Assignemnt:
Short Essay (30 points). Please restrict your answer to three (3) pages (double spaced) or less.
Global Corporation, Inc. (GCI) is a fictional multi-national company providing outsourced financial services to a variety of clients across many industries, including commercial and government entities. GCI specializes in billing and invoicing services, in which GCI receives relevant data from its clients and stores the data in a central database server and processes the data to produce the invoices, monthly statements, and other billing items that are sent to GCI's clients' customers. GCI employees serve the company's customers both on-site at customer locations and while working in GCI facilities. GCI employees routinely store data related to multiple clients on their company-issued laptops and flash drives.
GCI's Chief Information Officer, having read of the numerous data breaches reported among commercial and government organizations, has become concerned about the risk to GCI's customers and potentially the company's reputation if GCI were to experience a similar breach. She has tasked you, the Director of Information Security, to create a new corporate policy regarding the protection of client and company confidential data stored on employee computers, particularly laptops and flash drives. Respond to each of the following, taking into account material we have studied in this course regarding threats and vulnerabilities, as well as Stallings and Brown (Chapter 14.2) discussion of the characteristics of effective security policies. Cite these and other pertinent sources used in your answer. Be specific but fully explain and give reasons for your answers.
a. Summarize the primary vulnerabilities and potential threats that exist for GCI related to the practice of storing sensitive data on laptops. In your opinion, which of the risks GCI faces are most significant to the company?
b. What measures would you propose to senior management to try to prevent a breach of data held by GCI? Your response should include recommendations for mitigating vulnerabilities identified in part (a).
c. Write a succinct policy statement specifying employee and company responsibilities for protecting client and corporate data, such as the data stored on employee laptops and flash drive. Be sure to address requirements for protecting the data from theft, and for rendering the data unusable should it be compromised. In your Policy, focus on these items:
• Scope and purpose including business, legal, regulatory requirements
• Security requirements (Confidentiality and integrity of customer and enterprise data, availability, authentication and authorization and auditing requirements if any)
• Assignment of responsibilities
• Security awareness and training
• Any legal sanctions/penalty for non-compliance by employees
• How and when policy reviewed and updated
• Timeframe for implementation of security requirements