Assessment item 2 –
The CISO’s priority is to revise ACME’s enterprise information security policy and specific security control standard requirements. To facilitate this, the CISO has published a strategic security view, which supports ACME’s corporate aspirations. This strategic view reads as follows:
The Information Security division of ACME Widgets Inc. will strive to ensure that all sensitive corporate and customer information is always protected when being sent, received, processed, or stored in any medium as part of any business process. ACME will identify, implement and operate world-class preventative, detective and responsive security controls to always protect our business information. Furthermore, ACME will actively seek to attract and retain appropriate skills and expertise to ensure that all phases of the business systems’ lifecycle are protected, including architecture, design, build, and operations.
The security policy will provide a clear vision of ACME’s commitment to protecting its business information. A security policy explains the “what” of the enterprise security strategy – the senior management expectations of what broad goals ACME will set itself for preventing, detecting and responding to cyber incidents.
Security control standards provide the “how” of the security strategy and must clearly align with the security policy. You will create a set of specific implementation standards and/or behavioural expectations that will facilitate secure design, configuration and operational decisions by ACME’s technology staff. Control standards must be specific, clearly guiding behaviour and able to be objectively measured for compliance.
As part of your role as lead consultant on one of the focus streams of the ACME security uplift programme, you will contribute to the ‘ACME Cyber Security Standards’ (ACSS), comprising:
3-4 security policy statements that apply to your chosen focus area and that align with the strategic vision.
10-15 specific control requirements that align with one or more policy statements and describe how a person or system will be configured or behave in order to preserve the security of ACME’s information.
The ACSS should incorporate any relevant regulation or legislation that is applicable to ACME, given the nature, location and scope of their business. Utilise your research from Assignment 1 to select appropriate regulatory and/or legislative contexts and drivers for your policy statements and control requirements.
Your submission should include:
A description of the intent, audience and scope of the cyber security standards
3-4 security policy statements describing the security objectives of your focus area.
A clearly presented set of 10-15 specific security control requirements that:
Link to the parent policy statements.
Are supported by referenced industry frameworks.
Include any relevant regulatory or legislative linkage.
Assign clear accountabilities for implementing each required configuration or behaviour.
Your submission should be of sufficient length to comprehensively address the specific implementation requirements of each policy objective. It may be useful to tabulate the specific requirements to better demonstrate their relationship to the security policy and any supporting material. Overall (including any tables) your submission should be approximately 2000 words in length.
This assessment task will assess the following learning outcome/s:
be able to formulate a security policy.
be able to identify, analyse and select secure system architecture elements.
be able to justify key elements of operations security.
Criteria:
Document control: Clear and concise introduction and articulation of the scope, audience, and applicability of the cyber security standards. An accurate and thorough list of accountable and responsible parties in relation to the requirements.