Question Details

(Solved) No Plagiarism Please. Discussion 1 and 2, both 250 words each.


CSIA 413: Cybersecurity Policy, Plans, and Programs

***DO NOT copy a source from the Internet and switched words to try and avoid plagiarism detection. DO NOT use answers already posted on Coursehero. This assignment will be submitted through Turnitin for plagiarism and a 0 grade is given for the entire assignment if any plagiarism.***



As a staff member supporting the CISO, you have been asked to research and then draft an issue specific policy for each of the identified issues. These policies are to be written for MANAGERS and must identify the issue, explain what actions must be taken to address the issue (the company’s “policy”), state the required actions to implement the policy, and name the responsible / coordinating parties (by level, e.g. department heads, or by title on the organization chart). After completing your research and reviewing sample policies from other organizations, you will then prepare an “approval draft” for each issue-specific policy.

- The purpose of each issue-specific policy is to address a specific IT governance issue that requires cooperation and collaboration between multiple departments within an organization.

- Each issue specific policy should be no more than two typed pages in length (single space paragraphs with a blank line between).

- You will need to be concise in your writing and only include the most important elements for each policy.

- You may refer to an associated “procedure” if necessary, e.g. a Procedure for Requesting Issuance of a Third Level Domain Name (under the company’s Second Level Domain name) or a Procedure for Requesting Authorization to Establish a Social Media Account.


Your “approval drafts” will be combined with a one-page Executive Summary (explaining why these issue-specific policies are being brought before the IT Governance Board).

Research:
  • 1. Review NIST’s definition of an “Issue Specific Policy” and contents thereof (NIST SP 800-14 p. 14)
  • 2. Review the weekly readings and resource documents posted in the classroom. Pay special attention to the resources which contain “issues” and “best practices” information for:
    • - Data Breach Response
  • - Preventing / Controlling Shadow IT
  • - Social Media
  • 3. Review NIST guidance for required / recommended security controls
  • - NIST SP 800-53 Access Control (AC) control family (for Social Media policy)
  • - NIST SP 800-53 Incident Response (IR) control family (for Data Breach policy)
  • - NIST SP 800-53 System and Services Acquisition (SA) control family (Domain Name, Shadow IT, Website Governance)
  • 4. If required, find additional sources, which provide information about the IT security issues which require policy solutions.
Write:
  • 1. Prepare briefing package with approval drafts of the two IT related policies for the Manager’s Deskbook. Your briefing package must contain the following:

- Executive Summary

- “Approval Drafts” for

  •  Data Breach Response Policy
    • Preventing / Controlling Shadow IT Policy
    • Management and Use of Corporate Social Media Accounts Policy

As you write your policies, make sure that you address IT and cybersecurity concepts using standard terminology.

  • 2. Use a professional format for your policy documents and briefing package.  Your policy documents should be consistently formatted and easy to read.
  • 3. Common phrases do not require citations. If there is doubt as to whether or not information requires attribution, provide a footnote with publication information or use APA format citations and references.
  • 4. You are expected to write grammatically correct English in every assignment that you submit for grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c) verifying that your punctuation is correct and (d) reviewing your work for correct word usage and correctly structured sentences and paragraphs.   

