regulations: Devise how GRC and data protection laws in UAE
can be used to support company program compliance with ISO 27001 and data
protection laws of UAE.
6. Implementation Plan: Create a phased implementation plan for deploying
proposed improvements and the information security program. Include timelines,
resource requirements, and responsibilities for each phase.
7. **Continuous Improvement for the program:** Explain how the Plan-Do-Check-Act
(PDCA) cycle can be used to continuously improve the security program of the company.
8. Peer feedback and constructive criticism. Highlight the key challenges faced
and solutions implemented.
References in APA style
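For the risk assessment required in point 2 above, the following is an added worked example; it is not part of the assignment brief and not drawn from ISO 27001 or any other referenced standard. It takes the asset values stated in the Assumptions section and applies the annualized loss expectancy method (ALE = SLE × ARO, with SLE = asset value × exposure factor) to rank threat scenarios, then checks whether a candidate control is cost-justified (ALE avoided versus annual control cost). The threat scenarios, exposure factors, annual rates of occurrence, control costs and residual-risk factors are all constructed placeholders that a team would replace with its own estimates.

```python
"""Quantitative risk ranking over the assignment's asset list (added example).

Method: annualized loss expectancy, ALE = SLE x ARO, where
SLE = asset value x exposure factor (EF). Threats are ranked by ALE and a
candidate control is judged cost-justified when the ALE it avoids exceeds
its annual cost. Asset values are the ones given in the brief; everything
else (scenarios, EF, ARO, control costs, residual factors) is a constructed
placeholder for illustration.
"""
from dataclasses import dataclass

# Asset values in USD, as stated in the assignment brief.
ASSET_VALUES = {
    "Intellectual Property": 5_000_000,
    "Customer Data": 2_000_000,
    "Client Financial Data": 1_000_000,
    "Hardware": 10_000_000,
    "Software": 2_000_000,
    "Raw Materials": 3_000_000,
    "Finished Products": 6_000_000,
}


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str               # key into ASSET_VALUES
    exposure_factor: float   # fraction of the asset value lost per incident (0..1)
    aro: float               # annual rate of occurrence (expected incidents per year)
    control: str             # candidate mitigation (constructed)
    control_cost: float      # annual cost of the control in USD (constructed)
    residual_factor: float   # fraction of the ALE remaining once the control is in place


# Constructed scenarios tied to weaknesses the brief lists (no VPN, password-only
# logins, on-site-only backups, loose physical control). All figures are placeholders.
THREATS = [
    Threat("Ransomware on file servers, on-site-only backups", "Intellectual Property",
           0.4, 0.3, "Off-site encrypted backups with tested restores", 25_000, 0.1),
    Threat("Credential stuffing against password-only logins", "Customer Data",
           0.5, 0.5, "MFA plus enforced password policy", 40_000, 0.2),
    Threat("Source code exfiltration over unencrypted remote access", "Intellectual Property",
           0.3, 0.2, "Company-wide VPN with TLS on internal services", 30_000, 0.25),
    Threat("Laptop and peripheral theft from offices", "Hardware",
           0.01, 1.0, "Badge access control and asset tagging", 120_000, 0.5),
]


def single_loss_expectancy(t: Threat) -> float:
    """Expected loss from one occurrence of the threat."""
    return ASSET_VALUES[t.asset] * t.exposure_factor


def annualized_loss_expectancy(t: Threat) -> float:
    """Expected loss per year before any new control is applied."""
    return single_loss_expectancy(t) * t.aro


def control_benefit(t: Threat) -> float:
    """Net annual benefit of the control: ALE avoided minus control cost."""
    avoided = annualized_loss_expectancy(t) * (1.0 - t.residual_factor)
    return avoided - t.control_cost


def decide(t: Threat) -> str:
    """Mitigate when the control pays for itself within the year; otherwise
    accept or transfer the risk (e.g. insurance) and revisit at the next review."""
    return "mitigate" if control_benefit(t) > 0 else "accept or transfer"


def build_register(threats=THREATS) -> list:
    """Risk register sorted by ALE, highest first (ties broken by threat name)."""
    rows = []
    for t in threats:
        rows.append({
            "threat": t.name,
            "asset": t.asset,
            "sle": round(single_loss_expectancy(t), 2),
            "ale": round(annualized_loss_expectancy(t), 2),
            "control": t.control,
            "net_benefit": round(control_benefit(t), 2),
            "decision": decide(t),
        })
    rows.sort(key=lambda r: (-r["ale"], r["threat"]))
    return rows


if __name__ == "__main__":
    for rank, r in enumerate(build_register(), start=1):
        print(f"{rank}. {r['threat']} [{r['asset']}]")
        print(f"   SLE ${r['sle']:,.0f}  ALE ${r['ale']:,.0f}  control: {r['control']}  "
              f"net benefit ${r['net_benefit']:,.0f}  -> {r['decision']}")
```

The register orders scenarios by expected annual loss, which is the prioritisation the requirement asks for, and the last column is the input to the risk management plan: a control whose annual cost exceeds the loss it avoids is not a mitigation candidate on cost grounds alone, so the plan should record it as accepted or transferred and give the date it will be re-estimated.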
Deliverables:
Students will deliver the following:
1. Primary resource: A full PDF report that addresses the above requirements
(use this template).
2. Secondary Resource: Additional appendices as needed (source code, Excel
sheets, and a description of any security tools you have used: what each is used
for and how to use it, along with screenshots from each tool to demonstrate it).
Academic Integrity / Disclaimer:
The group must confirm that the work submitted for the assignment is entirely their own
and that no artificial intelligence (AI) tools or any other unauthorized means were used
to generate answers or complete any part of this assignment. Any violation of academic
honesty policies may result in disciplinary action, including but not limited to, a failing
grade for the assignment or the entire course.
Project Key Assessment Criteria:
The project will mainly be assessed along the below elements:
- Thoroughness of the initial security analysis.
- Effectiveness and feasibility of improvement suggestions.
- Completeness and relevance of the information security program.
- Clarity and practicality of the implementation plan.
- Creativity and engagement in the training and awareness program.
- Thoughtfulness in the monitoring and incident response plan.
- Compliance with the ISO 27001 standard.
- Compliance with laws and regulations as mandated by UAE official bodies for data protection.
- Policy and procedure development.
