This week you will continue to work on the BCC Enterprise Information Security Program by creating the BCC Enterprise Security Strategic Plan. Use the work completed in Week 1 and the information gained this week to complete the BCC Enterprise Strategic Plan.
Part 1
Write a 5- to 6-page BCC Enterprise Information Security Strategic Plan that includes the following:
• Information security vision, mission, and objectives
• Balanced scorecard for each domain
• Control framework and major security areas to be assessed (COBIT or ISO 27002)
• SWOT analysis of the internal and external assessment identifying at least three security initiatives that improve the security objectives
• Operational action plan to complete the security initiatives
Part 2
Create a 6- to 8-slide, media-rich Microsoft® PowerPoint® presentation in which you:
• Define at least three key performance indicators for the security objectives and initiatives.
• Align the key performance indicators to the security objectives and initiatives as specified in the BCC profile.
Full Answer Section
- Vision, Mission, and Objectives
- Vision: To be recognized as a leader in information security, ensuring the confidentiality, integrity, and availability of all organizational data.
- Mission: To implement a comprehensive information security program that protects BCC's critical assets from unauthorized access, use, disclosure, disruption, modification, or destruction.
- Objectives:
- Reduce security incidents by 20% within one year.
- Increase employee security awareness training completion rates to 90% within six months.
- Implement a data loss prevention (DLP) solution within one year.
- Achieve compliance with the ISO 27001 information security standard within two years.
- Balanced Scorecard
Balanced scorecards will be developed for each core security domain:
- Security Awareness and Training:
- Objective: Increase employee security awareness.
- Metrics: Training completion rate, phishing simulation click rate, number of suspicious emails and incidents reported by employees.
- Access Control:
- Objective: Implement least privilege access controls.
- Metrics: Number of privileged accounts, frequency of access reviews, number of accounts inactive beyond the defined threshold (with time to disable them).
- Data Security:
- Objective: Protect sensitive data at rest, in transit, and in use.
- Metrics: Data classification completion rate, percentage of sensitive data stores encrypted at rest and in transit, number of DLP policy violations blocked.
- Incident Response:
- Objective: Effectively detect, respond to, and recover from security incidents.
- Metrics: Incident response plan completion and test rate, mean time to detect (MTTD), mean time to resolve (MTTR).
- Business Continuity and Disaster Recovery (BCDR):
- Objective: Ensure business continuity in the event of a disaster.
- Metrics: BCDR plan completion rate, recovery time achieved in DR tests measured against the recovery time objective (RTO), data recovery success rate measured against the recovery point objective (RPO).
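The scorecard metrics above are only useful if they are computed the same way every reporting period. The following is an added example (not part of the original assignment answer) that computes each domain's metrics from constructed sample data; the employee, account, incident and DR-test records, the 90-day inactivity window and the 4-hour RTO are all assumptions for illustration, not BCC figures.

```python
"""Compute balanced-scorecard metrics for the five security domains.

Added example with constructed data. INACTIVITY_DAYS and RTO_HOURS are
assumed thresholds, not values from the BCC profile.
"""
from datetime import datetime, timedelta
from statistics import mean

AS_OF = datetime(2024, 6, 30)          # reporting date (constructed)
INACTIVITY_DAYS = 90                   # assumed inactivity threshold
RTO_HOURS = 4.0                        # assumed recovery time objective

# Constructed sample records -------------------------------------------------
EMPLOYEES = [  # (user, training_completed, clicked_phishing_simulation)
    ("alice", True, False), ("bob", True, True), ("carol", False, False),
    ("dave", True, False), ("erin", True, False),
]
ACCOUNTS = [  # (user, is_privileged, last_login)
    ("alice", True, datetime(2024, 6, 28)),
    ("bob", False, datetime(2024, 2, 1)),         # inactive > 90 days
    ("svc_backup", True, datetime(2024, 1, 15)),  # privileged and inactive
    ("carol", False, datetime(2024, 6, 20)),
]
INCIDENTS = [  # (occurred_at, detected_at, resolved_at)
    (datetime(2024, 5, 1, 8), datetime(2024, 5, 1, 10), datetime(2024, 5, 1, 18)),
    (datetime(2024, 5, 10, 0), datetime(2024, 5, 12, 0), datetime(2024, 5, 13, 0)),
]
DR_TESTS = [  # (recovery_time_hours, data_restored_within_rpo)
    (3.0, True), (6.0, True), (2.5, False),
]


def training_completion_rate(employees):
    return sum(1 for _, done, _ in employees if done) / len(employees)


def phishing_click_rate(employees):
    return sum(1 for _, _, clicked in employees if clicked) / len(employees)


def privileged_account_count(accounts):
    return sum(1 for _, priv, _ in accounts if priv)


def inactive_accounts(accounts, as_of=AS_OF, days=INACTIVITY_DAYS):
    """Accounts whose last login is older than the inactivity threshold."""
    cutoff = as_of - timedelta(days=days)
    return [user for user, _, last in accounts if last < cutoff]


def inactive_privileged_accounts(accounts, as_of=AS_OF, days=INACTIVITY_DAYS):
    """The subset that matters most for least privilege: stale admin accounts."""
    stale = set(inactive_accounts(accounts, as_of, days))
    return [user for user, priv, _ in accounts if priv and user in stale]


def hours(delta):
    return delta / timedelta(hours=1)


def mean_time_to_detect(incidents):
    return mean(hours(det - occ) for occ, det, _ in incidents)


def mean_time_to_resolve(incidents):
    """Measured from detection to resolution, so it is independent of MTTD."""
    return mean(hours(res - det) for _, det, res in incidents)


def rto_met_rate(tests, rto=RTO_HOURS):
    return sum(1 for t, _ in tests if t <= rto) / len(tests)


def data_recovery_success_rate(tests):
    return sum(1 for _, ok in tests if ok) / len(tests)


def scorecard():
    """One dict per domain, matching the scorecard structure in the plan."""
    return {
        "awareness": {"training_completion": training_completion_rate(EMPLOYEES),
                      "phishing_click_rate": phishing_click_rate(EMPLOYEES)},
        "access_control": {"privileged_accounts": privileged_account_count(ACCOUNTS),
                           "inactive_accounts": inactive_accounts(ACCOUNTS),
                           "inactive_privileged": inactive_privileged_accounts(ACCOUNTS)},
        "incident_response": {"mttd_hours": mean_time_to_detect(INCIDENTS),
                              "mttr_hours": mean_time_to_resolve(INCIDENTS)},
        "bcdr": {"rto_met_rate": rto_met_rate(DR_TESTS),
                 "data_recovery_success": data_recovery_success_rate(DR_TESTS)},
    }


if __name__ == "__main__":
    for domain, metrics in scorecard().items():
        print(domain, metrics)
```

Two design points worth carrying into the real scorecard: MTTR is measured from detection rather than from occurrence, so a slow detection does not double-count as slow response, and the access-control domain reports stale privileged accounts separately, since one unused admin account is a larger least-privilege gap than several unused standard accounts.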
- Control Framework and Assessment
The ISO 27002 code of practice will be used as the control framework for assessment. A gap analysis will be conducted against each ISO 27002 control to identify where BCC's current security posture already meets the control and where it deviates; each deviation will be rated by risk so that remediation can be prioritized in the operational action plan.
- SWOT Analysis
Strengths:
- Strong leadership commitment to security
- Existing security policies and procedures
- Security-aware employees
Weaknesses:
- Lack of a centralized security program
- Outdated security technology
- Limited security awareness training
Opportunities:
- Leverage industry best practices
- Implement new security technologies
- Increase employee security awareness