Cybersecurity Strategy and Action Plan (CSIA485)
Your mission is to:
You’ve been tasked with assisting the Padgett-Beale Merger & Acquisition (M&A) team, reporting to Padgett-Beale’s Chief Information Security Officer (CISO). The M&A team is working out how to integrate Island Banking Services, a new purchase, into the company as its financial services arm (PBI-FS). PBI-FS will operate as a wholly owned subsidiary at first, which means it will need its own cybersecurity program.
Your first significant project (Project #1) will be to assist PBI-FS in developing a Cybersecurity Strategy and Plan of Action. You’re starting from scratch because Island Banking Services never had a structured cybersecurity program. You’ll need to do some research on best practices and draw heavily on what you learnt in your Cybersecurity Management and Policy undergraduate coursework. For this assignment, the CISO has supplied detailed guidelines. (These are listed after the background information.)
Island Banking Services, a non-US company, was pushed into bankruptcy when criminal money laundering charges were filed against the company and its officers after five years of operation. Padgett-Beale, Inc. obtained this financial services firm’s digital assets and records from the bankruptcy courts. Licenses for office productivity software, financial transaction processing software, database software, and operating systems for workstations and servers are among the assets purchased. The hardware, software, and licenses required to run the company’s internal computer networks are also included in the sale.
Padgett-Beale, Inc. purchased the IT infrastructure of Island Banking Services (Figure 1).
Padgett-Beale’s legal counsel successfully negotiated with the bankruptcy court and the criminal courts for the return of copies of the firm’s records, allowing the company to resume operations. The courts consented after Padgett-Beale promised in writing to reopen the customer service call center (but not the branch offices) on the island. The reopening of the call center will keep 10 island residents employed, including two call center supervisors. Padgett-Beale plans to move the call center to company-owned property about 10 miles from its current location, adjacent to a newly opened Padgett-Beale resort.
According to Padgett-Beale’s Risk Manager, the Merger & Acquisition plan should be changed so that Island Banking Services is operated as a wholly owned subsidiary for a period of 5 years rather than being completely integrated as an operating element of Padgett-Beale right away. Given the possibility of further legal issues arising from the former owners’ and employees’ acts, the company’s counsel agreed that this was the appropriate course of action. This revision to the M&A plan has been approved by the Board of Directors, and the new subsidiary will be known as PBI Financial Services (PBI-FS). PBI-FS’s officers and senior management will be announced at a later date. For the time being, the Chief Operating Officer will lead the M&A Team. While a search for a dedicated CISO for PBI-FS is underway, Padgett-Beale’s Chief Information Security Officer will be lent to the subsidiary.
Detailed Instructions from the CISO to You
The CISO has provided you and your team members with a set of instructions (below) that you should follow while you carry out this work.
Task #1: Read and analyze the background materials.
Read the background material in this file if you haven’t already. Then review the Padgett-Beale M&A Profile 2020 that was posted in the LEO classroom. You should also go over all of the materials from Weeks 1-4 in the classroom because they contain important information about the Financial Services industry as well as the legal and regulatory requirements that apply to it.
Task #2: Conduct a gap analysis and create a risk register.
Using the facts provided to you, determine the most likely information technology/security weaknesses that existed at Island Banking Services prior to its acquisition by PBI. Determine which of these will most likely persist in the newly formed subsidiary PBI-FS if they are not addressed. Document your analysis and evaluation in a Gap Analysis.
Your Gap Analysis should address operational issues linked to the confidentiality, integrity, and availability (CIA) of PBI-FS’s information, information systems, and information infrastructures. The People, Process, and Technology framework should also be considered and used in your analysis.
Step 1: Identify at least 10 important cybersecurity concerns, difficulties, or dangers that the background information and M&A profile indicate exist at PBI-FS / Island Banking Services. You may “read between the lines,” but you must be able to link your discoveries and analyses to explicit statements in these texts. For the Gap Analysis, these things will constitute your “Gaps.” To arrange your analysis, use one or more cybersecurity frameworks or standards (e.g., NIST CSF; People, Processes, and Technologies; Confidentiality, Integrity, and Availability).
Note that there was a lot of criminal activity at Island Banking Services. Internal flaws that permitted this to happen without being identified by personnel who weren’t participating in the crimes must be addressed in your analysis.
Step 2: Using your Gap Analysis (step 1), develop a Risk Register (see Table 1 at the end of this document) with 10 or more distinct risks. Assign a category (confidentiality, integrity, availability, people, process, or technology) to each risk, as well as a severity (impact level on a 1-5 scale, with 5 being the greatest potential impact).
Step 3: Review the financial services industry’s laws and regulatory guidelines, as well as the laws and regulatory guidance that apply to organizations like Island Banking Services. For each entry in your risk register, identify and record the laws, regulations, or standards that provide direction on how the identified risk must be managed or mitigated. Note these in your risk register.
Step 4: Review rules and regulations that apply to all businesses, such as Sarbanes-Oxley, IRS Business Records regulations, SEC regulations and reporting requirements, and so on. Examine your Risk Register and either map these requirements to existing entries or add new entries for important legal or regulatory requirements that you were unable to map to your previously identified risks. (Include the risk of noncompliance.)
Step 5: Read NIST Cybersecurity Framework v1.1 section 1.2 Risk Management and the Cybersecurity Framework (https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf).
Using this information, determine the appropriate plan for addressing (treating) each of your identified risks. Keep in mind the four different types of risk treatment (accept, avoid, control, transfer).
Consider the business implications of each of your mitigation measures (for example, if you applied an “avoid” approach across the board, your company would be unable to operate in the financial services industry because all operations would have to be shut down).
For each risk in your risk register, write down your risk mitigation approach. For each of your “control” entries, include the matching control category and subcategory (if applicable) from the NIST Cybersecurity Framework (see Tables 1 and 2 in version 1.1); ID.AM Asset Management and PR.AC Identity Management and Access Control are two examples. Remember to include citations for your sources.
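To make the register rules from Steps 2 through 5 concrete, here is an added example (not part of the CISO’s instructions or of any Padgett-Beale system) of a small Python model that checks each register entry against them: category from the CIA / People-Process-Technology set, severity on a 1-5 scale, one of the four treatments, and a NIST CSF v1.1 category or subcategory identifier on every “control” entry. The sample risks and their CSF identifiers are constructed for illustration.

```python
# Added example: model of the PBI-FS risk register with the assignment's rules encoded as checks.
# Sample entries are constructed; CSF identifiers follow the NIST CSF v1.1 naming scheme (e.g. PR.AC-1).
import re
from dataclasses import dataclass, field

CATEGORIES = {"confidentiality", "integrity", "availability", "people", "process", "technology"}
TREATMENTS = {"accept", "avoid", "control", "transfer"}
# CSF v1.1 identifier: function (ID/PR/DE/RS/RC), two-letter category, optional "-N" subcategory.
CSF_ID = re.compile(r"^(ID|PR|DE|RS|RC)\.[A-Z]{2}(-\d+)?$")

@dataclass
class Risk:
    risk_id: str
    description: str
    category: str          # one of CATEGORIES
    severity: int          # impact on a 1-5 scale, 5 = greatest
    treatment: str         # accept | avoid | control | transfer
    csf_ids: list = field(default_factory=list)   # required when treatment == "control"
    sources: list = field(default_factory=list)   # laws, regulations or standards cited (Steps 3-4)

def validate(risk: Risk) -> list:
    """Return the rule violations for one entry; an empty list means the entry is acceptable."""
    problems = []
    if risk.category not in CATEGORIES:
        problems.append(f"{risk.risk_id}: unknown category {risk.category!r}")
    if not 1 <= risk.severity <= 5:
        problems.append(f"{risk.risk_id}: severity must be on a 1-5 scale")
    if risk.treatment not in TREATMENTS:
        problems.append(f"{risk.risk_id}: treatment must be accept, avoid, control or transfer")
    if risk.treatment == "control" and not risk.csf_ids:
        problems.append(f"{risk.risk_id}: control entries need a NIST CSF category/subcategory")
    bad = [c for c in risk.csf_ids if not CSF_ID.match(c)]
    if bad:
        problems.append(f"{risk.risk_id}: malformed CSF identifier(s) {bad}")
    return problems

def validate_register(register: list) -> list:
    """Validate every entry, plus the assignment's minimum of 10 distinct risks."""
    problems = [p for r in register for p in validate(r)]
    if len({r.risk_id for r in register}) < 10:
        problems.append("register needs at least 10 distinct risks")
    return problems

# Constructed sample entries; R-02 and R-03 deliberately break a rule each.
SAMPLE = [
    Risk("R-01", "No monitoring of transactions for money-laundering patterns", "process", 5, "control", ["DE.CM-1"], ["BSA/AML"]),
    Risk("R-02", "Shared administrator accounts on transaction servers", "people", 4, "control", [], ["NIST CSF PR.AC"]),
    Risk("R-03", "No offsite backups of financial records", "availability", 7, "transfer"),
]
```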
Step 6: Create a Cybersecurity Strategy that outlines five or more specific actions (strategies) that the organization should take to implement the risk mitigations you’ve recommended. Draw on your gap analysis, legal and regulatory analysis, risk analysis, and risk reduction recommendations. Under each strategy, explain how it will affect or leverage people, policies, processes, and technologies (hardware, software, infrastructure). Include details specific to Island Banking Services and Padgett-Beale, as well as examples and other relevant material. At a minimum, you should have a technology-related strategy that includes an updated Network Diagram. This diagram must depict the current state of the IT infrastructure, as well as any recommended mitigation or “control” technologies, such as intrusion detection, firewalls, and DMZs (start with the diagram provided in this assignment file).
Note: The executive who leads the Merger & Acquisition Team will present your strategy to the Board of Directors, so make sure you write in proper language and offer enough detail to describe your recommended strategy.
Step 7: Create and document a suggested plan of action and schedule for implementing each part of the cybersecurity strategy you identified before (in step 6). Estimate the amount of time, effort, and money it will take to carry out your recommendations (include appropriate explanations of your reasoning). Include in the timeline the resources (people, money, etc.) required to complete each activity.
Step 8: Create a list of five or more high-level recommendations for the next measures to take in minimizing the risks identified in steps one through seven. These suggestions should follow logically from your study and be backed up by your Cybersecurity Strategy and Action Plan.
Putting Everything Together
1. Assemble your work for Steps 1-7 into a Cybersecurity Strategy and Action Plan. The six major elements listed below should appear in this order in a single file. Your MS Word document must include the following items:
a brief introduction (what is in this document and to what organization does it apply)
Analysis of the Gaps (Step 1)
Analysis of Legal and Regulatory Requirements (Steps 3, 4)
Risk Assessment and Risk Register (Steps 2, 3, 4, 5)