Information Systems Planning and Policy(cyber-security )

User Generated

Enl_12

Computer Science

Description

Hi Eng.Audrey! How are you? I hop you are doing well! 😊

I have this quarter this class called is Information Systems Planning & Policy

Course Goals Organizations across every business sector require effective information systems planning and policy methodology to increase cyber resiliency. Business driven information/cyber security can mitigate business risk associated with the today’s economic environment and concern related to cybersecurity breaches. Every day they face an onslaught of attack on their information systems targeting critical information and data. New government laws and regulations place a premium on cybersecurity controls. Lawsuits lodged seeking damages in the wake of recent cybersecurity breaches are continuing to rise. Customers, shareholders, and investors are demanding effective controls to ensure protection of sensitive information, especially personal and financial data. Many organizations struggle to balance effective information protection without breaking the bank. This course examines cybersecurity as a business imperative through the eyes of the information security professional/manager/leader not the technologist. The primary objective of the class is to teach students how to examine the process of integration of infromation systems planning and policy as a primary component of an organizations’ business continutiy management strategy. By the end of this class, students should be able to: • Understand the concepts and tools that enable effective information systems planning and policy within today’s business environment. • Align organizational planning and policy goals to positively impact business practices. • Understand how IT enterprise frameworks can reduce organizational risk exposure and establish appropriate tolerance levels. • Conduct an organizational assessment and articulate the key developmental aspects of an organizational information systems planning and policy strategies.

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------

If is it easy to you !

I have work this week writing 4-5 pages can you help me please!

Conduct research and write a synopsis of a recent (2015-present) company's cybersecurity breach: include relevant facts about the attack (e.g., target, systems, tactics, compromise) and then discuss the actions taken by the organization (discovery, assessment, remediation, communications). The paper should be written and referenced in APA format and be 4-5 pages in length.


1. Read Textbook Chap 3.(check the attachment)

2. Read Rothrock (2018) .(check attachment)

3. Watch Video: Top 5 Cyber Risks for BoD. ( check here)



I attached 3 files:

1- Info Systems Planning & Policy_chapter_3

2- Rothrock_The_Board's_Role_in_Managing_Cyber risk.

4- Chapter 2 & articles for more information if you need it..

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Note from our prof:

‣ All work for this class will be presented in a professional format. This means that all papers will be CORRECT for grammar, spelling, punctuation, and typing style. Your work will be graded for BOTH content and appearance. Any written work must be typed.

‣ All final documents will be submitted through the assignment link in Blackboard. All this work will automatically be run through www.turnitin.com, a plagiarism testing system. Do not copy work that is not yours. Only submit original ideas. Any academic dishonesty such as plagiarism, submitting previous work, etc., will result in a failing grade for the course. Plagiarism is defined by Webster’s as a piece of writing that has been copied from someone else and is presented as being your own work: the act of plagiarizing or taking someone's words or ideas as if they were your own. Citations/Bibliographies should be made using APA format.

