Select an organization that you would like to develop an IT governance strategy for, using ISO 27001, Information Security Management System (ISMS). You can find ISMS on the Internet or in this unit’s reading. The organization should be one you are familiar with from having worked there.In your paper, include the following:Define and discuss the ISO 27001 Information Security Management System in terms of the Deming Cycle of continuous improvement of Plan-Do-Check-Act (PDCA)Brief description of the organization and type of business engaged in.High level information security policy that defines management’s overall objective for information security as it relates to business requirements and relevant laws and regulations.Information security direction for the organizationInformation security objectives for the organizationInformation on how the organization will meet contractual, legal, and regulatory requirementsA statement of commitment to continuous improvement of the ISMS.High level risk assessment (for purposes of this paper, discuss the top 3-4 risks only)Define a risk management framework that will be usedIdentify risks and describe the riskAnalyze and evaluate the risks in terms of severity and impactStatement of ApplicabilityIdentify selected controls to address identified risks (again only the top 3-4 risks)Explanation of why these controls were selectedConclusion paragraphThis is a short version of an IT governance strategy but will provide a good understanding of the elements that must be included for this ISO 27001 ISMS.Assignment Requirements4-5 pages of content (exclusive of cover sheet and references page), using Times New Roman font style, 12pt, double-spaced, using correct APA formatting, and include a cover sheet, table of contents, abstract, and reference page(s)At least 1 credible source cited and referencedNo more than 1 table or figureNo spelling errorsNo grammar errorsNo APA errors

CompetencyIn this project, you will demonstrate your mastery of the following competencies:Analyze the design of a risk mitigation plan for its inclusion of best practices in the fieldIdentify legal and ethical considerations in risk analysis and mitigation within an information technology environmentScenarioYou are a risk management consultant and have been contacted by the chief information officer (CIO) of Workers Werks Credit Union (WWCU), a mid-size but growing credit union, to conduct an evaluation of its current IT cybersecurity risk management plan. Data privacy is a big concern in the banking sectors, and the CIO is concerned that WWCU’s current plan is outdated and has significant weaknesses.In your conversation with the CIO, you gather the following information about the situation:Current plan: The credit union adopted the current cybersecurity risk plan three years ago, but the CIO is concerned about possible gaps in the plan and would like to update it.Workforce: The credit union has experienced significant revenue growth, and the number of employees with access to its IT infrastructure has grown exponentially in the last five years.WWCU now has nearly 1,000 users with different levels of access to its central database.Strategy: The credit union is looking to expand into new markets in the coming year and will need to make significant changes to its IT infrastructure.Compliance: The CIO is concerned not only about legal compliance but also ethical issues related to the protection of personally identifiable information (PII) of its customers. The company has set these priorities related to legal and ethical compliance:Address the current legal environment (domestic and international)Anticipate emerging issuesMeet industry ethical standards (e.g., SANS IT code of ethics)Match best practices for risk planning within the industryDirectionsRisk Analysis ReportThe CIO is asking you to prepare a 3–4 page report that evaluates the company’s current IT Security Risk Management Plan, linked in the Supporting Materials section.The report should contain the following:Scope: Evaluate the scope and comprehensiveness of the current plan.How does the plan describe its objectives?How does the plan balance risk and cost?In what ways does the plan cover the business objectives end to end?How does the plan address all stakeholders who could be impacted by a cybersecurity attack?Risk: Determine how the current plan identifies risks.How does the plan identify the risks, vulnerabilities, and threats that could impact mission-critical business functions and processes?How does the plan identify industry-related risks (internal and external)?Impact: Analyze how the identified risks might impact the organization’s assets.How does the plan identify key assets and activities that need to be protected?How does the plan estimate the financial impact of losses?How does the plan address business continuity and asset replacement?Mitigation: Evaluate the current plan’s mitigation recommendations.How effectively does the plan translate the risk assessment into a risk mitigation plan?How does the plan prioritize risk elements?Legal Compliance: Assess how the plan addresses legal considerations.Non-Compliance: Determine how the plan anticipates the implications of non-compliance.Ethical Considerations: Assess how the plan aligns with current ethical codes within the cybersecurity field.

One of the responsibilities placed on managers in today's On-Demand Economy is that of ensuring that the business processes are held to a high degree of cybersecurity. Because the concept of data-on-demand is an operational necessity that places the enterprise's and customers' resources at risk to potential fraudulent hacks, all employees, including those that sit in the loftiest of office spaces, must be trained, made aware of the various methods and practices that can lead to vulnerabilities, and held to very high standards of compliance with standard cybersecurity practices.The growth of mobile technologies and the IoT have played a significant role in the On-Demand Economy environment. A downside to the proliferation of such technologies is the cracks and doors into the corporate and agency networks that have been opened along the data path, allowing for an increased level of black hat intrusions and reconnaissance.Case Study AssignmentConduct research on various methodologies and solutions relating to the implementation of effective cybersecurity programs that may be utilized to thwart outside-agency attacks on an enterprise’s networks. Your approach here should be to seek out scholarly source data relating to examples of the various cybersecurity measures that top management and IT departments might provide for employees and contractors, including data access enforcement, network intrusion detection and prevention systems, and real-time responses to incidents and attacks. You could focus your research on any one of the various types of defenses such as anti-malware applications, Intrusion Detection Systems (IDSs), Intrusion Prevention Systems (IPSs), biometric access, rogue app monitoring, mobile kill switch, or remote wipe capability technologies.