Who needs an Information Security Program?

Anonymous

Question Description

Please consider using.

Length: 5 to 7 paragraphs

Purpose: Provide background to the Red Clay leadership and answers the following question: Why should our company adopt an ISO/IEC 27001 compliant Information Security Program?

Type: Briefing Paper – keep in mind that a briefing paper should stand alone and give the reader everything s/he needs to answer a question or get enough information to understand a need. The audience are not all technical, so keep your language in non-geek-speak or explain technical ideas/concepts.

Suggested headings/sections include:

Introduction – You might consider providing a general description of what a security standard is and explaining at the general level how Red Clay can benefit from implementing a formally documented information security management system (program). Make sure your introduction has at least two sources (see rubric). You might also cover the purpose of the briefing paper.

ISO/IEC 27001 – What It Is – You might consider providing background about what the standard is and how it can help Red Clay.

ISO/IEC 27001 – Standard Requirements – You might consider providing more details about what the standard requires and provide specific examples of how the standard requirements relate to the Red Clay scenario.

ISO/IEC 27001 – Policies that Support Red Clay Security Program – You might consider addressing the standard's requirements for policies to support the information security program that include specific policy examples and how those policies would support Red Clay.

Summary – Recap what you wrote about.

Provide in-text citations and references for 3 or more authoritative sources. Put the reference list at the end of your posting.

http://www.iso.org/iso/home/standards.htm

http://www.itgovernance.co.uk/files/Infosec_101v1.1.pdf

http://www.isaca.org/Groups/Professional-English/iso-iec-27000-series/GroupDocuments/The%20new%20standard%20ISO27001.pdf

http://www.isaca.org/Knowledge-Center/Research/Documents/Aligning-COBIT-ITIL-V3-ISO27002-for-Business-Benefit_res_Eng_1108.pdf

http://www.enernex.com/wp-content/uploads/2011/09/Cyber_SandyBacik.pdf

https://www.appliedtrust.com/sites/default/files/assets/resources/every-company-needs-a-security-program.pdf