Unformatted Attachment Preview

Info Systems Planning & Policy SESSION FOUR (CHAPTER 3) Overview • Understanding the Cyber Domain • The Convergence of Cyber Risk & Operational Risk • Risk Ownership • Organizational Risks Threats to IP • Technical Risks • Human Risks • • Calculating Risks • • • Quantitative Risk Assessment Qualitative Risk Assessment Risk Decisions Overview (cont) • Communication Risk • Organizing for success • Additional Readings Discussion Understanding the Cyber Domain • Man-made domain • Dynamic environment • Cyberspace is fast • Without borders • Low barrier to entry • Cyberspace is viewed in variety of ways Convergence • Benefits of aligning cyber with operational risk • Look to the International Standards Organization 27K series • • Defining Cyberspace Defining Cybersecurity • Alignment Steps 1. 2. 3. 4. Governance & Ownership Taxonomies & Methods Skills and Capabilities Technology and Data Convergence of Risk and Resilience • Ferdinand Article • Cybersecurity more than Risk Management • Recognizing the limitations of a “Peanut Butter” Defense Methodology • International Approaches--European Network and Information Security Agency (ENISA) • Ferdinand’s Components of Cyber Resilience 1. 2. 3. 4. 5. 6. 7. 8. System Hardening Network Defense Access Control Risk Management Physical Security Procurement Control Monitoring (internal & external) Security Training (all employees all levels) Risk Ownership • Touhill: Cybersecurity is primarily about risk management • Risk is the potential of loss resulting from a given action • The world is full of risk • Risk is managed at every level but owned by the C-suite If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.---Sun Tzu, Chapter III, The Art of War Organizational Risks • Non-Technical Risks Checklists • Intellectual Property • Competitors • Storage • Internet Access • • Technical Risks • • Checklists Previous Incidents Organizational Risks • Technical Risks Malicious code • Probing • Staff certification • Software currency • Cloud Storage • Mobile Devices • Passwords • Vulnerability scans • Remote Access • Human Risks • Phishing • Social Media • Inadvertent Disclosure • Ignorance • Negligence • Apathy • Stupidity Human Risks (cont) • Curiosity • Lack of Leadership • Lack of Accountability Calculating Risk • Quantitative Risk • Qualitative Risk • Risk Decisions Communicating Risk • Risk must be communicated to be managed • Example: Ghostbuster’s communicating risk • Internal Risk Communication • The Five W’s • Regulatory Risk Communication • Shareholder Risk Communication Organizing for Success • Risk Management Committee • Chief Risk Officer Executive Cyber Security and Risk Management • Protect your Reputation • Put Cybersecurity on the agenda before it becomes the agenda • Ten Steps to reduce Cybersecurity Risk • • • • • • • • • • Information Risk Management Regime Home and Mobile Working Policy User Education and Awareness Incident Management Managing User Privileges Removable Media Controls Monitoring Secure Configuration Malware Protection Network Security Questions & Goodnight Homework Assignment--Overview FRONTIERS [CORPORATE GOVERNANCE ] The Board’s Role in Managing Cybersecurity Risks Cybersecurity can no longer be the concern of just the IT department. Within organizations, it needs to be everyone’s business — including the board’s. BY RAY A. ROTHROCK, JAMES KAPLAN, AND FRISO VAN DER OORD T oday, more than ever, the demands posed by issues of cybersecurity clash with both the need for innovation and the clamor for productivity. Increasingly, cybersecurity risk includes not only the risk of a network data breach but also the risk of the entire enterprise being undermined via business activities that rely on open digital connectivity and accessibility. As a result, learning how to deal with cybersecurity risk is of critical importance to an enterprise, and it must therefore be addressed strategically from the very top. Cybersecurity management can no longer be a concern delegated to the information technology (IT) department. It needs to be everyone’s business — including the board’s. Cybersecurity Enters the Boardroom Network breaches have become so routine that only the most spectacular events, such as the recent breach at the credit reporting agency Equifax Inc. that affected some 143 million U.S. consumers, make headlines. Corporate boards of directors are expected to ensure cybersecurity, despite the fact that most boards are unprepared for this role. A 2017-2018 survey by the National Association of Corporate Directors (NACD) found that 58% of corporate board member respondents at public companies believe that cyberrelated risk is the most challenging risk they are expected to oversee. The ability of companies to manage this risk has far-reaching implications for stock prices, company reputations, and the professional reputations of directors themselves. For example, following a 2013 data breach of Target Corp., in which the personal information of more than 60 million customers was stolen, a shareholder lawsuit charged directors and officers with having fallen short in their fiduciary duties by failing to maintain adequate controls to ensure the security of data. Although the board members were ultimately not found to be at fault, both the company’s CEO and CIO resigned. U.S. case law is based on and generally adheres to the “business judgment rule,” which sets a high bar for plaintiffs pursuing legal action against board members. Similar protections for directors are in 12 MIT SLOAN MANAGEMENT REVIEW WINTER 2018 place in most “common law” countries, including Canada, England, and Australia. The Equifax cyberattack and future corporate breaches may prompt more challenges to the business judgment rule. The view that directors are not sufficiently prepared to deal with cybersecurity risk has raised alarm bells in boardrooms nationwide and globally. Even as companies increase their investments in security, we are seeing more — and more serious — cyberattacks. If corporate boards are not sufficiently prepared to deal with cybersecurity, how will they be able to determine the effectiveness of current and proposed cybersecurity strategies? How can they know what operationally effective cybersecurity should look like and how it should evolve? And how can directors know what to ask so that they can make the right cybersecurity investment decisions? Asking the Right Questions In our work with dozens of companies and in surveys of executives, we have found that many directors currently cannot ask the right questions because they lack meaningful metrics to assess the cybersecurity of their business. In a 2016 poll of 200 CEOs conducted by RedSeal Inc., a cybersecurity analytics company in Sunnyvale, California, 87% of respondents