
Address any systems or software interoperability issues which may arise (especially those associated with the company’s existing custom software applications).

Project #2: Cybersecurity Implementation Plan
Your Task:

The Acquisition of Island Banking Services has moved from the strategy development phase to the integration phase. In this phase, the M&A team will develop transition and implementation plans. Padgett-Beale’s Chief Information Security Officer (CISO) has recommended that a separate Cybersecurity Management Program be established for the Padgett-Beale Financial Services (PBI-FS) subsidiary to isolate as much risk as possible to the PBI-FS organization. This management program will require the establishment of policies, plans, and procedures which are customized to the financial service industry and the operating structure of PBI-FS.

The CISO has asked you to continue supporting the Merger & Acquisition team’s efforts. Your specific tasking is to assist in developing an implementation plan for the previously developed Cybersecurity strategy (Project #1). Since there have been additional developments in the M&A strategy overall, you should pay close attention to the Background Information provided later in this document.

Using your prior work (Project 1), develop a high-level plan for implementing a Cybersecurity Management Plan that will allow PBI-FS to begin operations in its new, on-island location. (The plan for the U.S. headquarters is being developed separately from your efforts.) This plan must take into account compliance requirements for U.S. banking laws, regulations, and standards. It must also include recommendations for required security controls, replacement of outdated hardware and software, and other measures necessary to reduce risk to an acceptable level. You must specifically address measures to reduce risks associated with both insider threats and external threats and threat actors.

Note: you MUST use the implementation plan outline provided later in this document.
You may need to perform additional analysis to address issues specific to the findings from the M&A team regarding the as-is state of the purchased assets which comprise the existing IT infrastructure.
Your high-level plan should include the system development life cycle (SDLC) gates/decision points and relevant tasks required to implement changes in the company’s hardware, software, and infrastructure. See https://www.sebokwiki.org/wiki/System_Life_Cycle_Process_Models:_Vee for more information about the gates & decision points.

You must also address any systems or software interoperability issues which may arise (especially those associated with the company’s existing custom software applications). You do not need to prepare a comprehensive Interoperability Assessment, but you should identify key issues and concerns. See the following resources for definitions and guidance:
• https://www.smartgrid.gov/recovery_act/overview/standards_interoperability.html
• https://www.fcc.gov/general/interoperability

You must clearly show that you have applied the following frameworks and concepts in your analysis and planning:
• Cybersecurity Principles: confidentiality, integrity, availability, non-repudiation, authentication, auditability, accountability
• NIST Cybersecurity Framework (see https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf )

• NIST Security and Privacy Controls (see NIST SP 800-53) OR Center for Internet Security (CIS) 20 Critical Security Controls for Effective Cyber Defense (see https://www.tripwire.com/state-of-security/security-data-protection/security-controls/cis-top-20-critical-security-controls/ )

• Information Security Management Systems (ISMS) – ISO 27001/27002 (see https://www.praxiom.com/toc35.htm and https://www.praxiom.com/iso-27001.htm )