The CISO of the organization reaches out to you, the senior


Assignment: Final Project Milestone One: Statement of Work

The CISO of the organization reaches out to you, the senior information security officer, and tasks you with creating an agency-wide security awareness program. He states that he will give you all of his support to complete this project (remember, this is the first component of a security awareness program). He hands you a security gap analysis (the second component of a security awareness program) that was conducted, which shows 10 major security findings. These 10 deficiencies will be translated into deliverables in the SOW. The CISO asks you to develop the SOW in order to establish the foundation for developing the agency's security awareness program. (See the Case Document for more details on the gap analysis.)

Based on the scenario provided in the Case Document, develop the SOW. Be sure to include the purpose of the proposal, address the security concerns of the chief executive officer (CEO), explain why the security awareness proposal will be vital to the organization, describe how the security posture will be addressed, clarify how human factors will be assessed, and list any organizational factors that will contribute to the status of the security posture. The SOW should also address the scope of the work, project objectives, business needs, business goals, technical requirements, deliverables, tasks to achieve the deliverables, high-level schedule of completing the deliverables and tasks, and personnel and equipment requirements. The SOW will serve as the basis for developing the final proposal.

Project Guidelines

Overview

The final project for this course is the creation of a security awareness program proposal.

In any type of enterprise, the security of property, information, products, and employees is of critical importance. Many security threats are caused by malicious intent, but, more often than not, security threats occur because of unintentional human error. In the final project for this course, you will evaluate the current security climate of an organization and develop a plan for mitigating against both malicious and unintentional human errors that could compromise the security of the organization. In addition to developing mitigation strategies, you must appropriately communicate those plans to the diverse, affected stakeholder groups for effective implementation. Ultimately, this assessment prepares you to successfully develop security awareness programs that not only protect the security of an organization's information, but also enhance the health of the overall security culture.

In this assignment, you will demonstrate your mastery of the following course outcomes:

• Determine the current security postures of various organizations by evaluating relevant human factors and applicable information security policies, practices, and processes

• Devise mitigation strategies that effectively protect against potential malicious and unintentional threats to organizations' security postures

• Propose strategies for appropriately resolving inoperative organizational factors that contribute to unhealthy security cultures in organizations

• Communicate key components of information technology security awareness programs to diverse stakeholders for effectively fostering healthy security cultures in organizations

Prompt

You were just hired as the new chief information security officer for a large corporation whose security posture is low. The first thing your chief executive officer tells you is that he has recently seen a presentation by one of the information security team members emphasizing the importance of having a security awareness program. As a result, you have been asked to develop a security awareness program based on the specific needs of the organization. To that end, you will make recommendations for enhancing security policies, practices, and processes that are currently contributing to a dysfunctional security culture. Your chief goal is to build a program that will foster a healthy security culture and ensure continuous improvement. Your final project is to create a security awareness program proposal that addresses the needs of this case.

Specifically, the following critical elements must be addressed:

I. Introduction

a) What is the purpose of your proposal? Why is the new security awareness program vital for the organization? Use specific examples to illustrate your claims.

b) Overall, how would you characterize the security posture of the organization? What were the major findings in your risk assessment of the organization's current security awareness policies, practices, and processes?

c) Specifically, are there human factors that adversely affect the security climate within the organization? If so, how? Be sure to consider unintentional and intentional threats to a healthy security culture.

d) Specifically, are there organizational factors that contribute to an unhealthy security culture in the organization? If so, how? Be sure to consider organizational data flow, work setting, work planning and control, and employee readiness.

II. Proposal

a) What is your proposal for mitigating the identified human factors that pose a threat to the organization's security posture? Describe the specific policies, processes, and practices that must be in place to address each of the following.

i. Unintentional Threats: What strategies can protect against human errors made due to cognitive factors? What strategies can protect against human errors made due to psychosocial and cultural factors?

ii. Intentional Threats: What strategies can protect against social engineering?

b) What is your proposal for resolving inoperative organizational factors that pose a threat to the organization's security posture? Describe the specific policies, processes, and practices that should be in place to address each of the following.

i. Data Flow: How do you make sure that the data sender and the data receiver have a sound connection? How do you ensure that data is not tampered with or altered from its intended meaning? What strategies do you propose to address poor communication?

ii. Work Settings: What strategies do you propose to address distractions, insufficient resources, poor management systems, or inadequate security practices?

iii. Work Planning and Control: What strategies do you propose to address job pressure, time factors, task difficulty, change in routine, poor task planning or management practice, or lack of knowledge, skills, and ability?

iv. Employee Readiness: What strategies do you propose to address inattention, stress and anxiety, fatigue and boredom, illness and injury, drug side effects, values and attitudes, or cognitive factors (e.g., misperception, memory, or judgment)?

III. Communication Plan

a) What messaging strategies should be used to ensure that stakeholders understand, buy into, and support the continuous improvement of your proposed security awareness program? Provide specific examples of the types of communication you are proposing.

b) In a broader sense, how would you convince diverse stakeholders of the overall need for a healthy security culture? How do you make it real and relevant for nontechnical audiences?

Milestone One: Statement of Work

In Module Two, you will create a statement of work (SOW) based on the scenario provided in the Case Document. Be sure to include the purpose of the proposal, address the security concerns of the chief executive officer, explain why the security awareness proposal will be vital to the organization, describe how the security posture will be addressed, clarify how human factors will be assessed, and list any organizational factors that will contribute to the status of the security posture. The SOW should also address the scope of the work, project objectives, business needs, business goals, technical requirements, deliverables, tasks to achieve the deliverables, high-level schedule of completing the deliverables and tasks, and personnel and equipment requirements. The SOW will serve as the basis for developing the final proposal. The format of this assignment will be a two- to four-page Word document.

Milestone Two: Security Policies Development

In Module Four, you will submit 10 security policies as part of the planned solution to mitigate the security gaps identified in the Case Document. This assignment will include a list of access control policies addressing remote access, encryption and hashing (to control data flow), auditing network accounts, configuration change management (to reduce unintentional threats), segregation of duties, mandatory vacation (to mitigate intentional threats), personally identifiable information breaches, media protection, and social engineering. This milestone focuses on security functionality, and each policy should be no longer than one page.

Milestone Three: Continuous Monitoring Plan

In Module Six, you will submit a continuous monitoring plan laying out the foundation for continuously monitoring the organization against malicious activities and intentional and unintentional threats. This milestone also focuses on work setting techniques and work planning policies to help employees manage their stress, anxiety, fatigue, and boredom. As part of the planned solution, you will propose to mitigate the security gaps for the corporation given in the Case Document. You will need to explain what security tools (firewall, intrusion prevention system/intrusion detection system, antivirus, content filtering, encryption, etc.) and employee readiness strategies (training programs, rewards systems, physical wellness programs, etc.) will be used. The format should be a four- to five-page Word document.

Milestone Four: Communication Plan

In Module Eight, you will submit a communication plan that addresses and summarizes the importance of a security awareness program. How can it enhance the success of the organization? The goal of the communication plan is to find and implement messaging strategies to gain senior management's buy-in and support of the security program. Cyber laws, personally identifiable information breaches and implications, costs of security breaches, and advantages of awareness programs should be addressed. The plan should also include how the awareness training and the security policies and procedures will improve the security posture and culture throughout the organization. The format of this assignment will be a Word document.