reported needing a better way to measure the effectiveness of their cybersecurity investments, with 72% calling the absence of meaningful metrics a “major PLEASE NOTE THAT GRAY AREAS REFLECT ARTWORK THAT HAS BEEN INTENTIONALLY REMOVED. THE SUBSTANTIVE CONTENT OF THE ARTICLE APPEARS AS ORIGINALLY PUBLISHED. challenge.” Often, executives as well as directors spend too much time studying technical reports on such things as the numbers of intrusion detection system alerts, antivirus signatures identified, and software patches implemented. To improve the situation, companies need to address two issues. First, directors need to have basic training in cybersecurity that addresses the strategic nature, scope, and implications of cybersecurity risk. Within companies, managers involved in operations, security specialists, and directors alike need to adopt a common language for talking about cybersecurity risk. Second, top management needs to provide meaningful data about not just the state of data security as defined narrowly by viruses quarantined or the number of intrusions detected, but also about the resilience of the organization’s digital networks. This means having strategies to sustain business during a cybersecurity breach, to recover quickly in its aftermath, and to investigate needed improvements to the digital infrastructure. Networks constantly change, so tracking cyber risks and vulnerabilities over time and adapting accordingly is essential. A few decades ago, when business computers were networked into systems of record, it made sense for organizations to focus exclusively on preventing outside attacks and protecting the network perimeter. However, now that computers have become systems of engagement, strategies geared toward perimeter defense are inadequate. Today’s organizations have vast numbers of network connections and human-machine interactions taking place at all hours of the day and night. In this context, security strategies must extend far beyond the walls of a single organization to reflect interactions with suppliers, customers, and vendors. Networks are permeable, and the relevant question is no longer “Will the organization’s cyberstructure be compromised?” but “What do we do when SLOANREVIEW.MIT.EDU it is breached?” For organizations, the old challenge of detecting and neutralizing threats has expanded to include learning how to continue doing business during a breach and how to recover after one. In other words, it has expanded from security alone to security and resilience. Increasing Resilience Resilience is essential in any effective cyberdefense strategy. Our cyberadversaries are competent, determined attackers and only have to succeed once. Resilience assumes that attacks are immutable features of the digital business environment and that Resilience assumes that attacks are immutable features of the digital business environment and that some fraction of these attacks will inevitably result in breaches. some fraction of these attacks will inevitably result in breaches. Therefore, creating sufficient resilience both to continue doing business while dealing with a breach and to recover in the aftermath of a breach is the most critical element of a contemporary cyberdefense strategy. Adequate organizational resilience is about operating the business while fighting back and recovering. Maintaining this level of performance requires the ability to measure an organization’s digital resilience much the way a board oversees its financial health. For board members, no fiduciary obligation is more urgent than overseeing and, where necessary, challenging how executive leadership manages the risks to the company. Managing cybersecurity risk today requires protecting the digital networks essential to conducting business by ensuring effective security and a high level of resilience in response to those inevitable cyberattacks. This can be accomplished through policy, selection of leadership, and allocation of resources. It is a whole-enterprise issue, requiring both full board engagement and superior execution by management. The 2017-2018 survey by NACD reveals that public company board members are significantly more skeptical about their company’s cybersecurity efforts than are C-suite executives. Just 37% of respondents reported feeling “confident” or “very confident” that their company was “properly secured against a cyberattack”; 60% said they were “slightly” or “moderately” confident. Other surveys, including the 2016 poll of CEOs by RedSeal, pointed to similar weaknesses. Given the disconnect between the risk levels and degree of preparedness, we believe that most companies need to become more realistic about their vulnerability. The problem isn’t a lack of investment. In 2017, worldwide spending on information security was expected to reach $86.4 billion and to further increase to $93 billion in 2018, according to Gartner Inc. However, cybercrime losses are rising at more than twice the rate of expenditure increases. Many CEOs continue to focus their attention on keeping hackers out of their networks rather than building resilience for dealing with hackers once they have broken in. Although most CEOs believe that cybersecurity is a strategic function that starts with executives, RedSeal found that 89% of CEOs surveyed treat it less as a whole-business issue than as an IT function, in that the IT team makes all budget decisions on cybersecurity. Best Practices Building on insights from the surveys cited above, we have developed a fourpart approach to help organizations manage cybersecurity more effectively WINTER 2018 MIT SLOAN MANAGEMENT REVIEW 13 FRONTIERS The Board’s Role in Managing Cybersecurity Risks (Continued from page 13) and formulate digital resilience strategies. It involves educating company leadership; developing a common language for management and corporate directors to discuss cybersecurity issues; understanding the difference between security and resilience; and making both security and resilience strategic corporate imperatives. 1. Educate company leadership. Cybersecurity risk shouldn’t be treated strictly as an IT issue. In terms of risk management, both security and resilience need to be managed as issues of importance to the entire enterprise. Increasingly, directors and senior management are being held accountable for the security and resilience of networks and data. Board members must therefore understand the issues at stake and accept their fiduciary responsibility for their organization’s cyberdefense posture. Company leadership must have an unambiguous understanding of the key elements of security and resilience. Both management and directors need to be aware of (1) the limitations of security (no practical cybersecurity strategy can prevent all attacks) and (2) the need for resilience (strategies to sustain business during a cyberattack and to recover quickly in the aftermath of a breach). In order to be effective, directors need sufficient knowledge to understand and approach cybersecurity broadly as an enterprise-wide risk management issue. Directors need to understand the legal implications of cybersecurity risks as they relate to their company’s specific circumstances. 