UNIVERSITY OF MARYLAND UNIVERSITY COLLEGE Red Clay Renovations
A case study for CSIA 413
Valorie J. King, PhD Copyright © 2016 by University of Maryland University College. All Rights Reserved.
0 CSIA 413: Cybersecurity Policy, Plans, and Programs Table of Contents
Company Overview.....................................................................................................................................1
Corporate Governance & Management...................................................................................................1
Operations...............................................................................................................................................4
Acquisitions.............................................................................................................................................4
Legal and Regulatory Environment..........................................................................................................5
Policy System...........................................................................................................................................6
Risk Management & Reporting................................................................................................................6
IT Security Management..........................................................................................................................7
Information Technology Infrastructure........................................................................................................8
Enterprise Architecture............................................................................................................................8
Operations Center IT Architecture...........................................................................................................9
Field Office IT Architecture....................................................................................................................10
System Interconnections.......................................................................................................................11 Tables
Table 1. Key Personnel Roster......................................................................................................................3
Table 2. Red Clay Renovations Office Locations & Contact Information.......................................................4 Figures
Figure 1. Red Clay Renovations Organization Chart.....................................................................................2
Figure 2. Overview for Enterprise IT Infrastructure.....................................................................................9
Figure 3. IT Architecture for Operations Center...........................................................................................9 1 Company Overview
Red Clay Renovations is an internationally recognized, awarding winning firm that specializes in the
renovation and rehabilitation of residential buildings and dwellings. The company specializes in updating
homes using “smart home” and “Internet of Things” technologies while maintaining period correct
architectural characteristics. The company’s primary line of business is Home Remodeling Services (NAICS
236118).
Corporate Governance & Management
Red Clay Renovations was incorporated in the State of Delaware in 1991 and is privately held. (Its stock is
not publicly traded on a stock exchange.)The company maintains a legal presence (“Corporate
Headquarters”) in Delaware to satisfy laws relating to its status as a Delaware corporation. The company
has a five member Board of Directors (BoD). The Chief Executive Officer (CEO) and Chief Financial Officer
(CFO) each own 25% of the corporation’s stock; both serve on the BoD. The CEO is the chair person for
the BoD. The three additional members of the BoD are elected from the remaining stock holders and
each serve for a three year term. The BoD provides oversight for the company’s operations as required
by state and federal laws. Its primary purpose is to protect the interests of stockholders. Under state and
federal law, the BoD has a fiduciary duty to ensure that the corporation is managed for the benefit of the
stockholders (see http://www.nolo.com/legal-encyclopedia/fiduciary-responsibility-corporations.html).
The BoD has adopted a centrally managed “Governance, Risk, and Compliance” (GRC) methodology to
ensure that the corporation meets the expectations of stakeholders while complying with legal and
regulatory requirements.
The company’s senior management includes the Chief Executive Officer (CEO), Chief Financial Officer
(CFO), Chief Operating Officer (COO), Director of Architecture & Construction Services (A&C), Director of
Customer Relations (CR), Director of Human Resources (HR), the Director of Information Technology
Services (ITS), and the Director of Marketing and Media (M&M). The Director of ITS is dual-hatted as the
company’s Chief Information Security Officer (CISO). These individuals constitute the Executive Board for
the company and are responsible for implementing the business strategies, policies, and plans approved
by the BoD. A separately constituted IT Governance Board is chaired by the Chief Operating Officer. The
five directors (A&C, CR, HR, ITS, and M&M) serve as members of the IT Governance board. This board
considers all matters related to the acquisition, management, and operation of the company’s
information technology resources.
The CEO, CFO, and COO have been with the company since it started in 1991. The Directors for A&C, CR,
and HR have over 20 years each with the company. The Director for M&M has ten years of service. The
Director of ITS / CISO has been with the company less than two years and is still trying to bring a
semblance of order to the IT management program – especially in the area of IT security services. This is
a difficult task due to the company’s failure to promptly hire a replacement for the previous director who
retired two years ago. 1 CSIA 413: Cybersecurity Policy, Plans, and Programs Figure 1. Red Clay Renovations Organization Chart 2 CSIA 413: Cybersecurity Policy, Plans, and Programs
Table 1. Key Personnel Roster
Name & Title Office
Location
Wilmington Office Phone
No.
910-555-2158 email Wilmington 910-555-2150 Irma_Bromley@ redclayrennovations.com Nancy Randell
Chief of Staf
Marcus Randell
CFO
Julia Randell
COO
Edward Randell, Esq
Corporate Counsel
Erwin Carrington Wilmington 910-555-2152 [email protected] Wilmington 910-555-2159 [email protected] Owings Mills 667-555-5000 [email protected] Wilmington 910-555-1000 [email protected] Owings Mills 667-555-6260 [email protected] Eric Carpenter Owings Mills 667-555-6370 [email protected] Amanda Nosinger Owings Mills 667-555-6400 [email protected] Rebecca Nosinger Ownings Mills 667-555-6900 [email protected] Eugene Nosinger Owings Mills 667-555-8000 [email protected] Charles Kniesel Baltimore 443-555-2900 [email protected] Erica Kniesel Baltimore 443-555-2900 [email protected] William Kniesel Philadelphia 267-555-1200 [email protected] Philadelphia 267-555-1200 [email protected] James Randell
CEO
Irma Bromley [email protected] Executive Assistant to
Mr. Randell CIO & Director IT
Services CISO / Deputy CIO
Director, Customer
Relations Director, Marketing &
Media
Director, Architecture
& Services
Manager & Architect
in Charge, Baltimore
Field Office
Office Manager &
ISSO, Baltimore Field
Office
Manager & Architect
in Charge,
Philadelphia Field
Office Alison Kniesel-Smith
Office Manager &
ISSO, Philadelphia
Field Office 3 CSIA 413: Cybersecurity Policy, Plans, and Programs
Operations
Red Clay Renovations has offices in Baltimore, MD, Philadelphia PA, and Wilmington, DE. The contact
information for each location is provided in Table 2.
Table 2. Red Clay Renovations Office Locations & Contact Information
Location
Baltimore Field Office
Philadelphia Field Office
Operations Center (Owings Mills)
Wilmington Office Mailing Address
200 Commerce Street, Suite 450
Baltimore, MD 21201
1515 Chester Street
Philadelphia, PA 19102
12209 Red Clay Place
Owings Mills, MD 21117
12 High Street
Wilmington, DE 19801 Phone Number
443-555-2900
267-555-1200
667-555-6000
910-555-2150 The Operations Center is the company’s main campus and is located in suburban Baltimore, MD (Owings
Mills). The Owings Mills facility houses the company’s data center as well as general offices for the
company’s operations. These operations include: accounting & finance, customer relations, human
resources, information technology services, marketing, and corporate management. There are
