CSIA 485 UMGC Cybersecurity Strategy and Plan of Action Paper
Task #0: Read and Analyze the Background Materials If you have not already done so, read the Background information in this file. Next, review the Padgett-Beale M&A Profile 2020 which was posted to the LEO classroom. You should also review all materials from the classroom for Weeks 1 – 4 as these provide needed information about the Financial Services industry and the legal and regulatory requirements which apply to this industry. Task #1: Perform a Gap Analysis & Construct a Risk Register Using the information available to you, determine the most likely information technology/security gaps which existed at Island Banking Services prior to its being acquired by PBI. Next, determine which of these, if not addressed, will likely exist in the newly formed subsidiary PBI-FS. Document your analysis and evaluation in a Gap Analysis. Your Gap Analysis should address operating issues relating to confidentiality, integrity, and availability (CIA) of information, information systems, and information infrastructures owned or used by PBI-FS. Your analysis should also consider and use the People, Process, and Technology framework. Step 1: Identify 10 or more significant cybersecurity issues/challenges/risks which the background information and M&A profile indicate currently exist at PBI-FS / Island Banking Services. You are allowed to “read between the lines” but must be able to map your analysis and findings to specific statements from these documents. These items will become your “Gaps” for the Gap Analysis. Use one or more cybersecurity frameworks or standards (e.g. NIST CSF; People, Processes, and Technologies; Confidentiality, integrity, availability) to organize your analysis. Note: there was significant criminal behavior found at Island Banking Services. Your analysis must address internal weaknesses which allowed this to occur without being discovered by the employees who were not involved in the crimes. Step 2: Using your Gap Analysis (step 1) create a Risk Register in which you list 10 or more specific and separate risks. For each risk, assign a category (confidentiality, integrity, availability, people, process, technology) and a severity (impact level using a 1 – 5 scale with 5 being the highest potential impact). Step 3: Review the laws and regulatory guidance which apply to the Financial Services industry and companies like Island Banking Services. For each entry in your risk register, identify and record the laws, regulations, or standards which provide guidance as to how the identified risks must be addressed or mitigated. Record this in your risk register. Step 4: Review laws and regulations which apply to all companies, i.e. Sarbanes Oxley, IRS regulations for Business Records, SEC regulations and reporting requirements, etc. Review your Risk Register and either map these requirements to existing entries in your risk register or insert new entries for significant legal or regulatory requirements which you were not able to map to your previously identified risks. (Include risk related to non-compliance.) Step 5: Review section 1.2 Risk Management and the Cybersecurity Framework in the NIST Cybersecurity Framework v1.1 (https://nvlpubs.nist.gov/nistpubs/CSWP/NIST. CSWP. 04162018.pdf) Using this information, determine the best strategy for addressing (“treating”) each of your identified risks. Remember the four types of risk mitigation strategies (accept, avoid, control, transfer). Consider the business impact for each of your mitigation strategies (e.g. if you applied an “avoid” strategy across the board, the company would not be able to operate in the financial services industry because it would need to shut down all operations). Record your risk mitigation strategy for each risk in your risk register. For each of your “control” entries, include the corresponding control category and subcategory (if applicable) from the NIST Cybersecurity Framework (see Tables 1 and 2 in version 1.1). Examples: ID.AM Asset Management or PR.AC Identity Management and Access Control. Remember to cite your sources. Step 6: Develop a Cybersecurity Strategy that presents five or more specific actions (strategies) that the company should take to implement your recommended risk mitigations. Include information from your gap analysis, legal and regulatory analysis, risk analysis and proposed risk mitigations. Under each strategy include information about how the strategy will affect or leverage people, policies, processes, and technologies (hardware, software, infrastructure). Include examples and other pertinent information about Island Banking Services and Padgett-Beale. You should have at least one technology related strategy which includes an updated Network Diagram. This diagram must show the to-be state of the IT infrastructure including recommended mitigating or “control” technologies, e.g. intrusion detection, firewalls, DMZ’s, etc. (start with the diagram provided in this assignment file). Note: Your strategy will be presented to the Board of Directors by the executive who is leading the Merger & Acquisition Team so make sure that you write in appropriate language and include sufficient detail to explain your recommended strategy. Step 7: Develop and document a proposed plan of action and implementation timeline that addresses each element of the cybersecurity strategy that you identified previously (in step 6). Provide time, effort, and cost estimates for implementing your recommended actions (include appropriate explanations of your reasoning). Include the resources (people, money, etc.) necessary for completing each task in the timeline. Step 8: Develop a set of 5 or more high-level summary of recommendations regarding the next steps to take in mitigating the risks that you identified in steps 1-7. These recommendations should logically flow from your analysis and be supported by your Cybersecurity Strategy and Plan of Action. Putting It All Together Format your work for Steps 1-7 as a Cybersecurity Strategy and Plan of Action. The six major elements listed below should appear in this order in a single file. Your MS Word format document file must include:Format your recommendations from Step 8 as a Cover Letter / Recommendations Memo to accompany your Security Strategy document. Introduction (what is in this document and to what organization does it apply)Gap Analysis (Step 1)Legal & Regulatory Requirements Analysis (Steps 3, 4)Risk Analysis & Risk Register (Steps 2, 3, 4, 5)Cybersecurity Strategy (Step 6)Plan of Action and Implementation Timeline (Step 7) The Cybersecurity Strategy and Plan of Action is a comprehensive MS Word document that includes a separate title page followed by the six major elements (see list under step 7) and ending with a reference list. Your document must include a reference list and appropriate citations throughout. You will need 10 – 12 pages to fully document your strategy and plan. Use section headings and sub headings to organize your work. You may use internal title pages (section titles) to make it clear where each of the major elements begins and ends. Title pages and reference pages are not included in the recommended length. The Recommendation Memo is a 2 page, professionally formatted memorandum addressed to the Merger & Acquisition Team. This cover letter / memo should summarize why this package is being forwarded to the M&A team for “review and action.” The memo should introduce and provide a brief summary of the purpose and contents of the Cybersecurity Strategy and Plan of Action (name and describe each of the major sections). Use a professional format for your memo (consider using one of the MS Word templates). The memo does not include citations or references but, you may need to name laws or regulations. Notes on Constructing Your Network Diagram (for step 6): Your diagram must be based upon the provided network diagram with additions or deletions that are clearly your own work. You may use MS Word’s drawing tools, Power Point, or other drawing program. When you have completed your diagram, you may find it helpful to take a screen snapshot and then pasted that into your deliverable file(s). You may use commercial or “free” clip-art to represent individual end point devices or network appliances such as routers, firewalls, IDPS, etc.) Clip art does not need to be cited provided that it is clip art (not screen captures from another author’s work).