2. Develop a common language. Boards must have adequate access to cybersecurity expertise, and their discussions about cybersecurity risk management should be a regular part of each board meeting agenda, with sufficient time allotted. Moreover, board engagement regarding cybersecurity issues should not be restricted to yearly or semiannual reports. A proprietary 2017 McKinsey survey on chief information security officer (CISO) and board reporting found that CISOs who had less-than-productive board interactions felt they needed more time with the board to explain and examine critical issues. One CISO who responded to the survey observed that “board members have to be able to ask questions that may be perceived by others to be ignorant.” No question can be considered bad or inappropriate. Digital security specialists, like all subject-area experts, must be able to communicate effectively with board members and other leaders. Meetings with CISOs and other security professionals mean Resilience (the ability to respond to incidents and breaches) should be prioritized over the forlorn hope of security alone as a silver bullet. nothing if technical experts and directors are unable to understand one another. Information security executives must be capable of presenting information at a level and in a format that is accessible to nontechnical corporate directors. Ideally, assessments of cybersecurity, digital resilience, and cybersecurity budgeting should be expressed using metrics that objectively and unambiguously score issues of risk, reward, cost, and benefit. That said, directors should make themselves conversant in basic principles relevant to digital networking and security. The goal is for CISOs and other IT executives to engage in frank, mutually intelligible dialogue with the board and appropriate subcommittees. Wherever possible, IT and CISO reports should be focused on prioritized items on which the 14 MIT SLOAN MANAGEMENT REVIEW WINTER 2018 board can take action, especially those that can be addressed by the whole company. 3. Distinguish between security and resilience. Companies should create a clear distinction between digital security and digital resilience. Digital security focuses on essential security measures, including providing such traditional defenses as effective antivirus and antimalware software, adequate firewalls, and employee education in safe computing practices. Digital security is, therefore, a security issue. In contrast, digital resilience is a business issue, which relates to how the whole organization conducts business in a digital environment. For example, balancing data accessibility with the necessity of protecting customer data and intellectual property involves a trade-off between security and interactivity that affects the customer experience, customer service, customer retention, acquisition of new customers, and so on. It is therefore a business issue. To the degree that an element of an organization’s security implementation impedes business (for example, by arbitrarily restricting access to data), it may provide adequate security. But it is a poor business practice, which makes the company more liable to fail and therefore less resilient. In assessing the organization’s strategic cybersecurity policy, the board must balance resilience against security, with priority given to resilience. Over time, your network will be penetrated. Therefore, resilience (the ability to respond to incidents and breaches) should be prioritized over the forlorn hope of security alone as a silver bullet. Security will not enable you to continue to conduct business during a breach. Resilience will. The board must provide necessary leadership in advocating for whole-enterprise resilience policies and practices. 4. Make security and resilience strategic business issues. Directors must set the expectation that management will establish SLOANREVIEW.MIT.EDU an enterprise-wide cyber-risk management framework with adequate staffing and budget. The board’s discussions with management concerning cybersecurity risk should include identifying which risks to avoid, which to accept, and which to mitigate or transfer through insurance — as well as specific plans associated with each approach. In concert with top management, the board should create a clear statement of its role in overseeing, evaluating, and challenging the company’s digital security and resilience strategies. The statement should clearly define and assign responsibilities and must delineate the differing roles of the board and senior management. Within the board itself, cybersecurity and digital resilience must be the responsibility of all directors and not be relegated to a committee or subcommittee. Nevertheless, boards should consider assigning one cyber-savvy director to take the lead on issues of security and resilience, and, when recruiting new directors, companies should seek out people with appropriate cybersecurity expertise. The board should continually reassess the overall budget for security and resilience and redirect investments as necessary. Given the reality that the number and seriousness of breaches are growing, it is clear that most organizations need to evaluate their cybersecurity investments more clearly and effectively. Improving the ability to measure and quantify cyber-related risks is vital to this step, because it allows cybersecurity and resilience to be evaluated for their impact on the entire business. Ray A. Rothrock (@rayrothrock) is CEO and chairman of RedSeal Inc. James Kaplan (@jmk37) is a partner in the New York office of McKinsey & Co. Friso van der Oord (@ Frisovanderoord) is director of research at the National Association of Corporate Directors in Washington, D.C. Comment on this article at http://sloanreview.mit.edu/x/59221. Reprint 59221. Copyright © Massachusetts Institute of Technology, 2018. All rights reserved. PLEASE NOTE THAT GRAY AREAS REFLECT ARTWORK THAT HAS BEEN INTENTIONALLY REMOVED. THE SUBSTANTIVE CONTENT OF THE ARTICLE APPEARS AS ORIGINALLY PUBLISHED. WINTER 2018 MIT SLOAN MANAGEMENT REVIEW 15 Reproduced with permission of copyright owner. Further reproduction prohibited without permission.
Purchase answer to see full attachment
User generated content is uploaded by users for the purposes of learning and should be used following Studypool's honor code & terms of service.