approximately 100 employees at the Operations Center. Day to day management of the Owings Mills
facility is provided by the company’s Chief Operating Officer (COO).
The company’s Chief Executive Officer, corporate counsel, and support staf maintain a presence in the
company’s Wilmington, DE offices but spend most of their time at the Owings Mills operations center.
Field Offices are located in downtown Baltimore and suburban Philadelphia. Each office has a managing
director, a team of 2-3 architects, a senior project manager, a business manager, and an office manager.
Support personnel (receptionist, clerks, etc.) are contractors provided by a local staffing services firm.
Each office operates and maintains its own IT infrastructure.
The company’s architects, project managers, and other support personnel frequently work from
renovation sites using cellular or WiFi connections to access the Internet. Many field office employees
are also authorized to work from home or an alternate work location (“telework site”) one or more days
per week.
Acquisitions
Red Clay acquired “Reality Media Services,” a five person digital media & video production firm in 2015
(NAICS Codes 512110, 519130, and 541430). RMS creates a video history for each residential
construction project undertaken by Red Clay Renovations. RMS also provides Web design and social
4 CSIA 413: Cybersecurity Policy, Plans, and Programs
media services for Red Clay Renovations to promote its services. RMS employees work primarily out of
their own home offices using company provided equipment (computers, video / audio production
equipment). Each employee also uses personally owned cell phones, laptops, digital cameras, and
camcorders. While RMS is now wholly owned by Red Clay, it continues to operate as an independent
entity. Red Clay senior management is working to change this, however, starting with bringing all IT and
IT related resources under the company’s central management. As part of this change, Red Clay has set
up a media production facility (“Media Studio”) in its headquarters location which includes office space
for RMS personnel. The production facility and RMS operations are under the management control of
the Director, Marketing & Media Services.
Legal and Regulatory Environment
The firm is licensed to do business as a general contractor for residential buildings in three states (DE,
MD, PA). The company’s architects maintain professional licensure in their state of residence. The
company’s general counsel is licensed to practice law in Delaware and Maryland. The Chief Financial
Officer is a Certified Public Accountant (CPA) and licensed to practice in all three states.
The company collects, maintains, and stores personal information from and about customers over the
normal course of doing business. This includes credit checks, building plans and drawings for homes, and
information about a customer’s family members which needs to be taken into consideration during the
design and construction phases of a project (e.g. medical issues / disabilities, hobbies, etc.).
When renovations are required due to a medical condition or disability, the company works with health
insurance companies, Medicare/Medicaid, and medical doctors to plan appropriate modifications to the
home and to obtain reimbursement from insurers. This sometimes requires that the company receive,
process, store, and transmit Protected Health Information (PHI) generated by medical practitioners or as
provided by the customer. The company’s legal counsel has advised it to be prepared to show
compliance with the HIPAA Security Rule for PHI for information stored on computer systems in its field
offices and in the operations center.
Red Clay began ofering “Smart Home” renovation services in 2005 (NAICS Codes 541310 and 236118).
These services are primarily ofered out of the Baltimore and Philadelphia field offices. A large
percentage of the company’s “smart home” remodeling work is financed by customers through the
Federal Housing Administration’s 203K Rehab Mortgage Insurance program. Red Clay provides
assistance in filling out the required paperwork with local FHA approved lenders but does not actually
process mortgages itself. Red Clay does, however, conduct credit checks on prospective customers and
accepts credit card payments for services.
As a privately held stock corporation, Red Clay Renovations is exempt from many provisions of the
Sarbanes-Oxley Act of 2002. But, in certain circumstances, i.e. a government investigation or bankruptcy
filing, there are substantial criminal penalties for failure to protect business records from destruction or
spoliation. 5 Policy System CSIA 413: Cybersecurity Policy, Plans, and Programs The company’s Chief of Staf is responsible for the overall organization and management of the
company’s collection of formal policies and procedures (“policy system”). The company’s policies provide
guidance to employees and officers of the company (CEO, CFO, and the members of the Board of
Directors) with respect to their responsibilities to the company. Policies may be both prescriptive (what
“must” be done) and proscriptive (what “must not” be done). Responsibility for writing and maintaining
individual policies is assigned to a designated manager or executive within the company. Each policy
identifies the responsible individual by title, e.g. Director of Human Resources.
The major policy groupings are: Human Resources
Financial Management
Information Technology
Employee Handbook
Manager Deskbook Selected policies are published as an Employee Handbook and a Manager’s Deskbook to communicate
them to individual employees and managers and to ensure that these individuals are aware of the
content of key policies which afect how they perform their duties.
Risk Management & Reporting
The company engages in a formal risk management process which includes identification of risks,
assessment of the potential impact of each risk, determination of appropriate risk treatments
(mitigation, acceptance, transfer), and implementation of the risk management strategy which is based
upon the selected risk treatments. For information technology related risks, the CISO working in
conjunction with the IT Governance Board is responsible for identifying and assessing risks.
Corporate-wide, high level risks which could impact the company’s financial performance are disclosed
to shareholders during the annual meeting and in the Annual Report to Investors. For the current year,
the following high level cybersecurity related risks will be disclosed.
1. Cyber-attacks could afect our business.
2. Disruptions in our computer systems could adversely afect our business.
3. We could be liable if third party equipment, recommended and installed by us (e.g. smart home
controllers), fails to provide adequate security for our residential clients.
The company’s risk treatments for cybersecurity related risks include purchasing cyber liability insurance,
implementing an asset management and protection program, implementing configuration baselines,
implementing configuration management for IT systems and software and auditing compliance with IT
security related policies, plans, and procedures. 6 CSIA 413: Cybersecurity Policy, Plans, and Programs
The corporate board was recently briefed by the Chief Information Officer concerning the company’s IT
Security Program and how this program contributes to the company’s risk management strategy. During
the briefing, the CIO presented assessment reports and audit findings from IT security audits. These
audits focused upon the technical infrastructure and the efectiveness and efficiency of the company’s
implementation of security controls. During the discussion period, members of the corporate board
asked about audits of policy compliance and assessments as to the degree that employees were (a)
aware of IT security policies and (b) complying with these policies. The CIO was tasked with providing
audit reports for these items before the next quarterly meeting of the corporate board.
The corporate board also asked the CIO about future plans for improvements to the IT Security program.
The CIO reported that, in the coming year, the CISO will begin implementation of an IT vulnerability
management program. The CIO also reported that the CISO is working with the IT Governance Board to
restart the company’s security education, training, and awareness (SETA) program. SETA activities had
fallen into disuse due to a perceived lack of quality and lack of timeliness (out of date materials). The
CISO has also determined that the System Security Plans for the field offices are out of date and lacking
in important secu

