
Case Study A security blizzard

Recently you attended a planning session for IT regarding the various security standards such as Payment Card Industry (PCI), HIPAA, OWASP, White House Directives, Technical Bulletins and alerts from anti-virus providers. The gaps between what these guidelines recommended and what your company actually had in place were thoroughly reviewed and placed on a backlog list. By the end of the multi-day session the backlog list was quite lengthy. An attempt was made to prioritize them, but the implementation of some would impact strategic business projects. Clearly the business will need to help prioritize the backlog. But how best to engage the business, prioritize all these items and adequately mitigate risk across the enterprise? You recall from MIS 412 the COBIT 5.0 model, and think that it would be useful. You do a quick review of APO13 Manage Security before bringing this to your manager to solve this enterprise planning problem.

Using APO13 (see D2L Content, COBIT Folder, COBIT 5 Enabling)

[Question 1 - 3 points] What are the three APO13 practice areas?

Establish and maintain an ISMS.

Define and manage an information security risk treatment plan.

Monitor and review the ISMS.

[Question 2 - 6 points] What are the six key deliverables indicated by the three practice areas?

ISMS policy

ISMS scope statement

Information security risk treatment plan

Information security business case

ISMS audit report

Recommendations for improving the ISMS.

[Question 3 - 3 points] Based on this case description, which activities (of the 19 in the APO13 family) would you rate as the top 3 to help this situation?

Define and communicate information security management roles and responsibilities.

Formulate and maintain an information security risk treatment plan aligned with strategic objectives and the enterprise architecture. Ensure that the plan identifies the appropriate and optimal management practices and security solutions, with associated resources, responsibilities, and priorities for managing identified information security risk.

Recommend information security training and awareness programmes.
