Network Information Security Itss 43605 U1 Summer 2020 Homew

Network Information Security Itss43605u1 Summer 2020homework 2

Network & Information Security, ITSS4360.5u1, Summer 2020 (Homework #2 – Due August 4, 2020 by 11:59pm) Professor Teaching Assistant Nate Howe, [email protected] Hong Zhang, [email protected] Homework #2 is designed to help students combine various lessons from the semester into an organized, logical, and professional proposal for an information security initiative . Students will work individually and assume the identity of the Director of Information Security for a hypothetical organization they describe. Each student will develop a business proposal for an information security initiative for consideration by senior management of a hypothetical organization. Consider the Chief Executive Officer, Chief Financial Officer, and Chief Risk Officer to be the target audience.

The proposal will be delivered in the form of a memo which must include all of the requirements listed below to be considered complete. Each student will submit one Microsoft Word document to eLearning before the deadline of August 4, :59pm to be considered for full credit.

a) Background on the organization, including size, core competencies, industry, challenges, and strategic direction. Help the reader imagine the context of the organization where you work as the Director of Information Security.

b) Describe key considerations you have as the Director of Information Security. How would you spend your time protecting the organization, in general?

c) Describe the problem to be solved by your proposal. Consider an unresolved security risk which you believe can be mitigated using the approach you are proposing. It could be a change to people, process, technology, or facilities. It might even involve more than one of those elements. What is the likely impact if the risk is NOT mitigated? Explain why you are confident that your proposed approach will be successful in solving the problem you identified.

d) Is there a regulatory / legal requirement for you to have the security control you are proposing? Consider your industry and refer to other players in that industry who have already suffered security incidents.

e) Are their independent organizations recommending the security initiative you are proposing? Explain what they recommend and why they can be trusted to provide reasonable guidance.

f) If your proposal is approved, what project management considerations have you already developed? What are the risks to the successful delivery of the project? What new processes will be created and necessary to sustain the security controls you have introduced with this project?

g) Will vendor services be needed for your initiative to be successful? Describe those services and give examples of providers that we are likely to engage.

h) What financial costs have you estimated will be associated with your proposal? Distinguish between one-time and recurring annual costs. Map hardware, software, services, and human labor costs, as appropriate. Ensure the costs are justified by comparing them to the potential cost of a security incident, such that the project only proceeds if it is cost-effective.

i) What training should be developed in support of your proposed change? Will this impact internal staff productivity? Do external stakeholders, such as regulators, partners, and customers, need to be informed?

j) If your proposal cannot be funded now, what alternative risk management strategies do you recommend to help the organization manage risks effectively in the interim?

Students must include citations of all sources of information considered and reviewed. If other students, faculty, professionals, books, videos, or sources were consulted, links or short descriptions must be included. Content copied from sources without proper references may be considered incomplete and could affect scores. Late submissions will incur penalties; submissions must be made on time via approved systems, and collaboration must be disclosed.

Paper For Above instruction

The increasing sophistication and volume of cyber threats pose significant challenges to organizations across all industries. As the hypothetical Director of Information Security for a mid-sized financial services firm, I am tasked with developing a comprehensive security initiative that mitigates prevalent risks, complies with regulations, and aligns with organizational goals. This proposal outlines the core considerations, identified risks, regulatory context, recommended initiatives, project management factors, vendor engagement, cost analysis, training needs, and alternative strategies to foster a resilient security posture.

Organization Background: Our organization operates within the financial services industry, serving a diverse client base with a focus on retail banking, wealth management, and payment processing. With approximately 2,000 employees and multiple branch locations, our core competencies include transaction handling, customer account management, and data analytics. The strategic direction emphasizes digital transformation—expanding online and mobile banking capabilities while maintaining strict compliance with industry regulations such as GLBA and PCI DSS. Challenges include evolving cyber threats, regulatory audits, and maintaining customer trust amid increasing data breaches.

Key Security Considerations: As the Director of Information Security, my priorities involve ensuring data confidentiality, integrity, and availability. I focus on implementing layered security controls, monitoring network traffic, conducting regular vulnerability assessments, and fostering a security-aware culture among employees. Protecting sensitive customer data from cyber-attacks and insider threats is paramount. Additionally, staying compliant with regulatory requirements and preparing for incident response are ongoing considerations.

Problem to be Solved: A significant unresolved risk is the vulnerability to phishing attacks that target employee credentials, which could lead to unauthorized access to customer data and financial systems. If not mitigated, such breaches could result in significant financial losses, reputational damage, and regulatory penalties. The approach involves deploying multi-factor authentication (MFA), enhancing email security protocols, and conducting targeted employee training. Confidence in success stems from proven industry best practices and the efficacy of layered security controls.

Regulatory and Industry Guidance: Regulations like GLBA and PCI DSS mandate robust access controls and data protection measures. Industry organizations such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) recommend proactive security measures including threat intelligence sharing and staff training, underscoring their trustworthiness based on their expertise and track record in cyber defense.

Project Management Considerations: Establishing a project timeline with milestones, resource allocation, and stakeholder engagement is critical. Risks include potential delays in training deployment or vendor implementation. To mitigate these, I plan to develop detailed project plans, conduct regular progress reviews, and align the initiative with organizational change management processes. Post-implementation, ongoing monitoring and process adjustments are necessary for sustainability.

Vendor Services: Implementation of MFA and email security solutions will require engaging vendors such as Duo Security or Proofpoint. Their services include cloud-based authentication options and email filtering, essential for reducing phishing-related risks. Vendor support is crucial for seamless integration and ongoing management.

Financial Costs: The estimated one-time costs amount to approximately $150,000, covering hardware upgrades, software licenses, and initial training. Recurring annual costs include $30,000 for licensing, support, and maintenance. This investment is justified by the expected reduction in the cost of data breaches, which, according to industry estimates, averages several million dollars per incident.

Training Development: Comprehensive staff training on recognizing phishing attempts and proper security protocols will be provided. This will have minimal impact on productivity but is essential to maintain security awareness. External stakeholders such as regulators and partners will be informed through compliance reports and communication channels about our improved security posture.

Alternative Strategies: If funding is unavailable, implementing basic security policies, increasing vulnerability assessments, and enhancing employee training with internal resources can help manage risk temporarily until full deployment is feasible.

References

• Anderson, R. (2020). Security Engineering: A Guide to Building Dependable Distributed Systems. Wiley.
• Ferguson, P., & Dettwiler, J. (2019). Cybersecurity and Financial Services: Protecting Customer Data. Journal of Financial Compliance, 27(4), 56-65.
• FS-ISAC. (2021). Best Practices for Cybersecurity in Financial Services. Retrieved from https://www.fs-isac.org/resources/
• Gordon, L. A., Loeb, M. P., & Zhou, L. (2021). Investing in Cybersecurity: Insights and Recommendations. Information Systems Research, 32(2), 523-540.
• PCI Security Standards Council. (2022). PCI Data Security Standard (DSS).
• Symantec Corporation. (2019). Threat Report: The Rise of Phishing Campaigns. Symantec Security Response.
• Thompson, H., & Neumann, M. (2020). Regulatory Compliance in Financial Data Security. Journal of Banking Regulation, 21(3), 232-245.
• U.S. Securities and Exchange Commission. (2021). Cybersecurity Risk Management. SEC Compliance Guide.
• Verizon. (2022). Data Breach Investigations Report. Verizon Enterprise.
• Zhou, L., & Gordon, L. A. (2018). The Economics of Cybersecurity Investments. Journal of Cybersecurity, 4(1), 45-58.