https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf

Unformatted Attachment Preview

Red Clay Renovations Company Profile Valorie J. King, PhD 4/6/2018 Copyright © 2018 by University of Maryland University College. All Rights Reserved. CSIA 413: Cybersecurity Policy, Plans, and Programs Table of Contents Company Overview ....................................................................................................................................... 1 Corporate Governance & Management ................................................................................................... 1 Operations ................................................................................................................................................ 4 Acquisitions ............................................................................................................................................... 5 Legal and Regulatory Environment ........................................................................................................... 5 Policy System ............................................................................................................................................ 6 Risk Management & Reporting ................................................................................................................. 6 IT Security Management ........................................................................................................................... 7 Information Technology Infrastructure ........................................................................................................ 8 Enterprise Architecture............................................................................................................................. 8 Operations Center IT Architecture............................................................................................................ 9 Field Office IT Architecture ..................................................................................................................... 10 System Interconnections ........................................................................................................................ 11 Tables Table 1. Key Personnel Roster ...................................................................................................................... 3 Table 2. Red Clay Renovations Office Locations & Contact Information ...................................................... 4 Figures Figure 1. Red Clay Renovations Organization Chart ..................................................................................... 2 Figure 2. Overview for Enterprise IT Infrastructure ...................................................................................... 9 Figure 3. IT Architecture for Operations Center ......................................................................................... 10 i Company Overview Red Clay Renovations is an internationally recognized, awarding winning firm that specializes in the renovation and rehabilitation of residential buildings and dwellings. The company specializes in updating homes using “smart home” and “Internet of Things” technologies while maintaining period correct architectural characteristics. The company’s primary line of business is Home Remodeling Services (NAICS 236118). Corporate Governance & Management Red Clay Renovations was incorporated in the State of Delaware in 1991 and is privately held. (Its stock is not publicly traded on a stock exchange.)The company maintains a legal presence (“Corporate Headquarters”) in Delaware to satisfy laws relating to its status as a Delaware corporation. The company has a five member Board of Directors (BoD). The Chief Executive Officer (CEO) and Chief Financial Officer (CFO) each own 25% of the corporation’s stock; both serve on the BoD. The CEO is the chair person for the BoD. The three additional members of the BoD are elected from the remaining stock holders and each serve for a three year term. The BoD provides oversight for the company’s operations as required by state and federal laws. Its primary purpose is to protect the interests of stockholders. Under state and federal law, the BoD has a fiduciary duty to ensure that the corporation is managed for the benefit of the stockholders (see http://www.nolo.com/legal-encyclopedia/fiduciary-responsibilitycorporations.html). The BoD has adopted a centrally managed “Governance, Risk, and Compliance” (GRC) methodology to ensure that the corporation meets the expectations of stakeholders while complying with legal and regulatory requirements. The company’s senior management includes the Chief Executive Officer (CEO), Chief Financial Officer (CFO), Chief Operating Officer (COO), Director of Architecture & Construction Services (A&C), Director of Customer Relations (CR), Director of Human Resources (HR), the Director of Information Technology Services (ITS), and the Director of Marketing and Media (M&M). The Director of ITS is dual-hatted as the company’s Chief Information Security Officer (CISO). These individuals constitute the Executive Board for the company and are responsible for implementing the business strategies, policies, and plans approved by the BoD. A separately constituted IT Governance Board is chaired by the Chief Operating Officer. The five directors (A&C, CR, HR, ITS, and M&M) serve as members of the IT Governance board. This board considers all matters related to the acquisition, management, and operation of the company’s information technology resources. The CEO, CFO, and COO have been with the company since it started in 1991. The Directors for A&C, CR, and HR have over 20 years each with the company. The Director for M&M has ten years of service. The Director of ITS / CISO has been with the company less than two years and is still trying to bring a semblance of order to the IT management program – especially in the area of IT security services. This is a difficult task due to the company’s failure to promptly hire a replacement for the previous director who retired two years ago. 1 CSIA 413: Cybersecurity Policy, Plans, and Programs Figure 1. Red Clay Renovations Organization Chart 2 CSIA 413: Cybersecurity Policy, Plans, and Programs Table 1. Key Personnel Roster Name & Title Josiah Randell CEO Isabelle Bromley Office Location Wilmington Office Phone No. 910-555-2158 email Wilmington 910-555-2150 Isabelle_Bromley@ redclayrennovations.com Wilmington 910-555-2152 nr@redclayrenovations.com Wilmington 910-555-2159 morgan@redclayrenovations.com Owings Mills 667-555-5000 julia@redclayrenovations.com Wilmington 910-555-1000 ed@redclayrenovations.com Owings Mills 667-555-6260 Erwin_Carrington@hq.redclayrenovations.com Owings Mills 667-555-6370 Eric_Carpenter@hq.redclayrenovations.com Owings Mills 667-555-6400 an@redclayrenovations.com Ownings Mills 667-555-6900 rn@redclayrenovations.com Owings Mills 667-555-8000 en@redclayrenovations.com Baltimore 443-555-2900 Charles@balt.redclayrenovations.com Baltimore 443-555-2900 Erica@balt.redclayrenovations.com Philadelphia 267-555-1200 William@philly.redclayrenovations.com jr@redclayrenovations.com Executive Assistant to Mr. Randell Natalie Randell Chief of Staff Morgan Randell CFO Julia Randell COO Edward Randell, Esq Corporate Counsel Erwin Carrington CIO & Director IT Services Eric Carpenter CISO / Deputy CIO Amanda Nordham Director, Customer Relations Rebecca Nordham Director, Marketing & Media Eugene Nordham Director, Architecture & Services Charles Knox Manager & Architect in Charge, Baltimore Field Office Erica Knox Office Manager & ISSO, Baltimore Field Office William Knox Manager & Architect in Charge, Philadelphia Field Office 3 CSIA 413: Cybersecurity Policy, Plans, and Programs Alison Knox-Smith Philadelphia 267-555-1200 Alison@philly.redclayrenovations.com Office Manager & ISSO, Philadelphia Field Office Operations Red Clay Renovations has offices in Baltimore, MD, Philadelphia PA, and Wilmington, DE. The contact information for each location is provided in Table 2. Table 2. Red Clay Renovations Office Locations & Contact Information Location Baltimore Field Office Philadelphia Field Office Operations Center (Owings Mills) Wilmington Office Mailing Address 200 Commardy Street, Suite 450 Baltimore, MD 21201 1515 Chester Street Philadelphia, PA 19102 12209 Red Clay Place Owings Mills, MD 21117 12 High Street Wilmington, DE 19801 Phone Number 443-555-2900 267-555-1200 667-555-6000 910-555-2150 The Operations Center is the company’s main campus and is located in suburban Baltimore, MD (Owings Mills). The Owings Mills facility houses the company’s data center as well as general offices for the company’s operations. These operations include: accounting & finance, customer relations, human resources, information technology services, marketing, and corporate management. There are approximately 100 employees at the Operations Center. Day to day management of the Owings Mills facility is provided by the company’s Chief Operating Officer (COO). The company’s Chief Executive Officer, corporate counsel, and support staff maintain a presence in the company’s Wilmington, DE offices but spend most of their time at the Owings Mills operations center. Field Offices are located in downtown Baltimore and suburban Philadelphia. Each office has a managing director, a team of 2-3 architects, a senior project manager, a business manager, and an office manager. Support personnel (receptionist, clerks, etc.) are contractors provided by a local staffing services firm. Each office operates and maintains its own IT infrastructure. The company’s architects, project managers, and other support personnel frequently work from renovation sites using cellular or WiFi connections to access the Internet. Many field office employees are also authorized to work