Running head: ENTERPRISE SECURITY PROPOSAL
Enterprise Security Proposal
Name
Course
Tutor
Date
Enterprise Security Proposal
Introduction
Many organizations now rank information security as their number one concern. Over the
last five years, CIOs of many large companies have explained why information security has moved
to the top of the list of organizational concerns. Several companies' business models rely
heavily on capturing, mining, analyzing, sharing, and storing data. Insecure data management
can lead to huge losses for an organization, some of them severe enough to threaten its survival
as a going concern. Internally, IT departments are often challenged by the task of dividing and
distributing information security responsibilities throughout the organization. An enterprise
comprises many departments undertaking related or unrelated activities, and it is this setting
that makes rolling out a comprehensive enterprise-wide security plan complex.
Furthermore, not all departments in an organization will always agree while implementing
their respective policies; departmental interests routinely compete. If the division and
distribution of information security responsibilities are not handled properly, they can create
problems instead of addressing them.
Proposed Plan
Assurant is a U.S.-based global provider of risk management products and services.
Headquartered in New York City, the company was founded in 1892 and now holds a 0.9% share of
the insurance market. Assurant currently has a presence in more than 100 countries, with
$5.6 billion in direct premiums written. Over the years, the company has had a history of
information security challenges, the most memorable incident being the massive data theft
that occurred in 2018. Recent information security-related complaints about the organization
indicate that the security of the company's IT infrastructure as a whole has never been
addressed. For that reason, we propose a comprehensive enterprise security plan for the company.
Establish Security Oversight Board
Several strategies can be used to develop a comprehensive enterprise-wide security plan.
In this proposal, we suggest a strategy that places a security oversight board at the helm of all
information security-related matters. The board is composed of management representatives
from the corporate functional office and from all of the organization's business units. Under
the board sits an information security committee whose specific responsibility is to divide and
distribute information security responsibilities among the organization's departments as the
need demands. Being an oversight body, the board can choose either to be involved in the
day-to-day information security activities of the organization or to supervise the committee's
activities.
Assignment of Responsibilities to Governance Categories
Education, Training, and Awareness
Under the supervision of the board, the committee will ensure that all governance
categories of IT information security are assigned responsibilities and periodically updated as
required by the policies already laid down. For instance, the committee will conduct periodic
training and awareness sessions for the organization's employees, especially those exposed to
critical organizational data and systems (Multi-dimensional enterprise-wide security: An action
plan, 2020). Because of the changing nature of information technology, the committee must
conduct education, training, and awareness exercises every six months (Infosec, 2020). These
sessions will expose the organization's employees and other system users to the latest
information security updates.
Regulatory and Legal Requirements
Another governance category that the committee will undertake, also under the close
supervision of the board, is compliance with industry regulations and with the standards laid
out by professional organizations concerned with enterprise information security. Compliance
with legal requirements will also be necessary.
Audit and Validation
Another governance category the committee will undertake is the audit and validation of
the company's systems and protection mechanisms. This will include penetration tests,
configuration reviews, and controls validation; moving all point-in-time validation procedures
to continuous validation; and, finally, automating security system validation.
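As an added illustration of the automated controls validation this category calls for (example code written for this proposal, not something Assurant or the cited sources provide), the following Python script compares a host's configuration snapshot against a baseline of expected control settings, reports which controls fail, and shows which controls have drifted since the previous run. Running the same check on a schedule is what turns a point-in-time review into continuous validation. The control identifiers, setting names, thresholds, and snapshot values are assumptions made for the illustration, not Assurant's actual baseline.

```python
"""
Added example (not part of the original proposal): minimal automated
controls validation. A baseline of expected control settings is compared
against a configuration snapshot taken from a host; run repeatedly, the
drift between two runs is reported. Control ids, setting names and the
snapshot format are assumptions made for this illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Control:
    control_id: str                                # hypothetical id, e.g. "PW-01"
    description: str                               # what the control requires
    check: Callable[[dict[str, Any]], bool]        # predicate over a snapshot


# Baseline the committee would own: each control is a predicate over a snapshot.
# Thresholds here are illustrative assumptions, not a published standard.
BASELINE: list[Control] = [
    Control("PW-01", "minimum password length >= 12",
            lambda s: s.get("password_min_length", 0) >= 12),
    Control("PW-02", "account lockout after at most 10 failed logins",
            lambda s: 0 < s.get("lockout_threshold", 0) <= 10),
    Control("NET-01", "SSH root login disabled",
            lambda s: s.get("ssh_permit_root_login", "yes") == "no"),
    Control("LOG-01", "audit logging enabled",
            lambda s: s.get("audit_logging") is True),
    Control("TLS-01", "only TLS 1.2 or newer offered",
            lambda s: bool(s.get("tls_versions"))
            and set(s["tls_versions"]) <= {"TLSv1.2", "TLSv1.3"}),
]


def validate(snapshot: dict[str, Any]) -> list[str]:
    """Return the ids of controls that FAIL for this snapshot, in baseline order.
    A missing setting counts as a failure (every predicate defaults to False)."""
    return [c.control_id for c in BASELINE if not c.check(snapshot)]


def drift(previous: list[str], current: list[str]) -> dict[str, list[str]]:
    """Compare two validation runs: controls that newly fail and controls that
    were fixed. This comparison is what continuous validation adds over a
    single point-in-time review."""
    prev, cur = set(previous), set(current)
    return {"new_failures": sorted(cur - prev), "resolved": sorted(prev - cur)}


# Constructed snapshots (not real Assurant data): the same host on two days.
SNAPSHOT_DAY1: dict[str, Any] = {
    "password_min_length": 14,
    "lockout_threshold": 5,
    "ssh_permit_root_login": "no",
    "audit_logging": True,
    "tls_versions": ["TLSv1.2", "TLSv1.3"],
}
# On day two someone re-enabled root SSH and an old TLS version: config drift.
SNAPSHOT_DAY2: dict[str, Any] = dict(
    SNAPSHOT_DAY1,
    ssh_permit_root_login="yes",
    tls_versions=["TLSv1.0", "TLSv1.2"],
)


def run_demo() -> dict[str, list[str]]:
    """Validate both days and report the drift between them."""
    day1 = validate(SNAPSHOT_DAY1)   # expected: no failures
    day2 = validate(SNAPSHOT_DAY2)   # expected: NET-01 and TLS-01 fail
    return drift(day1, day2)


if __name__ == "__main__":
    for c in BASELINE:
        print(f"{c.control_id}: {c.description}")
    print("day 1 failures:", validate(SNAPSHOT_DAY1))
    print("day 2 failures:", validate(SNAPSHOT_DAY2))
    print("drift:", run_demo())
```

In practice the snapshot would be produced by a configuration-management agent or a query against the host, and `validate` would be scheduled to run after every change and at a fixed interval, with `drift` output routed to the committee's ticketing or SIEM so that a newly failing control is treated as an incident rather than waiting for the next audit.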
Policies, procedures, and standards
Finally, the fourth governance category is policies, procedures, and standards. The
implementation committee will review the existing policies and recommend necessary changes.
Policies are simply the operating principles that an organization uses. Common information
security policies that the committee will enforce include password policies and company
document handling policies. Procedures, on the other hand, are step-by-step outlines of how
things are done; in the organization, the committee will issue or enforce the procedure for
system user authentication. Finally, standards are the rules and controls that the committee
will rely on while enforcing the above policies. For instance, ISO/IEC 27001 specifies the
requirements for establishing, implementing, maintaining, and continually improving an
information security management system within the context of the organization (Tricomi, 2020).
Other Core-Security Dimensions
Another important area to which the security committee will assign responsibilities is the
remaining core security dimensions. These are further essential elements of any information
security plan and include the end users (the organization's employees), business partners, the
organization's customers, and suppliers. The committee will define their roles and scope as far
as security management is concerned.
Conclusion
The adoption of this proposal is subject to the review and approval of the organization's
administrative management. It provides a clear picture of how the company, Assurant, can
manage its information security going forward.
References
Infosec. (2020). IT security standards and best practices. Retrieved 11 September 2020, from
https://www.infosec.gov.hk/en/useful-resources/it-security-standards-and-best-practices
Multi-dimensional enterprise-wide security: An action plan. (2020). Retrieved 11 September
2020, from https://searchsecurity.techtarget.com/feature/Multi-dimensional-enterprise-wide-security-An-action-plan
Tricomi, K. (2020). Policies, procedures, and standards. BPMInstitute.org. Retrieved 11
September 2020, from https://www.bpminstitute.org/resources/articles/policies-procedures-and-standards