Initial CISO Report (Preliminary Cybersecurity Risk Assessment and Strategic Planning)
30% of overall unit assessment
Assignments in this unit are developmental and cumulative. You are strongly advised to start planning your assignments from Week 1 of your study. Leaving your starting date to the week before the due date is a very poor strategy for success in this unit.
Norman Joe (Aust) Pty Ltd is a multinational retailer that sells affordable white goods, electronics, computers, furniture and household appliances across Australia. Norman Joe has also been in the online sales business for many years. It has just established a new Australian operation, which will be fully operational to take and ship customer orders by the end of 2021. Following the COVID-19 pandemic, Norman Joe has closed most of its stores and decided to run most of its business online. Norman Joe is aware that operating online exposes the business to many risks, including a high risk of cyber-attack. It has therefore engaged us as chief information security officer to identify business risks and to secure its electronic data, online ordering, billing service and other traditional business processes such as transaction processing, employee and customer data protection, secure communication and servers. Norman Joe wants complete cyber security measures established across its Australian operation, which runs four offices in Perth, Sydney, Brisbane and Melbourne with approximately 500 staff. Our task is to identify the cyber security risks and develop corrective measures that protect the organisation by mitigating all possible threats.
Objectives and scope
The main objective of this assessment is to understand the complexities of the company's network and implement countermeasures that prevent cyber-attacks on the organisation. To define the scope clearly, an audit is conducted in which we identify the cyber security risks and organise them effectively. As the main deliverable, a cyber security strategy plan is prepared based on the risks identified at the company; the plan sets out the actions needed to bring each risk down to an accepted level. A well-defined, clear security policy and practical procedures are prepared for all employees and visitors who directly or indirectly use the company network. A cyber security committee will be established for this purpose, responsible for maintaining the procedures for Norman Joe's security on an ongoing basis.
Management and leadership within Norman Joe related to security
Norman Joe has a well-defined employment procedure for finding and selecting the right people for management and leadership roles. Once suitable people with the relevant skill sets are found, a cyber security committee will be formed. This committee is responsible for creating the cyber security processes and for keeping them continuously updated. The committee stays in regular contact with the board of directors (BOD) to formulate cyber security best practice and implement the actions the BOD approves. Committee members should have in-depth knowledge of the current cyber security risks and threats to the company, which will help them prepare the strategic plan for Norman Joe. The approved security strategy will be analysed for budget, and if the committee rates it as high priority it will be applied as a cyber security measure. Alongside the cyber security committee, an incident response (IR) team is formed to handle cyber security events. To resolve a cyber incident, the IR team consults a third-party team of experts who guide them through critical risk conditions.
Mission – the key mission of this strategic plan is to prepare a cyber security plan by analysing the cyber security risks in the organisation. The cyber security plan will also detail the security measures to be implemented at Norman Joe.
Vision – by implementing preventive measures to protect the organisation, Norman Joe will have a well-protected network.
Values – this security plan will add a layer of security and help protect the organisational assets from any cyber incident at the four new locations of the company.
To build an effective cyber security strategic plan, we follow these steps (Hayward, 2019):
Step 1: prepare foundation and goals – as a first step, we identify all the organisational assets that need to be protected under this plan. According to the Norman Joe case study, the main goal of this security planning is to protect the four new branch offices around Australia. In particular, the online business operations at the new locations need protection from every type of cyber-attack. A security compliance framework will be identified and used in this planning to fulfil the legal requirements. Risks are identified and, based on that assessment, risk mitigation tactics will be implemented.
Step 2: know the threat landscape – once the assets are identified, the possible threat landscape can be determined. For this, the assessor first needs to understand Norman Joe's environment, its business operations and its security needs. Network and business threats are then identified against the potential attack methods, and possible preventive measures are identified for each.
Step 3: develop the plan – in this phase, the strategic plan is developed by selecting a framework that includes effective controls, tracking, compliance and other measures. At this stage we know which assets need protection, so choosing effective security measures is straightforward. While developing the plan, the required level of security is evaluated against the organisation's maturity level. This includes best practices and procedures that help identify security gaps and implement security measures according to the company's requirements.
Step 4: evaluate the organisation's ability to accomplish the plan – in this final stage, the cyber security strategy is finalised by assessing the organisation's capabilities. The necessary security work is carried out with the help of a third-party team.
Because this cyber security strategic plan is developed according to, and by following, Norman Joe's security requirements, the plan will be sufficient to protect the information assets defined by the company.
Expected threat and vulnerabilities
Norman Joe runs its business online from the main office and from the four newly established branch locations. While running a business online, a number of cyber threats may affect and harm the network. As part of the primary threat modelling exercise, we assess the organisation's security using the MITRE ATT&CK framework. We take the example of a ransomware attack and analyse it with MITRE ATT&CK.
Ransomware is malicious code or software that infects a system, encrypts all the stored data and displays a message demanding payment before the data is decrypted and the system can work normally again. The main aim of this cyber-attack is making money, with the ransom demanded in cryptocurrency. According to MITRE, the attack encrypts data on one system or on a range of systems in a network to block the availability of that data and related resources. The stored data on those systems is encrypted and becomes inaccessible without the encryption key. The attacker demands money in exchange for the key and threatens to wipe all the data permanently if the money is not paid. In this attack, all types of files stored on the system, the MBR and all disk partitions become inaccessible. Malware-like infection code is implanted on the target system using any of many attack techniques. The attack has many variants, depending on the type of impact on the target system. Detection relies on better system monitoring, including monitoring the use of command-line tools that can destroy data or recovery points, such as vssadmin and bcdedit. Suspicious files, data modification activity in large quantities and unexpected kernel driver installations should be the main things monitored. Backing up system data is the only way to mitigate the risk of this attack, and it also supports the IT disaster recovery plan. The data backup will be stored at an off-site location with general protection to safeguard the data (Mitre Att&ck, 2020).
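As an added illustration of the monitoring the report calls for (this is example code written for this report, not part of the MITRE ATT&CK framework or any Norman Joe system), the following Python checks constructed process-creation and file-modification events for the two signals named above: use of vssadmin or bcdedit to remove recovery points, and a burst of file modifications on one host. Host names, user names, the window size and the threshold are hypothetical values chosen for the sample.

```python
import re
from collections import deque

# Constructed process-creation events (hypothetical sample, not real telemetry).
SAMPLE_PROCESS_EVENTS = [
    {"host": "PER-WS01", "user": "jsmith", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "PER-WS01", "user": "jsmith", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "SYD-WS07", "user": "backup-svc", "cmdline": "vssadmin.exe list shadows"},
    {"host": "MEL-FS01", "user": "svc-fs", "cmdline": "agent.exe --snapshot"},
]

# Command lines that delete shadow copies or disable boot recovery; the report
# names vssadmin and bcdedit as the tools whose use should be monitored.
SUSPICIOUS_CMDLINES = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), "shadow copies deleted (vssadmin)"),
    (re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I), "boot recovery disabled (bcdedit)"),
]

def detect_recovery_tampering(events):
    """Return one alert per event whose command line matches a known pattern."""
    alerts = []
    for ev in events:
        for pattern, reason in SUSPICIOUS_CMDLINES:
            if pattern.search(ev["cmdline"]):
                alerts.append({"host": ev["host"], "user": ev["user"], "reason": reason})
                break  # one alert per event is enough
    return alerts

# Constructed file-modification events: (timestamp_seconds, host, path), sorted by time.
# PER-WS01 rewrites 150 files in 30 seconds; MEL-FS01 touches 5 files in 5 minutes.
SAMPLE_FILE_EVENTS = sorted(
    [(i * 0.2, "PER-WS01", f"C:\\Users\\jsmith\\Documents\\file{i}.docx") for i in range(150)]
    + [(i * 60.0, "MEL-FS01", f"D:\\Shares\\Finance\\report{i}.xlsx") for i in range(5)]
)

def detect_mass_modification(file_events, window_seconds=60, threshold=100):
    """Flag hosts that modify at least `threshold` files within any `window_seconds` span.
    Returns {host: peak count in a window}. Events must be sorted by timestamp."""
    flagged, recent = {}, {}
    for ts, host, _path in file_events:
        q = recent.setdefault(host, deque())
        q.append(ts)
        while q and ts - q[0] > window_seconds:   # drop events outside the sliding window
            q.popleft()
        if len(q) >= threshold:
            flagged[host] = max(flagged.get(host, 0), len(q))
    return flagged

if __name__ == "__main__":
    for alert in detect_recovery_tampering(SAMPLE_PROCESS_EVENTS):
        print("ALERT", alert)
    print("mass modification:", detect_mass_modification(SAMPLE_FILE_EVENTS))
```

Both checks would be fed from the company's endpoint telemetry in practice; the thresholds should be tuned against normal backup and patching activity so that legitimate tools such as the backup agent in the sample do not raise alerts.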
Security personnel requirement
Norman Joe is going to open four new offices in four different locations around Australia, so it needs a well-skilled team to maintain the company's security. As stated by Norman Joe, it has a procedure for finding and recruiting people with enough skill to meet the company's cyber security needs. It plans to have a cyber security committee that communicates directly with the board of directors, researches cyber security best practices and delivers recommended actions to eliminate the risk of cyber-attack. The security personnel recruited into this committee will have in-depth knowledge of the relevant operations and of all basic strategies for mitigating a risk (Simplilearn, 2021). This approach creates a hierarchy in the company: security personnel work in a team under the cyber security committee, and the committee operates under the board of directors. All security policies and procedures prepared by the security personnel under the committee must be approved by the board of directors before being implemented at Norman Joe. This approval procedure covers the security strategy, the impacts and effects of each cyber risk, its mitigation tactics and the process to be followed. An incident response team also works under the committee and is responsible for responding to cyber-attack incidents. Anyone can contact the IR team to respond to an emergency. The IR team also has the support of an external third party, which will have detailed knowledge of Norman Joe's network structure, critical assets and possible risks. A security officer is appointed to this team who is responsible for the initial response and for directing the team's support during the incident.
A third party, SETA, is selected to provide cyber security training to all staff at Norman Joe whenever needed. Timely and regular training is provided to all employees so they understand the need for security, the related risks, basic prevention measures and the limits on their online behaviour at the workplace. Employee training is an ongoing process, so that every employee is fully trained to identify and respond to an incident and understands their responsibilities.
Cybersecurity project management plan
A cyber security plan is very important for preventing cyber-attacks and for responding quickly whenever an incident occurs in the company. The steps for developing a cyber security plan are as follows (Security, 2020):
The scheduling of the processes in the cyber security plan described above is shown in the form of a Gantt chart:
Figure: Scheduling of processes in the cyber security plan
In this assessment task, we have worked on the Norman Joe company and prepared a CISO report for it. In this report, we analysed the company's initial requirements related to management and leadership and prepared a strategic plan with a clear mission, vision and values. All the threats associated with the company's assets were assessed and the related vulnerabilities analysed. The report also states the security personnel needs and an administrative hierarchy for Norman Joe. Lastly, a cyber security project management plan was prepared to help the company develop a cyber security plan according to the researched objectives and procedures.