Explanation & Answer

The files below contain complete work of your assignment. Kindly check it and let me know if you need clarification.

Running Head: SECURITY MEASURES TO COUNTER CYBERATTACKS

Security Measures to Counter Cyberattacks
Name
Institutional Affiliation
Date

1

SECURITY MEASURES TO COUNTER CYBERATTACKS

2

Security Measures to Counter Cyberattacks
Introduction
Security is an issue that requires paramount consideration in any business organization. As
computer technology advances day by day, security threats continue to emerge. There is,
therefore, need to stay vigilant to counter these threats when they happen (Cuthbertson, 2018).
Any Organizations require strong and secure information systems and security policies to better
their resilience in cyber-security. Business institutions are required to lay down policies that can
help mitigate the many business threats associated with today’s economic situation and concern
that relate to cybersecurity attacks (Taylor, 2013).
With the alarming cases and sophistication security attacks, paramount attention is needed to
safeguard sensitive organizational and personal data, as well protect national security.
Information technology comes with advantages and disadvantages. With the alarming cases and
sophistication security attacks, paramount attention is needed to safeguard sensitive
organizational and personal data, as well protect national security. The state of cybersecurity is
an issue that requires paramount consideration as attacks can happen at any moment of the day
(Pemberton, 2015).
The current cyber news on latest hacking activities in the US as per the Homeland Security
Department (DHS) disclose that electrical ...


Anonymous
Really helpful material, saved me a great deal of time.

Studypool
4.7
Trustpilot
4.5
Sitejabber
4.4

Related Tags