What lessons can be learned from Equifax's failures


Assignment

You recently started a new job for a financial services company that caters to consumers. It's a large company with thousands of employees and moderately complex information systems.

One morning, a senior executive calls you into their office. Following a recent spate of data breaches and ransomware attacks on major financial companies, the Board of Directors and the CEO have asked your team to conduct a company-wide, top-to-bottom review of the organization's cybersecurity practices. The scope of the review entails sizing up the company's current cybersecurity posture and producing a set of recommendations for the C-Suite to consider.

The executive candidly tells you, "Frankly, this is long overdue. I've been worried about our internal coordination ever since the Equifax hack back in 2017. We've never had an opportunity to carry out a serious review. The security teams are decentralized and scattered across the corporate divisions. It's difficult to get a bird's-eye view of our security operations. This is also the first time that the CEO and Board have been interested in our security practices."

The senior executive leaves you with an assignment. Read the Congressional report on the Equifax breach - slidedeck (approximately 9-12 slides) for a kick-off meeting with your team. Use the findings from the Equifax report - as well as any relevant professional experience you might have - to extrapolate starting points for the security review. Be specific in your recommendations and be sure to explain your reasoning in the deck by appending notes to each slide.

At a minimum, your presentation should address the following questions:

A. What technical failure(s) were the root cause of the 2017 Equifax breach? What managerial failures may have contributed to the Equifax breach? How, if at all, are they related?

B. Which of Equifax's practices would you estimate were the riskiest? Why?

C. What lessons can be learned from Equifax's failures?

D. Knowing that your company is in a similar position to Equifax's in 2017, what do you think the scope of the review should be? What are your main points of concern, and how would you prioritize them?

E. What kinds of information would you seek to know from teams across the company? Why?

F. What would you suggest should happen if the review team uncovers evidence of a security incident during the review process?

G. Do you have any additional insights or guiding questions to help scope the review at this stage?
