Attached is the requirement file and the case study to be considered as shared by Professor.
Information:
A few points to take care of:
The report must be based entirely on the case study provided towards the end of the requirement file, about SHAMELESS INSURANCE LTD. Please go through the background, organizational chart, network architecture, and the recent security incident that happened at SHAMELESS Insurance Ltd.
The suggestions made in the report should match the mission, vision, and values of the organization (SHAMELESS INSURANCE).
The different registers (risk register, asset register, cost register) need to be created in Excel and attached in the annex part of the report towards the end. In the report we can say that the company's asset register is attached as Annex 1, 2, 3, etc.
Also, under the Network Architecture header in the case study, it is mentioned that the network architecture diagram provided by their network manager has not been updated for a couple of years, so some components are missing. As a consultant, it is your responsibility to complete the network diagram by collecting the information from various sources.
-- this means that as part of the report I need to complete the network architecture diagram as well.
Please cover each requirement mentioned under each of the subtasks, since the report is marked against them.
Also, please keep in mind the key people in the organization listed in the org chart part of the case study; I am putting them here for reference.
Name             | Designation                       | Background
James Mackenzie  | CEO                               | Secondary school. Business inherited from family. Profit oriented, hasty decisions, abrasive and narrow minded.
Julie Gardham    | Head of IT                        | MSc Business Management; PMP, ITIL and CRISC. Amenable and assertive.
Steve Drake      | Network manager                   | BSc Information Technology Infrastructure; ITIL and MCSA.
Alice Rose       | Help desk / Operations operative  | BSc (Hons) IT Management. Brings ideas, information, and suggestions.
Michael Clover   | Security personnel                | Secondary school. Bored of the job.
I am adding all 9 lecture slides here as a zip file.
I have created the Excel sheet below, in which I have highlighted the contents of each slide for the expert to refer to, and also noted which slide should be referred to for which subtask.
Please note: the risk register, asset register, RACI matrix, risk treatment plan, etc. need to be included as attachments in the annex part of the report.
Please note that for calculations and other matters we can make any assumptions, but all assumptions must be stated explicitly.
SUBTASK 1:
Slide 1 can be referred to when deciding the outline of the report, e.g. what approach to take while building the mind map and answering "why an ISMS?". This mainly concerns subtask 1. Please try to create a RACI matrix if possible.
Create a mind map to represent the obligations of the ISMS for the case study, covering:
- Why have an ISMS?
- Who is it for?
- Who will benefit?
- How will it help?
- What could it help protect against?
Important point in subtask 1: create a scope for the ISMS for the case study. What aspects would you focus on, keeping costs and manageability in mind? What is the boundary of the scope: process(es), department(s), or the whole company?
Create a one- or two-page information security policy for the case study that:
- sets out the management direction for information security,
- is in line with the security objectives of the case study,
- meets the business, contractual, legal and regulatory requirements.
The asset register, cost register, etc. are to be created as part of this task. For the asset register, we need to identify 2 critical assets from each of the 6 asset categories for the case study: physical, hardware, software, procedure, people and data. So we identify 2 critical assets from each of these categories and add them to the asset register, giving 12 assets in total (2 assets * 6 categories) to carry into the risk register.
Propose an information security team organization chart for the case study. Map the team members to the existing organization chart and state what their information security roles and responsibilities would be.
SUBTASK 2:
Provide the benefits of performing risk management for the case study and the shortcomings of not conducting a risk assessment. The company had some recent incidents, as mentioned in the case study, so we can refer to those as well.
Provide the internal and external factors that contribute to the risk to the organization in the case study.
Does each factor identified above affect the whole company, the stakeholders, or both? State this.
Identify the different incidents in the case study (mentioned towards the end) and cite them where necessary. What about legal requirements, and what happens if they are not considered?
In a tabular format, provide a list of 4 existing risk management frameworks/standards with a brief description and their phases, state which industries each is relevant to, and state their pros and cons.
Using these frameworks/standards, create a tailored risk management approach, present it as a flowchart, and map the relevant frameworks/standards to each phase. Then provide a critical analysis of each phase; phases could include, but are not limited to, risk identification, analysis and treatment.
We need to create the risk register as part of this task. It should follow the format below; it can contain more fields, but at minimum the fields below must be included (slide 8, as noted in my Excel sheet).
For each asset identified in subtask 1, we need to find 2 vulnerabilities and detail them in the format below. So in total we have 12 assets * 2 vulnerabilities = 24 risk entries in the risk register.
The full risk register must be produced, ideally in a spreadsheet. Make sure to include all aspects in the register, i.e. identification, analysis and treatment. Do not forget to include the cost benefit analysis, residual risk, and so on. The register should be in line with the tailored risk management approach provided for this section, and must reflect the case study.
Please use the asset register (created in subtask 1) and link it to the risk register in subtask 2. There is also a mention of a risk treatment plan based on the risk register.
Calculation is mentioned as mandatory. Use the figures in the case study for reference. Assumptions can be made for the calculations, but they must be stated explicitly beforehand.
The assignment is to include 2 risk determination calculations.
A likelihood calculation should be included, for which you can use ISO/IEC 27005 or NIST 800-30 / 800-39 5.
Budget allocation can be done in dollars; all assumptions are to be stated explicitly.
For the case study, an insurance company is described in the Word file, but it does not say which products it sells, so we can assume that it sells products A, B and C besides insurance; this assumption has to be stated explicitly.
Risk identification should start with asset management. Considering subtask 1 (security governance), create a tailored asset management approach and present it pictorially. For each stage, map the relevant annex. Stages could include, but are not limited to: asset categorization, asset classification, asset valuation and asset prioritization. (SLIDE 2)
Refer to the attached Excel sheet to see which slide can be referenced for which subtask.
To conduct the analysis within a process, we will have to choose a particular approach, e.g. qualitative, quantitative or mixed. Explain the approach you have used and why the other approaches did not fit your process for the case study.
A full asset register must be produced, ideally in a spreadsheet. Make sure to include all aspects in the register, such as asset information, category, classification, criticality and so on. The register should be in line with the analysis provided above and must align with the case study.
To show that the security plan proposed in the report for SHAMELESS Insurance will be beneficial, we need to show the calculations of the financial benefit (the calculation before applying the security control and after applying it, to show the profit or benefit). This calculation is the COST BENEFIT ANALYSIS FORMULA, which can be found on slide 9.
As part of this subtask, we also need to create a risk treatment plan. Refer to the Excel sheet to find the slide to use for the format.
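The two calculations asked for above (risk determination with a likelihood/impact score, and the cost benefit analysis before and after a control) are shown together below as an added worked example; it is not part of the brief or of any lecture slide. It assumes the standard quantitative formulas (SLE = asset value x exposure factor, ALE = SLE x ARO, net benefit = reduction in ALE minus the annual cost of the control) and an assumed 1-5 qualitative scale in the style of ISO/IEC 27005; whether slide 9 uses exactly these formulas is an assumption. The asset names, dollar values and rates are constructed for illustration, not taken from the case study, and should be replaced by the figures and stated assumptions used in the report.

```python
"""Risk register rows with likelihood scoring and cost benefit analysis.

Added example (not from the assignment brief or slides). Formulas assumed:
  SLE = AV x EF, ALE = SLE x ARO, net benefit = (ALE before - ALE after) - control cost.
All asset names and figures are constructed for illustration.
"""
from dataclasses import dataclass
import csv
import io

# Assumed 1-5 qualitative scales (ISO/IEC 27005 style likelihood x impact matrix).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def risk_rating(likelihood: str, impact: str) -> tuple[int, str]:
    """Return (score, band) for the qualitative risk determination."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score <= 4:
        band = "Low"
    elif score <= 9:
        band = "Medium"
    elif score <= 14:
        band = "High"
    else:
        band = "Critical"
    return score, band


@dataclass
class RiskEntry:
    risk_id: str
    asset_id: str            # links the row back to the asset register (Annex 1)
    asset: str
    category: str            # one of the 6 asset categories in subtask 1
    vulnerability: str
    threat: str
    likelihood: str          # qualitative likelihood label
    impact: str              # qualitative impact label
    asset_value: float       # AV in dollars (assumed)
    exposure_factor: float   # EF: fraction of AV lost per incident (assumed)
    aro_before: float        # annualised rate of occurrence before the control
    aro_after: float         # ARO after the control (residual)
    control: str
    annual_control_cost: float

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale_before(self) -> float:
        return self.sle() * self.aro_before

    def ale_after(self) -> float:          # residual risk in dollar terms
        return self.sle() * self.aro_after

    def net_benefit(self) -> float:        # cost benefit analysis result
        return (self.ale_before() - self.ale_after()) - self.annual_control_cost

    def treatment(self) -> str:
        # A control is only worth buying when it saves more than it costs.
        if self.net_benefit() > 0:
            return "Mitigate (control is cost-justified)"
        return "Accept or transfer (control costs more than it saves)"

    def row(self) -> dict:
        score, band = risk_rating(self.likelihood, self.impact)
        return {"Risk ID": self.risk_id, "Asset ID": self.asset_id, "Asset": self.asset,
                "Category": self.category, "Vulnerability": self.vulnerability,
                "Threat": self.threat, "Likelihood": self.likelihood, "Impact": self.impact,
                "Score": score, "Rating": band, "SLE ($)": self.sle(),
                "ALE before ($)": self.ale_before(), "Control": self.control,
                "Control cost ($/yr)": self.annual_control_cost,
                "Residual ALE ($)": self.ale_after(), "Net benefit ($/yr)": self.net_benefit(),
                "Treatment": self.treatment()}


# Constructed sample rows (three of the 24 the brief asks for).
REGISTER = [
    RiskEntry("R01", "A01", "Customer policy database", "data", "Unencrypted at rest",
              "Data theft", "likely", "major", 500_000, 0.4, 0.5, 0.1,
              "Disk encryption + access control", 30_000),
    RiskEntry("R02", "A02", "Help desk staff", "people", "No security awareness training",
              "Phishing", "almost certain", "moderate", 50_000, 0.5, 2.0, 0.5,
              "Annual awareness training", 15_000),
    RiskEntry("R03", "A03", "File server", "hardware", "No fire suppression in server room",
              "Fire", "rare", "minor", 80_000, 1.0, 0.02, 0.005,
              "Gas fire suppression system", 10_000),
]


def register_csv(entries: list[RiskEntry]) -> str:
    """Render the register as CSV, ready to paste into the Excel annex."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(entries[0].row().keys()))
    writer.writeheader()
    for e in entries:
        writer.writerow(e.row())
    return buf.getvalue()


if __name__ == "__main__":
    print(register_csv(REGISTER))
```

R01 and R02 come out with a positive net benefit and are mitigated; R03's control would cost more per year than the risk it removes, so the register records it for acceptance or transfer (for example, insurance), which is exactly the before/after comparison the cost benefit section of the report needs to show.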
The Word file below can be used for the risk calculations and vulnerabilities; it lists different vulnerabilities.
Another document for reference.
SUBTASK 3:
An incident handling process is applied in complex computer incident scenarios and complex security incidents. Demonstrate your skills by applying all the steps of an incident handling process.
Provide the benefits of performing security incident management for the case study and the shortcomings of not conducting an incident assessment.
In a tabular format, provide a list of 4 existing security incident management frameworks/standards with a brief description and their phases, the industries they are relevant to, and their pros and cons. Using these frameworks/standards, create a tailored incident management approach, present it as a flowchart, and map the relevant frameworks/standards to each phase. Map the relevant inputs, process and outputs for each phase.