Business Case Scenario: Aloe Insurance AS (henceforth referred to as Aloe) is a Norwegian financial services firm listed on the Oslo Stock Exchange.
Problem Task 1: Presentation (Power point with voice recording)
Explain to the members what Information Security is Motivate why Information Security is important, considering the context of the organization and threat landscape Summarize where Information Security fits into and forms part of the larger ICT governance and corporate governance structures within the firm Highlight the results from your preliminary risk landscape analysis (Task 2)
State the risks that you identified and their severity rating
Motivate the severity of the risks by explaining how it could impact the firm
Suggest any mitigating control (not device/system/technology specific, see e.g. ISO27002 control/s that could mitigate the risk)
Briefly motivate why implementing controls in isolation won't be as effective as implementing an ISMS
Outline and briefly explain the phases that Aloe will have to undertake if they were to implement an ISMS based on the "ins2outs" 7-step approach discussed in Lecture 6
You need to outline to the executive, the phases of an ISMS implementation and briefly explain each phase to them (i.e. requirements, outputs etc.), walk them through the phases
To add value to your presentation and to solidify the importance and need for information security management within Aloe, you want to outline potential risks that already exist within Aloe, considering the context of the firm (industry, revenue, services, client data processing and storage etc.). Therefore, in preparation for this presentation to ExCo, you want to have meetings with various managers within the broader ICT function to identify obvious risks in their current processes. The point of this exercise is to emphasize to the executive, that without any extensive analysis or audit, you are able to identify major information security risks in the organization.
As such, you had meetings with various department heads, and operational ICT staff, to assess and gain a high-level overview of existing information security risks that have been overlooked in the past, and doing so without conducting an extensive risk assessment (due to 2 week time limit, and also because an extensive information security risk assessment will be conducted as part of the ISMS roll-out). Notes from your meetings are detailed below:
"...We are running monthly backups to our onsite server on our ClaimHub system, which stores and processes all insurance claims. Our data center is quite impressive, didn't even need to set up a secondary site, got all we need here..."
"...we had some issues with processing timeframes for new life insurance applications, so we resorted to just setting up a network share drive for all the guys in the life insurance department so they could copy the application and supporting docs like ID's etc. to the network for everyone to access easily, we sent an email to the department telling people they should respect privacy and only work on their own client documents..."
"...all employees have access to the ClaimHub system, we did of course lock down the Admin account, about 8 of us in the infrastructure team have access to the Admin account so we can easily implement changes to the system code and so forth when we're having issues..."
"...when an insurance claim has been processed on ClaimHub, it is sent to our client relations team in Bergen. We set up an ftp link with the AloePay system so the two systems can communicate and share data. The team in Bergen can therefore easily view newly processed claims and make any payouts to clients..."
Problem Task 2: Supporting Document
Prepare a report to hand out at the ExCo meeting, detailing the risks that you were able to identify during your meetings with ICT staff:
Summary of the organization (0.5 page). This is as explained in your own words, a summary of what Aloe does, the industry in which it operates and its value proposition.
Introduction outlining what you did
Explain in a short paragraph the process you followed to come to the conclusions in the report (extrapolate from the scenario and fill in any blanks regarding methodology you followed etc.)
Detail the identified risks:
Each risk should be contained in its own sub-section,
No longer than one page per risk
As seen in Figure 1, each risk should document the following:
Describe the risk within context of Aloe, explaining what the risk is and why it is a risk
Give the risk a risk rating (Figure 2), based on your professional judgment, considering the impact and likelihood of the risk materializing (Figure 3) in the organizational context
Summarize the potential impact this risk could have on Aloe, should it materialize
Outline potential control/s that could be implemented to mitigate this risk (reference any control from ISO27002) and explain why it could mitigate the risk
Attachment:- Case study-Aloe Insurance AS.rar