 


Solution details:
STATUS
Answered
QUALITY
Approved
ANSWER RATING

This question was answered on: Sep 05, 2019

PRICE: $15

Solution~000200034207.zip (25.37 KB)

Buy this answer for only: $15

This attachment is locked

We have a ready expert answer for this paper which you can use for in-depth understanding, research editing or paraphrasing. You can buy it or order for a fresh, original and plagiarism-free copy from our tutoring website www.aceyourhomework.com (Deadline assured. Flexible pricing. TurnItIn Report provided)

Pay using PayPal (No PayPal account Required) or your credit card . All your purchases are securely protected by .
SiteLock

About this Question

STATUS

Answered

QUALITY

Approved

DATE ANSWERED

Sep 05, 2019

EXPERT

Tutor

ANSWER RATING

GET INSTANT HELP/h4>

We have top-notch tutors who can do your essay/homework for you at a reasonable cost and then you can simply use that essay as a template to build your own arguments.

You can also use these solutions:

  • As a reference for in-depth understanding of the subject.
  • As a source of ideas / reasoning for your own research (if properly referenced)
  • For editing and paraphrasing (check your institution's definition of plagiarism and recommended paraphrase).
This we believe is a better way of understanding a problem and makes use of the efficiency of time of the student.

NEW ASSIGNMENT HELP?

Order New Solution. Quick Turnaround

Click on the button below in order to Order for a New, Original and High-Quality Essay Solutions. New orders are original solutions and precise to your writing instruction requirements. Place a New Order using the button below.

WE GUARANTEE, THAT YOUR PAPER WILL BE WRITTEN FROM SCRATCH AND WITHIN YOUR SET DEADLINE.

Order Now