from home or an alternate work location (“telework site”) one or more days per week. 4 CSIA 413: Cybersecurity Policy, Plans, and Programs Acquisitions Red Clay acquired “Reality Media Services,” a five person digital media & video production firm in 2015 (NAICS Codes 512110, 519130, and 541430). RMS creates a video history for each residential construction project undertaken by Red Clay Renovations. RMS also provides Web design and social media services for Red Clay Renovations to promote its services. RMS employees work primarily out of their own home offices using company provided equipment (computers, video / audio production equipment). Each employee also uses personally owned cell phones, laptops, digital cameras, and camcorders. While RMS is now wholly owned by Red Clay, it continues to operate as an independent entity. Red Clay senior management is working to change this, however, starting with bringing all IT and IT related resources under the company’s central management. As part of this change, Red Clay has set up a media production facility (“Media Studio”) in its headquarters location which includes office space for RMS personnel. The production facility and RMS operations are under the management control of the Director, Marketing & Media Services. Legal and Regulatory Environment The firm is licensed to do business as a general contractor for residential buildings in three states (DE, MD, PA). The company’s architects maintain professional licensure in their state of residence. The company’s general counsel is licensed to practice law in Delaware and Maryland. The Chief Financial Officer is a Certified Public Accountant (CPA) and licensed to practice in all three states. The company collects, maintains, and stores personal information from and about customers over the normal course of doing business. This includes credit checks, building plans and drawings for homes, and information about a customer’s family members which needs to be taken into consideration during the design and construction phases of a project (e.g. medical issues / disabilities, hobbies, etc.). When renovations are required due to a medical condition or disability, the company works with health insurance companies, Medicare/Medicaid, and medical doctors to plan appropriate modifications to the home and to obtain reimbursement from insurers. This sometimes requires that the company receive, process, store, and transmit Protected Health Information (PHI) generated by medical practitioners or as provided by the customer. The company’s legal counsel has advised it to be prepared to show compliance with the HIPAA Security Rule for PHI for information stored on computer systems in its field offices and in the operations center. Red Clay began offering “Smart Home” renovation services in 2005 (NAICS Codes 541310 and 236118). These services are primarily offered out of the Baltimore and Philadelphia field offices. A large percentage of the company’s “smart home” remodeling work is financed by customers through the Federal Housing Administration’s 203K Rehab Mortgage Insurance program. Red Clay provides assistance in filling out the required paperwork with local FHA approved lenders but does not actually 5 CSIA 413: Cybersecurity Policy, Plans, and Programs process mortgages itself. Red Clay does, however, conduct credit checks on prospective customers and accepts credit card payments for services. As a privately held stock corporation, Red Clay Renovations is exempt from many provisions of the Sarbanes-Oxley Act of 2002. But, in certain circumstances, i.e. a government investigation or bankruptcy filing, there are substantial criminal penalties for failure to protect business records from destruction or spoliation. Policy System The company’s Chief of Staff is responsible for the overall organization and management of the company’s collection of formal policies and procedures (“policy system”). The company’s policies provide guidance to employees and officers of the company (CEO, CFO, and the members of the Board of Directors) with respect to their responsibilities to the company. Policies may be both prescriptive (what “must” be done) and proscriptive (what “must not” be done). Responsibility for writing and maintaining individual policies is assigned to a designated manager or executive within the company. Each policy identifies the responsible individual by title, e.g. Director of Human Resources. The major policy groupings are:      Human Resources Financial Management Information Technology Employee Handbook Manager Deskbook Selected policies are published as an Employee Handbook and a Manager’s Deskbook to communicate them to individual employees and managers and to ensure that these individuals are aware of the content of key policies which affect how they perform their duties. Risk Management & Reporting The company engages in a formal risk management process which includes identification of risks, assessment of the potential impact of each risk, determination of appropriate risk treatments (mitigation, acceptance, transfer), and implementation of the risk management strategy which is based upon the selected risk treatments. For information technology related risks, the CISO working in conjunction with the IT Governance Board is responsible for identifying and assessing risks. Corporate-wide, high level risks which could impact the company’s financial performance are disclosed to shareholders during the annual meeting and in the Annual Report to Investors. For the current year, the following high level cybersecurity related risks will be disclosed. 6 CSIA 413: Cybersecurity Policy, Plans, and Programs 1. Cyber-attacks could affect our business. 2. Disruptions in our computer systems could adversely affect our business. 3. We could be liable if third party equipment, recommended and installed by us (e.g. smart home controllers), fails to provide adequate security for our residential clients. The company’s risk treatments for cybersecurity related risks include purchasing cyber liability insurance, implementing an asset management and protection program, implementing configuration baselines, implementing configuration management for IT systems and software and auditing compliance with IT security related policies, plans, and procedures. The corporate board was recently briefed by the Chief Information Officer concerning the company’s IT Security Program and how this program contributes to the company’s risk management strategy. During the briefing, the CIO presented assessment reports and audit findings from IT security audits. These audits focused upon the technical infrastructure and the effectiveness and efficiency of the company’s implementation of security controls. During the discussion period, members of the corporate board asked about audits of policy compliance and assessments as to the degree that employees were (a) aware of IT security policies and (b) complying with these policies. The CIO was tasked with providing audit reports for these items before the next quarterly meeting of the corporate board. The corporate board also asked the CIO about future plans for improvements to the IT Security program. The CIO reported that, in the coming year, the CISO will begin implementation of an IT vulnerability management program. The CIO also reported that the CISO is working with the IT Governance Board to restart the company’s security education, training, and awareness (SETA) program. SETA activities had fallen into disuse due to a perceived lack of quality and lack of timeliness (out of date materials). The CISO has also determined that the System Security Plans for the field offices are out of date and lacking in important security controls. These plans have been scheduled for update in the near future to ensure that the company’s risk management strategy for cybersecurity risks is fully implemented. IT Security Management The company’s Chief Information Security Officer (CISO) is responsible for providing management oversight and technology leadership for the company’s Information Technology security program. This program is designed around the ISO 27001/27002 requirements but is not fully compliant. For cost reasons, the Chief Information Officer (CIO) has decided not to pursue implementation of CobiT or ITIL standards for managing IT systems and services. A less costly alternative, using NIST guidance documents, was approved at the CISO’s suggestion. The CISO’s selected guidance documents include:    NIST SP 800-12 “An Introduction to Computer Security: The NIST Handbook: NIST SP 800-18 “Guide for Developing Security Plans for Federal Information Systems” NIST SP 800-53 “Security and Privacy Controls for Federal Information Systems and Organizations” 7 CSIA 413: Cybersecurity Policy, Plans, and Programs   NIST SP 800-100 “Information Security Handbook: A Guide for Managers” NISTIR 7621 “Small Business Information Security: The Fundamentals” The CISO has determined that the closest fit for the level of security required by law for the company’s IT systems is the “moderate level” as defined in the FIPS 199/200 standards and specified in NIST SP 800-53 Revision 4. The company has created its own minimum security controls baseline which is used for developing system security plans. Under the company’s existing IT Security Management Plan, the following individuals are responsible for the security of its IT systems. 1. Chief Information Officer: designated approving official for all IT systems certification and authorization. 2. Chief Information Security Officer: responsible for developing security plans and procedures. 3. Chief Financial Officer: responsible for negotiating and providing oversight for contracts and service level agreements for IT services. 4. Chief Operating Officer: responsible for approval ...
Purchase answer to see full attachment

Tutor Answer

EagleEye1
School: Purdue University

Attached.

Running head: INFORMATION SECURITY PROGRAM

Information Security Program
Students Name
Institution Name

1

INFORMATION SECURITY PROGRAM

2

Introduction
A security standard is a documented instruction that every unit has to adhere to be safe if it is
to operate effectively. In the case of the Red Clay Company, a security standard comes in play
when the company would like to advance its activities in enhancing the renovation of homes
using advanced technology (Valorie J. King, 2018). The first benefit that the Red Clay Company
would experience is the ability to keep their data and vital information safe from intrusion.
Additionally, a security program guarantees confidentiality, integrity and the availability of the
data to the right persons. The primary motive behind the implementation of a security standard is
to ensure the safety of the information in the Red Clay Company that is considered vital to its
su...

flag Report DMCA
Review

Anonymous
Excellent job

Similar Questions
Related Tags

Brown University





1271 Tutors

California Institute of Technology




2131 Tutors

Carnegie Mellon University




982 Tutors

Columbia University





1256 Tutors

Dartmouth University





2113 Tutors

Emory University





2279 Tutors

Harvard University





599 Tutors

Massachusetts Institute of Technology



2319 Tutors

New York University





1645 Tutors

Notre Dam University





1911 Tutors

Oklahoma University





2122 Tutors

Pennsylvania State University





932 Tutors

Princeton University





1211 Tutors

Stanford University





983 Tutors

University of California





1282 Tutors

Oxford University





123 Tutors

Yale University





2325 Tutors